fix(ci): adopt canonical hypatia-scan.yml

[hyperpolymath]

Estate sweep (verisimiser#102 cascade): replace drifted hypatia-scan.yml with the fixed canonical — corrects the env.HOME workdir / old scanner layout drift AND adds pull-requests:write + Comment-step continue-on-error so the advisory PR comment never hard-fails the Hypatia check (hypatia#213). Mechanical, verified green on verisimiser main.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

[github-actions]

🔍 Hypatia Security Scan

Findings: 12 issues detected

Severity	Count
🔴 Critical	5
🟠 High	2
🟡 Medium	5

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Action actions/upload-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/download-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Admitted leaves proof hole (1 occurrences, CWE-704)",
    "type": "admitted",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite/verification/proofs/coq/TypeSafety.v",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite/src/affine-plugin-improved.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (1 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 24,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite/.envrc",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in affinescript-vite",
    "type": "DependencyPinning",
    "file": "/home/runner/work/affinescript-vite/affinescript-vite",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
    "scorecard_check": "Pinned-Dependencies"
  },
  {
    "reason": "Repository has 1 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "6a2ml file outside canonical location -- must be in .machine_readable/6a2/",
    "type": "SD004",
    "file": ".machine_readable/STATE.a2ml",
    "action": "move",
    "rule_module": "structural_drift",
    "severity": "critical"
  },
  {
    "reason": "6a2ml file outside canonical location -- must be in .machine_readable/6a2/",
    "type": "SD004",
    "file": ".machine_readable/META.a2ml",
    "action": "move",
    "rule_module": "structural_drift",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence