Finding
.github/workflows/boj-build.yml:18 has three coexisting bugs masked by `continue-on-error: true`:
1. Malformed curl JSON
```yaml
-d "{"repo": "${{ github.repository }}", "branch": "${{ github.ref_name }}", "engine": "casket\"}"}
```
After shell expansion: `{"repo": "...", "branch": "...", "engine": "casket}` followed by extra `"}` outside the shell string. Detected by OSSF Scorecard as "reached EOF without closing quote". Intended JSON appears to be `{"repo": "...", "branch": "...", "engine": "casket"}`.
2. Unreachable host
`http://boj-server.local:7700/cartridges/ssg-mcp/invoke` uses `.local` (mDNS), which is NOT routable from GitHub-hosted runners. The step has never successfully reached the server.
3. `http://` violates secure-protocols estate policy
Memory hook `feedback_always_use_secure_protocols_in_docs` mandates `https://` / `wss://` etc.; Semgrep scans prose.
Two options
A. Delete the workflow if the BoJ trigger is unused or has moved elsewhere.
B. Repair the JSON, switch to a routable `https://` endpoint, and either run on a self-hosted runner with mDNS visibility OR resolve `boj-server` to a public DNS name. Drop `continue-on-error: true` so failures actually fail.
Discovered: 2026-06-01 CI/CD audit.
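Option B in runnable form, as an added example rather than the workflow's own script: the payload is assembled with a small JSON escaper so the body is always well-formed, the endpoint is `https://`, and `curl --fail` makes a transport or HTTP error fail the step once `continue-on-error: true` is gone. `BOJ_ENDPOINT` is an assumed placeholder hostname; the real routable name comes from whoever operates `boj-server`. Passing repo and ref in through `env:` instead of `${{ }}` interpolation inside `run:` is a design choice of this example, not something the finding states.

```shell
#!/bin/sh
# Added example, not the boj-build.yml script under review.
# BOJ_ENDPOINT is a placeholder: replace the host with the routable https name.
BOJ_ENDPOINT="${BOJ_ENDPOINT:-https://boj-server.example.invalid:7700/cartridges/ssg-mcp/invoke}"

# Escape the two characters that break a JSON string literal here: backslash
# and double quote. Git ref names cannot contain control characters, so
# newline/tab escaping is deliberately not handled.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_payload REPO BRANCH ENGINE -> JSON document on stdout.
# Every value goes through json_escape, so a branch such as rel/"hot" yields
# valid JSON instead of the truncated `"engine": "casket}` body from the finding.
build_payload() {
  printf '{"repo": "%s", "branch": "%s", "engine": "%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# post_payload PAYLOAD -> curl's exit status. --fail turns an HTTP 4xx/5xx into
# a non-zero status, so with continue-on-error removed the step really fails.
post_payload() {
  curl --silent --show-error --fail \
    -H 'Content-Type: application/json' \
    -X POST "$BOJ_ENDPOINT" \
    -d "$1"
}

# Intended workflow wiring (hypothetical step, shown as a comment so this file
# stays runnable on its own):
#   env:
#     REPO: ${{ github.repository }}
#     BRANCH: ${{ github.ref_name }}
#   run: |
#     . ./boj_trigger.sh
#     post_payload "$(build_payload "$REPO" "$BRANCH" casket)"
```

Sourcing the functions and calling `post_payload` with the built payload replaces the single hand-quoted `-d` argument; the escaper is what keeps the JSON closed no matter what the branch name contains.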