fix: repair allTake proof break; MPL-2.0 licensing; Markdown README; reconcile counts (125/68/0.4.7)#256
Merged
Merged
Conversation
`allTake` was defined twice in src/abi/Boj/SafetyLemmas.idr (a merge
artifact); both clauses prove the identical proposition
`allRec p xs = True -> allRec p (take n xs) = True`, differing only in
implicit-argument order. The duplicate made the core `boj.ipkg` fail to
type-check ("Boj.SafetyLemmas.allTake is already defined"), so
scripts/typecheck-proofs.sh reported PASS=104 FAIL=1.
Removed the redundant second copy; callers use `allTake prf` with inferred
implicits, so argument order is irrelevant. The full proof gate is now
PASS=105 FAIL=0, the trusted base is unchanged (5 sanctioned class-(J)
axioms in SafetyLemmas), JS tests pass 52/52, and boot_smoke passes on
node, bun, and deno.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… hygiene - License: restore MPL-2.0 in package.json (the published 0.4.7 is already MPL-2.0; the AGPL-3.0-or-later in the working tree was a regression) and switch the sub-component manifests from AGPL to MPL-2.0: elixir/mix.exs, coord-tui/Cargo.toml, tray/Cargo.toml, and the three tools/* packages. (cartridges/idaptik-admin-mcp is intentionally left AGPL.) - README.md: rewrite as true GitHub-Flavored Markdown. It was AsciiDoc markup saved in a .md file, which renders garbled on GitHub/npm/Glama. Marked CC-BY-SA-4.0 (docs). README.adoc is retained as the AsciiDoc source. - package.json: add a `files` whitelist (mcp-bridge/, README.md, LICENSE, NOTICE) so the npm tarball drops from ~10.5 MB to ~0.9 MB. - mcp-bridge/main.js: shebang `deno run ...` -> `node` so the documented `npx` install actually runs under Node. - .gitattributes: linguist overrides (vendor cartridges/ and ffi/, mark docs) so GitHub stops detecting the repo as "Zig". Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… of truth
Single source of truth: 125 cartridges (= the cartridge.json count and what
the live boj_menu reports), 68 MCP tools (45 boj_* + 23 coord_*), v0.4.7.
- Cartridge count -> 125 across: jsr.json, smithery.yaml, ai-plugin.json,
openapi.yaml, CITATION.cff, site/index.md, .github/settings.yml,
Intentfile.a2ml, README.adoc, mcp-bridge/lib/offline-menu.js, and
docs/{glama/CAPABILITIES,glama/RESOURCES,EXPLAINME,quickstarts/USER,
developer/llm-warmup-dev,developer/llm-warmup-user,index.html}.
- smithery.yaml: complete the static `tools:` table from 18 entries to all
68 (generated from the live tools/list).
- docs/glama/CAPABILITIES.md: replace the inflated "1041 Tools" with the
honest "68 MCP Tools" framing.
- Version -> 0.4.7: smithery.yaml, mcp-bridge/lib/version.js, CITATION.cff,
openapi.yaml, docs/specification/openapi.yaml.
Dated 2026-04-30 measurement snapshots (ROADMAP/architecture/TEST-NEEDS),
ADR records, and the "115 lines" code line-counts are intentionally left
untouched (they need re-measurement, not a number swap).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Jun 25, 2026
#257) The Proofs Gate is path-filtered (the `changes` job skips the heavy Idris2 type-check unless a PR/push touches `src/abi/**` etc.), so a proof break already in `main` is never re-detected — off-path PRs skip the typecheck and it reports success. This adds a weekly `schedule` trigger; on a schedule event the detect step leaves `run=true`, so the full core + every-cartridge type-check runs unconditionally against `main` and catches drift. Motivated by the duplicate `allTake` in `SafetyLemmas.idr` that sat in `main` with a green gate (fixed in #256). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…cts) - README.md: kept the pre-existing MPL-2.0 header + the branch title; dropped main's standardization-sweep duplicate (a second // CC-BY-SA-4.0 header that collided with the file's existing MPL-2.0 header and the PR's MPL-2.0 intent). - site/index.md: honoured main's deletion (#233 replaced it with the new site/index.html website). Branch's only change there was a cartridge-count bump, carried as a flag (see PR comment) rather than into the deleted file. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Owner
Author
|
Conflict resolved (merged main, pushed). Two judgment calls I made — flagging for your review:
|
- README.md + site/index.html: SonarCloud quality-gate badge. - site/.well-known/security.txt (the served one): Expires 2027, Canonical -> boj-server.net, drop bogus Hiring link (matches the root fix in #258). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The served site/.well-known/ had only security.txt; add humans.txt and ai.txt to match the repo-root set. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Jun 25, 2026
…render on Glama/community-health) (#260) **Fixes the raw-AsciiDoc rendering** on https://glama.ai/mcp/servers/hyperpolymath/boj-server (and GitHub community-health). The README was AsciiDoc (`README.adoc` + a `README.md` carrying raw asciidoc syntax) → consumers that render Markdown show literal `= boj-server`, `:toc:`, `[source,bash]`, `image:[]`, `link:[]`. Converts the source to GFM via pandoc (badges → clickable `[](link)`), keeps the CC-BY-SA-4.0 SPDX header as an HTML comment, removes the duplicate `README.adoc`. Count (115) carried verbatim; the 115/125/139 reconciliation is separate (#256). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Jun 25, 2026
Wires SonarCloud (SonarQube Cloud) CI analysis for boj-server. - `.github/workflows/build.yml` — the SonarCloud setup-wizard workflow (SHA-pinned `actions/checkout` + `SonarSource/sonarqube-scan-action@v8.1.0`), runs on push to `main` and PRs. Added a top-level `permissions: contents: read` for Scorecard. - `sonar-project.properties` — org `hyperpolymath`, key `hyperpolymath_boj-server`, with `sonar.exclusions` so only the analysable JS bridge + scripts are scanned (Idris2/Zig/Elixir have no SonarCloud analyser; vendored/generated/build/proof/dep trees excluded). **Prereqs (done/needed):** `SONAR_TOKEN` repo secret (added ✓); the project imported on SonarCloud with **CI-based** analysis selected (disable Automatic Analysis, or SonarCloud errors that both are running). The quality-gate badge is added to the README in #256. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 221 issues detected
View findings[
{
"reason": "Action actions/checkout@v4 needs attention",
"type": "unpinned_action",
"file": "pages-deploy.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in pages-deploy.yml",
"type": "missing_timeout_minutes",
"file": "pages-deploy.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in push-email-notify.yml",
"type": "missing_timeout_minutes",
"file": "push-email-notify.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "missing_timeout_minutes",
"file": "scorecard-enforcer.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in codeql.yml",
"type": "codeql_missing_actions_language",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
… conflict
main converged on a Markdown-only README (deleted README.adoc, rewrote
README.md — the Glama-crawler-driven clean-Markdown direction); the PR branch
had independently kept README.adoc and rewritten README.md.
Resolution:
- README.adoc: accept main's deletion (Markdown-only is the intended end state).
- README.md: take main's newer/fuller rewrite as the canonical body, with two fixes:
* malformed licence badge URL `MPL_2.0--3.0--or--later` -> `MPL_2.0`
(no such licence; `-or-later` is estate-banned).
* header SPDX CC-BY-SA-4.0 -> MPL-2.0 (owner decision) to satisfy this repo's
pre-commit hook (still strict MPL-2.0) and match the PR's "MPL-2.0 licensing"
purpose. NB: the estate docs=CC-BY-SA split is not yet rolled into boj's hook.
OPEN (pending owner notes): main's README.md says "115 cartridges" / no 0.4.7,
vs the PR's reconciled 125 / 68 / 0.4.7. Left as main's values — owner to settle.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 222 issues detected
View findings[
{
"reason": "Action actions/checkout@v4 needs attention",
"type": "unpinned_action",
"file": "pages-deploy.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in build.yml",
"type": "missing_timeout_minutes",
"file": "build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in pages-deploy.yml",
"type": "missing_timeout_minutes",
"file": "pages-deploy.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in push-email-notify.yml",
"type": "missing_timeout_minutes",
"file": "push-email-notify.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "missing_timeout_minutes",
"file": "scorecard-enforcer.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in codeql.yml",
"type": "codeql_missing_actions_language",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
|
🏁 path-claims benchCommit NumbersHost-dependent — compare deltas across commits, not absolute values. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three independent fixes — split for review — that lift BoJ's Glama grades and repair a real proof break that was sitting in
main.1.
fix(abi)— duplicateallTakeproof (daf8129a)src/abi/Boj/SafetyLemmas.idrdefinedallTaketwice (a merge artifact; both clauses prove the identical proposition, differing only in implicit-arg order), so the coreboj.ipkgfailed to type-check. Removed the redundant copy. Proof gate:PASS=104 FAIL=1→PASS=105 FAIL=0; trusted base unchanged (5 sanctioned class-(J) axioms).2.
chore(license,packaging)— MPL-2.0, Markdown README, npm hygiene (04cdf2fa)MPL-2.0inpackage.json(the published0.4.7is already MPL; the working-treeAGPL-3.0-or-laterwas a regression) and switch 6 sub-manifests AGPL→MPL (elixir/mix.exs,coord-tui/trayCargo.toml, threetools/*packages).cartridges/idaptik-admin-mcpintentionally left AGPL.README.mdas real GitHub-Flavored Markdown — it was AsciiDoc markup in a.mdfile, which renders garbled on GitHub/npm/Glama.fileswhitelist (npm tarball ~10.5 MB → ~0.9 MB); fix themain.jsshebang (deno run→node) sonpxruns; add.gitattributeslinguist overrides so the repo stops being detected as "Zig".3.
docs(metadata)— reconcile counts to one source of truth (14a43ee6)125 cartridges (=
cartridge.jsoncount = liveboj_menu), 68 tools (45boj_*+ 23coord_*), v0.4.7. Completed the smitherytools:table 18 → 68 (generated from the livetools/list); replaced the inflated "1041 Tools" with the honest 68; synced versions. Dated2026-04-30measurement snapshots, ADRs, and code line-counts were left untouched on purpose.Verification
scripts/check-trusted-base.sh✓ (5 axioms) ·idris2 --check Boj/SafetyLemmas.idr✓scripts/typecheck-proofs.sh→PASS=105 FAIL=0boot_smoke✓ on node/bun/deno (68 tools)Notes
MPL-2.0to satisfy the repo's current single-licence pre-commit hook. Moving prose to CC-BY-SA-4.0 needs a hook +.reuse/dep5change (tracked as a follow-up).elixir/boj-rest.serviceworking-tree change was deliberately excluded from these commits.🤖 Generated with Claude Code