From 45210e13fe48f056ae8bf2cc720a6285f574024e Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Tue, 28 Apr 2026 03:51:16 +0100
Subject: [PATCH] feat(bust): extend schema with alert_remediations + seed 11
 entries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a sibling array to the existing failure_modes schema for *discovered*
(CI/CD/scanner-emitted) failure patterns, alongside the existing *injected*
(operational chaos-drill) failure_modes.

Changes:
  - bust.ncl: schema.alert_remediations array (id, title, severity,
    fingerprint, diagnosis, remediation, verification, preemption,
    references, last_seen, dismissed/dismissed_until). Backwards-compatible —
    existing failure_modes entries unchanged; default = [] for repos that
    don't populate it.
  - Bustfile.a2ml: 11 seed entries derived from the 2026-04-28 estate-wide
    alert audit (echidna, airborne-submarine-squadron, robodog-ecm, gossamer,
    boj-server, hypatia, file-soup, KnotTheory.jl, panll). Covers Scorecard
    (vulnerabilities, token-permissions, pinned-deps, branch-protection,
    maintained, binary-artifacts split into build-output vs tracked-asset,
    code-review), CodeQL (incomplete sanitization), and Dependabot
    (auto-closed-stale, merge-blocked-on-red-main).
  - EXTENSION-PROPOSAL-2026-04-28.adoc: full design (motivation,
    Fix-It rendering format, runner contract, inheritance model,
    consumer table, adoption path, open questions).

Each entry carries:
  - rich human diagnosis (symptom / root cause / why-stuck)
  - machine-actionable remediation with auto_safe gating
  - verification check + CI signal to watch
  - preemption block naming files to add to rsr-template-repo

Designed to be consumed by:
  - humans via `contractile bust diagnose <id>` (Fix-It-style render)
  - sustainabot for auto-safe remediations across the estate
  - hypatia for alert-to-fingerprint mapping
  - robot-repo-automaton for confidence-gated execution
  - rsr-template adoption test (preemption.template_addition is the source
    of truth for what should land in the template)

Pre-existing drift between the runner schema's failure_modes shape and the
existing Bustfile.a2ml content (which uses `scenarios`/`escalation-ladder`/
`backup-points` instead) is NOT addressed here — out of scope for this PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../contractiles/bust/Bustfile.a2ml           | 469 ++++++++++++
 .../bust/EXTENSION-PROPOSAL-2026-04-28.adoc   | 715 ++++++++++++++++++
 .machine_readable/contractiles/bust/bust.ncl  |  60 ++
 3 files changed, 1244 insertions(+)
 create mode 100644 .machine_readable/contractiles/bust/EXTENSION-PROPOSAL-2026-04-28.adoc

diff --git a/.machine_readable/contractiles/bust/Bustfile.a2ml b/.machine_readable/contractiles/bust/Bustfile.a2ml
index 6afee70..0e2ab1e 100644
--- a/.machine_readable/contractiles/bust/Bustfile.a2ml
+++ b/.machine_readable/contractiles/bust/Bustfile.a2ml
@@ -25,4 +25,473 @@ Bust {
         "Meta-repo history on origin/main is the durable backup for pointer state",
         "Local backup tags (backup/pre-<operation>-<date>) retained on risky rewrites"
     ]
+
+    // alert_remediations — discovered (CI/CD/scanner-emitted) failure patterns.
+    // Sibling array to scenarios; consumed by `contractile bust diagnose <id>` and
+    // `contractile bust remediate <id>`. Seeded 2026-04-28 from estate-wide audit.
+    // See EXTENSION-PROPOSAL-2026-04-28.adoc for schema, rendering, and adoption path.
+    alert_remediations: [
+        {
+            id: "scorecard.vulnerabilities.rustsec"
+            title: "Cargo dependency has a known RUSTSEC advisory"
+            severity: "high"
+            emitted_by: ["scorecard", "cargo-audit", "cargo-deny", "osv-scanner"]
+            fingerprint: {
+                source: "scorecard"
+                rule_id: "VulnerabilitiesID"
+                message_regex: "RUSTSEC-\\d{4}-\\d{4}"
+            }
+            diagnosis: {
+                short: "A Cargo dependency is on a version with an open RUSTSEC advisory."
+                root_cause: "Direct or transitive Cargo dep on a version flagged by RUSTSEC. Three classes: (a) vuln with fix available, (b) unmaintained crate with no fix, (c) yanked version."
+                why_humans_stuck: "Scorecard reports but no auto-fixer subscribes; cargo-audit not in template; dependabot-automerge skips HIGH severity."
+                class: "dep_advisory"
+            }
+            remediation: {
+                preferred_strategy: "auto_pr"
+                human_steps: [
+                    "cargo audit  # confirm advisory + class"
+                    "cargo update -p <crate>  (class a) OR edit Cargo.toml to swap (class b) OR --precise (class c)"
+                    "cargo test"
+                    "git checkout -b fix/rustsec-<id>"
+                    "git commit -am 'deps: bust RUSTSEC-<id> (<crate>)'"
+                    "gh pr create --fill && gh pr merge --auto --squash"
+                ]
+                machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/cargo-rustsec.sh"
+                auto_safe: true
+                needs_review_when: ["class == 'b' (no drop-in replacement)", "major-version bump required"]
+            }
+            verification: {
+                post_fix_check: "cargo audit --deny warnings"
+                expected_state: "no advisories"
+                ci_check_to_watch: "Scorecard / VulnerabilitiesID"
+            }
+            preemption: {
+                template_addition: [
+                    ".github/workflows/cargo-audit.yml"
+                    ".github/workflows/cargo-deny-check.yml"
+                ]
+                template_config: [
+                    ".machine_readable/compliance/rust/deny.toml: unmaintained = 'deny'"
+                ]
+                prevents_recurrence: true
+                back_ratchet_target: "rust_only"
+            }
+            references: ["https://rustsec.org/advisories/", "https://github.com/EmbarkStudios/cargo-deny"]
+            last_seen: "2026-04-28"
+        }
+
+        {
+            id: "scorecard.token-permissions.no-toplevel"
+            title: "Workflow lacks top-level GITHUB_TOKEN permissions"
+            severity: "high"
+            emitted_by: ["scorecard"]
+            fingerprint: {
+                source: "scorecard"
+                rule_id: "TokenPermissionsID"
+                message_regex: "no topLevel permission defined"
+            }
+            diagnosis: {
+                short: "A workflow YAML has no top-level permissions block, so jobs run with default broad token scope."
+                root_cause: "Default GITHUB_TOKEN permissions are write-all when no permissions: is declared. Scorecard wants read-all at minimum at workflow level."
+                why_humans_stuck: "Scorecard fires per-workflow per-commit. Template enforces this for new repos; older repos predate the rule."
+                class: "permission_misconfig"
+            }
+            remediation: {
+                preferred_strategy: "config_change"
+                human_steps: [
+                    "Open every .github/workflows/*.yml lacking top-level permissions"
+                    "Add `permissions: read-all` directly under `name:` (or before `on:`)"
+                    "Per-job override only where explicitly needed (e.g. `pages: write`)"
+                    "Commit + push"
+                ]
+                machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/inject-toplevel-permissions.sh"
+                auto_safe: true
+            }
+            verification: {
+                post_fix_check: "yq '.permissions' .github/workflows/*.yml | grep -v null | wc -l  # all should be non-null"
+                expected_state: "every workflow has a top-level permissions key"
+                ci_check_to_watch: "Scorecard / TokenPermissionsID"
+            }
+            preemption: {
+                template_addition: [".github/workflows/workflow-linter.yml (already in template)"]
+                template_config: ["All template workflows already carry permissions: read-all"]
+                prevents_recurrence: true
+                back_ratchet_target: "all_repos"
+            }
+            references: ["https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions"]
+            last_seen: "2026-04-28"  // airborne-submarine-squadron #11
+        }
+
+        {
+            id: "scorecard.pinned-dependencies.action-not-pinned"
+            title: "GitHub Action is referenced by tag/branch instead of SHA"
+            severity: "medium"
+            emitted_by: ["scorecard"]
+            fingerprint: {
+                source: "scorecard"
+                rule_id: "PinnedDependenciesID"
+                message_regex: "GitHubAction not pinned by hash"
+            }
+            diagnosis: {
+                short: "Workflow references like `actions/checkout@v6` instead of `actions/checkout@<sha>  # v6.0.2`."
