{{ message }}
chore(submodules): de-vendor rpa-elysium to a real gitlink + drop total-recall dup#133
Merged
Merged
Conversation
…al-recall dup Continues the #131 consolidation — the two reposystem-scoped follow-ups. rpa-elysium — de-vendor (forge canonical): The vendored 171-file tree had diverged from the live forge (141/155 common files differ; 16 vendored-only, 23 forge-only). Per decision the forge is canonical: replace the vendored tree with a real submodule gitlink at forge HEAD bda6720, declared in .gitmodules (git@ URL, matching git-scripts/git-reticulator). The full vendored state is preserved on branch archive/rpa-elysium-vendored-2026-06-21 (171 files) for recovery/diffing — nothing is lost. total-recall — drop the duplicate: total-recall and total-upgrade were byte-identical 28-file scaffolds (same tree 84d1361). Keep total-upgrade (an active feat/total-upgrade-scaffold branch targets it); remove the total-recall duplicate tree. .gitmodules now declares three consistent gitlinks (git-scripts, git-reticulator, rpa-elysium); total-upgrade remains a local scaffold tree. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KhFfkfjKaB7Rg957u3uCT6
hyperpolymath
pushed a commit
that referenced
this pull request
Jun 21, 2026
Completes the consolidation. bitfuckit, contractiles, recon-silly-ation, scaffoldia, stateful-artefacts each have a populated, active standalone forge repo (main + live estate-standardization branches). Replace the vendored trees with submodule gitlinks pinned at each forge main HEAD, declared in .gitmodules (git@ URLs, matching the existing submodules). No content pushed: the forges are canonical (the vendored copies were stale snapshots, same situation as rpa-elysium). The pre-extraction trees are preserved on branch archive/vendored-standalones-2026-06-21 (bitfuckit 158 / contractiles 236 / recon-silly-ation 114 / scaffoldia 197 / stateful-artefacts 97 files) for recovery/diffing — nothing is lost. .gitmodules now declares 8 consistent gitlinks (git-scripts, git-reticulator, rpa-elysium + these 5); ~807 vendored files removed from reposystem's tree. config/tools.ncl: the 6 extracted tools' status 'extracting -> 'extracted (embed was already 'standalone). repos.toml: recon-silly-ation is already indexed (verification-ecosystem/...); the other four have no determinable ecosystem group in-repo, so their estate-index entries are left to the index generator rather than fabricated. Not Cargo workspace members — build unaffected (cf. rpa-elysium in #133). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KhFfkfjKaB7Rg957u3uCT6
hyperpolymath
pushed a commit
that referenced
this pull request
Jun 21, 2026
…r triage Informational, non-gating workflow. Runs the Hypatia scanner the same way the standards hypatia-scan-reusable does, then dumps findings to the job log (totals; by severity/rule/path; one line per finding). Submodules are not checked out, so it scans reposystem's own tree only — the residual after the de-vendor (#133) + extraction (#134) work. Lets the residual be triaged from CI output without needing artifact download. Safe to delete once triaged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KhFfkfjKaB7Rg957u3uCT6
hyperpolymath
pushed a commit
that referenced
this pull request
Jun 26, 2026
… diagnostic After de-vendor (#133) + extraction (#134) cut the hypatia residual 222 -> 92, this fixes the genuine first-party items (the rest being ReScript-migration debt + vendored libs, see below). code_safety (CWE): - src/commands/apply.rs: replace 3 unwrap() (DoS-via-panic, CWE-754) with safe handling -- error.as_deref().unwrap_or(...) and an if-let on failure_index (both were provably Some; now panic-free). - src/verisimdb.rs: VeriSimDbClient::new() no longer .expect()s the HTTP client build; falls back to a default client (CWE-754). structural_drift (anti-fiction doc accuracy -- verified src/ has only abi/ commands/ importers/, not the referenced dirs): - EXPLAINME.adoc: src/graph/ -> src/graph.rs; src/aspects/ -> src/commands/aspect.rs; src/cli/ -> src/tui.rs; src/scenarios/ -> src/commands/scenario.rs; src/export/ -> src/commands/export.rs. - 0-AI-MANIFEST.a2ml: .machines_readable/6scm/*.scm -> .machine_readable/6a2/*.a2ml. Also removes the spent hypatia-findings-dump diagnostic workflow. Verified: cargo check + cargo test -p reposystem green. Deferred, with reason (NOT silently suppressed): migration_rules (36) + vendored gui/lib code_safety belong to the ReScript->AffineScript migration (epic #93); web/app.js "HTTP URL" findings are false positives (SVG xmlns http://www.w3.org/2000/svg + localhost); web innerHTML is grandfathered-prototype debt; workflow_audit (13) reason is not surfaced by the scanner; CRG-AUDIT refs are historical. The neurosymbolic gate stays non-green (long-standing accepted debt; it has never blocked a merge) but the genuine issues are resolved. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KhFfkfjKaB7Rg957u3uCT6
