
fix(governance): scan a clean caller tree (don't scan the .standards-checkout tooling)#466

Merged
hyperpolymath merged 2 commits into main from claude/neurophone-repo-setup-envzix on Jul 3, 2026

Conversation

@hyperpolymath

Owner

Summary

Third and final piece of the validate-hypatia-baseline fix (after #455 wired the filter and #464 made it run). The gate checks out standards' scripts/ into .standards-checkout/ to get apply-baseline.sh — but that directory sits inside the caller's working tree, so hypatia-cli.sh scan . scanned it too and reported standards' own files as the caller's findings.

Caught on neurophone#172, where 4 of the 8 "unfiltered" findings were pure tooling pollution:

.standards-checkout/scripts/check-ts-allowlist.ts                      banned_language (critical)
.standards-checkout/neurosym-a2ml/scripts/bootstrap.sh                 shell_download  (high)
.standards-checkout/agentic-a2ml/scripts/bootstrap.sh                  shell_download  (high)
.standards-checkout/.../rsr-deployer/scripts/bootstrap.sh              shell_download  (high)

None is the caller's code. Every adopting repo would inherit these.

The fix

cp .standards-checkout/scripts/apply-baseline.sh "$RUNNER_TEMP/apply-baseline.sh"
rm -rf .standards-checkout          # <- before the scan
HYPATIA_FORMAT=json … scan .        # now only sees the caller's own tree
…
bash "$RUNNER_TEMP/apply-baseline.sh"

Copy the filter out to $RUNNER_TEMP (outside the workspace), delete .standards-checkout/, then scan. hypatia only ever sees the repo under audit; the tooling can't pollute the finding set.

Net effect

With #455 (baseline actually consulted) + #464 (filter actually runs) + this (clean scan tree), the estate gate finally behaves as intended: suppress a repo's acknowledged baseline entries, fail on genuinely-new findings, and never conflate the tooling with the repo. Opt-in per repo via SHA-pin as before.

Draft pending CI + your review. (As with #455/#464, this job skips on standards' own CI — no baseline here — so it was reasoned through against neurophone#172's real output.)

🤖 Generated with Claude Code

https://claude.ai/code/session_0172RBMz3qYjb1ttzD2i7RNh
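The ordering the PR describes (copy the filter out, delete the checkout, then scan), as an added example that is not the standards workflow or hypatia itself. `scan_tree` is a constructed stand-in scanner that flags files piping a download into a shell (the shape of a shell_download finding); the workspace, the tooling checkout and the one-line apply-baseline.sh stand-in are all constructed here, and hypatia-cli.sh's real output format is not reproduced.

```bash
#!/usr/bin/env bash
# Added example: shows why .standards-checkout/ must be removed BEFORE the scan.
# scan_tree is a constructed stand-in for hypatia-cli.sh, not the real tool.
set -euo pipefail

# Stand-in scanner: one line per flagged file, path relative to the tree root.
scan_tree() {
  local root="$1"
  ( cd "$root" && grep -rlE 'curl[^|]*[|][[:space:]]*(ba)?sh' . ) | sed 's#^\./##' | sort
}

# Constructed workspace: caller code plus a tooling checkout INSIDE the tree.
make_workspace() {
  local ws="$1"
  mkdir -p "$ws/.standards-checkout/scripts" "$ws/.standards-checkout/rsr-deployer/scripts"
  printf 'echo "filter stand-in ran"\n' > "$ws/.standards-checkout/scripts/apply-baseline.sh"
  printf 'curl -fsSL https://example.invalid/x | sh\n' > "$ws/.standards-checkout/rsr-deployer/scripts/bootstrap.sh"
  printf 'curl -fsSL https://example.invalid/y | bash\n' > "$ws/deploy.sh"
}

# Pre-fix ordering: scan while the checkout is still in the caller's tree.
scan_before_fix() {
  scan_tree "$1"
}

# Fixed ordering: copy the filter out to a temp dir (outside the workspace),
# delete the checkout, scan, then run the filter from its copy.
scan_after_fix() {
  local ws="$1" tmp
  tmp="$(mktemp -d)"
  cp "$ws/.standards-checkout/scripts/apply-baseline.sh" "$tmp/apply-baseline.sh"
  rm -rf "$ws/.standards-checkout"          # <- before the scan
  scan_tree "$ws"                           # only the caller's own files remain
  bash "$tmp/apply-baseline.sh" >/dev/null  # the copy survives the rm -rf
  rm -rf "$tmp"
}

# Stand-alone run: the tooling's bootstrap.sh shows up before the fix, not after.
demo() {
  local ws; ws="$(mktemp -d)"
  make_workspace "$ws"
  echo "before fix:"; scan_before_fix "$ws"
  echo "after fix:";  scan_after_fix "$ws"
  rm -rf "$ws"
}
demo
```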


Generated by Claude Code

…-checkout tooling

Follow-up to #455/#464. The baseline gate checks out standards' scripts/ into
`.standards-checkout/` (to get apply-baseline.sh), but that directory lives
INSIDE the caller's working tree — so `hypatia-cli.sh scan .` scanned it too and
reported standards' OWN files as the caller's findings. On neurophone#172 this
surfaced 4 phantom findings from the tooling checkout: a banned-language `.ts`
(critical) and three `shell_download` bootstrap.sh scripts (high), none of which
are the caller's code. Every adopting repo would inherit these.

Fix: copy apply-baseline.sh to $RUNNER_TEMP and `rm -rf .standards-checkout`
BEFORE the scan, then run the filter from $RUNNER_TEMP. hypatia now only ever
sees the caller's own tree; the tooling checkout can't pollute the finding set.

Completes the estate-wide gate: with #455 (baseline consulted) + #464 (filter
actually runs) + this (clean scan tree), validate-hypatia-baseline finally
behaves as intended — suppress a repo's acknowledged baseline entries, fail on
genuinely-new findings, and never conflate the tooling with the repo under audit.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0172RBMz3qYjb1ttzD2i7RNh
@hyperpolymath hyperpolymath marked this pull request as ready for review July 3, 2026 03:58
@hyperpolymath hyperpolymath merged commit 412a703 into main Jul 3, 2026
18 checks passed
@hyperpolymath hyperpolymath deleted the claude/neurophone-repo-setup-envzix branch July 3, 2026 03:59