+                root_cause: "Tag/branch refs let action authors silently re-publish the same ref pointing at different code. SHA pin freezes the artefact."
+                why_humans_stuck: "Many repos predate the SHA-pinning rule. 2026-04-17 estate-wide audit found ~12,000 v6 SHAs but ~2,100 v4 lingering. Template enforces forward; nobody back-ratchets."
+                class: "config_drift"
+            }
+            remediation: {
+                preferred_strategy: "auto_pr"
+                human_steps: [
+                    "For each unpinned action, look up the canonical SHA (CLAUDE.md SHA table)"
+                    "sed-replace `@v<n>` with `@<sha>  # v<n.n.n>`"
+                    "Verify CI still green"
+                    "Commit + PR"
+                ]
+                machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/sha-pin-actions.sh"
+                auto_safe: true
+                needs_review_when: ["action not in canonical SHA table", "flathub repos (deliberate v4 pin)"]
+            }
+            verification: {
+                post_fix_check: "grep -E '@v[0-9]' .github/workflows/*.yml  # should be empty (or only in comments)"
+                expected_state: "every action @ ref is a 40-char SHA"
+                ci_check_to_watch: "Scorecard / PinnedDependenciesID"
+            }
+            preemption: {
+                template_addition: [".github/workflows/workflow-linter.yml"]
+                template_config: ["CLAUDE.md SHA table is the canonical reference"]
+                prevents_recurrence: true
+                back_ratchet_target: "all_repos"
+            }
+            references: ["CLAUDE.md - Common GitHub Actions SHA Pins section"]
+            last_seen: "2026-04-28"
+        }
+
+        {
+            id: "scorecard.branch-protection.weak-or-missing"
+            title: "Branch protection on main is weak or absent"
+            severity: "high"
+            emitted_by: ["scorecard"]
+            fingerprint: {
+                source: "scorecard"
+                rule_id: "BranchProtectionID"
+                message_regex: "(branch protection.*disabled|does not require approvers|no status checks)"
+            }
+            diagnosis: {
+                short: "main lacks: required reviews, status-check requirements, admin enforcement, stale-review dismissal, or codeowners."
+                root_cause: "GitHub branch protection has many independent toggles; older repos were created before the standard was tightened."
+                why_humans_stuck: "GitHub Free blocks rulesets on private repos (verified 2026-04-10). Estate-wide ratchet stalled on Wave 3 (5 private repos)."
+                class: "config_drift"
+            }
+            remediation: {
+                preferred_strategy: "cli_command"
+                human_steps: [
+                    "julia ~/security-fixes/enable-branch-protection.jl <repo>"
+                    "OR via gh api: PUT /repos/{owner}/{repo}/branches/main/protection"
+                ]
+                machine_runner: "~/security-fixes/enable-branch-protection.jl"
+                auto_safe: true
+                needs_review_when: ["repo is private and on GitHub Free (will fail)"]
+            }
+            verification: {
+                post_fix_check: "gh api /repos/<owner>/<repo>/branches/main/protection"
+                expected_state: "all required-checks/reviews/admin-enforcement enabled"
+                ci_check_to_watch: "Scorecard / BranchProtectionID"
+            }
+            preemption: {
+                template_addition: ["enable-branch-protection.jl on every repo create"]
+                prevents_recurrence: true
+                back_ratchet_target: "all_repos"
+            }
+            references: ["~/security-fixes/enable-branch-protection.jl"]
+            last_seen: "2026-04-28"  // robodog-ecm #11
+        }
+
+        {
+            id: "scorecard.maintained.repo-too-young"
+            title: "Repo created within last 90 days"
+            severity: "high"
+            emitted_by: ["scorecard"]
+            fingerprint: {
+                source: "scorecard"
+                rule_id: "MaintainedID"
+                message_regex: "created within the last 90 days"
+            }
+            diagnosis: {
+                short: "Cosmetic, time-based alert that resolves itself after 90 days from repo creation."
+                root_cause: "Scorecard penalises new repos because malicious actors create burner repos. Heuristic, not a real defect."
+                why_humans_stuck: "There is no fix; alert sits open until time passes. Eats human attention every time it appears in a triage list."
+                class: "expected_after_repo_creation"
+            }
+            remediation: {
+                preferred_strategy: "manual_only"
+                human_steps: [
+                    "Acknowledge: this clears automatically 90 days after repo creation"
+                    "Optional: dismiss in GitHub UI with reason 'won't fix - heuristic'"
+                ]
+                auto_safe: false
+                side_effects: ["dismissal is per-repo manual action"]
+            }
+            verification: {
+                post_fix_check: "true  # nothing to verify"
+                expected_state: "alert age > 90 days OR dismissed"
+                ci_check_to_watch: "Scorecard / MaintainedID"
+            }
+            preemption: {
+                template_addition: ["scorecard-enforcer.yml configured to ignore MaintainedID for first 90 days"]
+                prevents_recurrence: true
+                back_ratchet_target: "all_repos"
+            }
+            references: ["https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained"]
+            last_seen: "2026-04-28"
+        }
+
+        {
+            id: "dependabot.auto-closed.dep-no-longer-tracked"
+            title: "Dependabot auto-closed PR with comment 'no longer being updated'"
+            severity: "low"
+            emitted_by: ["dependabot"]
+            fingerprint: {
+                source: "dependabot"
+                rule_id: "auto-close"
+                message_regex: "no longer being updated by Dependabot"
+            }
+            diagnosis: {
+                short: "Dependabot itself closed a bump PR because the dep is no longer in the manifest tracking set."
+                root_cause: "Manifest dropped the dep, an ignore rule was added, or the dep was renamed/replaced. Closure is an intentional bot signal, not a rejection of the bump's contents."
+                why_humans_stuck: "Easy to mistake for 'user rejected this' and bulk-delete the head branch."
+                class: "dep_advisory"
+            }
+            remediation: {
+                preferred_strategy: "cli_command"
+                human_steps: [
+                    "Verify dependabot's close comment matches the regex"
+                    "Delete the head branch: gh api -X DELETE repos/<owner>/<repo>/git/refs/heads/<branch>"
+                    "Do NOT bulk-delete by closed-PR state alone; always check the close reason"
+                ]
+                machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/cleanup-dependabot-stale-branch.sh"
+                auto_safe: true
+            }
+            verification: {
+                post_fix_check: "gh api repos/<owner>/<repo>/branches/<branch> 2>&1 | grep -q 'Branch not found'"
+                expected_state: "branch absent"
+            }
+            preemption: {
+                template_config: ["dependabot.yml ignore rules tracked alongside Bustfile"]
+                prevents_recurrence: false
+                back_ratchet_target: "opt_in"
+            }
+            references: []
+            last_seen: "2026-04-28"  // file-soup PR #2
+        }
+
+        {
+            id: "dependabot.merge-blocked.unrelated-red-checks-on-main"
+            title: "Dependabot PR can't merge because main is red on unrelated checks"
+            severity: "medium"
+            emitted_by: ["dependabot", "github-checks"]
+            fingerprint: {
+                source: "github-checks"
+                rule_id: "BLOCKED-merge-state"
+                message_regex: "mergeStateStatus.*BLOCKED"
+            }
+            diagnosis: {
+                short: "PR is mergeable per git, but auto-merge is gated on 'all required checks green' and main itself has red checks."
