From a9eeac4a5aba22dca5e14caaebdac11ffc2204c4 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Wed, 27 May 2026 12:11:27 +0100
Subject: [PATCH] feat(proof-debt): add .trusted-base-ignore for scanner fixtures + worktree shadows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

standards#223 merged 2026-05-27 09:16Z, adding path-fragment exemption support to check-trusted-base.sh. Since governance-reusable.yml fetches scripts from standards/main at run-time (ref: main), this PR is sufficient to make the script honour the exemptions on the next CI run — no governance.yml SHA-pin bump needed.

Exemptions in this PR:

- test/soundness/fixtures/ — 5 scanner test fixtures (admitted.v, sorry.lean, agda_postulate.agda, believe_me.idr, unsafe_coerce.hs) that exist solely to verify the detector fires.
- .claude/worktrees/ — local agent worktree shadows that duplicate the canonical tree while feature branches are checked out side-by-side (cf. hypatia#343 §(d) refresh noting 10 such shadowed copies).

The 5 inline TRUSTED: comments added by #352 and the 5/10 §(d) enumeration entries added by #343 become redundant after this PR lands but are kept for the moment to avoid stomping on those in-flight PRs. A follow-up cleanup PR can remove them once #352 and #343 settle.

Closes hypatia#354.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .trusted-base-ignore | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .trusted-base-ignore

diff --git a/.trusted-base-ignore b/.trusted-base-ignore
new file mode 100644
index 00000000..b0bfbffc
--- /dev/null
+++ b/.trusted-base-ignore
@@ -0,0 +1,27 @@ +# SPDX-License-Identifier: MPL-2.0 +# +# .trusted-base-ignore — path-fragment exemptions for check-trusted-base.sh. +# +# Format (matches .hypatia-ignore): +# - Lines starting with `#` are comments. +# - Each non-comment, non-blank line is a path-fragment substring that +# exempts every escape-hatch marker whose file path contains the fragment. +# +# Prefer this over inline TRUSTED: comments only for whole-path/whole-directory +# exemptions with a documented org-policy rationale. Per-site TRUSTED:/AXIOM: +# comments remain the right tool for one-off documented escapes. +# +# See: standards/docs/TRUSTED-BASE-REDUCTION-POLICY.adoc (standards#223 added +# this exemption mechanism). + +# ─── Scanner test fixtures ────────────────────────────────────────────── +# Files under test/soundness/fixtures/code_safety/ exist *to be detected* +# by Hypatia's own scanner — they are deliberate inputs to verify the +# detector fires. Not real soundness debt. +test/soundness/fixtures/ + +# ─── Local agent worktree shadows ─────────────────────────────────────── +# `.claude/worktrees/` holds locally-checked-out copies of feature +# branches; their contents shadow the canonical tree and cause +# double-counting in self-scans. Not part of the committed source. +.claude/worktrees/
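Review bot: The `test/soundness/fixtures/` fragment is wider than the rationale written directly above it, which only describes `test/soundness/fixtures/code_safety/`; since the header states that a fragment exempts every escape-hatch marker whose path merely contains it, anything later placed anywhere under `test/soundness/fixtures/` (including a file a real proof could import) would silently stop counting as soundness debt. Either narrow the fragment to `test/soundness/fixtures/code_safety/` or reword the comment to say the whole fixtures tree is intentionally exempt. Likewise, the `.claude/worktrees/` entry is described as "Not part of the committed source"; if so, that directory should also be listed in `.gitignore`, so the exemption only has to cover local self-scans and a worktree copy accidentally committed does not inherit a blanket exemption.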