feat(protocols): proven-epistemic disclosure core (#95) + estate standardization stack#21

Merged: hyperpolymath merged 14 commits into main from claude/fix-fake-setup-zig-sha on Jun 11, 2026

Conversation

@hyperpolymath

Owner

What

Two workstreams that accumulated on this branch:

proven-epistemic — protocol skeleton #95

A provably non-amplifying tiered-disclosure core (the formal reference for flat-mate's conceal lattice):

  • Epistemic.Lattice: Tier chain (Band < Relational < Full), meet, and machine-checked laws — meetSym (reciprocity), meetLowerLeft/Right (never above either party's grant), meetGreatest, bandAbsorbs (deny-by-default absorbs), decidable ordering
  • Epistemic.Transitions: session FSM with impossibility proofs (terminal Closed, no skipped consent); Disclosable witnesses make over-tier disclosure unrepresentable; WellGoverned (Sensitive ⇒ Full) with sensitiveNeverAtBand/Relational
  • Idris2 0.8.0, %default total, zero believe_me/assert_total; typechecks clean (idris2 --typecheck exit 0)
  • ADR-0002 documents the Denning→Fagin lineage and the scope boundary vs differential privacy / SMPC / FHE
  • README catalog: 108→109 components, 94→95 skeletons

Estate standardization (pre-existing on branch)

Governance docs, contractiles, CI/CD cleanup, TruffleHog secret-scan standardization — the sweep commits that preceded this work.

Verification

  • idris2 --typecheck proven-epistemic.ipkg → exit 0 (note: --build blocked locally by a missing chez/support.ss in the asdf install — toolchain, not code)
  • banned-pattern grep clean

🤖 Generated with Claude Code
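
The tier lattice described above, modelled as an added example in Rust. This is not the proven-epistemic Idris2 source: the Idris proofs are machine-checked, whereas this block checks the same laws (meetSym, meetLowerLeft/Right, meetGreatest, bandAbsorbs) exhaustively over the three tiers at run time, which is possible only because the lattice is finite. The names `Tier`, `meet`, `Sensitivity`, `is_well_governed`, `disclose` and `laws_hold` are this example's own; the "requested tier at or below the meet" rule stands in for the Disclosable witness, and `is_well_governed` stands in for WellGoverned (Sensitive ⇒ Full).

```rust
// Added example (not the proven-epistemic Idris2 code): a finite model of the
// Band < Relational < Full disclosure lattice with its laws checked over all pairs.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Tier {
    Band,       // deny-by-default: nothing beyond band membership is disclosed
    Relational, // disclosure scoped to the relationship
    Full,       // complete disclosure
}

pub const TIERS: [Tier; 3] = [Tier::Band, Tier::Relational, Tier::Full];

/// meet = greatest lower bound: the effective tier is never above either party's grant.
pub fn meet(a: Tier, b: Tier) -> Tier {
    if a <= b { a } else { b }
}

/// Sensitivity class of a datum (constructed for this example).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Sensitivity {
    Ordinary,
    Sensitive,
}

/// WellGoverned: sensitive data may only ever be disclosed at Full.
pub fn is_well_governed(s: Sensitivity, effective: Tier) -> bool {
    match s {
        Sensitivity::Sensitive => effective == Tier::Full,
        Sensitivity::Ordinary => true,
    }
}

/// A disclosure at `requested` between a sender granting `own_grant` and a peer
/// granting `peer_grant`. Returns None when the disclosure is over-tier (above the
/// meet of the grants) or not well governed; this is the runtime analogue of an
/// unrepresentable Disclosable witness.
pub fn disclose(own_grant: Tier, peer_grant: Tier, requested: Tier, s: Sensitivity) -> Option<Tier> {
    let ceiling = meet(own_grant, peer_grant);
    if requested > ceiling {
        return None;
    }
    if !is_well_governed(s, requested) {
        return None;
    }
    Some(requested)
}

/// Exhaustive check of the lattice laws named in the PR over every pair of tiers.
pub fn laws_hold() -> bool {
    for &a in &TIERS {
        if meet(Tier::Band, a) != Tier::Band {
            return false; // bandAbsorbs
        }
        for &b in &TIERS {
            let m = meet(a, b);
            if m != meet(b, a) {
                return false; // meetSym (reciprocity)
            }
            if m > a || m > b {
                return false; // meetLowerLeft / meetLowerRight
            }
            for &c in &TIERS {
                if c <= a && c <= b && c > m {
                    return false; // meetGreatest: every common lower bound is <= meet
                }
            }
        }
    }
    true
}

/// sensitiveNeverAtBand / sensitiveNeverAtRelational: no grant combination lets
/// Sensitive data out below Full.
pub fn sensitive_never_below_full() -> bool {
    TIERS.iter().all(|&own| {
        TIERS.iter().all(|&peer| {
            [Tier::Band, Tier::Relational]
                .iter()
                .all(|&req| disclose(own, peer, req, Sensitivity::Sensitive).is_none())
        })
    })
}

fn main() {
    println!("lattice laws hold: {}", laws_hold());
    println!("sensitive never below Full: {}", sensitive_never_below_full());
    // Over-tier request: peer only granted Relational, so Full is not representable.
    println!("{:?}", disclose(Tier::Full, Tier::Relational, Tier::Full, Sensitivity::Ordinary));
}
```

The exhaustive loops are what the Idris proofs replace: with three tiers the check is cheap, but a lattice over a richer type would need the proof, not the enumeration.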

hyperpolymath and others added 13 commits May 30, 2026 14:41
The pin `goto-bus-stop/setup-zig@7ab2955eb728f5440978d7b4f723a50dea1f3608`
at .github/workflows/e2e.yml:42 is fabricated (`gh api repos/goto-bus-stop/
setup-zig/commits/7ab2955... -> 422`). The fake SHA's first 16 hex chars
collide with v2.2.0's real SHA `7ab2955...2802d` but the rest is
fabricated — a partial collision that would have escaped visual review.

Replaced with verified v2.2.1 pin
`abea47f85e598557f500fa1fd2ab7464fcb39406`.

Provenance: propagated from rsr-template-repo#81 (merged); discovered
while wiring CI for snifs (hyperpolymath/snifs#30); 3 of 3 fan-out PRs
alongside odds-and-sods-package-manager#39 and proven#93.
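
A defender-side check for the pin problem this commit describes, added here as an example and not part of the repository's workflows: a `uses:` reference is accepted only when it is a full 40-hex SHA that matches an allowlisted SHA exactly, and a long shared prefix with a trusted SHA is reported as a collision rather than passing as a match. The allowlist and the workflow fragment are constructed; the `abea47f…` SHA is the verified v2.2.1 pin from the commit, the `7ab2955…` ref is the fabricated pin it replaced, and `example-org/example-action` with its SHAs is hypothetical. Resolving an unknown SHA against the remote (the `gh api` call in the commit) is outside this offline block.

```rust
// Added example, not part of the repository's workflows: audit `uses:` pins
// against an allowlist of (action, full SHA) pairs. Only an exact 40-hex match
// is accepted; a long shared prefix is flagged, never treated as a match.
use std::collections::HashMap;

#[derive(Debug, PartialEq, Eq)]
pub enum PinStatus {
    Verified,                          // exact match against the allowlist
    PrefixCollision { shared: usize }, // shares only the first `shared` hex chars with a trusted SHA
    NotPinnedToSha,                    // tag/branch ref, or a short or invalid SHA
    Unknown,                           // full SHA but not allowlisted: resolve upstream before trusting
}

pub fn is_full_sha(s: &str) -> bool {
    s.len() == 40 && s.chars().all(|c| c.is_ascii_hexdigit())
}

pub fn shared_prefix_len(a: &str, b: &str) -> usize {
    a.chars().zip(b.chars()).take_while(|(x, y)| x.eq_ignore_ascii_case(y)).count()
}

/// Classify one `owner/repo@ref` pin. A shared prefix of 12+ hex chars is
/// reported separately because a short prefix is exactly what a visual review compares.
pub fn check_pin(uses: &str, trusted: &HashMap<&str, Vec<&str>>) -> PinStatus {
    let (repo, sha) = match uses.split_once('@') {
        Some(parts) => parts,
        None => return PinStatus::NotPinnedToSha,
    };
    if !is_full_sha(sha) {
        return PinStatus::NotPinnedToSha;
    }
    let known = match trusted.get(repo) {
        Some(k) => k,
        None => return PinStatus::Unknown,
    };
    if known.iter().any(|k| k.eq_ignore_ascii_case(sha)) {
        return PinStatus::Verified;
    }
    let best = known.iter().map(|k| shared_prefix_len(k, sha)).max().unwrap_or(0);
    if best >= 12 {
        PinStatus::PrefixCollision { shared: best }
    } else {
        PinStatus::Unknown
    }
}

/// Pull `uses:` references out of workflow YAML line by line (enough for the
/// `- uses: owner/repo@ref` form; a real linter would parse the YAML).
pub fn extract_uses(yaml: &str) -> Vec<String> {
    yaml.lines()
        .filter_map(|l| {
            let t = l.trim();
            t.strip_prefix("- uses:").or_else(|| t.strip_prefix("uses:"))
        })
        .map(|r| r.trim().trim_matches(|c: char| c == '"' || c == '\'').to_string())
        .collect()
}

pub fn audit(yaml: &str, trusted: &HashMap<&str, Vec<&str>>) -> Vec<(String, PinStatus)> {
    extract_uses(yaml)
        .into_iter()
        .map(|u| {
            let status = check_pin(&u, trusted);
            (u, status)
        })
        .collect()
}

/// Constructed allowlist. The setup-zig SHA is the verified v2.2.1 pin from the
/// commit; example-org/example-action and its SHA are hypothetical.
pub fn sample_trusted() -> HashMap<&'static str, Vec<&'static str>> {
    let mut m = HashMap::new();
    m.insert("goto-bus-stop/setup-zig", vec!["abea47f85e598557f500fa1fd2ab7464fcb39406"]);
    m.insert("example-org/example-action", vec!["0123456789abcdef0123456789abcdef01234567"]);
    m
}

/// Constructed workflow fragment: the verified pin, the fabricated pin the commit
/// removed, a hypothetical 16-char prefix collision, and a mutable tag ref.
pub const SAMPLE_WORKFLOW: &str = "\
jobs:
  build:
    steps:
      - uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406
      - uses: goto-bus-stop/setup-zig@7ab2955eb728f5440978d7b4f723a50dea1f3608
      - uses: example-org/example-action@0123456789abcdefdeadbeefdeadbeefdeadbeef
      - uses: actions/checkout@v4
";

fn main() {
    for (uses, status) in audit(SAMPLE_WORKFLOW, &sample_trusted()) {
        println!("{}: {:?}", uses, status);
    }
}
```

The fabricated setup-zig pin comes back `Unknown` rather than `Verified` because nothing in the allowlist matches it in full; only a human-readable prefix would, which is the failure mode the commit describes. Anything `Unknown` should be resolved against the upstream repository before the pin is trusted.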
- C001: CodeQL language fixes
- C002: License identifier standardization
- C003: Outdated actions audit
- C004: Pin standards refs to SHA 861b5e9
- C005: Add workflow-level permissions
…d disclosure (skeleton #95)

Epistemic disclosure core: Tier lattice (Band < Relational < Full) with
machine-checked laws (meetSym reciprocity, meetLowerLeft/Right never-above-
either-grant, meetGreatest, bandAbsorbs), session FSM with impossibility
proofs, Disclosable witnesses making over-tier disclosure unrepresentable,
WellGoverned (Sensitive => Full). Idris2 0.8.0, %default total, zero
escape hatches; typechecks clean. Lineage documented (Denning 1976 ->
Fagin et al.); scope boundary vs DP/SMPC/FHE in ADR-0002.

First consumer: flat-mate's conceal lattice mirrors this core.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- instant-sync.yml: a step fragment (K9-SVC Validation) was appended at
  the jobs level, outside any job — folded into the dispatch job's steps
- dogfood-gate.yml: the embedded python3 -c script sat at column 1 inside
  a run literal block, terminating the block — uniformly indented so the
  YAML strip restores it to column 0 (embedded python verified to parse)

These caused every push-triggered run on this branch to die in 0s
(startup_failure) and suppressed all PR checks on #21.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
instant-sync.yml, boj-build.yml, dogfood-gate.yml show name==path in the
Actions registry (malformed-at-creation cache; every run 0s startup_failure
regardless of content). Rename forces fresh registration — estate precedent
paint-type#38. Content unchanged (YAML repairs landed in previous commit).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-zig-sha

# Conflicts:
#	.github/workflows/codeql.yml
#	.github/workflows/e2e.yml
@github-actions


🔍 Hypatia Security Scan

Findings: 280 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 213 |
| 🟠 High | 17 |
| 🟡 Medium | 50 |

⚠️ Action Required: Critical security issues found!

```json
[
  {
    "reason": "Issue in release.yml",
    "type": "missing_timeout_minutes",
    "file": "release.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync-dispatch.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync-dispatch.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "codeql_missing_actions_language",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/proven-servers/proven-servers/bindings/python/proven_servers/ldap.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/proven-servers/proven-servers/bindings/python/proven_servers/caldav.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/proven-servers/proven-servers/bindings/python/proven_servers/authserver.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/proven-servers/proven-servers/bindings/python/proven_servers/nfs.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/proven-servers/proven-servers/bindings/python/proven_servers/pqc.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/proven-servers/proven-servers/bindings/python/proven_servers/media.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath enabled auto-merge (rebase) June 11, 2026 22:09
These gates never executed before this branch (registry-stuck + invalid
YAML), so their first runs exposed pre-existing debt:

- container/deploy.k9.ncl: add the K9! magic line (matching the passing
  templates); expose a validator-visible pedigree identity block
  {name, version, leash}; fix pre-existing infinite recursion
  (deployment/scripts let-bindings shadowed by same-name record fields —
  the file had never been evaluable). Verified: nickel export now
  evaluates; pedigree.name/version/leash resolve.
- dogfood-checks.yml: extend a2ml-validate paths-ignore (defaults
  reproduced) with audits/assail-classifications.a2ml — panic-attack's
  S-expression ledger, not a TOML-style manifest (hypatia#243 rule).
- e2e.yml: Zig 0.15.0 does not exist in the download index; pin 0.15.1
  (the toolchain the FFI was authored against).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@hyperpolymath disabled auto-merge June 11, 2026 22:11
@hyperpolymath merged commit 5a09203 into main Jun 11, 2026
12 of 15 checks passed
@hyperpolymath deleted the claude/fix-fake-setup-zig-sha branch June 11, 2026 22:12

@hyperpolymath

Owner Author

CI triage (close-out pass, 2026-06-11)

Gates resurrected by this PR (registry-stuck + invalid YAML — they had never executed):

| Gate | First-run result | Resolution |
|---|---|---|
| Validate A2ML manifests | ❌ 1 error | ✅ fixed — audits/assail-classifications.a2ml is panic-attack's S-expression ledger, not a TOML manifest → added to paths-ignore (defaults reproduced; hypatia#243 rule) |
| Validate K9 contracts | ❌ 2 errors | ✅ fixed — container/deploy.k9.ncl gained the K9! magic, a validator-visible pedigree identity block, a literal 'Hunt leash, and a fix for pre-existing infinite recursion (scripts = scripts self-reference; the file had never been evaluable — nickel export now succeeds) |
| E2E FFI round-trip | ❌ Install Zig | ✅ fixed — workflow pinned Zig 0.15.0, which does not exist in the download index; now 0.15.1 (the toolchain the FFI was authored against) |

Hypatia code-scanning (red, left red deliberately): 102 errors / 18 warnings are pre-existing branch-wide debt attributed to this PR because the diff exceeded scoping ("code changes were too large"). Sample: unsafe_block warnings across every Rust FFI binding, unwrap_without_check in benches, and CSA003 debt-aging meta-alerts (e.g. "scorecard_publish_with_run_step at scorecard-enforcer.yml is 11 days old — overdue"), which reference the known-parked scorecard startup_failure issue. Per the estate's Hypatia deference policy these route to the hypatia→gitbot remediation pipeline, not this PR. Nothing in the proven-epistemic Idris code is flagged.

🤖 Generated with Claude Code