+                root_cause: "Required-status-check policy treats main's failures as PR failures. One broken workflow on main blocks every Dependabot PR."
+                why_humans_stuck: "Each Dependabot PR appears 'broken' but the actual broken thing is upstream — red checks rotate among repos and never get attention."
+                class: "config_drift"
+            }
+            remediation: {
+                preferred_strategy: "manual_only"
+                human_steps: [
+                    "List failing checks: gh pr view <n> --json statusCheckRollup"
+                    "Identify which fail on main itself (vs. PR-introduced)"
+                    "Fix the upstream broken workflow first"
+                    "Then Dependabot PRs unblock automatically"
+                ]
+                auto_safe: false
+                needs_review_when: ["never auto - upstream cause needs human triage"]
+            }
+            verification: {
+                post_fix_check: "gh pr view <n> --json mergeStateStatus | grep -v BLOCKED"
+                expected_state: "mergeStateStatus is CLEAN or HAS_HOOKS"
+                ci_check_to_watch: "all required checks on the affected workflows"
+            }
+            preemption: {
+                template_addition: ["main-health-monitor workflow that opens an issue when main goes red"]
+                prevents_recurrence: false
+                back_ratchet_target: "all_repos"
+            }
+            references: []
+            last_seen: "2026-04-28"  // hypatia PR #194
+        }
+
+        {
+            id: "codeql.js.incomplete-multi-character-sanitization"
+            title: "CodeQL: regex-based HTML sanitizer is incomplete"
+            severity: "high"
+            emitted_by: ["codeql"]
+            fingerprint: {
+                source: "codeql"
+                rule_id: "js/incomplete-multi-character-sanitization"
+            }
+            diagnosis: {
+                short: "JS code is using a regex to strip <script tags or similar; CodeQL has shown the regex misses edge-cases."
+                root_cause: "Regex-based HTML parsing is fundamentally incomplete. HTML must be parsed with a real parser to be safely sanitized."
+                why_humans_stuck: "This is a real code defect, not config. No safe one-liner auto-fix; requires replacing the sanitizer with a parser-based library (DOMPurify, sanitize-html)."
+                class: "code_defect"
+            }
+            remediation: {
+                preferred_strategy: "manual_only"
+                human_steps: [
+                    "Identify the offending regex sanitizer (path:line in CodeQL output)"
+                    "Replace with DOMPurify or sanitize-html"
+                    "Keep allowlist explicit"
+                    "Add a CodeQL test case to prevent regression"
+                ]
+                auto_safe: false
+                needs_review_when: ["always - real code change"]
+            }
+            verification: {
+                post_fix_check: "codeql analyze + grep for the rule  # should be absent"
+                expected_state: "no js/incomplete-multi-character-sanitization findings"
+                ci_check_to_watch: "CodeQL / js/incomplete-multi-character-sanitization"
+            }
+            preemption: {
+                template_config: [
+                    "CodeQL config in template should already include js-experimental queries"
+                    "Template README should warn against regex-based HTML sanitization"
+                ]
+                prevents_recurrence: false
+                back_ratchet_target: "js_only"
+            }
+            references: ["https://github.com/cure53/DOMPurify", "https://codeql.github.com/codeql-query-help/javascript/js-incomplete-multi-character-sanitization/"]
+            last_seen: "2026-04-28"  // gossamer #21, #22
+        }
+
+        {
+            id: "scorecard.binary-artifacts.build-output"
+            title: "Build artefact (.wasm/.so/.dylib/target binary) committed to repo"
+            severity: "high"
+            emitted_by: ["scorecard"]
+            fingerprint: {
+                source: "scorecard"
+                rule_id: "BinaryArtifactsID"
+                message_regex: "binary detected"
+            }
+            diagnosis: {
+                short: "A regenerable build output is tracked in git."
+                root_cause: "Build artefacts (.wasm, .so, .dylib, target/, dist/) shouldn't be committed; they bloat clones, can't be diffed, and Scorecard treats committed binaries as supply-chain risk."
+                why_humans_stuck: ".gitignore alone won't clear the alert because the file is currently tracked. Need git rm --cached AND .gitignore AND a build-pipeline that produces it on demand."
+                class: "config_drift"
+            }
+            remediation: {
+                preferred_strategy: "auto_pr"
+                human_steps: [
+                    "Add path to .gitignore (prevents future re-commits)"
+                    "git rm --cached <path> (removes from index, keeps working copy)"
+                    "Verify build still produces it (locally + in CI)"
+                    "Commit + PR"
+                    "Optional: git filter-repo to scrub from history (DESTRUCTIVE - needs explicit user confirmation)"
+                ]
+                machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/untrack-build-artefact.sh"
+                auto_safe: true
+                needs_review_when: ["history-rewrite requested", "asset is not regenerable from source"]
+            }
+            verification: {
+                post_fix_check: "git ls-files <path>  # should output nothing"
+                expected_state: "build artefact untracked + in .gitignore + regenerable via build script"
+                ci_check_to_watch: "Scorecard / BinaryArtifactsID"
+            }
+            preemption: {
+                template_addition: [".gitattributes with LFS rules", "pre-commit hook blocking large binaries", "standard .gitignore covering target/, dist/, *.wasm"]
+                prevents_recurrence: true
+                back_ratchet_target: "all_repos"
+            }
+            references: []
+            last_seen: "2026-04-28"  // panll #16 (panll_gui.wasm), gossamer #13-19
+        }
+
+        {
+            id: "scorecard.binary-artifacts.tracked-asset"
+            title: "Non-regenerable binary asset (image/PDF/fixture) committed"
+            severity: "high"
+            emitted_by: ["scorecard"]
+            fingerprint: {
+                source: "scorecard"
+                rule_id: "BinaryArtifactsID"
+                message_regex: "binary detected"
+            }
+            diagnosis: {
+                short: "A non-regenerable binary (PNG, PDF, test fixture) is tracked in git."
+                root_cause: "Same as build-output entry but the file is not regenerable, so untracking deletes content. Needs LFS migration or release-asset relocation instead."
+                why_humans_stuck: "Cannot just git rm --cached without losing the file's content stream from the repo's working set."
+                class: "config_drift"
+            }
+            remediation: {
+                preferred_strategy: "manual_only"
+                human_steps: [
+                    "Decide: is this LFS material, release asset, or trash?"
+                    "If LFS: git lfs track + migrate"
+                    "If release asset: move to a GitHub Release attachment + .gitignore the local copy"
+                    "If trash: git rm + commit"
+                    "git filter-repo to scrub from history (DESTRUCTIVE - needs explicit user confirmation)"
+                ]
+                auto_safe: false
+                needs_review_when: ["always - human judgment about asset value"]
+            }
+            verification: {
+                post_fix_check: "find . -size +1M -type f -not -path '*/.git/*'  # review remaining"
+                expected_state: "no committed non-LFS binaries above size threshold"
+                ci_check_to_watch: "Scorecard / BinaryArtifactsID"
+            }
+            preemption: {
+                template_addition: [".gitattributes with LFS rules for *.png/*.pdf"]
+                prevents_recurrence: false
+                back_ratchet_target: "all_repos"
+            }
+            references: []
+            last_seen: "2026-04-28"
+        }
+
+        {
+            id: "scorecard.code-review.no-approved-changesets"
+            title: "Scorecard: 0 approved changesets out of N merged"
+            severity: "high"
+            emitted_by: ["scorecard"]
+            fingerprint: {
+                source: "scorecard"
+                rule_id: "CodeReviewID"
+                message_regex: "Found 0/\\d+ approved changesets"
+            }
+            diagnosis: {
+                short: "Solo-author repos where the author also merges their own PRs have no review record."
