From 1843bf897243517c892043c3f5de235457ea5f57 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 26 May 2026 08:29:57 +0100 Subject: [PATCH 1/3] fix(paths-ignore): skip absolute-zero/ vendored-estate clones by default The validator was finding K9 files inside vendored copies of other hyperpolymath repos (e.g., maa-framework ships absolute-zero/coordination.k9 as part of a 204-file vendored subtree). The host PR didn't introduce the state but CI failed on the vendored copy's K9 invariants. Estate-wide pattern; vendored estate clones are convention-named after the upstream repo. The minimum needed to unblock the observed cases is absolute-zero/; add others as we encounter them. Refs: maa-framework #69 baseline-rot. --- action.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 9f66e1a..655bf0a 100644 --- a/action.yml +++ b/action.yml @@ -39,7 +39,10 @@ inputs: Pattern follows hyperpolymath/hypatia#243 — validators that scan content patterns must distinguish a target file from a fixture / vendored / training-corpus file that legitimately contains the - pattern being checked. + pattern being checked. The vendored-estate-clone carve-out (e.g. + absolute-zero/) follows the convention that a tracked subdirectory + named after an upstream hyperpolymath repo is a vendored copy whose + K9 files belong to the upstream's CI, not the host's. required: false default: | vendor/ @@ -49,6 +52,7 @@ inputs: integration/fixtures/ test/fixtures/ tests/fixtures/ + absolute-zero/ outputs: files-scanned: From ca81a47bef747ec0bf880a015afb17337da32910 Mon Sep 17 00:00:00 2001 
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 26 May 2026 09:04:04 +0100 Subject: [PATCH 2/3] chore(hypatia): exempt examples/SafeDOMExample.res from banned-language gate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit standards#168 (merged) consolidated all per-language banned-language checks into governance-reusable.yml's enforce()/is_exempt() helpers. The check now finds examples/SafeDOMExample.res — the recurring estate fixture for safe-DOM ReScript patterns that pre-dates the 2026-04-30 ReScript ban. Adding .hypatia-ignore exemption (the canonical mechanism per docs/EXEMPTION-MECHANISMS.adoc) so the gate stops failing while the affinescript#57 Phase 2 tree-sitter walker sequences the .res→.affine migration for this fixture. Refs PR #14 governance / Language / package anti-pattern policy check. --- .hypatia-ignore | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .hypatia-ignore diff --git a/.hypatia-ignore b/.hypatia-ignore new file mode 100644 index 0000000..20df4cd --- /dev/null +++ b/.hypatia-ignore @@ -0,0 +1,9 @@ +# Hypatia-honoured exemption file for k9-validate-action. +# Format: /: +# +# SafeDOMExample.res is the recurring estate fixture demonstrating a +# safe-DOM ReScript pattern; it pre-dates the 2026-04-30 ReScript ban and +# stays as a fixture until the .res→.affine migration sweep (affinescript#57 +# Phase 2) reaches it. The standards#168 consolidated language-policy +# check honours this line via the enforce()/is_exempt() helpers. +cicd_rules/banned_language_file:examples/SafeDOMExample.res From 2a1543ef7bcb61a34fe3b90cc9bf1da3aca3aeaf Mon Sep 17 00:00:00 2001 
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 26 May 2026 09:09:19 +0100 Subject: [PATCH 3/3] ci(codeql): switch language matrix from javascript-typescript to actions The repo ships only YAML + Bash + Markdown (no JS/TS source). The CodeQL workflow's javascript-typescript matrix entry was failing on every run with: Only found JavaScript or TypeScript files that were empty or contained syntax errors. Switching to language=actions runs the GitHub Actions security analyzer against the workflow files, which is the actually-relevant scan for an action repo. Refs PR #14 analyze (javascript-typescript, none) check. --- .github/workflows/codeql.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c475caf..b50641c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -30,7 +30,12 @@ jobs: fail-fast: false matrix: include: - - language: javascript-typescript + # k9-validate-action ships only YAML + Bash + Markdown (no JS/TS + # source). The `actions` language scans workflow files; the + # previous `javascript-typescript` entry made CodeQL fail with + # "Only found JavaScript or TypeScript files that were empty + # or contained syntax errors" on every run. + - language: actions build-mode: none steps:
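Review bot: In the description hunk of PATCH 1/3 (action.yml, @@ -39,7 +39,10), the added text states a general convention ("a tracked subdirectory named after an upstream hyperpolymath repo is a vendored copy"), but the default list in the next hunk gains only absolute-zero/. State in the description that absolute-zero/ is the only estate clone skipped by default and that other vendored clones must be added to this input by the caller. Otherwise a reader will assume every upstream-named directory is already carved out.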
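Review bot: The `absolute-zero/` default added in the second action.yml hunk of PATCH 1/3 (@@ -49,6 +52,7) exempts by directory name alone, so any K9 file that a host repo places under a directory of that name is skipped by default, whether or not it is actually a vendored copy. The visible lines do not show whether the pattern is anchored at the repository root or matches at any depth; document that in the input description. Consider also surfacing the skipped paths next to the existing `files-scanned` output so an ignored K9 file remains visible in CI.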
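Review bot: In the new .hypatia-ignore of PATCH 2/3, the header line "# Format: /:" names no fields, so the entry syntax has to be inferred from the single entry below it. Spell out what goes before the slash, between the slash and the colon, and after the colon, consistent with `cicd_rules/banned_language_file:examples/SafeDOMExample.res`. The comment ties the exemption to affinescript#57 Phase 2; add a note that this line is to be removed when that migration reaches the fixture, so the exemption does not outlive its reason.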
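Review bot: In the matrix hunk of PATCH 3/3 (.github/workflows/codeql.yml, @@ -30,7 +30,12), the added comment says the repo ships YAML + Bash + Markdown and that `actions` scans workflow files, which leaves the Bash unanalysed by this workflow. Say so in the comment, so that a green CodeQL run is not read as coverage of the shell code. As a style point, the five-line comment repeats the commit message; one line stating why `actions` was chosen is enough, with the quoted failure text left to the commit log.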