chore(governance): adopt estate-standardization wave + 2026-06-12 checkpoint #55
- C001: CodeQL language fixes
- C002: License identifier standardization
- C003: Outdated actions audit
- C004: Pin standards refs to SHA 861b5e9
- C005: Add workflow-level permissions
…ude/CLAUDE.md, rust-ci.yml)
Per `standards#286` canonical (cut 3, Option B 2026-05-30): convert CodeQL scheduled run from weekly `0 6 * * 1` to monthly `0 6 1 * *`. PR-trigger runs unchanged — every PR still gets CodeQL.

Refs `hyperpolymath/standards#288` (campaign).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- 6a2/STATE.a2ml refreshed from git log since 2026-04-04 (PRs #27-#53); META gains last-updated
- bot_directives trio added (hypatia, gitbot-fleet, git-private-farm) + README precedence/scope
- flat contractiles fully populated with repo-true obligations (Must/Trust/Intent/Adjust ported from prior contractile set; hardened crypto Trustfile content preserved, trust-level minimal)
- Dustfile/Bustfile added to flat set (ported from old nested dust/bust)
- self-validating/ fleshed out with shared k9 template set (januskey identity; januskey-metadata.k9.ncl + threat-model.a2ml kept)
- 6a2/anchor/ANCHOR realignment entry; svc/README pointer-ized
- wiki Home + README currency (proofs-pending qualifiers, status entry, CONTRIBUTING link fix)
- ffi/zig/src/main.zig: Handle was 'opaque' WITH FIELDS — invalid Zig (0.13: 'opaque types cannot have fields') and allocator.create needs a sized type. Now a struct; C side still sees only the opaque pointer. Pre-existing on main (this branch had not touched ffi/).
- tests/aspect/cross_cutting_test.sh: ((PASS++)) under 'set -e' exits 1 when PASS=0, killing the script after the FIRST check — this gate could never pass. POSIX arithmetic assignment instead.
- codeql.yml: javascript-typescript matrix entry fails 'no source code seen' (zero JS/TS files in repo); scan 'actions' instead (same fix as oblibeny + maa-framework).
- self-validating/methodology-guard.k9.ncl: add required 'K9!' magic line + pedigree block (data-only, no permissions) per the repo's K9 gate; the nextgen-typing template it was adapted from lacks both.

https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ
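
The `set -e` failure described in the commit message above, reproduced as an added example (constructed here, not the repository's `tests/aspect/cross_cutting_test.sh`). The `run_gate` helper and the snippet variables are hypothetical names, and `bash` is assumed to be on `PATH`.

```bash
#!/usr/bin/env bash
# Constructed demo of a pass counter under errexit.

# Run a snippet in a child bash with errexit on; print the child's exit status.
run_gate() {
    local rc=0
    bash -c "set -e; $1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Broken: PASS++ is a post-increment, so the expression evaluates to the OLD
# value. (( )) returns status 1 when that value is 0, and set -e aborts
# before the second check ever runs.
broken_counter='PASS=0; ((PASS++)); ((PASS++)); [ "$PASS" -eq 2 ]'

# Fixed: a plain assignment with $(( )) expansion always returns status 0.
fixed_counter='PASS=0; PASS=$((PASS + 1)); PASS=$((PASS + 1)); [ "$PASS" -eq 2 ]'

# The trap only fires on the 0 -> 1 step, which is why it is easy to miss
# when a counter happens to start at a non-zero value.
nonzero_start='PASS=1; ((PASS++)); [ "$PASS" -eq 2 ]'

echo "broken counter exit status: $(run_gate "$broken_counter")"
echo "fixed counter exit status:  $(run_gate "$fixed_counter")"
echo "non-zero start exit status: $(run_gate "$nonzero_start")"
```

A gate that dies on its first passing check reports failure for every commit, which trains reviewers to ignore it; the arithmetic-assignment form keeps the counter and the exit status independent.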
…ves; k9 pedigree name

- ffi/zig/build.zig: linkLibC() on lib+tests (main.zig uses std.heap.c_allocator → 'C allocator is only available when linking against libc'); expose src/main.zig to tests as @import("januskey") via addAnonymousImport (relative ../src import is outside the test module path in Zig 0.13). 'zig build' now exits 0 (was failing on main). NOTE: 'zig build test' still fails — the integration tests target the intended jk_* API (ContentHash/KeyId/OblitProof/jk_init/...) while main.zig is template scaffold; implementing that API is product work, tracked as a proposed issue, pre-existing gap.
- tests/aspect/cross_cutting_test.sh: the believe_me/assert_total/sorry greps matched the Proofs.idr COMMENT asserting their absence, and the unsafe grep matched '#![forbid(unsafe_code)]' — the line that bans unsafe. Now comment/attribute-aware. 28/29 checks pass locally (29th is a local-only .zig-cache artifact; clean on CI).
- methodology-guard.k9.ncl: pedigree gains required 'name' field.

https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ
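
One way to make such a grep comment- and attribute-aware, shown for the Rust `unsafe` case only. This is an added example, not the repository's script; the sample sources and function names are constructed, and it assumes `//` line comments (no `/* */` blocks, no `//` inside string literals).

```bash
#!/usr/bin/env bash
# Constructed Rust samples (not the repository's source).
sample_clean() {
    cat <<'EOF'
#![forbid(unsafe_code)]
// No unsafe blocks are used anywhere in this crate.
pub fn add(a: u32, b: u32) -> u32 { a + b }
EOF
}

sample_dirty() {
    cat <<'EOF'
pub fn peek(p: *const u8) -> u8 {
    // SAFETY: caller guarantees p is valid
    unsafe { *p }
}
EOF
}

# Naive gate: counts every line containing the substring, including the
# attribute that bans unsafe code and the comment asserting its absence.
naive_hits() { grep -c 'unsafe' || true; }

# Aware gate: drop // comments, drop #[...] and #![...] attribute lines,
# then match 'unsafe' only as a whole word. grep -c exits 1 on a zero
# count, so '|| true' keeps the function usable under 'set -e'.
aware_hits() {
    sed -e 's://.*$::' \
      | grep -Ev '^[[:space:]]*#!?\[' \
      | grep -cw 'unsafe' || true
}

echo "clean, naive: $(sample_clean | naive_hits)"
echo "clean, aware: $(sample_clean | aware_hits)"
echo "dirty, aware: $(sample_dirty | aware_hits)"
```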
git-private-farm.a2ml records only the secret's NAME, but the literal 'secret = "…"' shape trips Hypatia's generic-secret detector (error-level, fails the gate — seen on nextgen-typing#34 / oblibeny#59). Renamed the key; no value was ever present. https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ
This was referenced Jun 12, 2026
Summary

Reconciles the orphaned `estate-standardization-20260607` branch and applies the 2026-06-12 governance checkpoint. Three commits:

- `3157d08` estate merge — conflicts `.claude/CLAUDE.md` + `rust-ci.yml` both resolved to main's versions (verified zero diff vs main for both). Wave brings: `6a2/0-AI-MANIFEST.a2ml` + `6a2/anchor/`, `agent_instructions/`→`bot_directives/`, `svc/k9/`→`self-validating/`, flat contractiles, `GOVERNANCE.adoc`/`MAINTAINERS.adoc`/`CODEOWNERS`, OpenSSF badge, plain-MPL-2.0 LICENSE, `flake.nix` removed (guix.scm primary).
- `bda5afe` codeql cron weekly→monthly (cherry-pick of `cicd/codeql-cron-monthly`).
- `d2bdd55` checkpoint layer (24 files, `.machine_readable/` + docs only):
  - `STATE.a2ml` refreshed to 2026-06-12 with `[recent-work]` from the real git log (PRs #27–#53); completion held honestly at 60% / CRG D.
  - `rsr-template-repo` copies; `minimal`/deny-by-default back to `maximal` — the hardened trust posture (no-key-material, no-homerolled-hmac, MCP gating) is restored and preserved. Dustfile + Bustfile fully written (n/a sections carry reasons).
  - `bot_directives/` trio (hypatia / gitbot-fleet / git-private-farm), never-touch list adapted to januskey (`src/abi/`, `generated/idrisiser/`, threat-model, Trustfile).
  - `self-validating/` fleshed out to the shared k9 template set (januskey identity), keeping `januskey-metadata.k9.ncl` + `threat-model.a2ml`.

After merge — branches deletable (maintainer action)

`estate-standardization-20260607`, `cicd/codeql-cron-monthly`, plus 4 verified byte-identical/superseded strays: `chore/scorecard-job-level-perms-282`, `claude/changelog-seed-2026-05-26`, `claude/tech-debt-2026-05-26`, `docs/claude-md-rescript-to-affinescript`. (#54 is dependabot's — leave.)

Flagged for maintainer

- `.claude/CLAUDE.md` needs 3 maintainer edits (agent-blocked): line ~46 leftover "ReScript"; stale "Fallback: Nix (flake.nix)"; "Guile Scheme — State/meta" row describing `.a2ml` files.
- `TESTING-REPORT.scm` in repo root violates the repo's own MUST invariant.
- `instant-sync.yml` lacks the `FARM_DISPATCH_TOKEN` presence gate.

🤖 Draft — opened for review.
https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ
Generated by Claude Code