deps(security): cryptography >= 46.0.7 (GHSA-p423-j2cm-9vmq) (#227) #219
| # SPDX-License-Identifier: MIT | |
| # | |
| # Physics Kernel Gate — invariant-driven test validation. | |
| # | |
| # This workflow enforces the physical-contracts layer: | |
| # 1. The physics kernel (.claude/physics/) is internally consistent | |
| # (self-check: INVARIANTS.yaml loads, every invariant type has a | |
| # matching L3 checker, theory-file IDs cross-reference the YAML). | |
| # 2. Every test in tests/ that touches a physics module is grounded | |
| # in an INV-* invariant (L1), references a valid id (L2), has a | |
| # structure matching its invariant type (L3), emits a 5-field | |
| # error message on failure (L4), and derives thresholds from | |
| # theory rather than magic literals (L5). | |
| # 3. Production physics code in core/ does not silently clamp or | |
| # clip physical quantities without logging or an INV-* comment | |
| # (C1, C2 audit). | |
| # | |
| # The gate is fail-closed. If the kernel self-check fails OR any test | |
| # validation issue is reported OR any code-audit violation is found, | |
| # the PR cannot merge. Orphan (pre-migration) tests are tracked but do | |
| # not block merging yet — the migration path is tracked in BASELINE.md. | |
| name: Physics Kernel Gate | |
| on: | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - 'core/**' | |
| - 'tests/**' | |
| - '.claude/physics/**' | |
| - '.github/workflows/physics-kernel-gate.yml' | |
| merge_group: | |
| push: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: physics-kernel-gate-${{ github.event.pull_request.number || github.sha }} | |
| cancel-in-progress: true | |
| jobs: | |
| # --------------------------------------------------------------------------- | |
| # kernel-self-check — verify the physics kernel is internally consistent. | |
| # Fast (<1s), no deps beyond the standard library; runs on every PR. | |
| # --------------------------------------------------------------------------- | |
| kernel-self-check: | |
| name: physics-kernel-self-check | |
| runs-on: ubuntu-latest | |
| continue-on-error: false | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| - name: Set up Python | |
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 | |
| with: | |
| python-version: '3.12' | |
| - name: Run physics kernel self-check | |
| run: | | |
| set -euo pipefail | |
| python .claude/physics/validate_tests.py --self-check | |
| # --------------------------------------------------------------------------- | |
| # test-validation — run L1–L5 checks on physics tests. | |
| # Reports issues; blocks merge on validation regressions relative to | |
| # tracked migrated files (listed below). Orphan tests outside the | |
| # tracked set are informational until migration completes. | |
| # --------------------------------------------------------------------------- | |
| test-validation: | |
| name: physics-test-validation | |
| runs-on: ubuntu-latest | |
| needs: kernel-self-check | |
| continue-on-error: false | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| - name: Set up Python | |
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 | |
| with: | |
| python-version: '3.12' | |
| # Strict-list enforcement: files that MUST validate clean at every | |
| # level (L1 through L5, zero issues of any kind). Add a file here | |
| # only after every single test function in it is grounded to an | |
| # INV-* invariant and the kernel validator prints | |
| # "All physics tests pass validation." | |
| # | |
| # A file with partial-migration status (some tests grounded, | |
| # others still orphans) goes in PARTIAL_MIGRATED below instead, | |
| # which is checked for L2/L3/L4/L5 regressions only — those are | |
| # the levels that affect existing INV-* witnesses. L1 is allowed | |
| # to be non-zero for partial files. | |
| - name: Validate fully-migrated physics tests (strict, fail-closed) | |
| run: | | |
| set -euo pipefail | |
| STRICT_FILES=( | |
| "tests/unit/physics/test_T8_kelly_oms_signalbus_hpc.py" | |
| "tests/unit/physics/test_T9_kuramoto_transitions.py" | |
| "tests/unit/physics/test_T10_ricci_bounds.py" | |
| "tests/unit/physics/test_T11_dopamine_algebraic.py" | |
| "tests/unit/physics/test_T12_serotonin_stability.py" | |
| "tests/unit/physics/test_T13_free_energy_components.py" | |
| "tests/unit/physics/test_T14_portfolio_energy_conservation.py" | |
| "tests/unit/physics/test_T15_oms_idempotency_causality.py" | |
| "tests/unit/physics/test_T16_signalbus_dag.py" | |
| "tests/core/neuro/serotonin/test_serotonin_properties.py" | |
| "tests/core/neuro/dopamine/test_dopamine_invariants_properties.py" | |
| ) | |
| exit_code=0 | |
| for file in "${STRICT_FILES[@]}"; do | |
| echo "::group::strict: ${file}" | |
| if ! python .claude/physics/validate_tests.py "${file}"; then | |
| echo "::error file=${file}::strict physics validation failed" | |
| exit_code=1 | |
| fi | |
| echo "::endgroup::" | |
| done | |
| exit "${exit_code}" | |
| # Partial-migration list: files with at least one INV-* witness but | |
| # still carrying pre-migration orphans. Enforcement ensures no | |
| # regression in the grounded witnesses (no new L2/L3/L4/L5 issue), | |
| # but tolerates the remaining L1 backlog while migration continues. | |
| - name: Validate partial-migration files (no L2-L5 regression) | |
| run: | | |
| set -euo pipefail | |
| PARTIAL_MIGRATED=( | |
| "tests/unit/physics/test_T4_higher_order_kuramoto.py" | |
| "tests/unit/physics/test_T2_explosive_sync.py" | |
| "tests/unit/physics/test_T6_free_energy_gate.py" | |
| "tests/unit/core/neuro/test_gaba_position_gate.py" | |
| ) | |
| exit_code=0 | |
| for file in "${PARTIAL_MIGRATED[@]}"; do | |
| echo "::group::partial: ${file}" | |
| # The validator exits non-zero when any L1-L5 issue exists. | |
| # We re-examine its output and fail only on L2-L5 regressions. | |
| report=$(python .claude/physics/validate_tests.py "${file}" 2>&1 || true) | |
| echo "${report}" | |
| regressed=0 | |
| for level in L2 L3 L4 L5; do | |
| count=$(echo "${report}" | grep -E "^\s+\[${level}\]" | head -1 | grep -oE "[0-9]+$" || echo "0") | |
| if [ "${count}" != "0" ]; then | |
| echo "::error file=${file}::${level} regression: ${count} issue(s)" | |
| regressed=1 | |
| fi | |
| done | |
| if [ "${regressed}" -eq 1 ]; then | |
| exit_code=1 | |
| fi | |
| echo "::endgroup::" | |
| done | |
| exit "${exit_code}" | |
| # Repo-wide sweep: informational today (orphan tests are not blocking) | |
| # but emitted so reviewers can see total grounding progress. | |
| - name: Repo-wide physics grounding report (informational) | |
| if: always() | |
| run: | | |
| set -euo pipefail | |
| python .claude/physics/validate_tests.py tests/ --summary || true | |
| # --------------------------------------------------------------------------- | |
| # code-audit — C1/C2: silent clamps and undocumented bounds in physics code | |
| # --------------------------------------------------------------------------- | |
| code-audit: | |
| name: physics-code-audit | |
| runs-on: ubuntu-latest | |
| needs: kernel-self-check | |
| continue-on-error: false | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| - name: Set up Python | |
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 | |
| with: | |
| python-version: '3.12' | |
| # The C1/C2 audit is currently run in report-only mode (|| true) until | |
| # the backlog of silent clamps in core/ is resolved. Flip the `|| true` | |
| # to a hard failure once the audit count reaches zero. | |
| - name: Audit core/ for silent clamps and undocumented bounds | |
| run: | | |
| set -euo pipefail | |
| python .claude/physics/validate_tests.py core/ --audit-code --summary || true |
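Review bot: The partial-migration step is fail-open even though the header comment promises a fail-closed gate: on the `report=$(python … "${file}" 2>&1 || true)` line the validator's exit status is discarded, and if the validator crashes (traceback, missing file, import error) or its per-level summary format drifts, the `grep … || echo "0"` pipeline yields "0" for every level and the file is reported clean. Capture the exit status separately and require the per-level summary lines the grep already expects to be present before trusting the counts; the summary format is only inferred here from the `^\s+\[${level}\]` pattern, so confirm it against validate_tests.py. The `|| true` on the repo-wide report and code-audit steps is documented as intentional report-only mode and is not affected. The file section's header is not visible in this view, so the content has been reviewed as the complete workflow.
```yaml
          # … unchanged: PARTIAL_MIGRATED list, loop header, ::group:: line …
          rc=0
          report=$(python .claude/physics/validate_tests.py "${file}" 2>&1) || rc=$?
          echo "${report}"
          # No per-level summary means the validator did not run to completion
          # (crash or output-format change); treat that as a failure, not as zero issues.
          if ! grep -qE '^[[:space:]]+\[L[1-5]\]' <<<"${report}"; then
            echo "::error file=${file}::validator produced no per-level summary (exit ${rc})"
            exit_code=1
            echo "::endgroup::"
            continue
          fi
          regressed=0
          # … unchanged: per-level L2-L5 count check and exit …
```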