docs(ci): sketch required-check hygiene (human + machine) #651
Merged
Captures the "Expected — Waiting for status to be reported" failure class fixed in #645 and the guardrail that prevents it:

- docs/ci/required-checks.adoc — the failure mode, the three mechanisms (branch-filtered workflow / renamed-migrated job / external app check), a diagnosis recipe, the rule (a required check must be emitted on every PR base), and the estate required-vs-emitted matrix.
- .machine_readable/6a2/PLAYBOOK.a2ml — new [ci-required-checks] operational entry pointing at the doc and tracking issue #650.

Refs #645, #650, hyperpolymath/hypatia#519.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26
🔍 Hypatia Security Scan
Findings: 41 issues detected
View findings
[
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (32 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (29 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (3 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/ffi.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
3 tasks
hyperpolymath added a commit to hyperpolymath/hypatia that referenced this pull request Jun 21, 2026
…sitive) (#522) ## What `lib/rules/code_safety.ex` rated `:unwrap_dangerous_default` (`~r/\.unwrap_or\(0\)/`) as **`:critical`** / CWE-754. But `.unwrap_or(0)` is the panic-**free**, idiomatic-safe form — it's the *fix* for `.unwrap()` and cannot panic. The same module rates `.unwrap()` (which **does** panic) only `:high`, so the safe form outranked the unsafe one. This change: - demotes `:critical` → **`:low`** (now correctly below `:unwrap_without_check`'s `:high`), - switches `CWE-754` → **`CWE-252`** (None/Err collapsed to a default — not improper exception handling, since `unwrap_or` *is* the handling), - rewords the description to drop the panic framing. ```diff - %{id: :unwrap_dangerous_default, severity: :critical, - pattern: ~r/\.unwrap_or\(0\)/, cwe: "CWE-754", - description: "unwrap_or(0) with dangerous default"}, + %{id: :unwrap_dangerous_default, severity: :low, + pattern: ~r/\.unwrap_or\(0\)/, cwe: "CWE-252", + description: "unwrap_or(0) masks errors with 0 default -- no panic; verify 0 is safe"}, ``` ## Why Surfaced while triaging the Hypatia scan on `hyperpolymath/affinescript#651`: the two reported `critical` findings were both `.unwrap_or(0)` in correct LSP code (`tools/affinescript-lsp/src/{main.rs:155,handlers.rs:575}`) — a start-of-line word-boundary default, and a protocol-version default that is immediately range-checked. Both are false positives; the miscalibrated rule is the cause. ## Scope Addresses the **rule half** of #521. The other half (critical findings counted but never listed in the scan comment/artifact/log) is a separate change in the reporting path and remains tracked in #521. ## Tests No test asserts this rule's severity (`code_safety_test.exs` only references `:unwrap_without_check`), so the change is test-safe. The pattern/id are unchanged, so `.unwrap_or(0)` is still detected — just at `:low`. 
Refs: #521 · `hyperpolymath/affinescript#651` · `hyperpolymath/affinescript#655` 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- _Generated by [Claude Code](https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26)_ Co-authored-by: Claude <noreply@anthropic.com>
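Review bot: The `severity: :low` value on the added `%{id: :unwrap_dangerous_default, ...}` line has no test pinning it, and the message itself notes that `code_safety_test.exs` only references `:unwrap_without_check`. Add an assertion that this rule is `:low` and ranks below `:unwrap_without_check`'s `:high`, so the inversion this change fixes cannot return unnoticed. The id still reads `:unwrap_dangerous_default` while the new description drops the danger framing; if renaming would break consumers keyed on the id, a short comment beside the rule explaining the mismatch would help.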
What
Documents the CI failure class diagnosed and fixed in #645 (merged), so it doesn't have to be re-derived next time.
- docs/ci/required-checks.adoc (new) — the "Expected — Waiting for status to be reported" trap: what it means (a required context never reported ≠ a failure), the three mechanisms that cause it (branch-filtered workflow / renamed-migrated job / external app check), a diagnosis recipe (get_check_runs vs the required pins), the guardrail rule, and the estate required-vs-emitted matrix.
- .machine_readable/6a2/PLAYBOOK.a2ml — new [ci-required-checks] operational entry pointing at the doc + tracking issue.

Why
This is the "sketch area + human/machine documentation" half of the close-out for the required-checks work. The fix itself shipped in #645; this preserves the reasoning and the rule (a context may be marked Required only if it is emitted unconditionally on every PR that can target the protected branch).
Refs #645 · #650 (pin reconciliation) · hyperpolymath/hypatia#519 (Hypatia app check). DOC-FORMAT-compliant (.adoc).
🤖 Generated with Claude Code
https://claude.ai/code/session_01UXXpaoiATzxcn3kW3eTM26
Generated by Claude Code