migration: 7 integer-brain kernels from string-gated idaptik modules#584
Merged
Conversation
…modules
First applied wave of the now-unblocked string-gated corpus (Phase B
classified 71 string-gated files; the string wall + len() lowering opened
the integer-brain extraction path). Seven kernels re-decomposed from
idaptik .res modules into AffineScript brains under proposals/idaptik/
migrated/, each a four-gate deliverable (G1 compile, G2 independent-oracle
parity sweep, G4 assail). Strings/floats/promises/mutable-state stay
host-side per the established C1-C12 recipe; only the pure-integer
decision core crosses to wasm.
Kernels (exports — parity — assail):
- PortScanner (4 — 44/44 — clean) port→scan-figure classifier
- PasswordCracker (7 — 215/215 — clean) djb2 seed/step + score (host walks string)
- FirewallDevice (12 — 164/164 — clean) ACL packet-filter verdict over int flags
- Inventory (9 — 2840/2840 — clean) slot/weight kernel; slot-state as base-3 Int
- Drone (32 — 1192/1192 — clean) enemy state machine + detection ladder
- SecurityDog (29 — 31533/31533— clean) 8-state machine + detection geometry (milli-units)
- GuardNPC (19 — 359/359 — clean) 18-state/8-rank brain + anti-hacker psychology
All re-decompositions, not transliterations: e.g. PasswordCracker inverts
the djb2 string-loop so the host walks the string and the brain does i32
math (Math.imul/|0 modelled in the oracle); Inventory packs slot state
into a base-3 Int instead of a mutable array; the firewall keeps CIDR /
protocol string parsing host-side and decides over integer flags. Floats
cross as floored milli-units; out-of-band inputs return guarded -1
sentinels (assail-clean, no in-band collapse). Each oracle is an
independent JS reimplementation from the .res semantics, not copied from
the .affine. All gates re-verified by the parent before commit.
Deduped: SecurityAI was dropped — already tracked as migrated/securityai/
(with a boundary proof) from an earlier wave; GlobalNetworkData likewise
pre-existed and was left untouched.
Two compiler quirks surfaced (flagged for the migration playbook, not
fixed here): `total` is a reserved keyword (parse error as an identifier);
and an `if { ... }` block immediately followed by a parenthesized
expression parses as a function application ("Expected a function type,
got Unit"). Both have trivial source-side workarounds (rename the local;
bind the subexpression first).
https://claude.ai/code/session_01WoKhFQePiRsAj7aqnxbG8s
🔍 Hypatia Security ScanFindings: 40 issues detected
View findings[
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (32 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (29 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Migration wave: 7 integer-brain kernels from string-gated idaptik modules
First applied wave of the now-unblocked string-gated corpus. Phase B classified 71 string-gated files; closing the string wall (slices 1–8) plus the
len()lowering (#583) opened the integer-brain extraction path. Seven kernels re-decomposed from idaptik.resmodules into AffineScript brains underproposals/idaptik/migrated/, fanned out across 6 parallel agents and re-verified by me before commit.Each is a four-gate deliverable — G1 compile, G2 independent-oracle parity sweep, G4 assail. Strings / floats / promises / mutable state stay host-side per the C1–C12 recipe; only the pure-integer decision core crosses to wasm.
Re-decompositions, not transliterations — e.g. PasswordCracker inverts the djb2 string-loop so the host walks the string and the brain does i32 math (
Math.imul/|0modelled in the oracle); Inventory packs slot-state into a base-3 Int instead of a mutable array; FirewallDevice keeps CIDR/protocol string parsing host-side and decides over integer flags. Floats cross as floored milli-units; out-of-band inputs return guarded-1sentinels (assail-clean, no in-band collapse). Each oracle is an independent JS reimplementation from the.ressemantics, not copied from the.affine.Deduped:
SecurityAIdropped — already tracked asmigrated/securityai/(with a boundary proof) from an earlier wave;GlobalNetworkDatalikewise pre-existed and was left untouched.Two compiler quirks surfaced (flagged for the playbook, not fixed here):
totalis a reserved keyword (parse error as an identifier); and anif { … }block immediately followed by a parenthesized expression parses as a function application. Both have trivial source-side workarounds.Builds on #583 (
len, merged) and the string-wall slices (#574/#575/#578).https://claude.ai/code/session_01WoKhFQePiRsAj7aqnxbG8s
Generated by Claude Code