CI: governance + hypatia-scan red on main — 104 Hypatia findings vs empty baseline

[hyperpolymath]

Summary

main has been failing two workflows on every push since #392 (2026-06-20):

• governance / Validate Hypatia Baseline
• scan / Hypatia Neurosymbolic Analysis

Both fail with the identical result:

[hypatia] scan complete: 104 findings >= medium (critical=60, high=33, medium=11, low=0, info=0); exit 1

Root cause

The Hypatia CLI exits 1 whenever the repo has any ≥medium finding, and .hypatia-baseline.json is empty (3 bytes), so the baseline job fails on any finding. This is a repo-wide condition, independent of any single PR.

Evidence

• main runs of hypatia-scan.yml + governance.yml are failure for Ci/gitleaks self hosted fix #393–docs(audits): record central actions/cache SHA corruption + #394 repair #396; last green was feat(rsr): direct capability declaration primary; preset optional #392.
• Re-observed on PR ci(staleness): tolerate in-window reusable pins + wire deliberate bump path #397 (commits e29c303 / f01ace5 / 6fcc7dd) — that PR's own gate (Check Workflow Staleness) passed; only these two pre-existing jobs were red. Surfaced during ci(staleness): tolerate in-window reusable pins + wire deliberate bump path #397; not caused by it.

Options (needs owner decision)

1. Triage/clear the 104 findings (60 critical first).
2. Regenerate the baseline so known findings are recorded (scripts/apply-baseline.sh) and only new findings fail.
3. Make the scan advisory (fix-forward / continue-on-error) until the backlog is cleared.

Notes

• Orthogonal to the merged ci(staleness): tolerate in-window reusable pins + wire deliberate bump path #397 (workflow-staleness window).
• Dup-check via the search API was rate-limited when filing; please close as duplicate if an equivalent issue already exists.