Base camp: RSR Mustfile + green CI (ReScript→AffineScript, CodeQL matrix) #26
Merged
Adds the root Mustfile required by REQUIRED-FILES.adoc (was missing across the -iser family). Declares the mandatory checks, each mapping to an existing Justfile recipe (just lint / test / fmt). Part of the base-camp RSR compliance sweep. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ
…moval) Replaces the banned ReScript example with the canonical estate-wide AffineScript port (gitbot-fleet#208 sweep; identical to otpiser). Clears the `governance / Language / package anti-pattern policy` gate (cicd_rules/banned_language_file), which hard-fails on any tracked *.res. Documented resolution per the k9iser HANDOFF (port → AffineScript). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ
…escribed) The repo has no JS/TS source, so `analyze (javascript-typescript, none)` failed on every run with "no source files". Switch the CodeQL matrix to `actions` (scans the GitHub Actions workflows every repo has), per Hypatia's `switch_codeql_matrix_to_actions` recommendation. build-mode none is correct for the actions language. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
🔍 Hypatia Security Scan
Findings: 56 issues detected
View findings
[
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in instant-sync.yml",
"type": "missing_timeout_minutes",
"file": "instant-sync.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
…sor badge) Keeps the maintained CHANGELOG.adoc, removes the stale v0.1.0 CHANGELOG.md stub (verisimiser reversed — its .md is the richer/canonical one). Removes the duplicate README.md, porting its sponsor badge into README.adoc so the rendered GitHub page keeps it. RSR: no duplicate doc formats. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ
hyperpolymath added a commit that referenced this pull request Jun 18, 2026
…/Chapel + honest status (#27)

Follow-on to base camp (#26, merged). Goal of this slice: move chapeliser from "asserted in prose" to **machine-verified**, and make the docs honest about what is and isn't checked today.

## Provable-real — `.github/workflows/provable.yml`

The Rust CLI/codegen is already green (63 tests via `rust-ci.yml`). This adds a new workflow that verifies everything *outside* Rust:

| Job | What it proves |
|---|---|
| `idris2-proofs` | `idris2 --check` type-checks `Types.idr`, `Layout.idr`, `Foreign.idr` (the dependent-type ABI proofs) |
| `zig-ffi` | `zig build test` compiles + runs the Zig FFI reference impl (Zig 0.14) |
| `codegen-drift` | regenerates the golden sample and `diff`s against the committed tree (fails on drift) |
| `chapel-golden` | compiles **and runs** the generated Chapel via real `chpl`, asserting 8/8 items conserved |

## Golden sample — `examples/golden/`

A minimal end-to-end fixture that closes the `STATE.a2ml` action *"generate + compile + run"*:

- `echo.toml` — deliberately `per-item`/`merge` so the generated Chapel pulls in **no** optional modules (no BlockDist/DynamicIters/AtomicObjects) → small, stable compile surface.
- `generated/` — committed codegen output (reviewable + drift-checked).
- `ffi_stub.c` — ~60-line C echo implementation of the 12 `c_*` functions so the Chapel can be linked and run without user code.

## Honest status — stop claiming what isn't checked yet

- **`ROADMAP.adoc`**: Phase 1 `(COMPLETE)` → `(IMPLEMENTED — verification gated in CI)`; new **Phase 1b** tracks the four CI jobs (each flips `[x]` only when green); dropped "compilable" from the bare codegen bullet.
- **Test-count fix**: the old `15 tests (6 unit + 8 integration + 1 doc)` was wrong — actual is **63 (22 + 40 + 1)**.
- **`README.adoc`**: Idris2 *"Formal proofs that…"* → *"proof obligations, machine-checked in CI"*; corrected source paths (`src/interface/abi`, `src/interface/ffi`); honest pre-alpha Status paragraph.
- **`STATE.a2ml`**: blockers / next-actions / maintenance now reflect CI-gated verification (`last-result = warn` until `provable.yml` is green).

## Why CI is the verifier (not local)

The idris2 / zig / chpl toolchains aren't installable in the dev sandbox (`ziglang.org` and the GitHub releases API are network-blocked here; building idris2 from source is sandbox-restricted). So GitHub runners are the verifier. **Until `provable.yml` is green, these artifacts are "written", not "verified"** — and the docs now say exactly that.

Kept as a **draft** for that reason: driving the four jobs to green is the acceptance gate, and a first run may surface real fixes (e.g. Idris2 `DecEq` totality, Chapel `Time`/reduce API specifics) — that iteration *is* the "make it real" work.

**Follow-up (not blocking):** pin action/image refs (`actions/checkout`, `mlugg/setup-zig`, `chapel/chapel`, `idris2-pack`) to SHAs per estate policy once the tags are confirmed working.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ

---

_Generated by [Claude Code](https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ)_

---------

Co-authored-by: Claude <noreply@anthropic.com>
Part of the estate-wide base camp sweep across the -iser family (coordination atlas + generator fix in iseriser#60).
Brings this repo to the RSR baseline and gets CI green:
- `Mustfile` (root) — RSR-mandatory checks contract (was missing family-wide); maps to existing `just lint/test/fmt`.
- `examples/SafeDOMExample.res` → `.affine` — banned ReScript replaced with the canonical estate AffineScript port (matches otpiser); clears `governance / Language / package anti-pattern policy`.
- `javascript-typescript` → `actions` — analyze job failed every run (no JS/TS source); switched per Hypatia `switch_codeql_matrix_to_actions`.

Canary iseriser#60 verified all-green after these changes.

Flag-only (not changed): PMPL/Palimpsest licence drift (owner-only per standards); Hypatia `missing_timeout_minutes` workflow flags (estate-managed).

🤖 Generated with Claude Code
https://claude.ai/code/session_01Mbq6yKF9RhFai6EQ7WqKhQ
Generated by Claude Code
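
An added example, not this repository's `codeql.yml` (which the page does not show): the CodeQL matrix change described above, with the failing `javascript-typescript` entry kept as a comment beside the `actions` entry, plus a job-level `timeout-minutes` of the kind the `missing_timeout_minutes` flags refer to. The branch name, the timeout value and the action version tags are assumptions.

```yaml
# Added example; not the project's own workflow file.
# Assumptions: branch "main", the 30-minute timeout, and the @v4/@v3 tags.
# The page's stated estate policy is to pin action refs to commit SHAs;
# tags are used here only because the page gives no SHAs.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  analyze:
    name: analyze (${{ matrix.language }}, ${{ matrix.build-mode }})
    runs-on: ubuntu-latest
    # Bounds a hung analysis; without it the job falls back to the
    # GitHub-hosted default limit of 360 minutes.
    timeout-minutes: 30
    permissions:
      contents: read
      security-events: write   # required to upload code scanning results
    strategy:
      fail-fast: false
      matrix:
        include:
          # Before: the repo has no JS/TS source, so this entry failed
          # on every run with "no source files".
          # - language: javascript-typescript
          #   build-mode: none
          # After: analyze the GitHub Actions workflows themselves.
          - language: actions
            build-mode: none
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```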