fix(governance): scan a clean caller tree (don't scan the .standards-checkout tooling)#466
Merged
…-checkout tooling

Follow-up to #455/#464. The baseline gate checks out standards' scripts/ into `.standards-checkout/` (to get apply-baseline.sh), but that directory lives INSIDE the caller's working tree — so `hypatia-cli.sh scan .` scanned it too and reported standards' OWN files as the caller's findings.

On neurophone#172 this surfaced 4 phantom findings from the tooling checkout: a banned-language `.ts` (critical) and three `shell_download` bootstrap.sh scripts (high), none of which are the caller's code. Every adopting repo would inherit these.

Fix: copy apply-baseline.sh to $RUNNER_TEMP and `rm -rf .standards-checkout` BEFORE the scan, then run the filter from $RUNNER_TEMP. hypatia now only ever sees the caller's own tree; the tooling checkout can't pollute the finding set.

Completes the estate-wide gate: with #455 (baseline consulted) + #464 (filter actually runs) + this (clean scan tree), validate-hypatia-baseline finally behaves as intended — suppress a repo's acknowledged baseline entries, fail on genuinely-new findings, and never conflate the tooling with the repo under audit.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0172RBMz3qYjb1ttzD2i7RNh



Summary
Third and final piece of the `validate-hypatia-baseline` fix (after #455 wired the filter and #464 made it run). The gate checks out standards' `scripts/` into `.standards-checkout/` to get `apply-baseline.sh`, but that directory sits inside the caller's working tree, so `hypatia-cli.sh scan .` scanned it too and reported standards' own files as the caller's findings.

Caught on neurophone#172, where 4 of the 8 "unfiltered" findings were pure tooling pollution:
None is the caller's code. Every adopting repo would inherit these.
The fix
Copy the filter out to `$RUNNER_TEMP` (outside the workspace), delete `.standards-checkout/`, then scan. hypatia only ever sees the repo under audit; the tooling can't pollute the finding set.
Net effect
With #455 (baseline actually consulted) + #464 (filter actually runs) + this (clean scan tree), the estate gate finally behaves as intended: suppress a repo's acknowledged baseline entries, fail on genuinely-new findings, and never conflate the tooling with the repo. Opt-in per repo via SHA-pin as before.
Draft pending CI + your review. (As with #455/#464, this job skips on standards' own CI — no baseline here — so it was reasoned through against neurophone#172's real output.)
🤖 Generated with Claude Code
https://claude.ai/code/session_0172RBMz3qYjb1ttzD2i7RNh
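The copy-then-delete-then-scan ordering described above, as an added shell example that is not the standards repo's workflow code. The constructed workspace layout, `make_fixture`, and the stand-in `scan_tree` (used here in place of `hypatia-cli.sh scan .`) are assumptions; the only real names are `apply-baseline.sh`, `.standards-checkout/` and `$RUNNER_TEMP`.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow: stage the baseline filter outside
# the workspace, remove the tooling checkout, and only then scan the tree.
set -eu

# Copy apply-baseline.sh out of the caller's tree and delete the checkout.
# $1 = caller workspace, $2 = scratch dir outside it ($RUNNER_TEMP in CI).
stage_filter_and_clean() {
  local workspace="$1" scratch="$2"
  local checkout="$workspace/.standards-checkout"
  [ -f "$checkout/apply-baseline.sh" ] || { echo "filter missing in $checkout" >&2; return 1; }
  cp "$checkout/apply-baseline.sh" "$scratch/apply-baseline.sh"
  rm -rf "$checkout"            # must happen BEFORE the scan runs
  [ ! -e "$checkout" ]          # the scan tree is now the caller's code only
}

# Stand-in for `hypatia-cli.sh scan .` (assumption): list every regular file
# the scanner would walk, relative to the workspace root.
scan_tree() {
  ( cd "$1" && find . -type f | sort )
}

# How many scanned paths come from the tooling checkout (0 after cleanup).
tooling_hits() {
  scan_tree "$1" | grep -c '^\./\.standards-checkout/' || true
}

# Constructed fixture: caller code plus a tooling checkout holding the kinds
# of files the PR says produced phantom findings (a .ts file, a bootstrap.sh).
make_fixture() {
  local ws="$1"
  mkdir -p "$ws/src" "$ws/.standards-checkout/tools"
  echo 'echo hello' > "$ws/src/build.sh"
  echo 'export {}' > "$ws/.standards-checkout/tools/helper.ts"
  echo '# bootstrap' > "$ws/.standards-checkout/tools/bootstrap.sh"
  echo '#!/bin/sh' > "$ws/.standards-checkout/apply-baseline.sh"
}

ws="$(mktemp -d)"; tmp="$(mktemp -d)"
make_fixture "$ws"
echo "before cleanup: $(tooling_hits "$ws") tooling paths in scan"   # prints 3
stage_filter_and_clean "$ws" "$tmp"
echo "after cleanup:  $(tooling_hits "$ws") tooling paths in scan"   # prints 0
# The filter is then invoked from "$tmp/apply-baseline.sh", never from the tree.
rm -rf "$ws" "$tmp"
```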