feat(rsr): direct capability declaration primary; preset optional#392
Merged
Conversation
Refines the template-applicability model (standards#391) per the chosen pure capability-gating shape: a profile declares `capabilities = [...]` directly as the primary form; `preset` becomes optional sugar (a named bundle expanded from the gate data). `capabilities`, `preset`, and `add` union; `remove` subtracts; at least one of `capabilities`/`preset` is required. - check-rsr-profile.sh: accept direct `capabilities`; preset optional. - TEMPLATE-APPLICABILITY-POLICY.adoc: capability declaration is the model, presets are optional shorthand (Model + profile example + Presets section). - template-capability-gates.toml: note presets are optional. Verified: direct-capabilities profile (no preset) → OK; preset profile (arghda-core rust-cli) still → OK; vestigial abi.ipkg still flagged under the direct form; a profile declaring neither errors cleanly. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019GiSiEfgZCte35dyykgBHs
🔍 Hypatia Security ScanFindings: 148 issues detected
View findings[
{
"reason": "Issue in scorecard.yml",
"type": "missing_workflow",
"file": "scorecard.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Required file missing (condition: public_repo)",
"type": "missing_requirement",
"file": ".github/workflows/scorecard.yml",
"action": "create",
"rule_module": "cicd_rules",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/scripts/check-ts-allowlist.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
"type": "agda_postulate",
"file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/avow-protocol/public/demo.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
"type": "js_innerhtml",
"file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
"type": "js_wildcard_cors",
"file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "HTTP URL in Nickel config -- must use HTTPS (1 occurrences, CWE-319)",
"type": "ncl_http_url",
"file": "/home/runner/work/standards/standards/k9-svc/register.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Refines the just-merged template-applicability model (#391) to the pure capability-gating shape: a profile declares
capabilities = [...]directly as the primary form, andpresetbecomes optional sugar (a named bundle expanded from the gate data). This matches the chosen "capability-gated profile" approach while keeping presets available for ergonomics.Precedence:
capabilities,preset, andaddall union;removesubtracts; at least one ofcapabilities/presetis required.Changes
scripts/check-rsr-profile.sh— accept a directcapabilitieslist;presetis now optional (error only if a profile declares neither).TEMPLATE-APPLICABILITY-POLICY.adoc— capability declaration is the model; presets are optional shorthand (updated Model, profile example, and Presets section)..machine_readable/template-capability-gates.toml— note presets are optional.Verification
rust-cli) → still OK.abi.ipkgunder the direct form → still flagged VESTIGIAL.capabilitiesnorpreset→ clean error (exit 2).Note: arghda-core's existing
rsr-profile.a2ml(which usespreset = "rust-cli") remains valid — preset is now demonstrated as the optional form, so no change is needed there.Follow-up to #391 (per the agreed pure-gating-primary direction).
🤖 Generated with Claude Code
https://claude.ai/code/session_019GiSiEfgZCte35dyykgBHs
Generated by Claude Code