
[gov] Repo governance/hygiene debt surfaced by Hypatia (194 findings) #41

@hyperpolymath


Captured from the Hypatia neurosymbolic scan on PR #40 so the proofs work stays focused and this debt has a home. These findings are pre-existing and repo-wide — PR #40 adds none (its new proofs.yml is already timeout-minutes-pinned).

Baseline (PR #40 scan)

194 findings — 🔴 44 critical · 🟠 133 high · 🟡 17 medium.

root_hygiene

  • 0-AI-MANIFEST.a2ml missing (high). NB the repo already has 0.1-AI-MANIFEST.a2ml — reconcile the expected canonical filename against what the rule wants (don't blindly add a duplicate).

workflow_audit

  • codeql.yml missing (high) — add a CodeQL workflow (mirror boj-server's pinned one).
  • governance.yml unpinned reusable action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main (medium) — pin to a commit SHA.
  • missing_timeout_minutes (medium ×7): cartridge-schema.yml, governance.yml, hypatia-scan.yml, mirror.yml, scorecard.yml, secret-scanner.yml, zig-test.yml — add timeout-minutes: to each job (same mechanical fix as boj-server #205).

Not yet enumerated

The 44 critical + 133 high are mostly per-cartridge hygiene; only ~10 items are shown in the PR comment. The full machine-readable list is the hypatia-scan artifact on the PR #40 run — enumerate + triage from there before fixing.

Relationship to other work

Overlaps the planned .machine_readable scaffold for this repo (STATE/META/ECOSYSTEM/AGENTIC/NEUROSYM/PLAYBOOK + contractiles + anchors + bot_directives/), which is blocked on access to hyperpolymath/standards (canonical source + divergence check). The root_hygiene AI-MANIFEST item is part of that scaffold; do them together.

Also fold in

  • zig-test.yml still pins the dead Zig 0.15.2 nightly (boj-server #205 moved to 0.15.1) — fix in the same workflow-hygiene pass.

Done when

  • Hypatia critical count = 0; highs triaged/justified; the 7 workflow timeouts + the action-pin + the zig pin landed; AI-MANIFEST reconciled.

Governance track (the catch-all "scope e" for this repo). Filed because Hypatia is non-blocking (the check passes) but the debt is real.


Filed via Claude Code · https://claude.ai/code/session_019tMcRS1Dm1nWjjYP4WvbJa
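A small checker for the two workflow_audit findings above (jobs without `timeout-minutes:` and `uses:` references not pinned to a 40-hex commit SHA), added here as an example; it is not Hypatia's code or anything from this repo, and the sample workflow text is constructed for the demo.

```python
import re
from typing import Dict, List

# Constructed sample: one job lacks timeout-minutes and a reusable workflow
# is referenced by branch (@main) instead of by commit SHA.
SAMPLE_WORKFLOW = """\
name: governance
on: [push]
jobs:
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
  lint:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: echo lint
"""

SHA_REF = re.compile(r"@[0-9a-f]{40}$")  # a ref is "pinned" only if it ends in a full SHA


def audit_workflow(text: str) -> Dict[str, List[str]]:
    """Return job ids missing timeout-minutes and uses: refs not pinned to a SHA.

    Line-based scan, no YAML library required: job ids are 2-space-indented
    keys under `jobs:`, and job-level settings sit at 4 spaces.
    """
    findings: Dict[str, List[str]] = {"missing_timeout_minutes": [], "unpinned_uses": []}
    in_jobs, current_job, has_timeout = False, None, False

    def close_job() -> None:
        if current_job and not has_timeout:
            findings["missing_timeout_minutes"].append(current_job)

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):            # new top-level key ends any open job
            close_job()
            current_job = None
            in_jobs = line.startswith("jobs:")
            continue
        if in_jobs and re.match(r"  [A-Za-z0-9_-]+:\s*$", line):
            close_job()
            current_job, has_timeout = line.strip()[:-1], False
        elif current_job and line.startswith("    timeout-minutes:"):
            has_timeout = True
        m = re.search(r"uses:\s*(\S+)", line)   # both job-level and step-level uses:
        if m and "@" in m.group(1) and not SHA_REF.search(m.group(1)):
            findings["unpinned_uses"].append(m.group(1))
    close_job()
    return findings
```

Run it over each file in `.github/workflows/` to get the per-file list the issue asks for; a job that calls a reusable workflow is reported the same way the Hypatia rule reports it.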
