Keep DB content out of the coordination repo + resite runbook #39
Merged
nextgen-databases documents itself as a thin coordination repo ("no
implementation code lives here") but physically holds full database
implementations, and there was no top-level guardrail — so LLMs keep
adding per-database content here instead of in each database's own repo.
Prevention (stops the drift):
- Root CLAUDE.md / AGENTS.md: coordination-only instructions
- REGISTRY.adoc: authoritative database/language -> repo map
- 0-AI-MANIFEST.a2ml + AGENTIC.a2ml: new "coordination only" invariant/constraint
- CONTRIBUTING.md: accurate structure + what belongs here vs a database repo
- .github/workflows/placement-guard.yml: fails PRs that add misplaced files
- .claude/ pre-write hook: blocks new per-database files locally
Remediation (resite, executed later):
- docs/migration/RESITE-DATABASES-TO-OWN-REPOS.adoc: history-preserving
extraction runbook + mapping + open decisions
- scripts/resite/extract-subdir.sh: helper (does not push)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01W8DXRHQRBgxwSdDz8om287
🔍 Hypatia Security Scan
Findings: 261 issues detected
View findings
[
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in instant-sync.yml",
"type": "missing_timeout_minutes",
"file": "instant-sync.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Addresses the Hypatia workflow-audit "missing_timeout_minutes" finding for the new workflow so this PR does not introduce a newly-flagged file.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01W8DXRHQRBgxwSdDz8om287
🔍 Hypatia Security Scan
Findings: 260 issues detected
Problem
nextgen-databases documents itself as a thin coordination repo — EXPLAINME.adoc and 0-AI-MANIFEST.a2ml both say "no implementation code lives here" — but it physically contains ~16,000 files of full database implementations (verisimdb/, lithoglyph/, nqc/, typeql-experimental/, quandledb/, verisim-core/, verisim-modular-experiment/), committed as plain directories.
There was no top-level guardrail (no root CLAUDE.md / AGENTS.md / .claude/), and the only AI entry point policed SCM-file placement only. So LLMs landing here naturally edit/add per-database content in place instead of in each database's own repo.

This PR — Prevention (stops the drift, lands now)
- CLAUDE.md / AGENTS.md (new) — blunt coordination-only instructions for agents.
- REGISTRY.adoc (new) — authoritative map of each database/query-language → its own repo.
- 0-AI-MANIFEST.a2ml — new top invariant "Coordination only — no implementation"; fixed the <!-- CUSTOMIZE --> structure placeholder and satellite list.
- .machine_readable/6a2/AGENTIC.a2ml — extended [agent-constraints] with the no-DB-implementation rule.
- CONTRIBUTING.md — replaced the inaccurate single-project tree with the real structure + a "what belongs here vs. a database repo" section.
- .github/workflows/placement-guard.yml (new) — CI gate that fails a PR/push adding files outside the coordination allowlist; legacy DB dirs are grandfathered (warn) until extracted.
- .claude/settings.json + .claude/hooks/block-db-writes.sh (new) — local PreToolUse hook that blocks creating new per-database files and names the correct destination repo (verified locally; allows edits to existing files during the transition).

Deferred — Remediation (resite, executed later)
- docs/migration/RESITE-DATABASES-TO-OWN-REPOS.adoc (new) — history-preserving extraction runbook, source→destination mapping, and the open decisions.
- scripts/resite/extract-subdir.sh (new) — git filter-repo helper (review-only; does not push).
The actual extraction (moving content to other repos, creating lithoglyph/glyphbase/gnpl/nqc, history rewrites) is not in this PR — it needs GitHub scope beyond nextgen-databases and a few open decisions resolved.

Open decisions (see runbook / registry)
- typeql-experimental → standalone vcl-ut, or fold into verisimdb?
- verisim-core → own repo, or fold into verisimdb?
- verisim-modular-experiment (research-only) → research repo, or documented exception?
- gnpl name + un-nesting gql-dt now vs. later (deep storage coupling).

Verification done
- verisimdb/ / glyphbase/ files (with correct destination), allows README.adoc edits, new coordination docs, research dir, and non-write tools.
- ALLOW (no self-flagging), flags a hypothetical newdb/schema.sql as misplaced, warns on grandfathered dirs.
- sh -n clean on both scripts; settings.json valid JSON.

🤖 Generated with Claude Code
https://claude.ai/code/session_01W8DXRHQRBgxwSdDz8om287
Generated by Claude Code
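
The classification the PR description attributes to the placement guard and the pre-write hook (allow coordination paths, warn on grandfathered database directories, fail anything else), as an added example that is not the PR's own workflow or hook script. The legacy directory list is taken from the PR description; the `ALLOW_TOP` allowlist, the function names and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's placement-guard.yml or block-db-writes.sh.
# LEGACY_DIRS comes from the PR description; ALLOW_TOP is an assumed
# allowlist assembled from the coordination paths the PR names.
LEGACY_DIRS="verisimdb lithoglyph nqc typeql-experimental quandledb verisim-core verisim-modular-experiment"
ALLOW_TOP="CLAUDE.md AGENTS.md REGISTRY.adoc CONTRIBUTING.md EXPLAINME.adoc 0-AI-MANIFEST.a2ml docs scripts .github .claude .machine_readable"

# classify_path PATH: print ALLOW, WARN (grandfathered) or FAIL (misplaced).
classify_path() {
    path=$1
    # Matching is on the first path component, so refuse absolute paths
    # and ".." components that would let a path escape that component.
    case "/$path/" in
        //*|*/../*) echo FAIL; return 0 ;;
    esac
    path=${path#./}
    top=${path%%/*}
    for d in $LEGACY_DIRS; do
        if [ "$top" = "$d" ]; then echo WARN; return 0; fi
    done
    for a in $ALLOW_TOP; do
        if [ "$top" = "$a" ]; then echo ALLOW; return 0; fi
    done
    echo FAIL
}

# guard: read newly added paths on stdin, one per line, print a verdict for
# each, and return 1 if any is misplaced so a CI step or hook can fail.
guard() {
    rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        verdict=$(classify_path "$p")
        printf '%s\t%s\n' "$verdict" "$p"
        if [ "$verdict" = FAIL ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample input; newdb/schema.sql is the PR's hypothetical case.
printf '%s\n' REGISTRY.adoc verisimdb/src/new.rs newdb/schema.sql \
    docs/../newdb/schema.sql | guard || echo "placement guard: misplaced files found"
```

In CI the input would be the list of files a PR adds, for example from `git diff --name-only --diff-filter=A` against the base branch.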