feat: consume .hypatia-baseline.json in governance gate #166
Merged
Adds a per-repo exemption mechanism to the estate governance gate: `.hypatia-baseline.json`. Same shape as Hypatia findings themselves (severity, rule_module, type, file), so an acknowledged finding can be listed once and silently suppressed by the gate.

Why
---

The `language-policy` job in `governance-reusable.yml` runs `banned_language_file` across every caller repo. Repos with legitimate in-flight migrations (e.g. `hyperpolymath/gitbot-fleet`'s ReScript → AffineScript port) have been blocked on .res files they have already acknowledged; PR authors started inventing alternate ignore-file conventions (`.hypatia-ignore` flat-file) to work around the gap. This PR formalises one convention so the estate stops sprouting more.

What
----

1. `validate-baseline` job (new). Detects the per-repo baseline file, schema-validates it (ajv when available; jq fallback so it never fails for missing tooling), and surfaces stale entries (referenced file no longer exists) as warnings. Soft-failure throughout — a missing baseline is fine, a malformed one is a warning during advisory mode.
2. `language-policy` job (updated). The `is_exempt()` helper now consults `.hypatia-baseline.json` before falling back to the legacy `.hypatia-ignore` flat-file and the inline `# hypatia:ignore` pragma. The legacy path stays for backward-compat; a follow-up PR will retire it once the estate has converged.
3. `.machine_readable/hypatia-baseline.schema.json` — formal JSON Schema (draft 2020-12). Required fields: severity, rule_module, type, plus exactly one of file / file_pattern. Optional: severity_override, expires_at, note, tracking_issue.
4. `scripts/apply-baseline.sh` — pure bash+jq filter. Used in the richer findings-list flow this PR seeds; the current workflow integration uses the inline jq lookup instead so an advisory-mode landing has the smallest possible footprint.
5. `docs/HYPATIA-BASELINE-FORMAT.adoc` — authoritative format doc.
6. `docs/EXEMPTION-MECHANISMS.adoc` — convention doc clarifying when to use `.hypatia-baseline.json` vs the estate-wide `bot_exclusion_registry.a2ml` vs per-PR labels.

Rollout
-------

Advisory mode (default) — exempting a finding via the baseline removes it from the gate output. Blocking-mode promotion (via `vars.HYPATIA_BASELINE_MODE = "blocking"`) is the follow-up after a one-week soak.

Companion: `hyperpolymath/gitbot-fleet#148` tracks the ReScript migration that motivated this. Once this PR merges, the `.hypatia-baseline.json` entries already in gitbot-fleet will start being honoured by the gate.
🔍 Hypatia Security Scan

Findings: 208 issues detected

```json
[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml-templates/state-scm-to-v2.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
    "type": "agda_postulate",
    "file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/standards/standards/lol/src/abi/Locale.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
    "type": "js_wildcard_cors",
    "file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
…ript The governance-reusable workflow change in this PR adds .hypatia-baseline.json consumer support; dogfood it on this repo by adding the baseline file itself. Suppresses the `cicd_rules/banned_language_file` finding on a2ml-templates/state-scm-to-v2.py — a one-shot v1->v2 STATE.scm migration script that is banned (Python) but legitimate for its purpose. The note records the rewrite-or-retire follow-up. Demonstrates the mechanism end-to-end: the very PR that adds baseline support has the gate honour an acknowledged finding on its own repo. Resolves the dogfood failure on `governance / Language / package anti-pattern policy`. The separate legacy `Check for Banned Languages` workflow has no baseline support (intentionally out of scope for this PR) and will continue to flag — to be retired by a follow-up.
Summary

Adds a single, formal exemption convention to the estate governance gate: `.hypatia-baseline.json`. Same shape as Hypatia findings (severity, rule_module, type, file/file_pattern), so an acknowledged finding can be listed once and silently suppressed by the gate. Companion to hyperpolymath/gitbot-fleet#148.

Why

The `language-policy` job runs `banned_language_file` across every caller repo. In-flight migrations (e.g. the ReScript → AffineScript port at gitbot-fleet) keep getting blocked on `.res` files that are already acknowledged in the repo's baseline. PR authors started inventing alternate ignore conventions (`.hypatia-ignore` flat-files) to work around the gap. This PR formalises one convention so the estate stops sprouting more.

What

- `validate-baseline` job (new) — detects the per-repo baseline file, schema-validates it (`ajv` when available, `jq` fallback otherwise), surfaces stale entries (referenced file no longer exists) as warnings. Soft-failure throughout.
- `language-policy` job (updated) — `is_exempt()` now consults `.hypatia-baseline.json` before falling back to legacy `.hypatia-ignore` and the inline `# hypatia:ignore` pragma. The legacy path stays for back-compat; a follow-up PR retires it once the estate has converged.
- `.machine_readable/hypatia-baseline.schema.json` — formal JSON Schema (draft 2020-12). Required: `severity`, `rule_module`, `type`, plus exactly one of `file`/`file_pattern`. Optional: `severity_override`, `expires_at`, `note`, `tracking_issue`.
- `scripts/apply-baseline.sh` — pure bash+jq filter. Used by the richer findings-list flow this PR seeds; the current workflow integration uses the inline `jq` lookup instead so the advisory-mode landing has the smallest possible footprint.
- `docs/HYPATIA-BASELINE-FORMAT.adoc` — authoritative format doc.
- `docs/EXEMPTION-MECHANISMS.adoc` — convention doc: when to use `.hypatia-baseline.json` vs the estate-wide `bot_exclusion_registry.a2ml` vs per-PR labels.

Rollout

Advisory mode (default). Exempting a finding via the baseline removes it from the gate output. Blocking-mode promotion (via `vars.HYPATIA_BASELINE_MODE = "blocking"`) is the follow-up after a one-week soak. Documented inline at the top of `governance-reusable.yml`.

Test plan

- `⏭️ exempt (baseline)` line in the language-policy job logs and the gate passes despite the banned file.
- `.hypatia-ignore` + inline pragma still honoured).
- `validate-baseline` warning (not a hard failure during advisory soak).
- `HYPATIA_BASELINE_MODE` to `blocking` and confirm the gate behaves identically across the estate.

https://claude.ai/code/session_01W3PAoaqgJj3mnM8kjhEqx4

Generated by Claude Code
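The lookup order the PR describes (baseline first, then the legacy `.hypatia-ignore` flat-file, then the inline `# hypatia:ignore` pragma) together with the stale-entry check of the `validate-baseline` job, as an added worked example. This is my code, not the PR's `scripts/apply-baseline.sh` or the `is_exempt()` helper in `governance-reusable.yml`; it is POSIX sh plus `jq`. Several details are assumptions the page does not state: baseline paths are repo-relative (so the absolute `file` a finding reports is stripped of the workspace root first), `file_pattern` is a shell glob, `expires_at` is an ISO date after which an entry stops exempting, and the flat-file holds one repo-relative path per line. The baseline and files in `make_fixture` are constructed for the example; only the `a2ml-templates/state-scm-to-v2.py` path comes from the PR.

```shell
#!/bin/sh
# Added example, not the PR's own scripts/apply-baseline.sh or the is_exempt()
# helper in governance-reusable.yml. It models the lookup order the PR
# describes: .hypatia-baseline.json first, then the legacy .hypatia-ignore
# flat-file, then the inline "# hypatia:ignore" pragma. Assumed here (not
# stated on the page): baseline paths are repo-relative, file_pattern is a
# shell glob, expires_at is an ISO date after which an entry stops exempting,
# and the flat-file holds one repo-relative path per line.
set -eu

BASELINE_FILE="${BASELINE_FILE:-.hypatia-baseline.json}"
IGNORE_FILE="${IGNORE_FILE:-.hypatia-ignore}"

# relpath ABS [ROOT]: findings carry absolute runner paths while baseline
# entries are repo-relative, so strip the workspace root before comparing.
relpath() {
  _root=${2:-${GITHUB_WORKSPACE:-$PWD}}
  printf '%s\n' "${1#"$_root/"}"
}

# baseline_exempts SEVERITY RULE_MODULE TYPE REL_FILE: succeeds when an
# unexpired entry matches all three fields and file (exact) or file_pattern (glob).
baseline_exempts() {
  [ -f "$BASELINE_FILE" ] || return 1
  _file=$4
  _today=$(date -u +%Y-%m-%d)
  _hit=$(jq -r --arg sev "$1" --arg mod "$2" --arg typ "$3" --arg today "$_today" '
      .[]
      | select(.severity == $sev and .rule_module == $mod and .type == $typ)
      | select((.expires_at // "9999-12-31") >= $today)
      | if .file then "exact", .file else "glob", .file_pattern end
    ' "$BASELINE_FILE" |
    while IFS= read -r kind && IFS= read -r pat; do
      case $kind in
        exact) [ "$_file" = "$pat" ] || continue ;;
        glob)  case $_file in $pat) ;; *) continue ;; esac ;;
      esac
      echo hit; break
    done)
  [ "$_hit" = hit ]
}

# is_exempt SEVERITY RULE_MODULE TYPE REL_FILE: prints the mechanism that
# exempts the finding (baseline, ignore-file, pragma) and succeeds, or prints
# nothing and fails when the finding must be reported.
is_exempt() {
  if baseline_exempts "$1" "$2" "$3" "$4"; then echo baseline; return 0; fi
  if [ -f "$IGNORE_FILE" ] && grep -qxF -- "$4" "$IGNORE_FILE"; then
    echo ignore-file; return 0
  fi
  if [ -f "$4" ] && grep -q '# hypatia:ignore' "$4"; then echo pragma; return 0; fi
  return 1
}

# baseline_stale_entries: prints each exact-file entry whose file no longer
# exists (what validate-baseline surfaces as a warning); pattern entries are
# skipped, since a glob may legitimately match nothing at the moment.
baseline_stale_entries() {
  [ -f "$BASELINE_FILE" ] || return 0
  jq -r '.[] | select(.file) | .file' "$BASELINE_FILE" |
    while IFS= read -r f; do
      [ -e "$f" ] || printf 'stale baseline entry: %s\n' "$f"
    done
}

# make_fixture DIR: constructed sample repo for this example. The
# a2ml-templates path is the one the PR itself baselines; the rest is made up.
make_fixture() {
  mkdir -p "$1/a2ml-templates" "$1/src" "$1/ui" "$1/tools" "$1/bindings/deno"
  cat > "$1/.hypatia-baseline.json" <<'EOF'
[
  {"severity": "critical", "rule_module": "cicd_rules", "type": "banned_language_file",
   "file": "a2ml-templates/state-scm-to-v2.py", "note": "one-shot migration script; rewrite-or-retire follow-up"},
  {"severity": "critical", "rule_module": "cicd_rules", "type": "banned_language_file",
   "file_pattern": "src/*.res", "expires_at": "2099-01-01", "note": "ReScript port in flight"},
  {"severity": "high", "rule_module": "code_safety", "type": "js_innerhtml",
   "file": "ui/old.js", "expires_at": "2000-01-01", "note": "expired: must be reported again"},
  {"severity": "critical", "rule_module": "cicd_rules", "type": "banned_language_file",
   "file": "gone/removed.py", "note": "stale: file was deleted"}
]
EOF
  printf 'bindings/deno/mod.ts\n' > "$1/.hypatia-ignore"
  printf '# one-shot STATE.scm v1->v2 migration\n' > "$1/a2ml-templates/state-scm-to-v2.py"
  printf 'let x = 1\n' > "$1/src/App.res"
  printf 'el.innerHTML = s\n' > "$1/ui/old.js"
  printf '# hypatia:ignore\nprint("helper")\n' > "$1/tools/helper.py"
  printf 'export {}\n' > "$1/bindings/deno/mod.ts"
}

# Demo: run the gate's decision over a few banned-language findings in the
# constructed repo, then list stale baseline entries.
demo() {
  _d=$(mktemp -d)
  make_fixture "$_d"
  ( cd "$_d"
    for f in a2ml-templates/state-scm-to-v2.py src/App.res tools/helper.py bindings/deno/mod.ts; do
      printf '%s -> %s\n' "$f" "$(is_exempt critical cicd_rules banned_language_file "$f" || echo report)"
    done
    baseline_stale_entries )
  rm -rf "$_d"
}
demo
```

In a real gate the finding's absolute `file` would go through `relpath` before `is_exempt`, and the job would print the `⏭️ exempt (baseline)` line on a `baseline` result. Two design choices worth noting: an expired entry simply falls through to the legacy mechanisms instead of failing the gate, and an entry whose `file` has disappeared is reported by `baseline_stale_entries` but still matched by `is_exempt`, so a stale entry is a warning to clean up rather than a silent hole.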