feat(rsr): capability-gated template-applicability policy (presets + gates) #391
Merged
…gates)

Replaces "every repo looks like the full template" with a rule + a test for which rsr-template-repo modules a repo should carry.

Problem: scripts/check-root-shape.sh + .machine_readable/root-allow.txt encode the maximal template as one canonical shape for all repos — so a small Rust CLI is told abi.ipkg, verification/, container/, affinescript/ are "canonical" even with no ABI seam, no in-tree proofs, no container, no AffineScript. That empty scaffolding is vestigial cruft.

Model (hybrid presets + gates):
- Universal baseline (identity, community-health, machine-readable state, the licence invariant) — always carried.
- Every other module is tagged with the capability it serves; a repo carries it iff it declares that capability.
- Presets (rust-cli, rust-ffi-lib, rust-service, formal-proof-lib, docs-site, affinescript-app) are named capability bundles; a profile adds/removes on top.

The test: carries(M) ⟺ M ∈ baseline ∨ gate(M) ⊆ profile.capabilities.
VESTIGIAL = present without the gating capability (remove or declare it).
MISSING = capability declared but module absent (add it).

Crucial distinction: CONSUMING a prover (e.g. shelling out to Agda) is NOT the `formal-proofs` capability — only CONTAINING in-tree proofs is.

Deliverables:
- TEMPLATE-APPLICABILITY-POLICY.adoc — the human policy (taxonomy, gate table, presets, the test, the per-repo profile, how it evolves root-allow.txt).
- .machine_readable/template-capability-gates.toml — machine-readable source of truth (capabilities, baseline, gates, presets).
- scripts/check-rsr-profile.sh — reference checker: reads a repo's rsr-profile.a2ml, resolves effective capabilities, reports VESTIGIAL/MISSING.

Validated against arghda-core (preset rust-cli): clean; planting a stray abi.ipkg + container/ is correctly flagged VESTIGIAL.

Naming note: the file is rsr-profile.a2ml (PROFILE.a2ml already means an A2ML schema profile in k9-svc).

DRAFT first pass. Follow-up: fold effective-allowlist into check-root-shape.sh; confirm the governance-tier boundary.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019GiSiEfgZCte35dyykgBHs
🔍 Hypatia Security Scan

Findings: 148 issues detected

```json
[
  {
    "reason": "Issue in scorecard.yml",
    "type": "missing_workflow",
    "file": "scorecard.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Required file missing (condition: public_repo)",
    "type": "missing_requirement",
    "file": ".github/workflows/scorecard.yml",
    "action": "create",
    "rule_module": "cicd_rules",
    "severity": "high"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/scripts/check-ts-allowlist.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
    "type": "agda_postulate",
    "file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/standards/standards/avow-protocol/public/demo.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
    "type": "js_wildcard_cors",
    "file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "HTTP URL in Nickel config -- must use HTTPS (1 occurrences, CWE-319)",
    "type": "ncl_http_url",
    "file": "/home/runner/work/standards/standards/k9-svc/register.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
hyperpolymath added a commit to hyperpolymath/arghda-core that referenced this pull request, Jun 20, 2026
…-cli) (#11)

## Summary

The **worked example** for the estate template-applicability policy (companion to `hyperpolymath/standards#391`).

Adds `.machine_readable/rsr-profile.a2ml` declaring arghda-core's capabilities — `preset = rust-cli` (rust, cli, library) — with a `[rationale]` block recording why it declines the maximal template's gated modules:

- **no `abi`/`ffi`** — language-agnostic engine, no C-ABI seam / Idris2 ABI proofs;
- **no `formal-proofs`** — it *consumes* Agda (shells out to `agda`/`agda-unused`) but contains **no in-tree proofs**;
- **no `container`/`reproducible-build`/`affinescript`/`governance-tier`**.

This turns arghda-core's already-lean shape from a judgement call into a rule: the reference checker (`standards/scripts/check-rsr-profile.sh`) reports **OK** against this profile, and flags a planted `abi.ipkg` / `container/` as **VESTIGIAL**.

## Verification

- `bash scripts/check-spdx.sh` ✓ (new `.a2ml` carries `MPL-2.0`).
- `check-rsr-profile.sh /path/to/arghda-core` → OK (effective caps: rust, cli, library).
- `STATE.a2ml` updated to point at `standards#391`; wiring the profile check into arghda CI is a follow-up once that policy lands.

Depends on: hyperpolymath/standards#391 (defines the preset + gate model this profile references).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

https://claude.ai/code/session_019GiSiEfgZCte35dyykgBHs

---

_Generated by [Claude Code](https://claude.ai/code/session_019GiSiEfgZCte35dyykgBHs)_
hyperpolymath added a commit that referenced this pull request, Jun 20, 2026
## Summary

Refines the just-merged template-applicability model (#391) to the **pure capability-gating** shape: a profile declares `capabilities = [...]` directly as the primary form, and `preset` becomes **optional sugar** (a named bundle expanded from the gate data). This matches the chosen "capability-gated profile" approach while keeping presets available for ergonomics.

Precedence: `capabilities`, `preset`, and `add` all union; `remove` subtracts; at least one of `capabilities` / `preset` is required.

## Changes

- **`scripts/check-rsr-profile.sh`** — accept a direct `capabilities` list; `preset` is now optional (error only if a profile declares neither).
- **`TEMPLATE-APPLICABILITY-POLICY.adoc`** — capability declaration is *the model*; presets are *optional shorthand* (updated Model, profile example, and Presets section).
- **`.machine_readable/template-capability-gates.toml`** — note presets are optional.

## Verification

- Direct-capabilities profile (no preset) → **OK**.
- Preset profile (arghda-core `rust-cli`) → still **OK**.
- A planted `abi.ipkg` under the direct form → still flagged **VESTIGIAL**.
- A profile declaring neither `capabilities` nor `preset` → clean error (exit 2).

Note: arghda-core's existing `rsr-profile.a2ml` (which uses `preset = "rust-cli"`) remains valid — preset is now demonstrated as the optional form, so no change is needed there.

Follow-up to #391 (per the agreed pure-gating-primary direction).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

https://claude.ai/code/session_019GiSiEfgZCte35dyykgBHs

---

_Generated by [Claude Code](https://claude.ai/code/session_019GiSiEfgZCte35dyykgBHs)_

Co-authored-by: Claude <noreply@anthropic.com>
Summary

Formalises which parts of `rsr-template-repo` a repo should carry, replacing "every repo looks like the full template" with a capability-gated rule + a test. Addresses the over-scaffolding that `check-root-shape.sh` + `root-allow.txt` currently bake in (they list `abi.ipkg`, `verification/`, `container/`, `affinescript/` as canonical for every repo).

Model — hybrid presets + gates

Presets (`rust-cli`, `rust-ffi-lib`, `rust-service`, `formal-proof-lib`, `docs-site`, `affinescript-app`) are named capability bundles a profile adopts, then adjusts with `add`/`remove`.

The test: `carries(M) ⟺ M ∈ baseline ∨ gate(M) ⊆ profile.capabilities`.

Key distinction baked in: consuming a prover (e.g. shelling out to Agda) is not the `formal-proofs` capability — only containing in-tree proofs is. That's precisely why a tool like arghda-core shouldn't carry `verification/proofs/`.

Files

- `TEMPLATE-APPLICABILITY-POLICY.adoc` — the human policy (taxonomy, gate table, presets, the test, the per-repo profile, how it evolves `root-allow.txt`).
- `.machine_readable/template-capability-gates.toml` — machine-readable source of truth.
- `scripts/check-rsr-profile.sh` — reference checker (reads a repo's `rsr-profile.a2ml`, resolves effective capabilities, reports VESTIGIAL/MISSING).

Validation

Ran the checker against arghda-core (`preset = rust-cli`): OK. Planting a stray `abi.ipkg` + `container/` is correctly flagged VESTIGIAL (exit 1). arghda-core's companion `rsr-profile.a2ml` is a separate PR on `hyperpolymath/arghda-core`.

Status

DRAFT, first pass per the agreed scope. Follow-ups: fold `effective-allowlist(repo)` into `check-root-shape.sh`/`validate-template.sh`; confirm the `governance-tier` boundary (which repos must carry the full AUDIT/AFFIRMATION/GOVERNANCE/MAINTAINERS trio); enumerate remaining maximal-template modules into the gate table.

🤖 Generated with Claude Code
https://claude.ai/code/session_019GiSiEfgZCte35dyykgBHs
Generated by Claude Code
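
The `carries(M)` test and the precedence rule from the follow-up commit (`capabilities`, `preset` and `add` union; `remove` subtracts), as an added Python example that is not the project's `check-rsr-profile.sh`. Only the `rust-cli` preset contents (rust, cli, library) come from the page; the baseline entries, the gate table and the `Cargo.toml` gate are constructed sample data.

```python
"""Added sketch of the capability-gated applicability test (not the project's checker).

Only the rust-cli preset contents come from the page; BASELINE, GATES and the
Cargo.toml entry are constructed sample data standing in for
template-capability-gates.toml.
"""
BASELINE = {"README.adoc", "LICENSE", ".machine_readable/"}  # constructed
GATES = {  # module -> capabilities it requires (assumed mapping)
    "abi.ipkg": {"abi", "ffi"},
    "verification/": {"formal-proofs"},
    "container/": {"container"},
    "affinescript/": {"affinescript"},
    "Cargo.toml": {"rust"},
}
PRESETS = {"rust-cli": {"rust", "cli", "library"}}


class ProfileError(ValueError):
    """Neither `capabilities` nor `preset` declared (the page's checker exits 2)."""


def effective_capabilities(profile):
    """capabilities, preset and add union; remove subtracts."""
    if "capabilities" not in profile and "preset" not in profile:
        raise ProfileError("declare `capabilities` or `preset`")
    caps = set(profile.get("capabilities", ()))
    if "preset" in profile:
        caps |= PRESETS[profile["preset"]]
    caps |= set(profile.get("add", ()))
    return caps - set(profile.get("remove", ()))


def carries(module, caps):
    """carries(M) <=> M in baseline, or gate(M) is a subset of the capabilities."""
    return module in BASELINE or (module in GATES and GATES[module] <= caps)


def check(profile, present):
    """Return (vestigial, missing) for the modules present in a repo root."""
    caps = effective_capabilities(profile)
    present = set(present)
    governed = BASELINE | set(GATES)  # files outside the table are not judged
    vestigial = sorted(m for m in present & governed if not carries(m, caps))
    missing = sorted(m for m in governed - present if carries(m, caps))
    return vestigial, missing


if __name__ == "__main__":
    repo = BASELINE | {"Cargo.toml", "abi.ipkg", "container/"}  # planted extras
    print(check({"preset": "rust-cli"}, repo))
```

Because the gate is a subset test, a module gated on two capabilities stays VESTIGIAL when a profile declares only one of them.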