docs: krl AFFIRMATION (real gate run) + scoped Must/Intend/Wish table #36
Merged
KRL is QuandleDB's canonical resolution DSL: a database-facing language
whose domain is knot/tangle identity, equivalence, transformation, and
disambiguation. Database-facing but not merely a query language; the two
anti-framings ('a database language' = SQL-for-knots; 'surface DSL over
Tangle' = QuandleDB incidental) are called out explicitly.
Architecture position now enumerates 5 roles, each with the question it
answers: KRL (resolution DSL) -> TangleIR (lowered IR) -> Tangle (compute
substrate) -> QuandleDB (persistence + invariant/equivalence DB) +
Skein.jl (backend library).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017TXizM5c1Yd9HWf7Y15YH2
… ADR

- README 'four KRL operations': add the four-verb glosses (construct/transform/resolve/retrieve) and a Retrieve clause stating Retrieve recovers resolution-relevant artefacts (presentations, invariants, witnesses, equivalence classes, prior resolutions, explanations, provenance) and is NOT arbitrary database querying; generic access is an engine-layer affordance.
- docs/decisions/0002-query-language-deferred.adoc: ADR recording that querying stays a mode of KRL; a sibling query language is deferred (not rejected) behind an explicit trigger list, and if built will be a KRL-family projection/reporting dialect over TangleIR, not a rival paradigm.
- CITATION.cff: authorship/citation metadata (anti-commoditisation provenance).
- ROADMAP: fix placeholder title; point Future Directions at the ADR.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017TXizM5c1Yd9HWf7Y15YH2
AFFIRMATION.adoc - No-Bullshit proof-trust attestation for krl at d8b9768, from gate bodies run THIS session as raw bash (just absent): MUST + licence/secrets TRUST pass; verify-template + validate-rsr + container-pinning FAIL loudly (half-instantiated rsr-template - Justfile name, {project-name} in EXPLAINME, ~8 placeholder files, missing ANCHOR.a2ml + src/interface/abi); PROOF-STATUS 0/7. Real content: spec/grammar.ebnf + src/{core,definitions,errors,bridges}. Toolchain + signature limits disclosed; owner signs on commit.

docs/identity-fabric/musts-intends-wishes.adoc - krl's own Must/Intend/Wish + marked QuandleDB crossover + cross-repo wiring (2026-06-19 estate rule).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017TXizM5c1Yd9HWf7Y15YH2
🔍 Hypatia Security Scan
Findings: 38 issues detected
[
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in scorecard.yml",
"type": "scorecard_wrapper_missing_job_permissions",
"file": "scorecard.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/krl/krl/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 24,
"reason": "Secret found: Generic API key",
"type": "secret_detected",
"file": "/home/runner/work/krl/krl/.envrc",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in krl: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/krl/krl",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in krl",
"type": "DependencyPinning",
"file": "/home/runner/work/krl/krl",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
"scorecard_check": "Pinned-Dependencies"
},
{
"reason": "Repository has 3 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 7 day(s) old",
"type": "CSA001",
"file": "spec/grammar-overview.md",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 7 day(s) old",
"type": "CSA001",
"file": "docs/practice/AI-CONVENTIONS.adoc",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
What
Establishes the 2026-06-19 estate rule for krl: a per-repo AFFIRMATION.adoc + a scoped Must/Intend/Wish table.

- AFFIRMATION.adoc — the No-Bullshit proof-trust attestation, written from gates actually run this session at commit d8b9768. Honest results: MUST + licence/secrets TRUST gates PASS; verify-template, validate-rsr, and container-pinning FAIL loudly (half-instantiated from rsr-template-repo — Justfile name, {project-name} in EXPLAINME, ~8 placeholder files, missing ANCHOR.a2ml + src/interface/abi); PROOF-STATUS reports 0/7 obligations. Real content acknowledged: spec/grammar.ebnf + src/{core,definitions,errors,bridges,…}.
- docs/identity-fabric/musts-intends-wishes.adoc — krl's own scope + the QuandleDB side as a marked crossover block + cross-repo wiring.

Honest caveats (in the file, surfaced here)

- just is not installed in this session, so the gate recipe bodies were run directly as bash, not via just. The authoritative run is the maintainer's just-driven one.
- d8b9768 (the commit the gates ran against) and is not GPG-signed by the AI party — the owner signs on commit.

Note
This branch also carries the pre-existing unmerged commit d8b9768 ("sharpen four-op glosses, add Retrieve clause + QL-deferral ADR") — included here because it sits on this branch; split it out if you'd rather land it separately.

Scope
Docs only. No spec/src/proof changes.
🤖 Generated with Claude Code
https://claude.ai/code/session_017TXizM5c1Yd9HWf7Y15YH2
Generated by Claude Code