hyperpolymath · hyperpolymath · May 20, 2026 · May 19, 2026
diff --git a/.github/workflows/affinescript-verify.yml b/.github/workflows/affinescript-verify.yml
@@ -39,7 +39,7 @@ jobs:
   verify:
     name: AffineScript Verify
     runs-on: ubuntu-latest
-    # NON-BLOCKING (temporary): see header note. continue-on-error keeps the
+    # advisory: see header note. continue-on-error keeps the
     # whole job advisory — including the compiler checkout/setup-ocaml/build
     # steps — so a toolchain/build problem cannot block merges or add
     # estate-wide red noise while the ports + build are sorted in follow-up.
@@ -78,6 +78,8 @@ jobs:
 
       - name: Checkout AffineScript compiler
         if: steps.changed.outputs.any == 'true'
+        # advisory: compiler checkout is report-only until the port backlog
+        # is cleared and BLOCKING flips to true.
         continue-on-error: true
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -87,13 +89,17 @@ jobs:
 
       - name: Set up OCaml
         if: steps.changed.outputs.any == 'true'
+        # advisory: setup failures should surface as signal without blocking
+        # unrelated standards changes while AffineScript verification matures.
         continue-on-error: true
         uses: ocaml/setup-ocaml@e32b06a3e831ff2fbc6f08cf35be2085e3918014 # v3
         with:
           ocaml-compiler: "5.1"
 
       - name: Build compiler
         if: steps.changed.outputs.any == 'true'
+        # advisory: compiler build failures are reported by this job, not yet
+        # merge-blocking, until the report-only porting phase ends.
         continue-on-error: true
         working-directory: .affinescript-compiler
         run: |
@@ -102,6 +108,8 @@ jobs:
 
       - name: Verify changed .affine files
         if: steps.changed.outputs.any == 'true'
+        # advisory: verification findings are emitted as warnings and job
+        # summary entries until BLOCKING is intentionally enabled.
         continue-on-error: true
         working-directory: .affinescript-compiler
         run: |

diff --git a/.github/workflows/governance-reusable.yml b/.github/workflows/governance-reusable.yml
@@ -382,6 +382,8 @@ jobs:
           find . -type f -size +1M -not -path "./.git/*" | head -10 || echo "No large files"
       - name: EditorConfig check
         uses: editorconfig-checker/action-editorconfig-checker@4b6cd6190d435e7e084fb35e36a096e98506f7b9 # v2.1.0
+        # advisory: formatting hygiene is reported from the reusable estate
+        # bundle; repos opt into blocking formatter checks locally when ready.
         continue-on-error: true
       - name: Check documentation
         run: |

diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
@@ -259,6 +259,8 @@ jobs:
         # See hyperpolymath/hypatia#213 (gate decoupling) and the exit-127
         # estate-wide breakage when gitbot-fleet/scripts/submit-finding.sh
         # no longer existed on the default branch.
+        # advisory: Phase 2 learning submission is optional enrichment; the
+        # security gate remains the baseline-aware severity check below.
         continue-on-error: true
         env:
           # All GitHub context values surface as env vars so the run
@@ -376,7 +378,7 @@ jobs:
 
       - name: Comment on PR with findings
         if: github.event_name == 'pull_request' && steps.scan.outputs.findings_count > 0
-        # Advisory only — posting findings as a PR comment must never gate
+        # advisory: posting findings as a PR comment must never gate
         # the scan (hypatia#213 gate decoupling). Belt-and-braces alongside
         # the pull-requests: write permission above: a token/API hiccup or
         # a fork PR (read-only token) skips the comment, not the check.
@@ -411,4 +413,4 @@ jobs:
               repo: context.repo.repo,
               issue_number: context.issue.number,
               body: comment
-            });
+            });
diff --git a/Mustfile b/Mustfile
@@ -12,4 +12,4 @@ checks:
   - name: format
     run: just fmt
   - name: tooling-version-integrity
-    run: bash tasks/tooling-integrity-lint.sh
+    run: bash tasks/tooling-integrity-lint.sh --strict
diff --git a/TOOLING-VERSION-INTEGRITY-POLICY.adoc b/TOOLING-VERSION-INTEGRITY-POLICY.adoc
@@ -137,8 +137,11 @@ Integrity sweep tracking issue).
 
 * `tasks/tooling-integrity-lint.sh` — scans `.github/workflows/` for
   unversioned family-tool installs (Rule 1) and bare `continue-on-error`
-  (Rule 4). Exit non-zero on any violation.
-* `contractiles/must/Mustfile` (canonical template) and this repo's live
-  `Mustfile` carry a `tooling-version-integrity` mandatory check that
-  runs the lint — so every repo adopting the canonical `must` contract
-  inherits the gate (Rule 3, Rule 5).
+  (Rule 4). R1 is always blocking; R4 is advisory by default and blocking
+  with `--strict`.
+* `contractiles/must/Mustfile` (canonical template) carries a default
+  `tooling-version-integrity` mandatory check so every repo adopting the
+  canonical `must` contract inherits the R0/R1 gate (Rule 3, Rule 5).
+  This repo's live `Mustfile` runs the lint with `--strict` because its
+  local soft-gates are now explained; the reusable estate workflow keeps
+  R4 advisory until each consumer repo is ready to promote it.