+                root_cause: "Scorecard's CodeReview check counts approvals on merged PRs. Solo-author estate repos have none — by design."
+                why_humans_stuck: "There is no way to satisfy this check on a solo-author repo without bringing in a co-reviewer or a bot. Eats triage attention forever otherwise."
+                class: "expected_after_repo_creation"
+            }
+            remediation: {
+                preferred_strategy: "config_change"
+                human_steps: [
+                    "Option A: enrol a review-bot (e.g. echidnabot/finishbot) as a CODEOWNER and have it auto-approve trivial changes"
+                    "Option B: dismiss the alert with reason 'solo-author repo'"
+                    "Option C: lower CodeReview check weight in scorecard.yml config"
+                ]
+                machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/enrol-review-bot.sh"
+                auto_safe: false
+                needs_review_when: ["solo-author policy is a per-repo decision"]
+            }
+            verification: {
+                post_fix_check: "scorecard run + grep CodeReviewID"
+                expected_state: "score >= configured threshold"
+                ci_check_to_watch: "Scorecard / CodeReviewID"
+            }
+            preemption: {
+                template_addition: ["scorecard.yml with CodeReviewID weight tuned for solo-author"]
+                prevents_recurrence: true
+                back_ratchet_target: "all_repos"
+            }
+            references: []
+            last_seen: "2026-04-28"  // airborne-submarine-squadron #13
+        }
+    ]
 }
diff --git a/.machine_readable/contractiles/bust/EXTENSION-PROPOSAL-2026-04-28.adoc b/.machine_readable/contractiles/bust/EXTENSION-PROPOSAL-2026-04-28.adoc
new file mode 100644
index 0000000..cbcd329
--- /dev/null
+++ b/.machine_readable/contractiles/bust/EXTENSION-PROPOSAL-2026-04-28.adoc
@@ -0,0 +1,715 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+// (MPL-2.0 is automatic legal fallback until PMPL is formally recognised)
+// Author: Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+= Bustfile Extension — Catalogued Alert Remediation
+:toc: left
+:toclevels: 3
+:sectnums:
+:icons: font
+:source-highlighter: rouge
+Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+Proposal v0.1, 2026-04-28
+
+== Origin
+
+This proposal was authored after a session in which the same diagnostic question
+was asked repeatedly across the estate:
+
+* `hyperpolymath/echidna` code-scanning #11 — RUSTSEC-2024-0436 (`paste` unmaintained)
+* `hyperpolymath/airborne-submarine-squadron` — 8 Scorecard alerts (TokenPermissions, PinnedDeps, BranchProtection, etc.)
+* `hyperpolymath/robodog-ecm` — BranchProtection + RUSTSEC-2024-0380/0381
+* `hyperpolymath/gossamer` — CodeQL `js/incomplete-multi-character-sanitization`, `js/bad-tag-filter`
+* `hyperpolymath/boj-server` — Dependabot `lru` low-sev (unmaintained)
+* `hyperpolymath/hypatia` PR #194 — `ruby/setup-ruby` blocked by red main checks
+* `hyperpolymath/file-soup` — 8 open Dependabot PRs, 1 auto-closed
+* `hyperpolymath/KnotTheory.jl` — TokenPermissions/PinnedDeps/SAST already fixed; Fuzzing/CIIBestPractices/Maintained still open
+
+Each alert was *predictable*, *formulaic*, and either pre-emptable in the RSR
+template or auto-fixable by a runner. The diagnosis was that nothing in the
+estate is currently doing either. This document specifies the artefact that
+closes the gap.
+
+== Problem statement (one paragraph)
+
+Hypatia is wired to *analyse* and gitbot-fleet is wired to *act*, but neither
+holds a catalogue of *which alert means what* and *how to fix it*. So alerts
+fire, accumulate, and sit. The missing artefact is a per-repo,
+template-overridable catalogue of known alert patterns paired with rich
+human-facing diagnoses and machine-actionable remediations — analogous to the
+Microsoft Fix-It / Easy Fix wizard pattern (rich error message, root cause,
+proposed fix, "apply now" toggle), but expressed in A2ML so a runner can also
+consume it.
+
+== Proposal — extend the existing `bust` contractile
+
+The `bust` contractile already exists in
+`reposystem/.machine_readable/contractiles/bust/`. Its current scope is
+*operational chaos drills*: declared `failure_modes` with `injection_probe` +
+`recovery_probe`. That stays.
+
+This proposal adds a *sibling* schema array — `alert_remediations` — for
+*discovered* (CI/CD/security-scanner-emitted) failure patterns rather than
+*injected* (operational) ones. The two arrays share the verb because both
+encode the same shape: "named breakage X has known recovery path Y."
+
+The runner gets two new subcommands:
+
+[source,bash]
+----
+contractile bust diagnose <alert-id>     # render Fix-It-style human report
+contractile bust remediate <alert-id>    # apply the registered auto-fix (with --dry-run)
+----
+
+== Schema extension (Nickel)
+
+Adds to `bust.ncl`:
+
+[source]
+----
+schema = {
+  failure_modes      | Array { ... existing chaos-drill shape ... },
+
+  alert_remediations | Array {
+    id                  | String,             # e.g. "scorecard.token-permissions"
+    title               | String,             # one-line human title
+    severity            | [| 'low, 'medium, 'high, 'critical |],
+    emitted_by          | Array String,       # ["scorecard", "cargo-audit", "dependabot", "codeql"]
+    fingerprint         | {
+      source            | String,             # alert source name
+      rule_id           | String,             # the source's rule identifier
+      message_regex     | String | optional,  # for further disambiguation
+    },
+
+    diagnosis           | {
+      short             | String,             # 1-2 sentence symptom
+      root_cause        | String,             # WHY this fires (mechanism, not symptom)
+      why_humans_stuck  | String | optional,  # the systemic gap (no auto-bot, gated automerge, etc.)
+      class             | [| 'config_drift, 'dep_advisory, 'unmaintained_dep,
+                            'missing_workflow, 'missing_policy, 'code_defect,
+                            'permission_misconfig, 'expected_after_repo_creation |],
+    },
+
+    remediation         | {
+      preferred_strategy | [| 'auto_pr, 'cli_command, 'manual_only, 'config_change |],
+      human_steps       | Array String,       # numbered, copy-pasteable
+      machine_runner    | String | optional,  # path to executable: shell, deno, julia
+      auto_safe         | Bool | default = false,
+      needs_review_when | Array String | optional,
+      side_effects      | Array String | optional,  # files/branches/PRs created
+    },
+
+    verification        | {
+      post_fix_check    | String,             # command; exit 0 = fixed
+      expected_state    | String,             # human description
+      ci_check_to_watch | String | optional,  # e.g. "Scorecard / VulnerabilitiesID"
+    },
+
+    preemption          | {
+      template_addition | Array String | optional,  # files to add to rsr-template-repo
+      template_config   | Array String | optional,  # config keys to set
+      prevents_recurrence | Bool | default = false,
+      back_ratchet_target | [| 'all_repos, 'rust_only, 'js_only, 'opt_in |] | optional,
+    },
+
+    references          | Array String | optional,
+    last_seen           | String | optional,        # ISO date
+    notes               | String | optional,
+  },
+}
+----
+
+== Human-facing rendering — the Fix-It output
+
+When `contractile bust diagnose <id>` runs, it renders one entry as a
+multi-section terminal report. Format below; the runner emits this from the A2ML
+data so it stays in sync:
+
+[source]
+----
+━━━ BUST DIAGNOSE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ID:        scorecard.vulnerabilities.rustsec
+Title:     Cargo dependency has a known RUSTSEC advisory
+Severity:  high
+Emitted:   scorecard / VulnerabilitiesID    (also: cargo-audit, cargo-deny)
+Last seen: 2026-04-28 in echidna #11
+
+▸ Symptom
+   "Project is vulnerable to: RUSTSEC-2024-0436"
+
+▸ Root cause
+   A direct or transitive Cargo dependency is on a version with an open
+   RUSTSEC advisory. RUSTSEC advisories cover three classes:
+     (a) Vulnerability with fixed version available  → bump to fixed
+     (b) Unmaintained crate (no fix exists)          → swap or vendor
+     (c) Yanked version                              → pin to last good
+
+▸ Why this is sitting open
+   Scorecard *reports* the alert but the estate has no auto-fixer
+   subscribed to Scorecard alerts. cargo-audit is not in the rsr-template's
+   default workflow set, so most repos never run it locally. The
+   dependabot-automerge policy explicitly skips HIGH/CRITICAL, so even if
+   a fix PR existed it would not auto-merge.
+
+▸ Suggested fix  (preferred: auto_pr, auto-safe: yes)
+   1. cargo audit                            # confirm advisory + class
+   2. cargo update -p <crate>                # class (a)
+      OR  edit Cargo.toml to swap dep        # class (b)
+      OR  cargo update -p <crate> --precise  # class (c)
+   3. cargo test
+   4. git checkout -b fix/rustsec-<id>
+   5. git commit -am "deps: bust RUSTSEC-<id> (<crate>)"
+   6. gh pr create --fill && gh pr merge --auto --squash
+
+▸ Verify
+   Command:        cargo audit --deny warnings
+   Expected:       no advisories
+   CI check:       Scorecard / VulnerabilitiesID  (next nightly run)
+
+▸ Prevent recurrence  (template fix — landing this once back-ratchets the estate)
+   Add to rsr-template-repo:
+     .github/workflows/cargo-audit.yml          (run on push + weekly)
+     .github/workflows/cargo-deny-check.yml     (run on push + weekly)
+     .machine_readable/compliance/rust/deny.toml  (set unmaintained = "deny")
+   Then sweep with template-drift back-ratchet.
+
+▸ Apply auto-fix now? [y/N]
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+----
+
+== Machine-facing — runner contract
+
+The runner (`bust diagnose` / `bust remediate`) consumes the same A2ML and
+exposes:
+
+* JSON-over-stdout structured payloads (for gitbot-fleet, hypatia, robot-repo-automaton consumers — note: emitted to stdout for transient inter-process pipes only; persisted artefacts are A2ML per the no-JSON-emit rule).
+* Exit codes: `0` = no remediation needed, `1` = remediation available + applied, `2` = remediation needed + manual, `3` = unknown alert.
+* `--dry-run` flag mandatory before any side effect; default behaviour with no flag is dry-run.
+* Remediations marked `auto_safe = false` ALWAYS require `--apply --confirm`.
+
+== Consumers (who reads the Bustfile)
+
+|===
+| Consumer | Reads what | Writes what
+
+| Human triaging an alert
+| `bust diagnose <id>` rendered output
+| Decides whether to apply
+
+| `gitbot-fleet/sustainabot`
+| All `auto_safe = true` entries on a schedule
+| Opens fix PRs
+
+| `gitbot-fleet/echidnabot`
+| Entries where `class = code_defect` and a proof obligation can be drafted
+| Adds proof opportunity to its queue
+
+| `hypatia` neurosymbolic engine
+| All entries — uses `fingerprint` to map incoming alerts → Bustfile entries
+| Annotates alerts with diagnosis text + remediation suggestion
+
+| `robot-repo-automaton`
+| Entries with `machine_runner` set
+| Executes the runner inside its confidence-gated harness
+
+| `rsr-template-repo` adoption test
+| `preemption.template_addition` + `template_config` fields
+| Verifies template is up to date with current Bustfile preemptions
+|===
+
+== Inheritance model
+
+Three layers, each can add or override:
+
+. *Estate-wide* — `reposystem/.machine_readable/contractiles/bust/Bustfile.a2ml`. Patterns that apply to every hyperpolymath repo (Scorecard, Dependabot, common CI failures).
+. *Language-tier* — e.g. `reposystem/.machine_readable/contractiles/bust/tiers/rust.a2ml`, `tiers/agda.a2ml`. Patterns specific to a stack.
+. *Per-repo* — each repo's own `.machine_readable/contractiles/bust/Bustfile.a2ml`. Adds repo-specific patterns and overrides estate ones (with reason).
+
+The CLI merges them at runtime; per-repo wins, with the merged result available
+via `contractile bust list`.
+
+== Worked content — proposed entries from this session
+
+The following 10 entries are derived from the alerts surfaced during the
+2026-04-28 session. They are the seed corpus for the estate-wide Bustfile.
+A2ML form below; this is the actual proposed text to commit.
+
+[source]
+----
+// alert_remediations entries — paste into Bustfile.a2ml under the existing Bust { ... }
+
+alert_remediations: [
+    {
+        id: "scorecard.vulnerabilities.rustsec"
+        title: "Cargo dependency has a known RUSTSEC advisory"
+        severity: 'high
+        emitted_by: ["scorecard", "cargo-audit", "cargo-deny", "osv-scanner"]
+        fingerprint: {
+            source: "scorecard"
+            rule_id: "VulnerabilitiesID"
+            message_regex: "RUSTSEC-\\d{4}-\\d{4}"
+        }
+        diagnosis: {
+            short: "A Cargo dependency is on a version with an open RUSTSEC advisory."
+            root_cause: "Direct or transitive Cargo dep on a version flagged by RUSTSEC. Three classes: (a) vuln with fix available, (b) unmaintained crate (no fix), (c) yanked version."
+            why_humans_stuck: "Scorecard reports but no auto-fixer subscribes; cargo-audit not in template; dependabot-automerge skips HIGH severity."
+            class: 'dep_advisory
+        }
+        remediation: {
+            preferred_strategy: 'auto_pr
+            human_steps: [
+                "cargo audit  # confirm advisory + class"
+                "cargo update -p <crate>  (class a) OR edit Cargo.toml to swap (class b) OR --precise (class c)"
+                "cargo test"
+                "git checkout -b fix/rustsec-<id>"
+                "git commit -am 'deps: bust RUSTSEC-<id> (<crate>)'"
+                "gh pr create --fill && gh pr merge --auto --squash"
+            ]
+            machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/cargo-rustsec.sh"
+            auto_safe: true
+            needs_review_when: ["class == 'b' (no drop-in replacement)", "major-version bump required"]
+        }
+        verification: {
+            post_fix_check: "cargo audit --deny warnings"
+            expected_state: "no advisories"
+            ci_check_to_watch: "Scorecard / VulnerabilitiesID"
+        }
+        preemption: {
+            template_addition: [
+                ".github/workflows/cargo-audit.yml"
+                ".github/workflows/cargo-deny-check.yml"
+            ]
+            template_config: [
+                ".machine_readable/compliance/rust/deny.toml: unmaintained = 'deny'"
+            ]
+            prevents_recurrence: true
+            back_ratchet_target: 'rust_only
+        }
+        references: ["https://rustsec.org/advisories/", "https://github.com/EmbarkStudios/cargo-deny"]
+        last_seen: "2026-04-28"
+    }
+
+    {
+        id: "scorecard.token-permissions.no-toplevel"
+        title: "Workflow lacks top-level GITHUB_TOKEN permissions"
+        severity: 'high
+        emitted_by: ["scorecard"]
+        fingerprint: {
+            source: "scorecard"
+            rule_id: "TokenPermissionsID"
+            message_regex: "no topLevel permission defined"
+        }
+        diagnosis: {
+            short: "A workflow YAML has no top-level `permissions:` block, so jobs run with default broad token scope."
+            root_cause: "Default GITHUB_TOKEN permissions are write-all when no `permissions:` is declared. Scorecard wants read-all at minimum at workflow level."
+            why_humans_stuck: "Scorecard fires per-workflow per-commit. Template enforces this for new repos; older repos predate the rule."
+            class: 'permission_misconfig
+        }
+        remediation: {
+            preferred_strategy: 'config_change
+            human_steps: [
+                "Open every .github/workflows/*.yml lacking top-level permissions"
+                "Add `permissions: read-all` directly under `name:` (or before `on:`)"
+                "Per-job override only where explicitly needed (e.g. `pages: write`)"
+                "Commit + push"
+            ]
+            machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/inject-toplevel-permissions.sh"
+            auto_safe: true
+        }
+        verification: {
+            post_fix_check: "yq '.permissions' .github/workflows/*.yml | grep -v null | wc -l  # all should be non-null"
+            expected_state: "every workflow has a top-level permissions key"
+            ci_check_to_watch: "Scorecard / TokenPermissionsID"
+        }
+        preemption: {
+            template_addition: [".github/workflows/workflow-linter.yml (already in template)"]
+            template_config: [
+                "All template workflows already carry permissions: read-all"
+            ]
+            prevents_recurrence: true
+            back_ratchet_target: 'all_repos
+        }
+        references: ["https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions"]
+        last_seen: "2026-04-28"  // airborne-submarine-squadron #11
+    }
+
+    {
+        id: "scorecard.pinned-dependencies.action-not-pinned"
+        title: "GitHub Action is referenced by tag/branch instead of SHA"
+        severity: 'medium
+        emitted_by: ["scorecard"]
+        fingerprint: {
+            source: "scorecard"
+            rule_id: "PinnedDependenciesID"
+            message_regex: "GitHubAction not pinned by hash"
+        }
+        diagnosis: {
+            short: "Workflow references like `actions/checkout@v6` instead of `actions/checkout@<sha>  # v6.0.2`."
+            root_cause: "Tag/branch refs let action authors silently re-publish the same ref pointing at different code. SHA pin freezes the artefact."
+            why_humans_stuck: "Many repos predate the SHA-pinning rule; estate-wide drift audit on 2026-04-17 found ~12,000 v6 SHAs but ~2,100 v4 lingering. Template enforces forward; nobody back-ratchets."
+            class: 'config_drift
+        }
+        remediation: {
+            preferred_strategy: 'auto_pr
+            human_steps: [
+                "For each unpinned action, look up the canonical SHA (see CLAUDE.md SHA table)"
+                "sed-replace `@v<n>` with `@<sha>  # v<n.n.n>`"
+                "Verify CI still green"
+                "Commit + PR"
+            ]
+            machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/sha-pin-actions.sh"
+            auto_safe: true
+            needs_review_when: ["action not in canonical SHA table", "flathub repos (deliberate v4 pin)"]
+        }
+        verification: {
+            post_fix_check: "grep -E '@v[0-9]' .github/workflows/*.yml  # should be empty (or only in comments)"
+            expected_state: "every action @ ref is a 40-char SHA"
+            ci_check_to_watch: "Scorecard / PinnedDependenciesID"
+        }
+        preemption: {
+            template_addition: [".github/workflows/workflow-linter.yml"]
+            template_config: ["CLAUDE.md SHA table is the canonical reference"]
+            prevents_recurrence: true
+            back_ratchet_target: 'all_repos
+        }
+        references: ["CLAUDE.md §Workflow Standards"]
+        last_seen: "2026-04-28"
+    }
+
+    {
+        id: "scorecard.branch-protection.weak-or-missing"
+        title: "Branch protection on main is weak or absent"
+        severity: 'high
+        emitted_by: ["scorecard"]
+        fingerprint: {
+            source: "scorecard"
+            rule_id: "BranchProtectionID"
+            message_regex: "(branch protection.*disabled|does not require approvers|no status checks)"
+        }
+        diagnosis: {
+            short: "main lacks: required reviews, status-check requirements, admin enforcement, stale-review dismissal, or codeowners."
+            root_cause: "GitHub branch protection has many independent toggles; older repos were created before the standard was tightened, or the standard was applied unevenly."
+            why_humans_stuck: "GitHub Free blocks rulesets on private repos (verified 2026-04-10). Estate-wide ratchet stalled on Wave 3 (5 private repos)."
+            class: 'config_drift
+        }
+        remediation: {
+            preferred_strategy: 'cli_command
+            human_steps: [
+                "julia ~/security-fixes/enable-branch-protection.jl <repo>"
+                "OR via gh api: PUT /repos/{owner}/{repo}/branches/main/protection"
+            ]
+            machine_runner: "~/security-fixes/enable-branch-protection.jl"
+            auto_safe: true
+            needs_review_when: ["repo is private and on GitHub Free (will fail)"]
+        }
+        verification: {
+            post_fix_check: "gh api /repos/<owner>/<repo>/branches/main/protection"
+            expected_state: "all required-checks/reviews/admin-enforcement enabled"
+            ci_check_to_watch: "Scorecard / BranchProtectionID"
+        }
+        preemption: {
+            template_addition: ["enable-branch-protection.jl on every repo create"]
+            prevents_recurrence: true
+            back_ratchet_target: 'all_repos
+        }
+        references: ["~/security-fixes/enable-branch-protection.jl"]
+        last_seen: "2026-04-28"  // robodog-ecm #11
+    }
+
+    {
+        id: "scorecard.maintained.repo-too-young"
+        title: "Repo created within last 90 days"
+        severity: 'high
+        emitted_by: ["scorecard"]
+        fingerprint: {
+            source: "scorecard"
+            rule_id: "MaintainedID"
+            message_regex: "created within the last 90 days"
+        }
+        diagnosis: {
+            short: "Cosmetic, time-based alert that resolves itself after 90 days from repo creation."
+            root_cause: "Scorecard penalises new repos because malicious actors create burner repos. Heuristic, not a real defect."
+            why_humans_stuck: "There is no fix; alert sits open until time passes. Eats human attention every time it appears in a triage list."
+            class: 'expected_after_repo_creation
+        }
+        remediation: {
+            preferred_strategy: 'manual_only
+            human_steps: [
+                "Acknowledge: this clears automatically 90 days after repo creation"
+                "Optional: dismiss in GitHub UI with reason 'won't fix - heuristic'"
+            ]
+            auto_safe: false
+            side_effects: ["dismissal is per-repo manual action"]
+        }
+        verification: {
+            post_fix_check: "true  # nothing to verify"
+            expected_state: "alert age > 90 days OR dismissed"
+            ci_check_to_watch: "Scorecard / MaintainedID"
+        }
+        preemption: {
+            template_addition: ["scorecard-enforcer.yml configured to ignore MaintainedID for first 90 days"]
+            prevents_recurrence: true
+            back_ratchet_target: 'all_repos
+        }
+        references: ["https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained"]
+        last_seen: "2026-04-28"
+    }
+
+    {
+        id: "dependabot.auto-closed.dep-no-longer-tracked"
+        title: "Dependabot auto-closed PR with comment 'no longer being updated'"
+        severity: 'low
+        emitted_by: ["dependabot"]
+        fingerprint: {
+            source: "dependabot"
+            rule_id: "auto-close"
+            message_regex: "no longer being updated by Dependabot"
+        }
+        diagnosis: {
+            short: "Dependabot itself closed a bump PR because the dep is no longer in the manifest tracking set."
+            root_cause: "Manifest dropped the dep, an ignore rule was added, or the dep was renamed/replaced. Closure is an intentional bot signal, not a rejection of the bump's contents."
+            why_humans_stuck: "Easy to mistake for 'user rejected this' and bulk-delete the head branch."
+            class: 'dep_advisory
+        }
+        remediation: {
+            preferred_strategy: 'cli_command
+            human_steps: [
+                "Verify dependabot's close comment matches the regex"
+                "Delete the head branch: gh api -X DELETE repos/<owner>/<repo>/git/refs/heads/<branch>"
+                "Do NOT bulk-delete by closed-PR state alone; always check the close reason"
+            ]
+            machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/cleanup-dependabot-stale-branch.sh"
+            auto_safe: true
+        }
+        verification: {
+            post_fix_check: "gh api repos/<owner>/<repo>/branches/<branch> 2>&1 | grep -q 'Branch not found'"
+            expected_state: "branch absent"
+        }
+        preemption: {
+            template_config: ["dependabot.yml ignore rules tracked alongside Bustfile"]
+            prevents_recurrence: false
+            back_ratchet_target: 'opt_in
+        }
+        references: []
+        last_seen: "2026-04-28"  // file-soup PR #2
+    }
+
+    {
+        id: "dependabot.merge-blocked.unrelated-red-checks-on-main"
+        title: "Dependabot PR can't merge because main is red on unrelated checks"
+        severity: 'medium
+        emitted_by: ["dependabot", "github-checks"]
+        fingerprint: {
+            source: "github-checks"
+            rule_id: "BLOCKED-merge-state"
+            message_regex: "mergeStateStatus.*BLOCKED"
+        }
+        diagnosis: {
+            short: "PR is mergeable per git, but auto-merge is gated on 'all required checks green' and main itself has red checks."
+            root_cause: "Required-status-check policy treats main's failures as PR failures. One broken workflow on main blocks every Dependabot PR."
+            why_humans_stuck: "Each Dependabot PR appears 'broken' but the actual broken thing is upstream — red checks rotate among repos and never get attention."
+            class: 'config_drift
+        }
+        remediation: {
+            preferred_strategy: 'manual_only
+            human_steps: [
+                "List failing checks: gh pr view <n> --json statusCheckRollup"
+                "Identify which fail on main itself (vs. PR-introduced)"
+                "Fix the upstream broken workflow first"
+                "Then Dependabot PRs unblock automatically"
+            ]
+            auto_safe: false
+            needs_review_when: ["never auto - upstream cause needs human triage"]
+        }
+        verification: {
+            post_fix_check: "gh pr view <n> --json mergeStateStatus | grep -v BLOCKED"
+            expected_state: "mergeStateStatus is CLEAN or HAS_HOOKS"
+            ci_check_to_watch: "all required checks on the affected workflows"
+        }
+        preemption: {
+            template_addition: ["main-health-monitor workflow that opens an issue when main goes red"]
+            prevents_recurrence: false
+            back_ratchet_target: 'all_repos
+        }
+        references: []
+        last_seen: "2026-04-28"  // hypatia PR #194
+    }
+
+    {
+        id: "codeql.js.incomplete-multi-character-sanitization"
+        title: "CodeQL: regex-based HTML sanitizer is incomplete"
+        severity: 'high
+        emitted_by: ["codeql"]
+        fingerprint: {
+            source: "codeql"
+            rule_id: "js/incomplete-multi-character-sanitization"
+        }
+        diagnosis: {
+            short: "JS code is using a regex to strip <script tags or similar; CodeQL has shown the regex misses edge-cases."
+            root_cause: "Regex-based HTML parsing is fundamentally incomplete (the classic 'cthulhu' answer). HTML must be parsed with a real parser to be safely sanitized."
+            why_humans_stuck: "This is a real code defect, not config. No safe one-liner auto-fix; requires replacing the sanitizer with a parser-based library (e.g. DOMPurify, sanitize-html)."
+            class: 'code_defect
+        }
+        remediation: {
+            preferred_strategy: 'manual_only
+            human_steps: [
+                "Identify the offending regex sanitizer (path:line in CodeQL output)"
+                "Replace with DOMPurify or sanitize-html"
+                "Keep allowlist explicit"
+                "Add a CodeQL test case to prevent regression"
+            ]
+            auto_safe: false
+            needs_review_when: ["always - real code change"]
+        }
+        verification: {
+            post_fix_check: "codeql analyze + grep for the rule  # should be absent"
+            expected_state: "no js/incomplete-multi-character-sanitization findings"
+            ci_check_to_watch: "CodeQL / js/incomplete-multi-character-sanitization"
+        }
+        preemption: {
+            template_config: [
+                "CodeQL config in template should already include js-experimental queries"
+                "Template README should warn against regex-based HTML sanitization"
+            ]
+            prevents_recurrence: false
+            back_ratchet_target: 'js_only
+        }
+        references: ["https://github.com/cure53/DOMPurify", "https://codeql.github.com/codeql-query-help/javascript/js-incomplete-multi-character-sanitization/"]
+        last_seen: "2026-04-28"  // gossamer #21, #22
+    }
+
+    {
+        id: "scorecard.binary-artifacts.committed-binary"
+        title: "Binary file detected in repository"
+        severity: 'high
+        emitted_by: ["scorecard"]
+        fingerprint: {
+            source: "scorecard"
+            rule_id: "BinaryArtifactsID"
+            message_regex: "binary detected"
+        }
+        diagnosis: {
+            short: "A binary blob (.exe, .so, .png, large .pdf, etc.) is committed to the repo."
+            root_cause: "Binaries committed to git bloat clones, can't be diffed, and Scorecard treats them as supply-chain risk if executable."
+            why_humans_stuck: "Binaries often slip in with screenshots or test fixtures. Removal requires history-rewrite which is destructive."
+            class: 'config_drift
+        }
+        remediation: {
+            preferred_strategy: 'manual_only
+            human_steps: [
+                "List binaries: scorecard's report names paths"
+                "If safe (image/asset): move to a release artefact or git LFS"
+                "If executable: delete + add to .gitignore + add LFS pointer if needed"
+                "git-filter-repo to scrub from history (destructive — needs explicit user confirmation)"
+            ]
+            auto_safe: false
+            needs_review_when: ["always - history rewrite is destructive"]
+        }
+        verification: {
+            post_fix_check: "find . -size +1M -type f -not -path '*/.git/*'  # review remaining"
+            expected_state: "no committed executables; large assets in LFS"
+            ci_check_to_watch: "Scorecard / BinaryArtifactsID"
+        }
+        preemption: {
+            template_addition: [".gitattributes with LFS rules", "pre-commit hook blocking large binaries"]
+            prevents_recurrence: true
+            back_ratchet_target: 'all_repos
+        }
+        references: []
+        last_seen: "2026-04-28"  // gossamer #13-19
+    }
+
+    {
+        id: "scorecard.code-review.no-approved-changesets"
+        title: "Scorecard: 0 approved changesets out of N merged"
+        severity: 'high
+        emitted_by: ["scorecard"]
+        fingerprint: {
+            source: "scorecard"
+            rule_id: "CodeReviewID"
+            message_regex: "Found 0/\\d+ approved changesets"
+        }
+        diagnosis: {
+            short: "Solo-author repos where the author also merges their own PRs have no review record."
