fix(licence): #3 isolated — clear scaffold-placeholder leak (verisimdb-data)

[hyperpolymath]

#3 isolated pass (pilot #32-shape). Scaffold-placeholder leak per standards/LICENCE-POLICY.adoc A5 — NOT relicensing. -> PMPL-1.0-or-later. 3 file(s). Isolated mode (if dirty) stages ONLY placeholder lines; repo WIP untouched. Gates: per-file clean check, diff-shape asserted, auto-revert on anomaly. 🤖 Generated with Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 12 issues detected

Severity	Count
🔴 Critical	0
🟠 High	5
🟡 Medium	7

View findings

[
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/verisimdb-data/verisimdb-data",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/verisimdb-data/verisimdb-data/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Nominal-only SAST in verisimdb-data: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/verisimdb-data/verisimdb-data",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 4 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "References STATE.scm -- should be .machine_readable/6a2/STATE.a2ml",
    "type": "SD007",
    "file": "0-AI-MANIFEST.a2ml",
    "action": "update_reference",
    "rule_module": "structural_drift",
    "severity": "medium"
  },
  {
    "reason": "References META.scm -- should be .machine_readable/6a2/META.a2ml",
    "type": "SD007",
    "file": "0-AI-MANIFEST.a2ml",
    "action": "update_reference",
    "rule_module": "structural_drift",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence