Feat/hcg smoke unknown path canary

.github/CICD-CHANGES-2026-06-04.md

@@ -1,3 +1,8 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
+
 # CI/CD Changes — 2026-06-04
 
 **Date:** 2026-06-04  
@@ -22,7 +27,7 @@ All 18 workflows in this repository have been updated to include `timeout-minute
 | Workflow | timeout-minutes | Concurrency Added | Notes |
 |----------|-----------------|------------------|-------|
 | `abi-drift.yml` | 15 | | ABI manifest + FFI verification |
-| `codeql.yml` | 15 | ✓ | Includes C++ support (has C/C++ headers) |
+| `codeql.yml` | 15 | ✓ | JavaScript/TypeScript CodeQL only; Zig FFI is covered by Zig workflows |
 | `container-publish.yml` | 30 | | Container build & push |
 | `dogfood-gate.yml` | 5-15 | ✓ | 6 jobs: a2ml(5), k9(5), empty-lint(15), groove(5), eclexiaiser(5), summary(5) |
 | `e2e.yml` | 15 | ✓ | MCP bridge input fuzz tests |
@@ -54,8 +59,13 @@ All 18 workflows in this repository have been updated to include `timeout-minute
 
 ## CodeQL Configuration
 
-**Languages:** `javascript-typescript` + `cpp`  
-**Reason:** This repository contains C/C++ headers in the FFI layer.
+**Languages:** `javascript-typescript`
+
+**Reason:** The FFI implementation is Zig. The tracked C ABI file is a generated
+header-only surface (`generated/abi/boj_catalogue.h`), not a C/C++ translation
+unit; enabling CodeQL `cpp` for headers alone makes extraction fail before
+analysis. Re-add `cpp` only when tracked `.c`, `.cc`, `.cpp`, or `.cxx` sources
+exist.
 
 ---
 

.github/workflows/codeql.yml

@@ -33,8 +33,10 @@ jobs:
         include:
           - language: javascript-typescript
             build-mode: none
-          - language: cpp
-            build-mode: none
+            # C/C++ CodeQL is intentionally not enabled for the generated
+            # header-only ABI surface. The FFI implementation is Zig and is
+            # covered by the Zig workflows; re-add cpp only when tracked
+            # .c/.cc/.cpp/.cxx translation units exist.
 
     steps:
       - name: Checkout

.github/workflows/dogfood-gate.yml

@@ -165,6 +165,9 @@ jobs:
             echo "::warning file=${REL_PATH}::Invisible Unicode characters detected (zero-width space, BOM, NBSP, etc.)"
           done < /tmp/empty-lint-results.txt
 
+      - name: Check shebang placement
+        run: bash scripts/check-shebang-first.sh
+
       - name: Write summary
         run: |
           if [ "${{ steps.lint.outputs.ready }}" = "true" ]; then
@@ -374,4 +377,3 @@ jobs:
           *Generated by the [Dogfood Gate](https://github.com/hyperpolymath/rsr-template-repo) workflow.*
           *Dogfooding is guinea pig fooding — we test our tools on ourselves.*
           EOF
-

.github/workflows/governance.yml

@@ -1,35 +1,16 @@
-# SPDX-License-Identifier: MPL-2.0
-# governance.yml — single wrapper calling the shared estate governance bundle
-# in hyperpolymath/standards instead of carrying per-repo copies.
-#
-# Replaces the per-repo governance scaffolding removed in the same commit:
-#   quality.yml, guix-nix-policy.yml, npm-bun-blocker.yml, ts-blocker.yml,
-#   security-policy.yml, rsr-antipattern.yml, wellknown-enforcement.yml,
-#   workflow-linter.yml
-#
-# Load-bearing build/security workflows stay standalone in the repo
-# (rust-ci, codeql, dependabot, release, scan/mirror/pages plumbing).
-
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: Governance
 
 on:
   push:
     branches: [main, master]
   pull_request:
+    branches: [main, master]
   workflow_dispatch:
 
-# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
-# updates do not pile up queued runs against the shared account-wide
-# Actions concurrency pool. Applied only to read-only check workflows
-# (no publish/mutation), so cancelling a superseded run is always safe.
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 permissions:
   contents: read
 
 jobs:
   governance:
-    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@861b5e911d9e5dcfb3c0ab3dd2a9a3c8fd0a1613
-    timeout-minutes: 10
+    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@5a93d9d57cc04de4002d6d0ecd336fc7a8698910