From 4bb92bfcc0b970bfc39c76c1028fea12c6003c43 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 3 Jul 2026 03:12:25 +0000 Subject: [PATCH] =?UTF-8?q?fix(governance):=20scan=20a=20clean=20caller=20?= =?UTF-8?q?tree=20=E2=80=94=20don't=20scan=20the=20.standards-checkout=20t?= =?UTF-8?q?ooling?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up to #455/#464. The baseline gate checks out standards' scripts/ into `.standards-checkout/` (to get apply-baseline.sh), but that directory lives INSIDE the caller's working tree — so `hypatia-cli.sh scan .` scanned it too and reported standards' OWN files as the caller's findings. On neurophone#172 this surfaced 4 phantom findings from the tooling checkout: a banned-language `.ts` (critical) and three `shell_download` bootstrap.sh scripts (high), none of which are the caller's code. Every adopting repo would inherit these. Fix: copy apply-baseline.sh to $RUNNER_TEMP and `rm -rf .standards-checkout` BEFORE the scan, then run the filter from $RUNNER_TEMP. hypatia now only ever sees the caller's own tree; the tooling checkout can't pollute the finding set. Completes the estate-wide gate: with #455 (baseline consulted) + #464 (filter actually runs) + this (clean scan tree), validate-hypatia-baseline finally behaves as intended — suppress a repo's acknowledged baseline entries, fail on genuinely-new findings, and never conflate the tooling with the repo under audit. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_0172RBMz3qYjb1ttzD2i7RNh --- .github/workflows/governance-reusable.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/governance-reusable.yml b/.github/workflows/governance-reusable.yml index b2047c91..301ba3e2 100644 --- a/.github/workflows/governance-reusable.yml +++ b/.github/workflows/governance-reusable.yml @@ -128,6 +128,14 @@ jobs: BLOCKING_THRESHOLD: info run: | echo "Scanning repository: ${{ github.repository }} (checking baseline)" + # Move the baseline filter OUT of the scanned tree, then delete the + # standards checkout, so `hypatia scan .` only ever sees the CALLER's + # own files. Without this, `.standards-checkout/` (the tooling we + # checked out to get apply-baseline.sh) is itself scanned, and + # standards' own files get reported as the caller's findings (a banned + # `.ts`, `shell_download` bootstrap.sh scripts, etc.). + cp .standards-checkout/scripts/apply-baseline.sh "$RUNNER_TEMP/apply-baseline.sh" + rm -rf .standards-checkout # hypatia's `scan` exits non-zero whenever it finds anything — that is # by design, and under `bash -e` it would abort this step at this line, # before the baseline filter (the real gate) ever runs. Tolerate the @@ -160,7 +168,7 @@ jobs: # suppresses only exact matches. Exits non-zero iff a kept finding is at # or above BLOCKING_THRESHOLD. (Validated against synthetic fixtures; # see the PR description.) - bash .standards-checkout/scripts/apply-baseline.sh \ + bash "$RUNNER_TEMP/apply-baseline.sh" \ hypatia-findings.json .hypatia-baseline.json blocking language-policy: name: Language / package anti-pattern policy