migration: wave 3 — 5 integer brains (NetworkZones, Terminal, VmState, VMNetwork, VMMessageBus) #586
Merged
The zone-routing decision brain from src/app/devices/NetworkZones.res: 8 pure-Int exports — the zone-category taxonomy (0..7 closed band: LAN=0 .. Service=7, with -1 sentinel for out-of-band) and the ISP routing-class core of canRouteViaISP (integer switch returning 2=tier-endpoint / 1=tier-member / 0=not-routed / -1=not-a-category, so the host knows which access-list checks to run). All subnet-prefix String.startsWith IP->zone matching and zone-id string lookups stay host-side. G2 64/64, G4 clean; oracle independently reimplemented. PortNames: ALREADY-MIGRATED (pre-existing brain re-verified 52/52). CoprocessorBridge: NO_NEW_BRAINS (host-side terminal-command wrapper; the integer coprocessor brains it routes to are already migrated). https://claude.ai/code/session_01WoKhFQePiRsAj7aqnxbG8s
The separable integer brain from src/app/devices/Terminal.res (1115 LOC, ~90% host-side string parsing): 16 pure-Int exports — command taxonomy (0..23 closed band; codes 17..23 gated by the FeaturePacks invertible-programming flag, passed as feature_on Int), SSH-stack bounds (top-index/empty/push/pop-depth/post-exit nested-prompt), output ring-buffer eviction, maxLines geometry (milli-pixels), cursor-blink accumulator state machine (milli-seconds, 0.5s->500ms), backspace clamp. The 700-line command string-switch, tokenising (split/trim/startsWith/slice), SSH host parsing, and Pixi rendering stay host-side. G2 421/421, G4 clean; oracles independently re-derived from the .res line semantics. https://claude.ai/code/session_01WoKhFQePiRsAj7aqnxbG8s
The flat-memory addressing/introspection brain from
vm/lib/ocaml/VmState.res (almost all senses: a dict<int> keyed by
underscore-prefixed strings, accessed via Dict/Option/String ops): 8
pure-Int exports — memory_size (256), max_address, is_valid_address
(-1 sentinel out-of-band), clamp_address, range_addr (start+i), range
in-region+in-bounds guard, stack materialisation depth (max(sp,0)),
unread-port count (max(count-ptr,0)). The opcode pointer/value
arithmetic was already migrated (VmStack/VmMemory/VmPort); the string
dict layout stays host-side. G2 38577/38577, G4 clean.
VMBridge: NO_NEW_BRAINS (pure bridge; every integer transform it does
is already a migrated brain - VmArith/VmBitwise/VmStack/VmMemory/VmState
- and the rest is string parsing + async coprocessor loading + state).
Two parse traps hit + worked around (worth a playbook note): a nested
`else { if cond-with-subtraction }` parse-errored -> flattened to
early-return guards; and `total` is a reserved keyword -> renamed.
https://claude.ai/code/session_01WoKhFQePiRsAj7aqnxbG8s
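The VmState commit above lists `range_addr (start+i)` and an in-region, in-bounds range guard over a 256-cell memory, checked by oracle parity. As an added example (not the project's code, which is AffineScript), here is such a guard in Rust next to an independent oracle and a deliberately weak variant; the function bodies, return conventions and boundary grid are assumptions.

```rust
// Added example, not the project's code. MEMORY_SIZE = 256 and the -1 sentinel
// come from the commit message; the exact return conventions are assumptions.
const MEMORY_SIZE: i32 = 256;
const OUT_OF_BAND: i32 = -1;

fn is_valid_address(addr: i32) -> bool {
    (0..MEMORY_SIZE).contains(&addr)
}

/// Guarded start+i: the i-th cell of a range, or the sentinel.
fn range_addr(start: i32, i: i32) -> i32 {
    if i < 0 || !is_valid_address(start) {
        return OUT_OF_BAND;
    }
    // checked_add: a large i must yield the sentinel, not a wrap or a debug panic.
    match start.checked_add(i) {
        Some(addr) if is_valid_address(addr) => addr,
        _ => OUT_OF_BAND,
    }
}

/// Deliberately weak variant: validates only the wrapped sum, not the operands.
fn naive_range_addr(start: i32, i: i32) -> i32 {
    let addr = start.wrapping_add(i);
    if is_valid_address(addr) { addr } else { OUT_OF_BAND }
}

/// Independent oracle: widened to i64 so no sum can wrap.
fn oracle_range_addr(start: i32, i: i32) -> i32 {
    let (s, sum) = (i64::from(start), i64::from(start) + i64::from(i));
    let in_band = |v: i64| v >= 0 && v <= 255;
    if i >= 0 && in_band(s) && in_band(sum) { sum as i32 } else { -1 }
}

/// Runs `f` against the oracle on a constructed boundary grid: (passed, total).
fn parity(f: fn(i32, i32) -> i32) -> (u32, u32) {
    let edges = [i32::MIN, -1, 0, 1, 128, 254, 255, 256, i32::MAX];
    let mut passed = 0;
    for &s in &edges {
        for &i in &edges {
            if f(s, i) == oracle_range_addr(s, i) { passed += 1; }
        }
    }
    (passed, (edges.len() * edges.len()) as u32)
}

fn main() {
    println!("guarded: {:?}, naive: {:?}", parity(range_addr), parity(naive_range_addr));
}
```

The weak variant fails parity on pairs where an out-of-band start or a negative index still sums into 0..255, which is the class of defect an operand-level guard closes.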
VMNetwork: the Tier-5 causal-ordering core (6 exports: tick, sync, merge_timestamp, merge_register, can_undo, route_kind) — pure i32 arithmetic + causal-undo gate + last-writer-wins register reconciliation + channel-ordinal routing (CHANNEL band NET:0/COVERT:1/LOCAL:2, -1 sentinel). Matches the host contract in VMNetworkCoprocessor.res:41-56. G2 251/251, G4 clean. VMMessageBus: message-routing dispatch over two closed enum bands (9 exports) — messageTarget band (Console..DevicePort 0..7) with relays_to_partner / is_coop_channel / is_covert_channel, and the coopEvent band (0..6) with event_sends_to_client (every kind except PortData). classifyPort string parsing stays host-side; the host passes the integer message-target ordinal. G2 84/84, G4 clean. Both re-decomposed: drop module state (globalClock cell, output dicts), drop async, explicit Int params, enums as integer bands, all string ops host-side. Oracles independently reimplemented from the .res semantics. https://claude.ai/code/session_01WoKhFQePiRsAj7aqnxbG8s
🔍 Hypatia Security Scan
Findings: 40 issues detected
View findings
[
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
"type": "js_exec_sync",
"file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (32 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (29 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Migration wave 3 — integer brains from string-gated + de-quarantined idaptik modules
Third extraction wave. Continues the C1–C12 + waves 1/2 pattern: pure-integer "brains" extracted to `.affine` (compiled to wasm, verified by independent-oracle parity + assail), all string/float/async/state kept host-side. Notably includes files previously quarantined on `String.startsWith` — confirmed a host-side sense the brains don't touch.
Migrated — 5 kernels (verified: I re-ran every gate myself)
`VMNetwork`/`VMMessageBus` match existing host coprocessor contracts (`VMNetworkCoprocessor.res`). `Terminal` is the standout — a 1115-LOC, ~90%-string module still yielded a clean separable integer brain (the 700-line command switch, tokenising, SSH parsing, Pixi rendering all stay ReScript).
Already-migrated / no brain
`NO_NEW_BRAINS` (pure host-side bridges; every integer transform they route to is already a migrated brain — `Coprocessor_Compute/Security`, `VmArith/VmBitwise/VmStack/VmMemory/VmState`).
Playbook by-product
VmState hit two real parse traps worth recording: a nested `else { if <cond-with-subtraction> }` parse-errors (flatten to early-return guards), and `total` is a reserved keyword (rename accumulators).
https://claude.ai/code/session_01WoKhFQePiRsAj7aqnxbG8s