Merge origin/main into claude/codeql-actions-language

Brings in #356 (AffineScript v2 spec registry) and #361 (estate workflow
timeout sweep). Regenerated .machine_readable/REGISTRY.a2ml: main's
committed registry was stale (9 spec source_hashes) because #361 edited
files under tracked spec homes without running 'just registry'. The
registry-verify gate on the PR-merge result now passes.

PR payload remains the codeql 'actions' language addition.

https://claude.ai/code/session_01XZhw6Fq27eoeyEB4LR3a2c

Author: claude

.github/workflows/boj-build.yml

@@ -18,6 +18,7 @@ permissions:
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     if: ${{ vars.BOJ_SERVER_URL != '' || secrets.BOJ_SERVER_URL != '' }}
     steps:
       - name: Checkout
@@ -46,32 +47,3 @@ jobs:
             -H "Content-Type: application/json" \
             --data "$payload" \
             || echo "BoJ server unreachable - skipping (non-fatal)"
-
-  - name: K9-SVC Validation
-    run: |
-      echo "Running K9-SVC contractile validation..."
-      if [ -f .machine_readable/contractiles/must/Mustfile.a2ml ]; then
-        echo "✅ Mustfile found - running validation"
-        # Placeholder for actual K9 validation
-        echo "K9 validation would run here"
-      else
-        echo "❌ Mustfile not found"
-        exit 1
-      fi
-      
-  - name: Contractile Check
-    run: |
-      echo "Checking contractile completeness..."
-      contractiles=("must" "trust" "dust" "lust" "adjust" "intend")
-      missing=0
-      for c in "${contractiles[@]}"; do
-        if [ ! -f ".machine_readable/contractiles/$c/${c^}file.a2ml" ]; then
-          echo "❌ Missing: $c"
-          missing=$((missing + 1))
-        fi
-      done
-      if [ $missing -gt 0 ]; then
-        echo "❌ $missing contractiles missing"
-        exit 1
-      fi
-      echo "✅ All contractiles present"

.machine_readable/REGISTRY.a2ml

@@ -7,16 +7,20 @@
 # Regenerate with:  bash scripts/build-registry.sh   (or: just registry)
 # Source of truth:  the SPECS table in scripts/build-registry.sh + the file tree.
 #
-# Each entry's `source_hash` is a sha256 over `git ls-files -s <home>`, so it
-# changes whenever any tracked file under the spec's home changes. Hypatia rule
-# HYP-S006 (hypatia-rules/registry-staleness.a2ml) recomputes these and emits a
+# LOCAL entries: `source_hash` is a sha256 over `git ls-files -s <home>`, so it
+# changes whenever any tracked file under the spec's home changes.
+# EXTERNAL entries (kind = "external"): a verified POINTER to a spec whose SSOT
+# lives in another repo. `source_hash` is RECORDED (sentinel PENDING-FIRST-SYNC
+# until upstream lands), not computed locally — the offline generator emits it
+# verbatim. Hypatia rule HYP-S006 (hypatia-rules/registry-staleness.a2ml)
+# recomputes LOCAL hashes and re-fetches EXTERNAL canonical_urls, emitting a
 # `doc.drift` finding (strategy :review) when a recorded hash goes stale.
 
 [registry]
 version = "1.0.0"
 generator = "scripts/build-registry.sh"
-hash_algorithm = "sha256(git ls-files -s <home>)"
-entry_count = 28
+hash_algorithm = "sha256(git ls-files -s <home>)  # local; external: recorded pin"
+entry_count = 31
 
 [registry.streams]
 foundation  = "A2ML format family + K9 + contractiles (Stream 1)"
@@ -32,7 +36,7 @@ name = "A2ML — Attested Markup Language"
 stream = "foundation"
 home = "a2ml/"
 canonical_doc = "a2ml/README.adoc"
-source_hash = "sha256:ffda43ed07bed095c7623d3c6a1d38c8f17a6b9e4eebaebe3bfde5aff62bcfb0"
+source_hash = "sha256:2612d2f66eaefe1aedd2f783c748f85eec80cdc09147fb87593086041a670e07"
 route = "the typed/verified machine-readable document format"
 
 [[spec]]
@@ -41,7 +45,7 @@ name = "K9 Self-Validating Components"
 stream = "foundation"
 home = "k9-svc/"
 canonical_doc = "k9-svc/README.adoc"
-source_hash = "sha256:6a9c2065fc29abdaaeef08c3e551f21c7408afd3c9a7cee4ed3e73460db443ab"
+source_hash = "sha256:c368125fbfb026c89d83b4b2b9d249024e83295e75ac49ab2889b8d7c1989dcd"
 route = "self-validating components with embedded contracts + deploy logic"
 
 [[spec]]
@@ -59,7 +63,7 @@ name = "META.a2ml spec"
 stream = "foundation"
 home = "meta-a2ml/"
 canonical_doc = "meta-a2ml/README.adoc"
-source_hash = "sha256:2904f47d20a79723a830674fd9dc14105bf14911b5f700586480fe3a7a424542"
+source_hash = "sha256:fd41c8f7c2f4d2dd6dceb11bffaabc8905a9da33c2aa76ab8360da6ee9e3a0b4"
 route = "architecture decisions / governance metadata format"
 
 [[spec]]
@@ -122,7 +126,7 @@ name = "0-AI Gatekeeper Protocol"
 stream = "protocol"
 home = "0-ai-gatekeeper-protocol/"
 canonical_doc = "0-ai-gatekeeper-protocol/README.adoc"
-source_hash = "sha256:e1893253df97b1b989b1ba8e6926548a9a06a6582ab8b9448438da0b4b3e4428"
+source_hash = "sha256:d3157a30fde9e78ab2374e7b6a8c733e6a9b21492ee426bdd26695522624b646"
 route = "the AI-agent entry/gating protocol behind 0-AI-MANIFEST"
 
 [[spec]]
@@ -140,7 +144,7 @@ name = "AVOW Protocol"
 stream = "protocol"
 home = "avow-protocol/"
 canonical_doc = "avow-protocol/README.adoc"
-source_hash = "sha256:fc6011d8531fbe3d8fbc5ba0b819cea892d8e0dee7ccb31ef0a22b7d264a8263"
+source_hash = "sha256:556e42c1fc34c277a18b16bc2553f202ced9365b196d5c17649dda4a1a31e545"
 route = "consent-attested messaging / origin attribution"
 
 [[spec]]
@@ -149,7 +153,7 @@ name = "AXEL Protocol"
 stream = "protocol"
 home = "axel-protocol/"
 canonical_doc = "axel-protocol/README.adoc"
-source_hash = "sha256:6884bcc4f845e05cb0ff0d6d77171707e74f6069512bcf233161a5d8de8fb704"
+source_hash = "sha256:2b20dddef2d9405f6eb35eaca0006e097bab31e88360b8cfed2fa239bebb911c"
 route = "age-gating + explicit-content enforcement"
 
 [[spec]]
@@ -167,7 +171,7 @@ name = "Consent-Aware HTTP"
 stream = "protocol"
 home = "consent-aware-http/"
 canonical_doc = "consent-aware-http/README.adoc"
-source_hash = "sha256:e4165fa238b12e8515b985a21e7c7a9d7337627a484e74abe17fa000113a22e0"
+source_hash = "sha256:dbfc1d464ac7e9098d8115dda332eff832276b643bcea787a5f9b3900f09142b"
 route = "consent headers / AI-usage boundaries for HTTP"
 
 [[spec]]
@@ -212,7 +216,7 @@ name = "RSR — Rhodium Standard Repositories"
 stream = "governance"
 home = "rhodium-standard-repositories/"
 canonical_doc = "rhodium-standard-repositories/README.adoc"
-source_hash = "sha256:9e10e92598a307d3e32f8af3dc8b5cdfdbbcfd6d78069498d6797dc1f0001e62"
+source_hash = "sha256:16937c23fe261963c80f611e827d987f924d87169e79a388958b1bd53a11d7cc"
 route = "the repository-compliance standard every repo is graded against"
 
 [[spec]]
@@ -266,7 +270,7 @@ name = "Standards Hypatia Rules"
 stream = "integration"
 home = "hypatia-rules/"
 canonical_doc = "hypatia-rules/README.adoc"
-source_hash = "sha256:a63e95c5e43ced2ee13c58014175da156c71ab731f01449e3a61b3e2f33bbe52"
+source_hash = "sha256:797f42c3ac24cf610e1e0da0e9e019f3f0dce527d1f80857ab2adb85741159d3"
 route = "the dogfooding rules that scan THIS repo (incl. drift detection)"
 
 [[spec]]
@@ -278,4 +282,59 @@ canonical_doc = "a2ml-templates/STATE.a2ml.v2.spec.adoc"
 source_hash = "sha256:5105bc72621b6214f1adecdf33a1dadf62d1d2b0afd0c2c6a48bbc5e24e9a454"
 route = "copy-in templates for the 7 A2ML files"
 
+[[spec]]
+id = "affine-spec"
+name = "AffineScript .affine (faces / source documents)"
+stream = "language"
+kind = "external"
+spec_kind = "language-coupled"
+owning_repo = "hyperpolymath/affinescript"
+canonical_url = "https://github.com/hyperpolymath/affinescript/blob/main/spec/affine.adoc"
+version_pin = "v2.0.0"
+source_hash = "PENDING-FIRST-SYNC"
+source_hash_algo = "sha256"
+conformance_level = "draft"
+last_synced = "never"
+sync_status = "awaiting-upstream"
+media_type = "application/vnd.affinescript.affine"
+lineage = "affinescript:affine@2"
+route = "faces, canonical-lowering invariant, canonical islands, idiom packs, mimicry bindings, project face policy"
+
+[[spec]]
+id = "affex-manifest"
+name = "AffineScript .affex (face-interop manifest)"
+stream = "language"
+kind = "external"
+spec_kind = "language-coupled"
+owning_repo = "hyperpolymath/affinescript"
+canonical_url = "https://github.com/hyperpolymath/affinescript/blob/main/spec/affex.adoc"
+version_pin = "v2.0.0"
+source_hash = "PENDING-FIRST-SYNC"
+source_hash_algo = "sha256"
+conformance_level = "draft"
+last_synced = "never"
+sync_status = "awaiting-upstream"
+media_type = "application/vnd.affinescript.affex"
+lineage = "affinescript:affex@2"
+route = "derived regenerable manifest; declaration heads not full bodies; format_version bumps independently"
+format_version = "2"  # tracked independently of version_pin
+
+[[spec]]
+id = "affmap-provenance"
+name = "AffineScript .affmap (provenance)"
+stream = "language"
+kind = "external"
+spec_kind = "language-coupled"
+owning_repo = "hyperpolymath/affinescript"
+canonical_url = "https://github.com/hyperpolymath/affinescript/blob/main/spec/affmap.adoc"
+version_pin = "v2.0.0"
+source_hash = "PENDING-FIRST-SYNC"
+source_hash_algo = "sha256"
+conformance_level = "draft"
+last_synced = "never"
+sync_status = "awaiting-upstream"
+media_type = "application/vnd.affinescript.affmap"
+lineage = "affinescript:affmap@2"
+route = "provenance format; own pointer for independent staleness tracking"
+
 ### End of REGISTRY.a2ml

0-ai-gatekeeper-protocol/.github/workflows/codeql.yml

@@ -15,6 +15,7 @@ permissions: read-all
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     permissions:
       contents: read
       security-events: write

0-ai-gatekeeper-protocol/.github/workflows/hypatia-scan.yml

@@ -17,6 +17,7 @@ jobs:
   scan:
     name: Hypatia Neurosymbolic Analysis
     runs-on: ubuntu-latest
+    timeout-minutes: 20
 
     steps:
       - name: Checkout repository

0-ai-gatekeeper-protocol/.github/workflows/instant-sync.yml

@@ -14,6 +14,7 @@ permissions:
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - name: Trigger Propagation
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3

0-ai-gatekeeper-protocol/.github/workflows/jekyll-gh-pages.yml

@@ -26,6 +26,7 @@ jobs:
   # Build job
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -45,6 +46,7 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     needs: build
     steps:
       - name: Deploy to GitHub Pages

0-ai-gatekeeper-protocol/.github/workflows/jekyll.yml

@@ -31,6 +31,7 @@ jobs:
   # Build job
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -59,6 +60,7 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     needs: build
     steps:
       - name: Deploy to GitHub Pages

0-ai-gatekeeper-protocol/.github/workflows/mirror.yml

@@ -12,6 +12,7 @@ permissions: read-all
 jobs:
   mirror-gitlab:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     if: vars.GITLAB_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
@@ -30,6 +31,7 @@ jobs:
 
   mirror-bitbucket:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     if: vars.BITBUCKET_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
@@ -48,6 +50,7 @@ jobs:
 
   mirror-codeberg:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     if: vars.CODEBERG_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
@@ -66,6 +69,7 @@ jobs:
 
   mirror-sourcehut:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     if: vars.SOURCEHUT_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
@@ -84,6 +88,7 @@ jobs:
 
   mirror-disroot:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     if: vars.DISROOT_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
@@ -102,6 +107,7 @@ jobs:
 
   mirror-gitea:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     if: vars.GITEA_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
@@ -120,6 +126,7 @@ jobs:
 
   mirror-radicle:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     if: vars.RADICLE_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4

0-ai-gatekeeper-protocol/.github/workflows/scorecard-enforcer.yml

@@ -14,6 +14,7 @@ permissions: read-all
 jobs:
   scorecard:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     permissions:
       security-events: write
       id-token: write  # For OIDC
@@ -52,6 +53,7 @@ jobs:
   # Check specific high-priority items
   check-critical:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 

0-ai-gatekeeper-protocol/.github/workflows/scorecard.yml

@@ -12,6 +12,7 @@ permissions: read-all
 jobs:
   analysis:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     permissions:
       security-events: write
       id-token: write