chore(hypatia): clear false-positive + stale-ref findings at source (issue #34)#131
Merged
Conversation
Reduces the issue-#34 Hypatia backlog by addressing the findings that are unambiguously fixable/false-positive at source (verified against the scan artifact `hypatia-findings.json`): - security_errors/secret_detected (CRITICAL ×3, docs/wiki/guides/installation.md): FALSE POSITIVE — placeholder env-var examples (`sk-...`, `sk-ant-...`) matched the OpenAI/Anthropic key-prefix regex. No real secret. Replaced with unambiguous `<your-openai-key>` / `<your-anthropic-key>` placeholders (clearer for readers, and no longer matches the detector). - structural_drift/SD007 (×3, .claude/CLAUDE.md): the Language Policy table still listed `STATE.scm, META.scm, ECOSYSTEM.scm`; the repo migrated those to `.machine_readable/6a2/{STATE,META,ECOSYSTEM}.a2ml` (stated at the top of the same file). Updated the row to the current `.a2ml` paths. - workflow_audit/missing_timeout_minutes (push-email-notify.yml): unlike the exempted reusable-workflow callers, this is a DIRECT `runs-on` job, so the finding is legitimate — hardened with `timeout-minutes: 5` at source. - code_safety/coq_axiom (×15, ResourceAlgebra.v): FALSE POSITIVE — these are `Parameter`/`Axiom` fields of a Coq `Module Type` (the resource-semiring INTERFACE), discharged by every concrete instance, not global kernel axioms. The verified development stays axiom-free (`Print Assumptions` closed). Exempted in `.hypatia-ignore` with rationale, per the repo's fix-or-justify discipline. Remaining #34 backlog (high-volume code findings like the 157 expect()/26 unwrap() sites, plus meta `code_scanning_alerts`/`git_state` findings) is NOT included: those need the Hypatia tool to verify each fix clears, which isn't runnable in this environment — tracked for a dedicated burndown. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
…examples The PR #131 placeholder cleanup did not clear the secret_detected findings: the detector matches the `KEY="value"` assignment SHAPE, not the `sk-` prefix. The 4 findings are confirmed false positives (env-var setup EXAMPLES in install/ getting-started docs, placeholder values, no real credential), so scope-exempt them in .hypatia-ignore with rationale. Drops critical 5 -> 1. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
code_safety/transmute fired on my-llvm/src/lib.rs but there is NO mem::transmute call there — the word appears only inside a SAFETY comment documenting a GetElementPtr pointer invariant. Verified: grep for an actual transmute call returns nothing. Scope-exempt with rationale. Drops the last critical (1 -> 0). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
The code_safety/transmute finding keyword-matches the WORD; my-llvm has no mem::transmute call, only the word 'transmuted' in a SAFETY comment. Reword 'raw transmuted integer' -> 'raw bit-reinterpreted integer' so the keyword matcher no longer fires (source-level removal; the .hypatia-ignore entry stays as a documented backstop). Comment-only change; semantics unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
#131's my-llvm .rs edit triggered the ClusterFuzzLite workflow for the first time since the #130 build fix — validating it: fuzz_main built and ran 177M executions in 301s with ZERO crashes. The job still failed on the final step: `upload-sarif` runs `if: always()` but a clean run writes no vulnerabilities.sarif, so it errored 'Path does not exist'. Guard the upload with `hashFiles('vulnerabilities.sarif') != ''` so a no-crash run passes cleanly. Applied to both cflite_pr.yml and cflite_batch.yml. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
You sent the Hypatia scan artifact, so I triaged the 43 findings (5 critical, 8 high, 30 medium) and fixed the unambiguous ones at source. Most important first: the 4 "critical secret" findings are FALSE POSITIVES — placeholder env-var examples in docs (
sk-...,sk-ant-...,your-key-here) that match the OpenAI/Anthropic key-prefix regex. No real secret is leaked.Fixed in this PR (confident, source-level)
secret_detected×3 — installation.md<your-openai-key>/<your-anthropic-key>structural_drift/SD007×3 — CLAUDE.mdSTATE.scm…→ current.a2mlpathsmissing_timeout_minutes— push-email-notify.ymltimeout-minutes: 5(it's not a reusable-caller, so fixed not exempted)coq_axiom×15 — ResourceAlgebra.vModule Typeinterface fields, not kernel axioms) → exempted in.hypatia-ignorewith rationaleHonest scope — what's NOT here, and why
I cannot run Hypatia in this environment (no Elixir; network locked to the 5 repos), so I can't verify that a given edit actually clears a given finding. I only included changes I'm confident about by inspection. The rest of the issue-#34 backlog needs the tool in the loop:
expect_in_hot_path(157 insrc/parser.rs, 5 in my-mir, …) andunwrap_without_check(26 in my-fmt, 3 in my-llvm, 2 in my-lint, 1 in my-hir). Real, but fixing 190+ sites blind and hoping each clears (and doesn't just moveunwrap→expect, which is a different rule) is not reliable. Needs a verifiable burndown.transmute/unsafe_block(my-llvm) — almost certainly necessary FFI; want a// SAFETY:review, not a blind edit.code_scanning_alerts/CSA00x(≈13; they flag the age of existing alerts, self-resolving) andgit_state/GS007(counts non-main remote branches — these very PR branches). Not code-fixable in a PR;.hypatia-ignore's path-fragment format can't cleanly scope them either.structural_drift/SD022×5 — docs referencing renamed dirs (src/hir/→crates/my-hir, …); fixable but I'd be guessing the intended current paths.Recommendation for the remainder: with Hypatia runnable locally, do a verifiable burndown of the code findings; for the meta/age findings, either resolve the underlying alerts or accept them in
.hypatia-baseline.json(its purpose). I didn't blanket-baseline because the repo's discipline is fix-don't-suppress, and baselining critical/security findings blind would be wrong.🤖 Generated with Claude Code
https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
Generated by Claude Code