feat(rsr): standards RSR compliance pass — Bronze (58% → 86%)#390
Merged
Conversation
hyperpolymath
pushed a commit
that referenced
this pull request
Jun 18, 2026
Editing rhodium-standard-repositories/rsr-audit.sh changed that spec home's content-addressed source_hash; regenerated REGISTRY.a2ml via the sanctioned generator (bash scripts/build-registry.sh) to clear the "Registry + topology in sync" drift on PR #390. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
🔍 Hypatia Security ScanFindings: 148 issues detected
View findings[
{
"reason": "Issue in scorecard.yml",
"type": "missing_workflow",
"file": "scorecard.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Required file missing (condition: public_repo)",
"type": "missing_requirement",
"file": ".github/workflows/scorecard.yml",
"action": "create",
"rule_module": "cicd_rules",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/scripts/check-ts-allowlist.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
"type": "agda_postulate",
"file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/avow-protocol/public/demo.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
"type": "js_wildcard_cors",
"file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "HTTP URL in Nickel config -- must use HTTPS (1 occurrences, CWE-319)",
"type": "ncl_http_url",
"file": "/home/runner/work/standards/standards/k9-svc/register.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
hyperpolymath
pushed a commit
that referenced
this pull request
Jun 18, 2026
Editing rhodium-standard-repositories/rsr-audit.sh changed that spec home's content-addressed source_hash; regenerated REGISTRY.a2ml via the sanctioned generator (bash scripts/build-registry.sh) to clear the "Registry + topology in sync" drift on PR #390. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
hyperpolymath
force-pushed
the
claude/hopeful-babbage-pn0l4o
branch
from
a377b29 to
29cf386
Compare
🔍 Hypatia Security ScanFindings: 148 issues detected
View findings[
{
"reason": "Issue in scorecard.yml",
"type": "missing_workflow",
"file": "scorecard.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Required file missing (condition: public_repo)",
"type": "missing_requirement",
"file": ".github/workflows/scorecard.yml",
"action": "create",
"rule_module": "cicd_rules",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/scripts/check-ts-allowlist.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
"type": "agda_postulate",
"file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/avow-protocol/public/demo.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
"type": "js_wildcard_cors",
"file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "HTTP URL in Nickel config -- must use HTTPS (1 occurrences, CWE-319)",
"type": "ncl_http_url",
"file": "/home/runner/work/standards/standards/k9-svc/register.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
🔍 Hypatia Security ScanFindings: 148 issues detected
View findings[
{
"reason": "Issue in scorecard.yml",
"type": "missing_workflow",
"file": "scorecard.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Required file missing (condition: public_repo)",
"type": "missing_requirement",
"file": ".github/workflows/scorecard.yml",
"action": "create",
"rule_module": "cicd_rules",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/scripts/check-ts-allowlist.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
"type": "agda_postulate",
"file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/avow-protocol/public/demo.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
"type": "js_wildcard_cors",
"file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "HTTP URL in Nickel config -- must use HTTPS (1 occurrences, CWE-319)",
"type": "ncl_http_url",
"file": "/home/runner/work/standards/standards/k9-svc/register.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
hyperpolymath
pushed a commit
that referenced
this pull request
Jun 18, 2026
The merge of main into the PR branch changed a spec-home content hash; regenerated REGISTRY.a2ml via the sanctioned generator to clear the "Registry + topology in sync" check on #390. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
🔍 Hypatia Security ScanFindings: 148 issues detected
View findings[
{
"reason": "Issue in scorecard.yml",
"type": "missing_workflow",
"file": "scorecard.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Required file missing (condition: public_repo)",
"type": "missing_requirement",
"file": ".github/workflows/scorecard.yml",
"action": "create",
"rule_module": "cicd_rules",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/scripts/check-ts-allowlist.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
"type": "agda_postulate",
"file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/avow-protocol/public/demo.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
"type": "js_wildcard_cors",
"file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "HTTP URL in Nickel config -- must use HTTPS (1 occurrences, CWE-319)",
"type": "ncl_http_url",
"file": "/home/runner/work/standards/standards/k9-svc/register.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
hyperpolymath
force-pushed
the
claude/hopeful-babbage-pn0l4o
branch
from
fad601b to
388f3fe
Compare
🔍 Hypatia Security ScanFindings: 148 issues detected
View findings[
{
"reason": "Issue in scorecard.yml",
"type": "missing_workflow",
"file": "scorecard.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Required file missing (condition: public_repo)",
"type": "missing_requirement",
"file": ".github/workflows/scorecard.yml",
"action": "create",
"rule_module": "cicd_rules",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/scripts/check-ts-allowlist.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
"type": "agda_postulate",
"file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/avow-protocol/public/demo.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
"type": "js_wildcard_cors",
"file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "HTTP URL in Nickel config -- must use HTTPS (1 occurrences, CWE-319)",
"type": "ncl_http_url",
"file": "/home/runner/work/standards/standards/k9-svc/register.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The standards RSR compliance pass — continuation of the standards end-to-end (the Idris ABI fix landed separately in #389). Takes the standards self-audit from 58.46% → 85.92% (🥉 BRONZE).
1. Real gaps (additive) —
feat(rsr).well-known/security.txt(RFC 9116: Contact/Expires/Preferred-Languages → GitHub Security Advisory + SECURITY.md).well-known/ai.txt(AI usage/training policy; summary of the estate bot-exclusion registry +0-ai-gatekeeper-protocol).well-known/humans.txt(humanstxt.org attribution)validaterecipe (registry-check hard-dep + RSR self-audit)2. Audit-script de-brittle —
fix(rsr-audit)rsr-audit.shwas mis-calibrated for this GitHub/.adocestate, failing repos on deliberate, policy-correct choices. De-brittled format/case only in the two core helpers + the CI check — licence content checks untouched:.adocdocs (estate docs policy mandates AsciiDoc),Justfilecase, bareLICENSE.github/workflows/*.y*ml) as first-class (not just GitLab CI / a hardcodedci.yml) — the estate runs on GitHub; the RSR satelliteCLAUDE.mditself notes the old GitLab guidance is superseded.Improves scoring for all 10 estate repos, not just standards.
🔒 Flagged for owner (NOT changed — licence guardrail)
rsr-audit.shhardcodesMIT AND Palimpsestas the required LICENSE content (≈ lines 194/424/430), which contradicts the estate's MPL-2.0-for-sole-owner policy. Updating what licence the standard mandates is an owner decision — left as-is.Residual (honest)
3 checks still fail, all content-pattern brittleness for content the estate phrases differently: SECURITY "24 hours" literal (standards has a Response Timeline section), the exact TPCF perimeter strings, and "fork workflow" (standards uses the TPCF perimeter model, not a fork workflow). BRONZE (≥75%) is achieved; these can be de-brittled in a follow-up.
🤖 Generated with Claude Code
https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
Generated by Claude Code