…features, wire protocol

Aaron's fourth pass of vision edits lands four resolutions:

1. **License: Apache-2.0.** "Apache sounds okay … just pick one and let's go." LICENSE replaced (MIT → Apache-2.0), copyright updated to "Zeta contributors", `<PackageLicenseExpression>` flipped in Directory.Build.props.
2. **SQL dialect order: PostgreSQL first.** Aaron: "whatever is easier to ship first and work with EF, people love postgres compatibility but really IDC i just want something that works with EF." PostgreSQL wins on both axes: Npgsql is a widely used EF provider, pgAdmin/DBeaver/psql speak the wire protocol, and Materialize/Feldera/CockroachDB have proven that look-like-postgres-while-running-a-different-engine is viable.
3. **EF provider scope: 100% all features.** Aaron: "100% all features." No partial-provider shape; full LINQ + save-changes + migrations + tracking. Consumers should never hit "this feature not implemented."
4. **Admin UI**: Zeta builds its own eventually; meantime, speak the PostgreSQL wire protocol so existing tools connect unmodified (pgAdmin, DBeaver, psql, Npgsql-via-EF). This is a server mode on top of the embedded library — a significant v1-or-early-post-v1 scope expansion.
5. **F# DSL flagged as HUGE multi-round design.** Aaron: "sounds like we need design and research, this task sounds HUGE." Broken into a 4+ round sequence in BACKLOG.
## Files changed

- `LICENSE` — replaced MIT with Apache-2.0 (official 202-line text + "Copyright 2026 Zeta contributors" line at end)
- `Directory.Build.props` — `<PackageLicenseExpression>` MIT → Apache-2.0
- `docs/VISION.md` — v5 with all five resolutions; new "License" section; updated SQL-frontend v1 entry naming PostgreSQL; new wire-protocol-server v1-or-early-post-v1 entry; EF provider marked "100% all features"; F# DSL flagged HUGE with pointer to BACKLOG
- `docs/BACKLOG.md` — F# DSL entry expanded with multi-round breakdown; new PostgreSQL wire-protocol-server entry with design questions; new admin-UI far-future entry

## Rationale — why Apache-2.0 over MIT

Aaron: "What's wrong with MIT, does not really matter with cleanroom AI rewrites nowadays." True — distinctions between MIT / Apache / BSD are minor for most consumers. Apache-2.0 adds the explicit patent grant + contribution clauses at zero practical cost, which is a slightly better defence in the event of a downstream patent dispute. Easy to move FROM Apache-2.0 to dual-licensed or source-available later if the commercial trajectory fires; harder to move TO Apache-2.0 from looser licenses without re-collecting contributor sign-off.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
AceHack added a commit that referenced this pull request on Apr 27, 2026
… Aaron 2026-04-27)

Reverts the Docker-container approach in favour of the GOVERNANCE §24 three-way-parity invariant: dev laptops + CI runners + devcontainers all install semgrep through the same `tools/setup/install.sh` via mise. CI was the odd one out (had its own actions/setup-python + pip install), which would have made switching CI hosts costly and broke host-portability.

Aaron 2026-04-27:

> "actions/setup-python we should be using our base python that our install scripts install we are trying to not use github stuff unless we have to so it's easy to switch hosts and our dev machine and build machine setup is the same, that's one of the invariants we want to try to keep as close as possible dev machine / build machines are same/very similar for setup/share the setup/install scripts and post install scripts. this makes CI more deterministic too."

What changed:

- `.mise.toml`: added `pipx = "1.11.1"` (aqua-backed; same SHA-pinned release path as actionlint / shellcheck / uv) and `"pipx:semgrep" = "1.161.0"`. Now any machine that runs install.sh gets the same semgrep version pinned the same way.
- `.github/workflows/gate.yml` lint-semgrep: dropped the `container: semgrep/semgrep@sha256:...` block from the previous iteration; dropped `actions/setup-python` and the two `pip install` steps. Job is now: checkout → install.sh → semgrep. Same shape as build-and-test.

This still resolves Scorecard PinnedDependenciesID #17 + #18 (the unpinned pip-bootstrap surface goes away entirely) and additionally:

- Restores host-portability — no GitHub-specific actions in this job
- First-class dev-laptop parity (semgrep was previously not actually installed by install.sh; now it is)
- More deterministic CI (mise resolves declarative pins; no pip dependency-resolver wandering)

Verified locally: `mise install` + `mise exec -- semgrep --version` produces 1.161.0 on the same shape.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
AceHack added a commit that referenced this pull request on Apr 27, 2026
…three-way-parity per Aaron 2026-04-27) (#653)

* ci: run lint-semgrep via SHA-pinned semgrep/semgrep Docker image (resolves Scorecard PinnedDependenciesID #17 #18)

  Replaces `pip install --upgrade pip + pip install semgrep` with the official semgrep/semgrep:1.161.0 image, pinned by multi-arch manifest digest sha256:326e5f41cc972bb423b764a14febbb62bbad29ee1c01820805d077dd868fea48.

  Why this is a quality improvement, not just rule-appeasement:

  - Image bytes are content-addressed by digest. Tag mutation cannot affect us; the earlier `pip install semgrep` was version-floating and would silently pick up any new semgrep release between CI runs.
  - Removes the entire pip-bootstrap surface (Setup Python + pip --upgrade + pip install semgrep). Smaller attack surface, faster CI, fewer pinning surfaces to maintain.
  - Multi-arch index digest covers both x86_64 and arm64 runners.

  Per Aaron 2026-04-27: "given we want high quality signals for future AI training and we persision the PRs do you still agree?" — fix, do not relax. This commit is the fix.

  Resolves Scorecard alerts #17, #18 (PinnedDependenciesID, pipCommand).

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci/setup: pin elan + mise installers by content hash (resolves Scorecard PinnedDependenciesID #15 #16)

  elan.sh — switched from `curl ... master/elan-init.sh | sh` (latest master, unpinned) to:

  1. Download elan-init.sh at v4.2.1 commit SHA (58e8d545e33641f66dbcbd22c4283109e71757be)
  2. Verify SHA256 (4bacca9502cb89736fe63d2685abc2947cfbf34dc87673504f1bb4c43eda9264)
  3. Execute the verified copy

  linux.sh — switched from `curl mise.run | sh` (auto-detects latest at runtime) to:

  1. Download the pinned tarball mise-v2026.4.24-linux-{x64,arm64}.tar.gz directly from github.com/jdx/mise/releases
  2. Verify per-arch SHA256 (x64: de2f924…2c58, arm64: cf5f4899…5727)
  3. Extract mise/bin/mise to ~/.local/bin and source PATH

  Why this is a quality improvement, not just rule-appeasement:

  - The previous shapes silently absorbed any new elan/mise release between CI runs. A compromised upstream master branch (elan) or a redirector swap (mise.run) would have shipped to every dev laptop + every CI run with no signal. Content-hash pinning makes such an event a hard fail with a verification message.
  - Bumping is a deliberate two-line change (commit/tarball + hash) with a documented procedure in each script's comment block — easier to audit than `master`/`mise.run`.
  - Portable SHA256 verification (sha256sum/shasum fallback) per Otto-235 4-shell target.

  Per Aaron 2026-04-27: "preserve quality signals" — fix, don't relax.

  Resolves Scorecard alerts #15 (elan downloadThenRun) and #16 (mise downloadThenRun).

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci: switch semgrep to mise-managed pipx:semgrep (three-way-parity per Aaron 2026-04-27)

  Reverts the Docker-container approach in favour of the GOVERNANCE §24 three-way-parity invariant: dev laptops + CI runners + devcontainers all install semgrep through the same `tools/setup/install.sh` via mise. CI was the odd one out (had its own actions/setup-python + pip install), which would have made switching CI hosts costly and broke host-portability.

  Aaron 2026-04-27:

  > "actions/setup-python we should be using our base python that our install scripts install we are trying to not use github stuff unless we have to so it's easy to switch hosts and our dev machine and build machine setup is the same, that's one of the invariants we want to try to keep as close as possible dev machine / build machines are same/very similar for setup/share the setup/install scripts and post install scripts. this makes CI more deterministic too."

  What changed:

  - `.mise.toml`: added `pipx = "1.11.1"` (aqua-backed; same SHA-pinned release path as actionlint / shellcheck / uv) and `"pipx:semgrep" = "1.161.0"`. Now any machine that runs install.sh gets the same semgrep version pinned the same way.
  - `.github/workflows/gate.yml` lint-semgrep: dropped the `container: semgrep/semgrep@sha256:...` block from the previous iteration; dropped `actions/setup-python` and the two `pip install` steps. Job is now: checkout → install.sh → semgrep. Same shape as build-and-test.

  This still resolves Scorecard PinnedDependenciesID #17 + #18 (the unpinned pip-bootstrap surface goes away entirely) and additionally:

  - Restores host-portability — no GitHub-specific actions in this job
  - First-class dev-laptop parity (semgrep was previously not actually installed by install.sh; now it is)
  - More deterministic CI (mise resolves declarative pins; no pip dependency-resolver wandering)

  Verified locally: `mise install` + `mise exec -- semgrep --version` produces 1.161.0 on the same shape.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci: drop redundant pipx pin, bump uv to 0.11.8; document uv-canonical decision (Aaron 2026-04-27)

  Removes `pipx = "1.11.1"` from `.mise.toml` — mise's `pipx:` backend auto-routes through `uv tool install` when uv is available, so adding pipx as a separate package was redundant.

  Bumps `uv` from 0.9 to 0.11.8 (latest, verified via gh API today 2026-04-27 — current training data is stale per Otto-247 version-currency rule).

  Adds:

  - `docs/DECISIONS/2026-04-27-uv-canonical-python-tool-manager.md` — ADR documenting uv as the canonical Python tool manager for Zeta, the lineage from `../scratch` (where uv was made first-class first), the mise pipx:→uv auto-route behaviour, and the rules for using `pipx:foo` pins without an actual pipx package.
  - `memory/feedback_three_way_parity_install_scripts_dev_ci_devcontainer_minimize_github_specific_surface_aaron_2026_04_27.md` — substrate memory naming Aaron's host-portability invariant; what three-way parity buys; what was almost violated by the Docker-container draft; the right-fix decision flow.
  - MEMORY.md row pointing at the new memory + ADR.

  Aaron 2026-04-27 verbatim:

  - "we have uv do we need pipx, isn't there a uvx this should be much faster also +pipx = '1.11.1' is this latest, remember you mode cached latest can't be trusted you have to search the internet this goies for all version numbers you add, let's not start on an older version."
  - "the fact that uv is our desired python setup should be documented somewehre this project ../scratch made it first class too"

  Verified locally: `mise install` with `uv = "0.11.8"` + `pipx:semgrep = "1.161.0"` (no separate pipx) installs semgrep 1.161.0 via uv tool install.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci/setup: address review feedback on #653 (cleanup traps, armv7, role-refs, stale comment)

  7 review threads:

  1. Copilot P1 — name attribution in gate.yml + .mise.toml comments ("Per Aaron 2026-04-27") violates the role-ref-on-current-state discipline (history surfaces only). Replaced with role-refs: "the host-portability invariant" / "per the three-way-parity invariant (GOVERNANCE §24)".
  2. Codex P2 — preserve armv7 support that `curl mise.run | sh` used to give us implicitly. Added the armv7 case + SHA256 to the per-arch dispatch in linux.sh.
  3. Copilot P1 — temp dir leak on failure in linux.sh: `mktemp -d` only cleaned up on the success path. Added `trap 'rm -rf "${MISE_TMP}"' EXIT` so the dir is removed even on download / SHA / extract failure.
  4. Copilot P1 — same pattern in elan.sh tmp file. Added EXIT trap.
  5. Copilot P1 — gate.yml install-toolchain step comment claimed "mise installs python + pipx + semgrep" but pipx was dropped in commit d62fc6d (mise auto-routes pipx: through uv). Updated the comment to reflect current state and to point at the uv-canonical ADR.
  6. Copilot P1 — same name-attribution issue in .mise.toml semgrep block. Replaced.
  7. Copilot P1 — PR description was already updated; thread should be re-evaluated by reviewer with the current description in view.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
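The download-then-verify-then-run shape the elan.sh / linux.sh commits describe, written out as an added example (not the project's own scripts): portable SHA256 with a sha256sum/shasum fallback, a hard fail on mismatch, and an EXIT trap so the temp dir is removed on every path, not only on success. It assumes curl and mktemp are present; the URL and expected hash are parameters, and the pins used in the test are constructed values, not the project's real ones.

```shell
#!/bin/sh
# Added example of content-hash-pinned installer fetching. Not the
# project's elan.sh/linux.sh; URL and hash are caller-supplied parameters.
set -eu

# Portable SHA256: sha256sum on Linux, shasum on macOS/BSD. Prints the
# hex digest only; returns 2 if the file is missing or no tool exists.
sha256_of() {
    [ -f "$1" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no sha256 tool found (need sha256sum or shasum)" >&2
        return 2
    fi
}

# Returns 0 when the file's digest equals the expected hash, 1 on mismatch
# (with a verification message), 2 if the digest could not be computed.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "SHA256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

# Download a pinned artifact into a temp dir that is removed on any exit
# (download, verify or run failure included), verify it, then execute the
# verified copy. Bumping the pin is a two-line change: URL + expected hash.
fetch_verify_run() {
    url=$1; expected=$2
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    curl -fsSL "$url" -o "$tmp/installer.sh"
    verify_sha256 "$tmp/installer.sh" "$expected"
    sh "$tmp/installer.sh"
}
```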
Four resolutions from Aaron round 33:
Plus F# DSL flagged as HUGE multi-round design sequence in BACKLOG.
🤖 Generated with Claude Code