Every automated action gates on a confidence threshold supplied by the upstream Hypatia scanner. The tier decides whether the fix is applied silently, opens a PR, or files an issue for human review.
- Eliminate (auto_execute >= 0.95) → Direct fix, no review
- Substitute (review >= 0.85) → Proven-module replacement, needs review
- Control (report < 0.85) → Human review required
| Tier | Confidence | What happens |
|---|---|---|
| Eliminate | >= 0.95 | fix-*.sh runs in-place, commits with a deterministic message, no PR. |
| Substitute | >= 0.85 | Module-level replacement (e.g. swap unsafe.deref for proven::checked); PR opened with the needs-review label. |
| Control | < 0.85 | No code change. Issue filed via process-review-findings.sh. |
The Hypatia rule corpus is calibrated such that:

- Rules scored >= 0.95 carry estate-wide observational evidence that the finding is a true positive (e.g. missing SPDX header, tracked package-lock.json).
- Rules scored >= 0.85 have substitution-equivalent fixes whose semantics are settled but whose application context wants a human glance.
- Anything < 0.85 is by definition out of scope for automation; the remediation requires judgment.
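As an added illustration of the gating the table describes (not the project's own code; the function and rule names are hypothetical), a dispatcher that maps a finding's confidence to its tier and fails closed, so a missing, non-numeric or out-of-range confidence can never trigger a silent fix:

```python
"""Tier dispatcher for Hypatia findings (added example, hypothetical code).

Maps a finding's confidence to the Eliminate / Substitute / Control tier
and fails closed: anything that is not a valid probability in [0, 1]
is routed to Control (human review).
"""
import json
import math

AUTO_EXECUTE = 0.95   # Eliminate: direct fix, no review
REVIEW = 0.85         # Substitute: proven-module replacement, PR with needs-review

def tier_for(confidence) -> str:
    """Return 'eliminate', 'substitute' or 'control' for a confidence value."""
    # bool is a subclass of int; reject it explicitly so True is not read as 1.0
    if isinstance(confidence, bool) or not isinstance(confidence, (int, float)):
        return "control"
    if math.isnan(confidence) or not 0.0 <= confidence <= 1.0:
        return "control"
    if confidence >= AUTO_EXECUTE:
        return "eliminate"
    if confidence >= REVIEW:
        return "substitute"
    return "control"

# What each tier does, per the table above.
ACTIONS = {
    "eliminate": "run scripts/fix-*.sh in-place, commit with deterministic message, no PR",
    "substitute": "apply module-level replacement, open PR with needs-review label",
    "control": "no code change, file issue via process-review-findings.sh",
}

def dispatch(finding: dict) -> dict:
    """Decide the action for one scanner finding ({'rule': ..., 'confidence': ...})."""
    tier = tier_for(finding.get("confidence"))
    return {"rule": finding.get("rule"), "tier": tier, "action": ACTIONS[tier]}

# Constructed sample findings: both thresholds exactly, a low score, and two
# malformed records (string-typed and out-of-range confidence).
SAMPLE_FINDINGS = json.loads("""[
  {"rule": "spdx-header", "confidence": 0.97},
  {"rule": "tracked-lockfile", "confidence": 0.95},
  {"rule": "unsafe-deref", "confidence": 0.85},
  {"rule": "weak-hash", "confidence": 0.60},
  {"rule": "bad-record", "confidence": "0.99"},
  {"rule": "overflow", "confidence": 1.7}
]""")

if __name__ == "__main__":
    for decision in map(dispatch, SAMPLE_FINDINGS):
        print(decision)
```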
- Fix scripts in scripts/fix-*.sh: the eliminate-tier executors.
- docs/ARCHITECTURE.md: the full pipeline.