chore(audit): close 3 governance debt items from 2026-05-07 audit #553
Merged: neuron7xLab merged 2 commits into neuron7xLab:main, May 7, 2026
…audit

After the IERD-Q4 Phase-3 EXIT (PR neuron7xLab#551) and typed governance models (PR neuron7xLab#552) landed, an audit across docs/CLAIMS.yaml, every .claude/commit_acceptors/*.yaml, and the .github/workflows tree surfaced three concrete contradictions. This PR closes them.

1. README invariant-count drift
-------------------------------

* README.md:12 badge invariants-87 → invariants-90
* README.md:35 badge physics_gate-87_invariants → 90_invariants
* README.md:175 table "87 in INVARIANTS.yaml" → "90 in INVARIANTS.yaml"

`python scripts/count_invariants.py` is authoritative — returns 90. The body prose at lines 24/148/781 already said 90; the badges and the headline table were stale. CI gate `invariant-count-sync` did not catch the drift because shields-style markdown badges sit outside the regex it audits.

2. commit-acceptor-gate.yml self-contradiction
----------------------------------------------

The workflow that enforces architectural-boundary contracts (forbidden imports, diff-bound acceptors, claim_type caps) used floating action tags:

- actions/checkout@v6
- actions/setup-python@v6

while every other workflow pins by 40-char SHA. The repo-policy gate explicitly checks that all third-party actions are pinned. Repinned both to the canonical SHAs already used elsewhere (de0fac2e... v6.0.2, a309ff8b... v6) so the gate now follows the discipline it prescribes.

3. Latency-budget test isolation regression
-------------------------------------------

The PR neuron7xLab#550 implementation set five env vars at module import time (four `os.environ.setdefault` + one unconditional `os.environ["GEOSYNC_DISABLE_METRICS"] = "1"`). Pytest collects the module before fixtures run, so those mutations leaked across the session boundary, polluting downstream test modules.

Refactor: the env-var window is now bounded to the lifetime of the module-scoped `client` fixture, which snapshots → applies overrides → yields → restores. `create_app` is imported lazily through `importlib` inside the same window so settings (Pydantic, env-driven) resolve under the overrides, not under whatever leaked from upstream test modules.

Co-running this test with tests/observability/test_metrics_expectations.py now passes 6/6 (was 3/6 before the fix).

Local verification
------------------

- mypy --strict + ruff: clean on the touched test
- pytest tests/api/test_latency_budget_server_compute.py tests/observability/test_metrics_expectations.py -q: 6/6 pass
- python scripts/count_invariants.py: 90
- commit_acceptor validator: exit 0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
detect-secrets flags the literal strings 'audit_secret' and 'rbac_secret' in the new _REQUIRED_ENV dict (same keyword-detector pattern as in the workflow YAML, where the inline pragma is already applied). The values are non-real test fixtures.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes 3 contradictions surfaced by the codebase audit run after PRs #551 + #552:
See commit message for details. mypy --strict + ruff clean. validator exit 0.