chore: sync local changes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

docs/BRANCH-PROTECTION-SETUP.md

@@ -0,0 +1,165 @@
+# Branch Protection Setup: Static Analysis Gate
+
+> SPDX-License-Identifier: PMPL-1.0-or-later
+
+This document explains how to wire the `static-analysis-gate.yml` workflow into
+GitHub branch protection so that every PR must pass panic-attack and hypatia
+before merging.
+
+---
+
+## Required Status Checks
+
+In your repository's **Settings > Branches > Branch protection rules** for
+`main` (and/or `master`), enable:
+
+| Status check name                         | Source workflow              |
+|-------------------------------------------|-----------------------------|
+| `panic-attack assail`                     | `static-analysis-gate.yml`  |
+| `Hypatia neurosymbolic scan`              | `static-analysis-gate.yml`  |
+| `Deposit findings for gitbot-fleet`       | `static-analysis-gate.yml`  |
+
+### Recommended branch protection settings
+
+- **Require status checks to pass before merging** — enabled
+- **Require branches to be up to date before merging** — enabled
+- **Include administrators** — enabled (lead by example)
+- **Restrict who can push to matching branches** — optional, recommended
+
+> **Note:** The `Hypatia Security Scan` check from the older `hypatia-scan.yml`
+> workflow is a *separate* status check. You may keep both or retire the older
+> one; `static-analysis-gate.yml` is the unified replacement.
+
+---
+
+## Enabling the Workflow in Any Repo
+
+### From the RSR template
+
+Repos bootstrapped from `rsr-template-repo` already include
+`.github/workflows/static-analysis-gate.yml`. Replace `{{OWNER}}` with your
+GitHub org/user name:
+
+```bash
+sed -i 's/{{OWNER}}/hyperpolymath/g' .github/workflows/static-analysis-gate.yml
+```
+
+### Adding to an existing repo
+
+Copy the workflow file into the target repo:
+
+```bash
+cp /path/to/rsr-template-repo/.github/workflows/static-analysis-gate.yml \
+   your-repo/.github/workflows/static-analysis-gate.yml
+
+cd your-repo
+sed -i 's/{{OWNER}}/hyperpolymath/g' .github/workflows/static-analysis-gate.yml
+git add .github/workflows/static-analysis-gate.yml
+git commit -m "ci: add static analysis gate for branch protection"
+git push
+```
+
+Then add the status checks in **Settings > Branches** as described above.
+
+---
+
+## Local Pre-Push Hook
+
+A local hook mirrors the CI gate so developers catch critical findings before
+pushing. Install it from `gitbot-fleet/hooks/pre-push-gate.sh`:
+
+```bash
+# Symlink (recommended — always picks up updates)
+ln -sf ~/Documents/hyperpolymath-repos/gitbot-fleet/hooks/pre-push-gate.sh \
+       .git/hooks/pre-push
+
+# Or copy
+cp ~/Documents/hyperpolymath-repos/gitbot-fleet/hooks/pre-push-gate.sh \
+   .git/hooks/pre-push
+chmod +x .git/hooks/pre-push
+```
+
+The hook gracefully degrades: if neither panic-attack nor hypatia is installed
+locally, it prints a notice and allows the push (CI will catch it).
+
+---
+
+## How Findings Flow Back to Hypatia for Learning
+
+```
+Developer pushes / opens PR
+        |
+        v
+static-analysis-gate.yml runs
+        |
+        +---> panic-attack assail  ---> findings JSON artifact
+        +---> hypatia scan         ---> findings JSON artifact
+        |
+        v
+deposit-findings job
+        |
+        +---> Combines both into unified-findings.json
+        +---> Uploads as "unified-findings" artifact (90-day retention)
+        |
+        v
+gitbot-fleet scanner (scheduled)
+        |
+        +---> Queries GitHub API for repos with unified-findings artifacts
+        +---> Downloads and ingests into hypatia's learning corpus
+        +---> Feeds rhodibot / echidnabot / sustainabot for pattern recognition
+        |
+        v
+Hypatia learning engine
+        |
+        +---> Updates neurosymbolic rules based on recurring patterns
+        +---> Feeds improved rules back into hypatia-cli.sh
+        +---> Cycle repeats with better detection on next scan
+```
+
+### Artifact-based ingestion
+
+The `deposit-findings` job uploads a `unified-findings` artifact to each
+workflow run. The gitbot-fleet's `learning-monitor.sh` script periodically:
+
+1. Lists recent workflow runs across enrolled repos.
+2. Downloads `unified-findings` artifacts.
+3. Parses the JSON envelope (`schema_version`, `repository`, `commit_sha`,
+   `timestamp`, `findings[]`).
+4. Deduplicates findings already in the learning corpus.
+5. Submits new findings to hypatia's pattern database.
+
+No secrets or special tokens are needed beyond the default `GITHUB_TOKEN` —
+artifacts are readable by the repo owner.
+
+---
+
+## Note on oikos/sustainabot
+
+The `sustainabot` bot was registered in the gitbot-fleet as a sustainability
+and maintenance scanner, but was never fully wired into the CI pipeline.
+`static-analysis-gate.yml` replaces the role sustainabot was intended to fill:
+
+- **What sustainabot was supposed to do:** Run periodic checks and flag
+  maintenance debt.
+- **What static-analysis-gate does instead:** Runs on every PR and push,
+  combining panic-attack (code quality / dangerous patterns) and hypatia
+  (neurosymbolic security analysis) into a single required gate.
+- **sustainabot's remaining role:** It can still operate as a *scheduled*
+  scanner for repos that have not yet adopted the gate workflow. Over time,
+  as all repos adopt `static-analysis-gate.yml`, sustainabot's workload
+  naturally decreases to zero.
+
+The gitbot-fleet coordinator (`fleet-coordinator.sh`) should be updated to
+recognise `unified-findings` artifacts as the primary input channel, replacing
+the ad-hoc sustainabot submission path.
+
+---
+
+## Checklist for New Repos
+
+- [ ] Copy `static-analysis-gate.yml` into `.github/workflows/`
+- [ ] Replace `{{OWNER}}` placeholder
+- [ ] Push to trigger first run
+- [ ] Add required status checks in branch protection settings
+- [ ] Install local pre-push hook (optional but recommended)
+- [ ] Verify `unified-findings` artifact appears after first run

hooks/post-scan.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: PMPL-1.0-or-later
+#
+# post-scan.sh — Post-scan hook for gitbot-fleet
+#
+# Called automatically by run-fleet.sh after a scan completes.
+# If critical findings are detected, triggers immediate fix dispatch.
+#
+# Arguments:
+#   $1  Number of critical findings
+#   $2  Number of high findings
+#   $3  Number of repos scanned
+#
+# Logs triggers to shared-context/learning/triggers.jsonl
+
+set -euo pipefail
+
+FLEET_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+LEARNING_DIR="$FLEET_DIR/shared-context/learning"
+TRIGGERS_LOG="$LEARNING_DIR/triggers.jsonl"
+
+mkdir -p "$LEARNING_DIR"
+
+CRITICAL="${1:-0}"
+HIGH="${2:-0}"
+REPOS_SCANNED="${3:-0}"
+TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+
+# Log the scan completion trigger
+jq -n \
+    --arg ts "$TIMESTAMP" \
+    --argjson critical "$CRITICAL" \
+    --argjson high "$HIGH" \
+    --argjson repos "$REPOS_SCANNED" \
+    --arg event "scan_complete" \
+    '{timestamp: $ts, event: $event, critical: $critical, high: $high, repos_scanned: $repos}' \
+    >> "$TRIGGERS_LOG"
+
+# If critical findings exist, immediately trigger fix for critical severity
+if [[ "$CRITICAL" -gt 0 ]]; then
+    echo "[post-scan] $CRITICAL critical findings detected -- triggering critical fix dispatch"
+
+    jq -n \
+        --arg ts "$TIMESTAMP" \
+        --argjson critical "$CRITICAL" \
+        --arg event "critical_autofix_trigger" \
+        --arg action "run-fleet.sh fix --severity critical" \
+        '{timestamp: $ts, event: $event, critical_count: $critical, action: $action}' \
+        >> "$TRIGGERS_LOG"
+
+    # Run the fix command for critical severity only (dry run -- safety first)
+    # To auto-apply, change to: --apply --severity critical
+    "$FLEET_DIR/run-fleet.sh" fix --severity critical
+else
+    echo "[post-scan] No critical findings. $HIGH high-severity findings across $REPOS_SCANNED repos."
+fi

