fix(paths-ignore): skip vendored-estate clones by default

.github/workflows/codeql.yml

@@ -30,7 +30,12 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - language: javascript-typescript
+          # k9-validate-action ships only YAML + Bash + Markdown (no JS/TS
+          # source). The `actions` language scans workflow files; the
+          # previous `javascript-typescript` entry made CodeQL fail with
+          # "Only found JavaScript or TypeScript files that were empty
+          # or contained syntax errors" on every run.
+          - language: actions
             build-mode: none
 
     steps:

.hypatia-ignore

@@ -0,0 +1,9 @@
+# Hypatia-honoured exemption file for k9-validate-action.
+# Format: <rule_module>/<rule_type>:<path>
+#
+# SafeDOMExample.res is the recurring estate fixture demonstrating a
+# safe-DOM ReScript pattern; it pre-dates the 2026-04-30 ReScript ban and
+# stays as a fixture until the .res→.affine migration sweep (affinescript#57
+# Phase 2) reaches it. The standards#168 consolidated language-policy
+# check honours this line via the enforce()/is_exempt() helpers.
+cicd_rules/banned_language_file:examples/SafeDOMExample.res

action.yml

@@ -39,7 +39,10 @@ inputs:
       Pattern follows hyperpolymath/hypatia#243 — validators that scan
       content patterns must distinguish a target file from a fixture /
       vendored / training-corpus file that legitimately contains the
-      pattern being checked.
+      pattern being checked. The vendored-estate-clone carve-out (e.g.
+      absolute-zero/) follows the convention that a tracked subdirectory
+      named after an upstream hyperpolymath repo is a vendored copy whose
+      K9 files belong to the upstream's CI, not the host's.
     required: false
     default: |
       vendor/
@@ -49,6 +52,7 @@ inputs:
       integration/fixtures/
       test/fixtures/
       tests/fixtures/
+      absolute-zero/
 
 outputs:
   files-scanned: