hyperpolymath · hyperpolymath · Apr 30, 2026 · Apr 30, 2026
@@ -13,11 +13,16 @@ on:
 
 permissions:
   contents: read
+  security-events: read   # Hypatia queries Dependabot alerts via the GraphQL API
 
 jobs:
   scan:
     name: Hypatia Neurosymbolic Analysis
     runs-on: ubuntu-latest
+    env:
+      # Hypatia's CLI calls `gh api` for Dependabot alert lookups; without this
+      # env var it logs "Dependabot alerts unavailable: GITHUB_TOKEN not set".
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
       - name: Checkout repository

@@ -3,7 +3,9 @@
 # SPDX-License-Identifier: MPL-2.0
 #
 # Enforces: No TypeScript, No Go, No Python (except SaltStack), No npm
-# Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme
+# Allows: AffineScript, Deno, WASM, Rust/SPARK, OCaml, Haskell, Guile/Scheme,
+#         ReScript (only as adapter shim to upstream ReScript-using systems —
+#         per estate-wide policy 2026-04-30, RS/TS/JS default is AffineScript)
 
 name: RSR Anti-Pattern Check
 
@@ -31,7 +33,9 @@ jobs:
           # Exclude .d.ts files - those are TypeScript type declarations for ReScript FFI
           TS_FILES=$(find . \( -name "*.ts" -o -name "*.tsx" \) | grep -v node_modules | grep -v 'bindings/deno' | grep -v '\.d\.ts$' || true)
           if [ -n "$TS_FILES" ]; then
-            echo "❌ TypeScript files detected - use ReScript instead"
+            echo "❌ TypeScript files detected — use AffineScript→typed-wasm instead"
+            echo "   (Estate-wide policy 2026-04-30: RS/TS/JS default is AffineScript;"
+            echo "    ReScript is also being phased out except as upstream-system adapters.)"
             echo "$TS_FILES"
             exit 1
           fi
@@ -67,7 +71,8 @@ jobs:
       - name: Check for tsconfig
         run: |
           if [ -f "tsconfig.json" ]; then
-            echo "❌ tsconfig.json detected - use ReScript instead"
+            echo "❌ tsconfig.json detected — use AffineScript→typed-wasm instead"
+            echo "   (Estate-wide policy 2026-04-30: see RSR Anti-Pattern Allows list.)"
             exit 1
           fi
           echo "✅ No tsconfig.json"
@@ -83,11 +88,15 @@ jobs:
 
       - name: Summary
         run: |
-          echo "╔════════════════════════════════════════════════════════════╗"
-          echo "║           RSR Anti-Pattern Check Passed ✅                 ║"
-          echo "║                                                            ║"
-          echo "║  Allowed: ReScript, Deno, WASM, Rust, OCaml, Haskell,     ║"
-          echo "║           Guile/Scheme, SaltStack (Python)                 ║"
-          echo "║                                                            ║"
-          echo "║  Blocked: TypeScript, Go, npm, Python (non-Salt)          ║"
-          echo "╚════════════════════════════════════════════════════════════╝"
+          echo "╔══════════════════════════════════════════════════════════════════╗"
+          echo "║              RSR Anti-Pattern Check Passed ✅                    ║"
+          echo "║                                                                  ║"
+          echo "║  Allowed (default for new code):                                 ║"
+          echo "║    AffineScript→typed-wasm, Deno, WASM, Rust/SPARK, OCaml,       ║"
+          echo "║    Haskell, Guile/Scheme, SaltStack (Python)                     ║"
+          echo "║                                                                  ║"
+          echo "║  Allowed (transitional / adapter-shim only):                     ║"
+          echo "║    ReScript — for shims to upstream RS-using systems             ║"
+          echo "║                                                                  ║"
+          echo "║  Blocked: TypeScript, Go, npm, Python (non-Salt)                 ║"
+          echo "╚══════════════════════════════════════════════════════════════════╝"
@@ -17,15 +17,20 @@ jobs:
           # Zero-tolerance: NO .ts files anywhere in the tree.
           EXISTING_TS=$(find . -name "*.ts" -o -name "*.tsx" | grep -v './.git/' | grep -v node_modules | grep -v '\.gen\.' || true)
           if [ -n "$EXISTING_TS" ]; then
-            echo "❌ TypeScript files found (must be zero — port to Zig or ReScript):"
+            echo "❌ TypeScript files found (must be zero — port to Zig or AffineScript):"
+            echo "   Estate-wide policy 2026-04-30: RS/TS/JS → AffineScript→typed-wasm."
+            echo "   For systems-level code, Zig→WASM is the alternative."
             printf '%s\n' "$EXISTING_TS"
             exit 1
           fi
 
           # JS: block new additions only (existing JS tracked for WASM migration).
           NEW_JS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.(js|jsx)$' | grep -v '\.res\.js$' | grep -v '\.gen\.' | grep -v 'node_modules' || true)
           if [ -n "$NEW_JS" ]; then
-            echo "❌ New .js files detected. Target language is Zig→WASM; use Zig or ReScript instead."
+            echo "❌ New .js files detected."
+            echo "   Estate-wide policy 2026-04-30: target language is AffineScript→typed-wasm"
+            echo "   for application code, Zig→WASM for systems work. ReScript is being"
+            echo "   phased out (only allowed as upstream-system adapter shims)."
             printf '%s\n' "$NEW_JS"
             exit 1
           fi

@@ -24,18 +24,30 @@ Wants=local-coord-mcp.service
 Type=simple
 WorkingDirectory=$BOJ_ROOT/elixir
 
+# PATH must include asdf shims and ~/.cargo/bin for users running
+# asdf-managed Elixir or cargo-installed `just`. Falls through to
+# system paths if asdf isn't installed (in which case the elixir/mix.exs
+# version requirement will fail loudly — apt's Elixir 1.14 on Ubuntu
+# 24.04 LTS does not satisfy `~> 1.15`). %h is the user home directory.
+Environment=PATH=%h/.asdf/shims:%h/.cargo/bin:%h/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+Environment=ASDF_DIR=%h/.asdf
+Environment=ASDF_DATA_DIR=%h/.asdf
+
 # Env vars — see elixir/config/config.exs for the full list
 Environment=MIX_ENV=dev
 Environment=BOJ_PORT=7700
 Environment=BOJ_CARTRIDGES_ROOT=$BOJ_ROOT/cartridges
 Environment=BOJ_DATA_DIR=$HOME/.local/share/boj-server
 Environment=BOJ_INVOKE_CLI=$BOJ_ROOT/ffi/zig/zig-out/bin/boj-invoke
 
-ExecStart=/usr/bin/mix run --no-halt
+# Use `mix` resolved via PATH (the asdf shim picks up the version
+# pinned in .tool-versions). Hardcoding /usr/bin/mix breaks when
+# Elixir is asdf-managed and apt's mix is too old.
+ExecStart=mix run --no-halt
 Restart=on-failure
 RestartSec=5
 
-# Give the Elixir/BEAM VM enough file descriptors for 112 cartridges +
+# Give the Elixir/BEAM VM enough file descriptors for 115 cartridges +
 # one Deno worker port per JS cartridge (up to 256 concurrent workers).
 LimitNOFILE=65536