Skip to content

QC Audit Report -- 2026-03-16

QC Audit Report — 2026-03-16

Auditor: @nastypants Scope: All active projects across nix/, quality-control/, roadmap/, nixlab/ namespaces Projects audited: 14 active (archived projects excluded per policy)

Executive Summary

Severity Count Change vs 2026-03-15
HIGH 10 +3 (new: nixlab/nixlab, roadmap/roadmap protections, horizon-develop-flake force push)
MEDIUM 10 ~same
LOW 2 ~same

All default-branch pipelines GREEN except:

  • nix/hackage-server-module — FAILED for 12 days (since 2026-03-04)
  • nix/horizon-hoogle — No CI configured (no .gitlab-ci.yml)
  • nix/horizon-develop-flake — Pipeline inaccessible (403)

Nixica 0.2.0 rollout in progress: 5 open bump MRs from @smartypants, all awaiting @locallycompact review.

HIGH Severity Findings

1. nix/horizon-develop-flake (ID 38) — Force push enabled on master

allow_force_push: true on master. This is the only project with force push enabled and is a direct policy violation. Must be disabled immediately.

  • Also missing: .gitignore, ChangeLog.md, LICENSE
  • Non-standard CI template (uses gitlab/ci-templates/raw/master/default.yml instead of nix/gitlab-ci 0.19.0)
  • 2 strict input violations: feedback, horizon-core lack ref=refs/tags/...
  • Not migrated to nixica

2. nix/hackage-server-module (ID 45) — Pipeline failing 12 days

Pipeline 9336 has been failed since 2026-03-04. This is the longest-standing failure across all projects.

  • Non-standard CI (custom generate/packages/cache pipeline, not nix/gitlab-ci 0.19.0)
  • Not migrated to nixica
  • 3 strict input violations: flake-parts, import-tree, nixpkgs all unpinned
  • Missing: .gitignore, ChangeLog.md, LICENSE

3. nix/horizon-hoogle (ID 42) — No CI at all

No .gitlab-ci.yml exists. 5 of 7 required root files missing (only flake.nix and README.md present).

  • Not migrated to nixica
  • 3 strict input violations: flake-parts, import-tree, nixpkgs unpinned
  • Missing: flake.lock, .gitlab-ci.yml, .gitignore, ChangeLog.md, LICENSE

4. nix/nixica (ID 96) — 3 strict input violations

Inputs flake-parts, import-tree, treefmt-nix all lack ref=refs/tags/... or ref=refs/heads/... pinning.

  • Note: nixica bootstraps via flake-parts directly (not self-referential), so not using nixica.lib.mkFlake is expected.
  • Missing: LICENSE

5. nix/haskell-make-package-set (ID 77) — Push access too permissive

push_access_level: Maintainers on master — should be No one.

  • Missing: LICENSE

6. nix/ghc-common-hadrian (ID 76) — Push access too permissive

push_access_level: Maintainers on master — should be No one.

  • Missing: LICENSE

7. nix/horizon-supported-systems (ID 67) — Push access too permissive

push_access_level: Maintainers on master — should be No one.

  • Missing: LICENSE

8. nixlab/nixlab (ID 101) — Security-critical project lacks scaffolding

Brand new project (created 2026-03-15), currently design-phase only (README.md).

  • No CI, no flake.nix, no .gitignore, no LICENSE, no ChangeLog.md
  • push_access_level: Maintainers — should be No one for security-critical project
  • 8 well-structured issues under NixLab 0.1 milestone (due 2026-06-30)
  • QC consultation open at nixlab/nixlab#2

9. roadmap/roadmap (ID 50) — Empty repo, no protections

main branch has no commits (404 on repository tree). No branch protections configured at all.

  • Used purely as issue tracker (10 open issues)

10. nix/werrorwolf (ID 49) — Missing required files

Missing .gitignore and LICENSE.

