feat(scripts): hcg-policy-smoke.sh — unknown-path default-deny canary (Phase E) #222
Merged
🔍 Hypatia Security Scan
Findings: 215 issues detected
[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "missing_timeout_minutes",
"file": "scorecard-enforcer.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in codeql.yml",
"type": "codeql_missing_actions_language",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
🏁 path-claims bench
Commit | Numbers
Host-dependent — compare deltas across commits, not absolute values.
… (Phase E)
Adds one new probe to `scripts/hcg-policy-smoke.sh` so the §1.5 operator
pre-check isolates the no-match → default-deny branch of the gateway's
three-tier lookup (exact → regex → global) at the `{:error, :no_match}`
clause in `http-capability-gateway/lib/http_capability_gateway/gateway.ex`.
Before this PR the smoke script's verb-canary block covered six
unknown-method regressions (DELETE/PUT/PATCH on listed exact paths,
OPTIONS on a listed path, DELETE on a regex-matched route, GET on a
POST-only public route). All six exercise a known path with a verb
outside `global_verbs`. None of them exercises the symmetric pathway: a
verb that *is* in `global_verbs` against a path that has no matching
rule at all. That branch is independently possible to break (a regression
in the global-fallback handling alone would leak there without
triggering any of the existing canaries) so the operator pre-check now
fails closed on both classes.
The new probe targets `GET /__phase-e-canary-unknown-path__` — a
synthetic path that cannot collide with any real route in
`config/gateway-policy-boj.yaml` or any future addition (the prefix is
reserved for this probe by the comment in the script). GET is in
`global_verbs`, so the only way this can default-deny is the no-match
branch.
Runbook §1.5 prose updated to describe the new canary alongside the
existing verb canaries; version bumped 0.5 → 0.6. The §1.5 checkbox
itself stays open — it requires the operator to actually run the script
against staging, which is unchanged.
`bash -n scripts/hcg-policy-smoke.sh` passes. No Elixir / Idris / CI
workflow files touched.
Refs hyperpolymath/standards#91
Refs hyperpolymath/standards#100
(Per rollout runbook §6.5 — single-lane channel discipline — this PR
deliberately does NOT `Closes #100`. Phase E close is owner-driven and
gated on §3.3 (100% soak), §6.4 (Trustfile flip), and cerro-torre
`.ctp` signing. Each Phase E sub-task PR is a `Refs`-only advance.)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1d253ac to b53bba6
Summary
Extends the §1.5 operator pre-check (`scripts/hcg-policy-smoke.sh`) with one new probe — `GET /__phase-e-canary-unknown-path__` — that isolates the no-match → default-deny branch of the gateway's three-tier lookup at the `{:error, :no_match}` clause in `http-capability-gateway/lib/http_capability_gateway/gateway.ex`. The existing six verb canaries cover the unknown-method path (known path, verb outside `global_verbs`); this canary covers the symmetric unknown-path path (verb in `global_verbs`, no matching rule). Both must default-deny on independent code branches, so the operator pre-check now fails closed on both classes.

Why
A regression in global-fallback handling alone would leak through the unknown-path branch without tripping any existing canary. The verb-canary block is comprehensive within its class; this PR adds the symmetric class so neither half can silently regress.
The synthetic prefix `__phase-e-canary-` is reserved for this probe by the script comment and cannot collide with any real or future route in `config/gateway-policy-boj.yaml`.

Changes
- `scripts/hcg-policy-smoke.sh`: one new `probe GET …` invocation + leading comment explaining the unknown-method vs unknown-path code-path split.
- `docs/integration/hcg-tier2-rollout-runbook.md`: §1.5 prose updated to describe the new canary alongside the existing verb canaries; version 0.5 → 0.6; date 2026-06-13 → 2026-06-14.

Test plan
- `bash -n scripts/hcg-policy-smoke.sh` — script parses cleanly.
- `scripts/hcg-policy-smoke.sh --gateway-url <staging>` should report `PASS path-canary:GET on synthetic unknown path (no-match default-deny)` alongside the existing 25 deny probes and six verb canaries. (Same operator action as before; one extra `PASS` line.)

Phase E channel notes
- `hyperpolymath/standards#91` (parent) → Phase E (#100) is the active sub-issue.
- `.ctp` signing. Each Phase E sub-task therefore lands as a `Refs`-only advance — this PR deliberately does not `Closes #100`.

Refs hyperpolymath/standards#91
Refs hyperpolymath/standards#100
🤖 Generated with Claude Code
Generated by Claude Code
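
The argument for the new canary, as an added example (not code from this PR or from the gateway): a Python model of an exact → regex → global lookup next to a hypothetical regression in the no-match fallback. The rule table, the meaning given to `GLOBAL_VERBS` and all function names are assumptions; only the canary path comes from the page.

```python
import re

# Constructed policy for illustration; these routes are NOT from gateway-policy-boj.yaml.
EXACT = {"/health": {"GET"}, "/api/items": {"GET", "POST"}}
REGEX = [(re.compile(r"^/api/items/\d+$"), {"GET"})]
GLOBAL_VERBS = {"GET", "POST", "HEAD"}  # assumed: verbs the global tier recognises


def lookup(path):
    """Tiers 1 and 2: allowed-verb set of the first matching rule, or None on no match."""
    if path in EXACT:
        return EXACT[path]
    for pattern, verbs in REGEX:
        if pattern.match(path):
            return verbs
    return None  # models the no-match case


def decide(verb, path):
    """Intended behaviour: no matching rule means deny, whatever the verb."""
    verbs = lookup(path)
    if verbs is None:
        return "deny"
    return "allow" if verb in verbs else "deny"


def decide_regressed(verb, path):
    """Hypothetical regression: on no match, any verb in GLOBAL_VERBS is let through."""
    verbs = lookup(path)
    if verbs is None:
        return "allow" if verb in GLOBAL_VERBS else "deny"
    return "allow" if verb in verbs else "deny"


# Known path + disallowed verb (the existing class) vs. allowed verb + unknown path (the new class).
VERB_CANARIES = [("DELETE", "/health"), ("PUT", "/api/items"), ("DELETE", "/api/items/42")]
PATH_CANARY = [("GET", "/__phase-e-canary-unknown-path__")]


def leaks(decide_fn, probes):
    """Probes that were not denied; a non-empty result should fail the smoke run."""
    return [p for p in probes if decide_fn(*p) != "deny"]


if __name__ == "__main__":
    print("regressed, verb canaries:", leaks(decide_regressed, VERB_CANARIES))
    print("regressed, path canary: ", leaks(decide_regressed, PATH_CANARY))
```

Under the regressed fallback every verb canary still reports a deny, because each one resolves at the exact or regex tier; only the unknown-path probe reaches the fallback and exposes the leak.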