hyperpolymath
added a commit
that referenced
this pull request
Jun 26, 2026
## Why Completes the **Q4 hypatia** work. The de-vendor (#133) + extraction (#134) already cut the neurosymbolic residual **222 → 92**. This PR fixes the genuine **first-party** items in that residual; the remainder is tracked migration debt, vendored third-party code, or scanner false-positives (enumerated below). > The scanner has no baseline file for reposystem (the existing `.hypatia-ignore` keys off `type` and serves only the **banned-language** gate), and blanket-suppressing 2 criticals + real CWEs wouldn't be honest — so this **fixes** rather than suppresses. ## Fixed **`code_safety` (CWE):** - **`src/commands/apply.rs`** — 3× `unwrap()` (DoS-via-panic, CWE-754) → `error.as_deref().unwrap_or("unknown error")` and an `if let (true, Some(idx))` on `failure_index`. Both were provably `Some`; now panic-free. - **`src/verisimdb.rs`** — `VeriSimDbClient::new()` no longer `.expect()`s the HTTP-client build; falls back to a default client (CWE-754). **`structural_drift` (anti-fiction doc accuracy)** — verified `src/` actually contains only `abi/ commands/ importers/` (+ flat `.rs`), not the referenced dirs: - **`EXPLAINME.adoc`** — `src/graph/`→`src/graph.rs`, `src/aspects/`→`src/commands/aspect.rs`, `src/cli/`→`src/tui.rs`, `src/scenarios/`→`src/commands/scenario.rs`, `src/export/`→`src/commands/export.rs`. (This is the very doc the CRG-D demotion was about.) - **`0-AI-MANIFEST.a2ml`** — `.machines_readable/6scm/*.scm` → `.machine_readable/6a2/*.a2ml`. Also removes the spent `hypatia-findings-dump` diagnostic workflow. **Verified:** `cargo check` + `cargo test -p reposystem` green. ## Deferred — with reasons (not silently suppressed) | Findings | Why deferred | |---|---| | `migration_rules` (36) + vendored `gui/lib/rescript-*` `code_safety` | ReScript→AffineScript migration debt (epic #93); `Obj.magic`/`getExn` are inherent to vendored FFI bindings | | `web/app.js` "HTTP URL" (16) | **False positives** — all `http://www.w3.org/2000/svg` (required SVG xmlns) + `localhost` | | `web/app.js` `innerHTML` (8) | grandfathered no-build web prototype; data is estate-controlled | | `workflow_audit` (13) | scanner reason not surfaced ("Issue in `<wf>.yml`") — undiagnosable without rule source | | `CRG-AUDIT-2026-04-18.adoc` refs | historical governance record | The long-red neurosymbolic gate stays non-green (accepted debt; it has never blocked a merge), but the genuine in-scope issues are now resolved. 🤖 Generated with [Claude Code](https://claude.com/claude-code) https://claude.ai/code/session_01KhFfkfjKaB7Rg957u3uCT6 --- _Generated by [Claude Code](https://claude.ai/code/session_01KhFfkfjKaB7Rg957u3uCT6)_ Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The two reposystem-scoped follow-ups to the #131 consolidation (per the agreed directions).
rpa-elysium — de-vendor (forge canonical)
The vendored 171-file tree had diverged from the live forge (141 of 155 common files differ; 16 vendored-only, 23 forge-only). Decision: the forge is canonical, so the vendored copy is replaced by a real submodule gitlink at forge HEAD
bda6720, declared in.gitmoduleswith agit@URL (matchinggit-scripts/git-reticulator).Nothing is lost: the complete vendored state is preserved on branch
archive/rpa-elysium-vendored-2026-06-21(all 171 files). Recover any vendored file viagit show archive/rpa-elysium-vendored-2026-06-21:rpa-elysium/<path>, or diff the two states from there.total-recall — drop the duplicate
total-recallandtotal-upgradewere byte-identical 28-file scaffolds (same tree84d1361). Kepttotal-upgrade(an activefeat/total-upgrade-scaffoldbranch targets it); removed thetotal-recallduplicate tree.Result
.gitmodulesnow declares three consistent gitlinks —git-scripts,git-reticulator,rpa-elysium.total-upgraderemains a local scaffold tree (its GitLab forge is unverifiable from this environment).Verification
git ls-files -s rpa-elysium→160000 bda6720… rpa-elysium(gitlink, not tree).git submodule status rpa-elysium→ clean atbda6720.total-upgradestill a040000tree;total-recallremoved.Not in this PR (separate, by decision)
bitfuckit,contractiles,recon-silly-ation,scaffoldia,stateful-artefacts) — needs creating their forge repos, which is outside this environment'sreposystem-scoped tooling; handling separately.🤖 Generated with Claude Code
https://claude.ai/code/session_01KhFfkfjKaB7Rg957u3uCT6
Generated by Claude Code