MEDIUM Severity Findings

# Project Finding
1 nix/hackage-server-module (45) Not migrated to nixica
2 nix/horizon-hoogle (42) Not migrated to nixica
3 nix/horizon-develop-flake (38) Not migrated to nixica
4 quality-control/policy (97) Missing README.md, ChangeLog.md, LICENSE (persistent since 2026-03-14)
5 nix/haskell-make-package-set (77) Open MR !6 — bump nixica 0.2.0, awaiting review
6 nix/ghc-common-hadrian (76) Open MR !11 — bump nixica 0.2.0, awaiting review
7 nix/horizon-supported-systems (67) Open MR !10 — bump nixica 0.2.0, awaiting review
8 nix/werrorwolf (49) Open MR !6 — bump nixica 0.2.0, awaiting review
9 nix/horizon-flake-parts (66) Open MR !34 — bump nixica 0.2.0, awaiting review; Missing LICENSE
10 nix/ghc-common-hadrian (76) nixpkgs pinned to 25.05 while most projects use 25.11

Compliant Projects

Project Status
nix/gitlab-ci (78) All clear — all files present, CI local (self-referential, expected), protections correct, pipeline green, nixica 0.2.0 migrated, all inputs pinned
quality-control/audits (100) ️ Mostly OK — issue-tracker repo, push=Maintainers (should tighten for audit integrity)

Nixica 0.2.0 Rollout Status

Tier Project MR Status
nix/gitlab-ci Merged on master Done (nixica 0.2.0, pipeline 14968 green)
1a nix/ghc-common-hadrian !11 Awaiting @locallycompact review
1a nix/werrorwolf !6 Awaiting @locallycompact review
1a nix/horizon-supported-systems !10 Awaiting @locallycompact review
1a nix/haskell-make-package-set !6 Awaiting @locallycompact review
1b nix/horizon-flake-parts !34 Awaiting @locallycompact review (blocked on Tier 1a)
2 nix/hackage-server-module Not started (needs nixica migration first)
2 nix/horizon-hoogle Not started (needs nixica migration first)
2 nix/horizon-develop-flake Not started (needs nixica migration first)

Recommended Actions

P0 — Immediate

  1. Disable force push on nix/horizon-develop-flake master@locallycompact (admin action)
  2. Lock down push on nix/haskell-make-package-set, nix/ghc-common-hadrian, nix/horizon-supported-systems master to "No one" — @locallycompact
  3. Lock down push on nixlab/nixlab main to "No one" — @locallycompact

P1 — This week

  1. Fix nix/hackage-server-module pipeline (failing 12 days) — @smartypants
  2. Review and merge Tier 1a nixica 0.2.0 bump MRs (4 MRs awaiting review) — @locallycompact
  3. Scaffold nixlab/nixlab before any code lands — add .gitignore, LICENSE, flake.nix (with nixica), .gitlab-ci.yml (0.19.0 template), ChangeLog.md@smartypants
  4. Add branch protections on roadmap/roadmap main@locallycompact

P2 — Medium term

  1. Migrate nix/hackage-server-module, nix/horizon-hoogle, nix/horizon-develop-flake to nixica + standard CI template — @smartypants
  2. Add LICENSE to all projects missing it (8 projects) — @smartypants
  3. Add missing root files across projects (various .gitignore, ChangeLog.md) — @smartypants
  4. Pin strict inputs on nix/nixica (flake-parts, import-tree, treefmt-nix) — @smartypants

Changes Since Last Audit (2026-03-15)

  • New project audited: nixlab/nixlab (101) — first audit
  • nix/gitlab-ci: Now fully migrated to nixica 0.2.0 (was pending in previous audit)
  • 5 new nixica 0.2.0 bump MRs opened by @smartypants across Tier 1a/1b repos
  • Archived project correction applied: nixica-library (51), gitlab-omnix-ci (71), gitlab-nixci (68) correctly excluded