+            root_cause: "Scorecard's CodeReview check counts approvals on merged PRs. Solo-author estate repos have none — by design."
+            why_humans_stuck: "There is no way to satisfy this check on a solo-author repo without bringing in a co-reviewer or a bot. Eats triage attention forever otherwise."
+            class: 'expected_after_repo_creation
+        }
+        remediation: {
+            preferred_strategy: 'config_change
+            human_steps: [
+                "Option A: enrol a review-bot (e.g. echidnabot/finishbot) as a CODEOWNER and have it auto-approve trivial changes"
+                "Option B: dismiss the alert with reason 'solo-author repo'"
+                "Option C: lower CodeReview check weight in scorecard.yml config"
+            ]
+            machine_runner: "reposystem/.machine_readable/contractiles/bust/runners/enrol-review-bot.sh"
+            auto_safe: false
+            needs_review_when: ["solo-author policy is a per-repo decision"]
+        }
+        verification: {
+            post_fix_check: "scorecard run + grep CodeReviewID"
+            expected_state: "score >= configured threshold"
+            ci_check_to_watch: "Scorecard / CodeReviewID"
+        }
+        preemption: {
+            template_addition: ["scorecard.yml with CodeReviewID weight tuned for solo-author"]
+            prevents_recurrence: true
+            back_ratchet_target: 'all_repos
+        }
+        references: []
+        last_seen: "2026-04-28"  // airborne-submarine-squadron #13
+    }
+]
+----
+
+== Adoption path
+
+[cols="1,3"]
+|===
+| Stage | Action
+
+| 1. Land schema
+| Add the `alert_remediations` array to `bust.ncl`. Backwards-compatible — existing Bustfile content (`failure_modes`) stays.
+
+| 2. Seed the catalogue
+| Paste the 10 entries above into `reposystem/.machine_readable/contractiles/bust/Bustfile.a2ml`.
+
+| 3. Build the runner
+| Implement `bust diagnose <id>` (rendering only) first — read-only, low-risk, immediately useful for triage. Then `bust remediate <id>` with mandatory `--dry-run` default.
+
+| 4. Wire to alerts
+| Add a hypatia rule that maps incoming Scorecard / CodeQL / Dependabot alerts → Bustfile fingerprints, emits `bust diagnose <id>` output as alert annotation.
+
+| 5. Wire to bots
+| `gitbot-fleet/sustainabot` runs `bust remediate --auto-safe-only` on a schedule across the estate. Opens fix PRs.
+
+| 6. Pre-empt at template
+| Each entry's `preemption` block names files to add to rsr-template-repo. Land them. Then template-drift sweep back-ratchets the estate.
+
+| 7. Per-repo overrides
+| Repos that need to opt out of an entry add a per-repo Bustfile entry with `dismissed = true` and a reason.
+|===
+
+== Open design questions
+
+. Should the schema separate *alert sources* (scorecard / codeql / dependabot) into typed sub-objects rather than free-form strings? Tighter but lots of branching.
+. Is `auto_safe: true` granular enough, or do we need a confidence score (0–100) like robot-repo-automaton uses?
+. How should Bustfile entries cross-reference each other when one alert's fix introduces another (e.g. SHA-pinning fixes PinnedDeps but introduces a manual cadence problem)?
+. Do we want a `dismissed_until: <date>` field for time-bound dismissals (e.g. MaintainedID at 90 days)?
+. Should the `preemption.template_addition` field generate an automated PR against `rsr-template-repo` itself when an entry is added?
+
+== Relationship to other contractiles
+
+* `intend` — declares what the repo aims to do; Bustfile entries can reference intent items they protect.
+* `trust` — declares trust boundaries; some Bustfile entries are about violations of declared trust (e.g. unmaintained dep crossing a trust boundary).
+* `must` — declares hard invariants; a `must` violation can map to a Bustfile entry whose remediation restores the invariant.
+* `adjust` — declares planned remediations (forward-looking); Bustfile is reactive (alert-triggered). They share runner infrastructure.
+* `dust` — declares cleanup tasks; Bustfile cleanup-class entries (e.g. dependabot-stale-branch) can defer to dust.
+
+== SPDX and Attribution
+
+  SPDX-License-Identifier: PMPL-1.0-or-later
+
+MPL-2.0 is the automatic legal fallback until PMPL achieves formal recognition.
+
+Author: Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk> +
+Copyright: CC BY-SA (Attribution-ShareAlike) The Open University
diff --git a/.machine_readable/contractiles/bust/bust.ncl b/.machine_readable/contractiles/bust/bust.ncl
index 3d9ab8b..aef56c7 100644
--- a/.machine_readable/contractiles/bust/bust.ncl
+++ b/.machine_readable/contractiles/bust/bust.ncl
@@ -53,6 +53,66 @@ let base = import "../_base.ncl" in
           status | [| 'declared, 'drilled, 'verified, 'failing |] | default = 'declared,
           notes | String | optional,
         },
+
+    # alert_remediations — discovered (CI/CD/scanner-emitted) failure patterns.
+    # Sibling to failure_modes (which is for injected/operational failures).
+    # Fix-It-style entries: rich human diagnosis + machine-actionable remediation.
+    # Consumed by `contractile bust diagnose <id>` (rendering) and
+    # `contractile bust remediate <id>` (apply, --dry-run by default).
+    # See EXTENSION-PROPOSAL-2026-04-28.adoc for full motivation and adoption path.
+    alert_remediations
+      | Array {
+          id | String,                       # e.g. "scorecard.token-permissions.no-toplevel"
+          title | String,
+          severity | [| 'low, 'medium, 'high, 'critical |],
+          emitted_by | Array String,         # ["scorecard", "cargo-audit", "dependabot", "codeql", ...]
+
+          fingerprint | {
+            source | String,
+            rule_id | String,
+            message_regex | String | optional,
+          },
+
+          diagnosis | {
+            short | String,
+            root_cause | String,
+            why_humans_stuck | String | optional,
+            class | [|
+              'config_drift, 'dep_advisory, 'unmaintained_dep,
+              'missing_workflow, 'missing_policy, 'code_defect,
+              'permission_misconfig, 'expected_after_repo_creation
+            |],
+          },
+
+          remediation | {
+            preferred_strategy | [| 'auto_pr, 'cli_command, 'manual_only, 'config_change |],
+            human_steps | Array String,
+            machine_runner | String | optional,
+            auto_safe | Bool | default = false,
+            needs_review_when | Array String | optional,
+            side_effects | Array String | optional,
+          },
+
+          verification | {
+            post_fix_check | String,
+            expected_state | String,
+            ci_check_to_watch | String | optional,
+          },
+
+          preemption | {
+            template_addition | Array String | optional,
+            template_config | Array String | optional,
+            prevents_recurrence | Bool | default = false,
+            back_ratchet_target | [| 'all_repos, 'rust_only, 'js_only, 'agda_only, 'opt_in |] | optional,
+          },
+
+          references | Array String | optional,
+          last_seen | String | optional,        # ISO date
+          dismissed | Bool | default = false,
+          dismissed_until | String | optional,  # ISO date for time-bound dismissals
+          notes | String | optional,
+        }
+      | default = [],
   },
 
   # Runner behaviour — inherits from base.run_defaults.