License: comprehensive PMPL residue scrub#236
Merged
Conversation
Final pass over the remaining PMPL mentions; boj-server is MPL-2.0 / CC-BY-SA-4.0.
Scrubbed (residual PMPL on an MPL-2.0 repo):
- src/abi/Boj/Federation.idr: reword the module doc-comment ("PMPL provenance
metadata is the legal expression of attestation" -> "Signed provenance
metadata complements the hash attestation"). Comment only; no logic change.
- .machine_readable/svc/self-validating/examples/setup-repo.k9.ncl: the generic
setup example added PMPL-1.0 to any repo; changed to the estate-default MPL-2.0
(canonical mozilla.org text).
- .machine_readable/servers/menu.a2ml: attestation format "PMPL-provenance-v1"
-> "boj-provenance-v1".
- .machine_readable/servers/order-ticket.a2ml: drop "PMPL" from the provenance
comment; rename the (pmpl-provenance #t) security field to (provenance #t).
NOTE: the menu.a2ml format string and the order-ticket.a2ml field are
machine-readable identifiers. Nothing else in the repo references them by name,
but if an external consumer keys on the old strings, revert those two hunks.
Kept (legitimate, not a licence declaration): the pmpl-mcp cartridge + catalogue
entries, the LICENSES/README carve-out note, contractile.just's generic
license-keyword grep, and the consent-aware-http prospective-PMPL note (correct
estate policy).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XrPAh7eBSUcVKauTVdXH9Y
🏁 path-claims benchCommit NumbersHost-dependent — compare deltas across commits, not absolute values. |
🔍 Hypatia Security ScanFindings: 214 issues detected
View findings[
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "missing_timeout_minutes",
"file": "scorecard-enforcer.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in codeql.yml",
"type": "codeql_missing_actions_language",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
hyperpolymath
added a commit
that referenced
this pull request
Jun 24, 2026
…reen) (#237) Fixes the pre-existing Idris2 failure surfaced on #234/#236 (not caused by either — they just triggered the path-gated Idris2 job by touching a `.idr`). ## Root cause `allTake` was defined **twice** in `src/abi/Boj/SafetyLemmas.idr`: - lines ~122–130 — `{p} -> {n} -> {xs} -> allRec p xs = True -> allRec p (take n xs) = True` - lines ~213–221 — same lemma, implicit args in a different order (`{p} -> {xs} -> {n}`) → `Error: Boj.SafetyLemmas.allTake is already defined` → the **core ABI package `boj.ipkg` failed** type-check (`PASS=104 FAIL=1`). It was masked normally because the Idris2 job is path-gated and skips unless a `.idr` changes. ## Fix Kept the **first** definition — a complete, **total** proof (no `postulate`, no `believe_me`) — and removed the redundant second copy. No proof is weakened or stubbed. Both callers use inferred implicits, so the removed copy's argument order didn't matter to them: - `Boj/SafePromptInjection.idr:168` — `MkDelimiterCharsafe (take n cs) {prf = allTake prf}` - `Boj/SafeHTTP.idr:139` — `MkHeaderCharsafe (take n cs) {prf = allTake prf}` ## Verification Expected: `scripts/typecheck-proofs.sh` → **PASS=105 FAIL=0**. Idris2 isn't available in the authoring environment, so the **Idris2 type-check CI job is the proof verification** here — it should go from failing to green on this PR (and this is the first PR that *should* pass it cleanly when the job runs). 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- _Generated by [Claude Code](https://claude.ai/code/session_01XrPAh7eBSUcVKauTVdXH9Y)_ Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Final, comprehensive pass over the remaining PMPL mentions (the "item 2" you asked me to deal with thoroughly). boj-server is MPL-2.0 (code) / CC-BY-SA-4.0 (docs). 4 files.
Scrubbed (residual PMPL on an MPL-2.0 repo)
src/abi/Boj/Federation.idr— reworded the module doc-comment: "PMPL provenance metadata is the legal expression of attestation" → "Signed provenance metadata complements the hash attestation." Comment only — no code/logic change..machine_readable/svc/self-validating/examples/setup-repo.k9.ncl— the generic repo-setup example added PMPL-1.0 to any repo (misleading, since estate default is MPL-2.0 and PMPL is only for 3 specific repos). Changed to add MPL-2.0 from the canonical mozilla.org text..machine_readable/servers/menu.a2ml— attestationformat = "PMPL-provenance-v1"→"boj-provenance-v1"..machine_readable/servers/order-ticket.a2ml— dropped "PMPL" from the provenance comment; renamed the(pmpl-provenance #t)security field to(provenance #t).menu.a2ml's format string andorder-ticket.a2ml's field are protocol identifiers. Nothing else in the repo references them by name (verified), but if an external/downstream consumer keys on the old strings, revert those two hunks.Kept on purpose (legitimate — not a licence declaration)
The
pmpl-mcpcartridge + its catalogue/abi-driftentries (product about the licence), theLICENSES/READMEcarve-out note,contractile.just's generic license-keyword grep, and theconsent-aware-http"PMPL applies prospectively" note (correct estate policy).After this, the only PMPL strings left in the tree are those legitimate references.
🤖 Generated with Claude Code
Generated by Claude Code