Skip to content

feat: truthfulness gate + proof typecheck + trusted-base scripts#220

Merged
hyperpolymath merged 4 commits into
mainfrom
claude/foundry-a1-close
Jun 14, 2026
Merged

feat: truthfulness gate + proof typecheck + trusted-base scripts#220
hyperpolymath merged 4 commits into
mainfrom
claude/foundry-a1-close

Conversation

@hyperpolymath

@hyperpolymath hyperpolymath commented Jun 13, 2026

Copy link
Copy Markdown
Owner

Summary

Adds three quality gate scripts for the BoJ stack:

  • scripts/typecheck-proofs.sh: runs idris2 --find-ipkg --check on every .idr file under src/abi/ and cartridges/*/abi/; reports PASS/FAIL per file; exits 1 if any FAIL
  • scripts/check-trusted-base.sh: counts non-comment believe_me calls in SafetyLemmas.idr; exits 1 if count != 5 (the declared axiom budget); currently PASS 5/5
  • tests/truthfulness_check.sh: finds all cartridges with available:true across boj-server and sibling boj-server-cartridges, invokes boj-invoke on each first tool, fails if result is {"status":"stub"}; currently PASS=1 (textkit-mcp encode_base64), SKIP=264

Also fixes the pre-commit hook's boj-* AGPL classification heuristic — boj-server is hyperpolymath/boj-server (MPL-2.0), not a son-shared AGPL repo. Updated to only require AGPL when the boj-* repo actually has an AGPL LICENSE file.

Gate results

check-trusted-base.sh:
  Axiom count: 5 (expected 5)
  PASS: trusted-base axiom count correct (5/5)

truthfulness_check.sh:
  PASS textkit-mcp (encode_base64): {"base64":""}
  Results: PASS=1 FAIL=0 SKIP=264
  PASS: all available cartridges are truthful

Note: typecheck-proofs.sh surfaces 3 pre-existing failures in core ABI modules (CartridgeDispatch parser error, SafeCORS unsolved constraint, SafePromptInjection unsolved constraint). These predate this PR; textkit-mcp's new ABI proof passes cleanly.

Test plan

🤖 Generated with Claude Code

@hyperpolymath hyperpolymath marked this pull request as ready for review June 14, 2026 01:08
@hyperpolymath hyperpolymath enabled auto-merge (rebase) June 14, 2026 01:19
hyperpolymath and others added 3 commits June 14, 2026 02:26
@hyperpolymath
ci: fix CI/CD configuration (campaigns C001-C005)
3b7bca3 
- C001: CodeQL language fixes
- C002: License identifier standardization
- C003: Outdated actions audit
- C004: Pin standards refs to SHA 861b5e9
- C005: Add workflow-level permissions
@hyperpolymath @mistral-vibe
fix(ci): add missing timeout-minutes to all workflow jobs + update Hy…
5781b71 
…patia SHA + fix CodeQL timeout

Includes CodeQL timeout increase from 15 to 60 minutes.

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
@hyperpolymath
chore: rename k9 directories to self-validating for clarity
4e4582e
@hyperpolymath hyperpolymath force-pushed the claude/foundry-a1-close branch from d0beeb8 to 4e4582e Compare June 14, 2026 01:29
github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 14, 2026
View reviewed changes
Comment thread GEMINI.md
Comment thread SECURITY.md
Comment thread SECURITY.md Fixed
Comment thread TOPOLOGY.md
Comment thread TOPOLOGY.md
Comment thread TOPOLOGY.md
Comment thread TOPOLOGY.md
@github-actions

github-actions Bot commented Jun 14, 2026

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 242 issues detected

Severity Count
🔴 Critical 15
🟠 High 138
🟡 Medium 89

⚠️ Action Required: Critical security issues found!

View findings 
[
  {
    "reason": "Stale AI session file -- delete",
    "type": "stale",
    "file": "GEMINI.md",
    "action": "delete",
    "rule_module": "root_hygiene",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "missing_timeout_minutes",
    "file": "scorecard-enforcer.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "codeql_missing_actions_language",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath @claude
fix(docs): replace stale src/browser/ path reference in SECURITY.md t…
c51a515 
…emplate

src/browser/ was never a real directory in this repo; the browser surface
is cartridges/browser-mcp/. Corrects SD022 structural-drift alert.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jun 14, 2026

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 241 issues detected

Severity Count
🔴 Critical 15
🟠 High 138
🟡 Medium 88

⚠️ Action Required: Critical security issues found!

View findings 
[
  {
    "reason": "Stale AI session file -- delete",
    "type": "stale",
    "file": "GEMINI.md",
    "action": "delete",
    "rule_module": "root_hygiene",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "missing_timeout_minutes",
    "file": "scorecard-enforcer.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "codeql_missing_actions_language",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 7f001c2 into main Jun 14, 2026
31 of 36 checks passed
@hyperpolymath hyperpolymath deleted the claude/foundry-a1-close branch June 14, 2026 01:35
@hyperpolymath hyperpolymath mentioned this pull request Jun 14, 2026
Merged
2 tasks
hyperpolymath added a commit that referenced this pull request Jun 14, 2026
@hyperpolymath @claude
fix(proofs): add allTake/fromLteTrue lemmas + extend path_claims tests (
d0f32e1 
#221)

## Summary

- `SafetyLemmas.idr`: two new exported lemmas needed for
SafeHTTP/SafeCORS proof chains:
- `allTake`: if `allRec p xs = True` then `allRec p (take n xs) = True`
- `fromLteTrue`: converts a `Bool` lte witness `(a <= b) = True` to `LTE
a b`
- `falseImpliesNotTrue`: refactored from case-split to `rewrite prf in
Refl` so it works for any `Bool b`, not just the `False` constructor
- `mcp-bridge/tests/path_claims_test.js`: additional claim coverage

These were in the working tree during the foundry/truthfulness-gate
rebase (PR #220) and stashed for a clean PR.

## Test plan

- [ ] `idris2 --typecheck src/abi/boj.ipkg` passes
- [ ] `node mcp-bridge/tests/path_claims_test.js` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hyperpolymath @github-advanced-security