hooks/pre-push-gate.sh

@@ -0,0 +1,161 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# pre-push-gate.sh — Local pre-push hook for static analysis.
+#
+# Runs panic-attack and hypatia locally before allowing a push.
+# Exits non-zero if critical findings are detected.
+#
+# Installation (symlink into any repo):
+#   ln -sf /path/to/gitbot-fleet/hooks/pre-push-gate.sh .git/hooks/pre-push
+#
+# Or copy it:
+#   cp /path/to/gitbot-fleet/hooks/pre-push-gate.sh .git/hooks/pre-push
+#   chmod +x .git/hooks/pre-push
+
+set -euo pipefail
+
+# Colours (disabled when stdout is not a terminal)
+if [ -t 1 ]; then
+  RED='\033[0;31m'
+  YELLOW='\033[0;33m'
+  GREEN='\033[0;32m'
+  BOLD='\033[1m'
+  RESET='\033[0m'
+else
+  RED='' YELLOW='' GREEN='' BOLD='' RESET=''
+fi
+
+REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
+CRITICAL_COUNT=0
+HIGH_COUNT=0
+TOTAL_COUNT=0
+SCANNERS_RUN=0
+
+# --------------------------------------------------------------------------
+# Helper: parse JSON finding counts (requires jq)
+# --------------------------------------------------------------------------
+count_findings() {
+  local json_file="$1"
+  if [ ! -s "$json_file" ] || ! jq empty "$json_file" 2>/dev/null; then
+    return
+  fi
+  local c h m l
+  c=$(jq '[.[] | select(.severity == "critical")] | length' "$json_file" 2>/dev/null || echo 0)
+  h=$(jq '[.[] | select(.severity == "high")]     | length' "$json_file" 2>/dev/null || echo 0)
+  m=$(jq '[.[] | select(.severity == "medium")]   | length' "$json_file" 2>/dev/null || echo 0)
+  l=$(jq '[.[] | select(.severity == "low")]      | length' "$json_file" 2>/dev/null || echo 0)
+  CRITICAL_COUNT=$(( CRITICAL_COUNT + c ))
+  HIGH_COUNT=$(( HIGH_COUNT + h ))
+  TOTAL_COUNT=$(( TOTAL_COUNT + c + h + m + l ))
+}
+
+# --------------------------------------------------------------------------
+# Scanner 1: panic-attack assail
+# --------------------------------------------------------------------------
+run_panic_attack() {
+  if ! command -v panic-attack >/dev/null 2>&1; then
+    echo -e "${YELLOW}[skip]${RESET} panic-attack not installed — skipping assail"
+    return
+  fi
+
+  echo -e "${BOLD}[1/2]${RESET} Running panic-attack assail..."
+  local tmp
+  tmp=$(mktemp /tmp/pa-findings-XXXXXX.json)
+
+  set +e
+  panic-attack assail --format json "$REPO_ROOT" > "$tmp" 2>/dev/null
+  local rc=$?
+  set -e
+
+  if [ "$rc" -ne 0 ] && [ ! -s "$tmp" ]; then
+    echo -e "${YELLOW}[warn]${RESET} panic-attack exited $rc with no output"
+    rm -f "$tmp"
+    return
+  fi
+
+  count_findings "$tmp"
+  SCANNERS_RUN=$(( SCANNERS_RUN + 1 ))
+
+  local pa_total
+  pa_total=$(jq '. | length' "$tmp" 2>/dev/null || echo 0)
+  echo -e "       panic-attack: ${pa_total} finding(s)"
+  rm -f "$tmp"
+}
+
+# --------------------------------------------------------------------------
+# Scanner 2: hypatia-cli.sh scan
+# --------------------------------------------------------------------------
+run_hypatia() {
+  # Look for hypatia-cli.sh in common locations
+  local hypatia_bin=""
+  for candidate in \
+    "$(command -v hypatia-cli.sh 2>/dev/null || true)" \
+    "$HOME/hypatia/hypatia-cli.sh" \
+    "$HOME/.local/bin/hypatia-cli.sh"; do
+    if [ -x "$candidate" ]; then
+      hypatia_bin="$candidate"
+      break
+    fi
+  done
+
+  if [ -z "$hypatia_bin" ]; then
+    echo -e "${YELLOW}[skip]${RESET} hypatia-cli.sh not found — skipping scan"
+    return
+  fi
+
+  echo -e "${BOLD}[2/2]${RESET} Running hypatia scan..."
+  local tmp
+  tmp=$(mktemp /tmp/hyp-findings-XXXXXX.json)
+
+  set +e
+  HYPATIA_FORMAT=json "$hypatia_bin" scan "$REPO_ROOT" > "$tmp" 2>/dev/null
+  local rc=$?
+  set -e
+
+  if [ "$rc" -ne 0 ] && [ ! -s "$tmp" ]; then
+    echo -e "${YELLOW}[warn]${RESET} hypatia exited $rc with no output"
+    rm -f "$tmp"
+    return
+  fi
+
+  count_findings "$tmp"
+  SCANNERS_RUN=$(( SCANNERS_RUN + 1 ))
+
+  local hyp_total
+  hyp_total=$(jq '. | length' "$tmp" 2>/dev/null || echo 0)
+  echo -e "       hypatia: ${hyp_total} finding(s)"
+  rm -f "$tmp"
+}
+
+# --------------------------------------------------------------------------
+# Main
+# --------------------------------------------------------------------------
+echo -e "${BOLD}Static Analysis Gate (pre-push)${RESET}"
+echo "Repository: $REPO_ROOT"
+echo ""
+
+run_panic_attack
+run_hypatia
+
+echo ""
+echo -e "${BOLD}--- Summary ---${RESET}"
+echo "Scanners run : $SCANNERS_RUN"
+echo "Total findings: $TOTAL_COUNT"
+echo "  Critical    : $CRITICAL_COUNT"
+echo "  High        : $HIGH_COUNT"
+
+if [ "$SCANNERS_RUN" -eq 0 ]; then
+  echo ""
+  echo -e "${YELLOW}No scanners available — push allowed (install panic-attack or hypatia for local gating).${RESET}"
+  exit 0
+fi
+
+if [ "$CRITICAL_COUNT" -gt 0 ]; then
+  echo ""
+  echo -e "${RED}BLOCKED: $CRITICAL_COUNT critical finding(s) detected. Fix before pushing.${RESET}"
+  exit 1
+fi
+
+echo ""
+echo -e "${GREEN}No critical findings — push allowed.${RESET}"
+exit 0