From 3869ef019b7931607e6d93609bebba332e64d091 Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Wed, 13 May 2026 03:06:10 +0200
Subject: [PATCH 1/3] fix(ci): hypatia-scan.yml -- pass GITHUB_TOKEN, use --exit-zero (hyperpolymath/hypatia#213)

The Hypatia Security Scan workflow exits 1 on any findings (>= medium) because lib/hypatia/cli.ex halts with System.halt(1). Under `set -e`, that short-circuits the step before jq/artifact-upload/PR-comment run.

Mirrors hyperpolymath/hypatia#228:

* pass GITHUB_TOKEN so the Dependabot rule stops warning
* append --exit-zero so the downstream critical/high gate stays the explicit gate
* bump actions/upload-artifact to v4.6.2 (ea165f8d) to match the estate-wide pin

See hyperpolymath/hypatia#213 for the diagnosis.

Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/hypatia-scan.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index b67e0ec..409477e 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -50,11 +50,14 @@ jobs:
 - name: Run Hypatia scan
 id: scan
+ env:
+ # Suppress the Dependabot "GITHUB_TOKEN not set" warning.
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 echo "Scanning repository: ${{ github.repository }}"
 # Run scanner
- HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.json
+ HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . --exit-zero > hypatia-findings.json
 # Count findings
 FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0)
@@ -76,7 +79,7 @@ jobs:
 echo "- Medium: $MEDIUM" >> $GITHUB_STEP_SUMMARY
 - name: Upload findings artifact
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: hypatia-findings
 path: hypatia-findings.json
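Review bot: With `--exit-zero` on the scan line, the step can only fail if the CLI still exits non-zero on errors that are not findings, which this hunk cannot show; if it does not, a crash or truncated output leaves a file that the `FINDING_COUNT` line already turns into `0` via `|| echo 0`, so the downstream critical/high gate passes on an empty result. A fail-closed shape check between the scan line and `# Count findings` keeps the gate honest, e.g. `jq -e 'type == "array"' hypatia-findings.json >/dev/null || { echo "::error::hypatia produced no parseable findings"; exit 1; }`. Step-scoped `env:` is the right place for GITHUB_TOKEN; the workflow's `permissions:` block is outside the hunk, so whether the token is limited to what the scan and the PR comment need cannot be confirmed here. The `run:` script continues past the hunk.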
From 5162f6fce4a92f1afada68a5d371718905c5014b Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 14 May 2026 12:52:04 +0100
Subject: [PATCH 2/3] fix(ci): bump erlef/setup-beam to fc68ffb (ubuntu24 support)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Follow-up commit on PR #32.

The Hypatia Neurosymbolic Analysis check has been failing because `erlef/setup-beam@2f0cc07b…` doesn't know how to map `ImageOS=ubuntu24` (only knows ubuntu18/20/22). Without the bootstrap, the `--exit-zero` change in this PR never gets exercised.

Bumping the pin to `fc68ffb90438ef2936bbb3251622353b3dcb2f93` (matches the pin currently in hyperpolymath/hypatia upstream, dated 2026-03-30, adds ubuntu24 → ubuntu-24.04 mapping).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
---
 .github/workflows/hypatia-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index 409477e..95b653c 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -26,7 +26,7 @@ jobs:
 fetch-depth: 0 # Full history for better pattern analysis
 - name: Setup Elixir for Hypatia scanner
- uses: erlef/setup-beam@2f0cc07b4b9bea248ae098aba9e1a8a1de5ec24c # v1.18.2
+ uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.18.2
 with:
 elixir-version: '1.19.4'
 otp-version: '28.3'

From 5c79319d1e9e929072755d2a3e1347413eed80a0 Mon Sep 17 00:00:00 2001
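Review bot: The trailing `# v1.18.2` is carried over unchanged onto the new pin, but the commit message describes fc68ffb as a 2026-03-30 commit that adds a mapping the v1.18.2 pin lacked, so the label no longer identifies the ref and anyone auditing SHA pins against tags will be misled. The comment should name the tag that actually contains fc68ffb, or, if none has been cut, say so: `uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # <tag containing fc68ffb — TODO confirm>, ubuntu24 mapping`. If the repository runs a pin-checker that compares the comment to the SHA, this line is likely to be flagged until it is fixed.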
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 14 May 2026 13:14:35 +0100
Subject: [PATCH 3/3] fix(manifests): add top-level identity to vendored A2ML + K9 templates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 6 A2ML manifests under verified-container-spec/.machine_readable/6a2/ and the 6 K9 templates/examples under .machine_readable/svc/k9/ were firing identity-field validation errors on every CI run, blocking hyperpolymath/stapeln#32 (and any other PR) from going green.

Two parallel fixes:

* A2ML: added `name = "verified-container-spec/"` inside the [metadata] section of META, NEUROSYM, PLAYBOOK, AGENTIC (the 4 that lacked any top-level identity). STATE and ECOSYSTEM already had `project` / `name` respectively; left untouched.

* K9 templates/examples: hoisted a `name = "k9-template/"` or `name = "k9-example/"` field to the top of each pedigree block, immediately after `schema_version`. Works around a brace-counting edge in hyperpolymath/k9-validate-action's pedigree-block detector: when `pedigree = {` opens, the validator doesn't count the opening brace from that line, so a subsequent `security = { ... },` closing brace prematurely terminates the validator's view of the pedigree block — making `metadata.name` invisible. The hoisted top-level `pedigree.name` is captured at depth 1 before any nested block, so it's seen regardless of the bug.

The underlying bug is being addressed upstream in k9-validate-action#7.

Both classes of error will also be self-suppressing once stapeln bumps its action pins to consume the new `paths-ignore` input being added in hyperpolymath/a2ml-validate-action#7 + hyperpolymath/k9-validate-action#7 (vendored / training-corpus paths default-skipped). The fixes here are belt-and-suspenders — independent of those upstream merges, so stapeln #32 can go green today rather than waiting on the dependency chain.
Co-Authored-By: Claude Opus 4.7
---
 .machine_readable/svc/k9/examples/ci-config.k9.ncl | 1 +
 .machine_readable/svc/k9/examples/project-metadata.k9.ncl | 1 +
 .machine_readable/svc/k9/examples/setup-repo.k9.ncl | 1 +
 .machine_readable/svc/k9/template-hunt.k9.ncl | 1 +
 .machine_readable/svc/k9/template-kennel.k9.ncl | 1 +
 .machine_readable/svc/k9/template-yard.k9.ncl | 1 +
 verified-container-spec/.machine_readable/6a2/AGENTIC.a2ml | 1 +
 verified-container-spec/.machine_readable/6a2/META.a2ml | 1 +
 verified-container-spec/.machine_readable/6a2/NEUROSYM.a2ml | 1 +
 verified-container-spec/.machine_readable/6a2/PLAYBOOK.a2ml | 1 +
 10 files changed, 10 insertions(+)

diff --git a/.machine_readable/svc/k9/examples/ci-config.k9.ncl b/.machine_readable/svc/k9/examples/ci-config.k9.ncl
index 11fe019..28ea4c8 100644
--- a/.machine_readable/svc/k9/examples/ci-config.k9.ncl
+++ b/.machine_readable/svc/k9/examples/ci-config.k9.ncl
@@ -6,6 +6,7 @@
 K9! {
 pedigree = {
+ name = "k9-example/ci-config",
 schema_version = "1.0.0",
 component_type = "ci-configuration",
 security = {
diff --git a/.machine_readable/svc/k9/examples/project-metadata.k9.ncl b/.machine_readable/svc/k9/examples/project-metadata.k9.ncl
index 64d5f66..b65f544 100644
--- a/.machine_readable/svc/k9/examples/project-metadata.k9.ncl
+++ b/.machine_readable/svc/k9/examples/project-metadata.k9.ncl
@@ -6,6 +6,7 @@
 K9! {
 pedigree = {
+ name = "k9-example/project-metadata",
 schema_version = "1.0.0",
 component_type = "project-metadata",
 security = {
diff --git a/.machine_readable/svc/k9/examples/setup-repo.k9.ncl b/.machine_readable/svc/k9/examples/setup-repo.k9.ncl
index 66b046b..1ed7889 100644
--- a/.machine_readable/svc/k9/examples/setup-repo.k9.ncl
+++ b/.machine_readable/svc/k9/examples/setup-repo.k9.ncl
@@ -6,6 +6,7 @@
 K9! {
 pedigree = {
+ name = "k9-example/setup-repo",
 schema_version = "1.0.0",
 component_type = "repository-setup",
 security = {
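Review bot: The hoisted `name` line in ci-config.k9.ncl (and identically in project-metadata, setup-repo, template-hunt, template-kennel and template-yard) carries an ordering constraint that only the commit message records, so nothing in the file stops a later reformat from moving it below `security = { ... }` and silently reintroducing the validation failure. Per the description, the k9-validate-action detector only sees pedigree fields that precede the first nested block, which is worth stating next to the line, e.g. `# keep as the first pedigree field: k9-validate-action only sees fields before the first nested block (k9-validate-action#7)`. The description also says the field sits "immediately after `schema_version`", while every hunk places it before `schema_version`; since the position is the whole point of the workaround, the description should match the code. In the three template-*.k9.ncl files `name` is a fixed `k9-template/...` string beside a `component_type` that is a `TODO:` placeholder, so if copies are expected to rename themselves the same placeholder convention on `name` would make that visible. The enclosing `pedigree = { ... }` block continues outside the hunk.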
diff --git a/.machine_readable/svc/k9/template-hunt.k9.ncl b/.machine_readable/svc/k9/template-hunt.k9.ncl
index 0814c8d..ffebc26 100644
--- a/.machine_readable/svc/k9/template-hunt.k9.ncl
+++ b/.machine_readable/svc/k9/template-hunt.k9.ncl
@@ -6,6 +6,7 @@
 K9! {
 pedigree = {
+ name = "k9-template/hunt",
 schema_version = "1.0.0",
 component_type = "TODO: describe component type (e.g., 'deployment', 'setup-script')",
 security = {
diff --git a/.machine_readable/svc/k9/template-kennel.k9.ncl b/.machine_readable/svc/k9/template-kennel.k9.ncl
index c78e27d..f963d47 100644
--- a/.machine_readable/svc/k9/template-kennel.k9.ncl
+++ b/.machine_readable/svc/k9/template-kennel.k9.ncl
@@ -6,6 +6,7 @@
 K9! {
 pedigree = {
+ name = "k9-template/kennel",
 schema_version = "1.0.0",
 component_type = "TODO: describe component type (e.g., 'build-config', 'metadata')",
 security = {
diff --git a/.machine_readable/svc/k9/template-yard.k9.ncl b/.machine_readable/svc/k9/template-yard.k9.ncl
index 75e5d89..54db688 100644
--- a/.machine_readable/svc/k9/template-yard.k9.ncl
+++ b/.machine_readable/svc/k9/template-yard.k9.ncl
@@ -6,6 +6,7 @@
 K9! {
 pedigree = {
+ name = "k9-template/yard",
 schema_version = "1.0.0",
 component_type = "TODO: describe component type (e.g., 'validated-config', 'schema')",
 security = {
diff --git a/verified-container-spec/.machine_readable/6a2/AGENTIC.a2ml b/verified-container-spec/.machine_readable/6a2/AGENTIC.a2ml
index d119bec..5095ee9 100644
--- a/verified-container-spec/.machine_readable/6a2/AGENTIC.a2ml
+++ b/verified-container-spec/.machine_readable/6a2/AGENTIC.a2ml
@@ -3,6 +3,7 @@
 #
 # AGENTIC.a2ml — AI agent constraints and capabilities
 [metadata]
+name = "verified-container-spec/AGENTIC"
 version = "0.1.0"
 last-updated = "2026-04-11"
diff --git a/verified-container-spec/.machine_readable/6a2/META.a2ml b/verified-container-spec/.machine_readable/6a2/META.a2ml
index 6b901fc..8a0e973 100644
--- a/verified-container-spec/.machine_readable/6a2/META.a2ml
+++ b/verified-container-spec/.machine_readable/6a2/META.a2ml
@@ -3,6 +3,7 @@
 #
 # META.a2ml — Verified Container Spec meta-level information
 [metadata]
+name = "verified-container-spec/META"
 version = "0.1.0"
 last-updated = "2026-04-11"
diff --git a/verified-container-spec/.machine_readable/6a2/NEUROSYM.a2ml b/verified-container-spec/.machine_readable/6a2/NEUROSYM.a2ml
index 1443ec7..8cda37c 100644
--- a/verified-container-spec/.machine_readable/6a2/NEUROSYM.a2ml
+++ b/verified-container-spec/.machine_readable/6a2/NEUROSYM.a2ml
@@ -3,6 +3,7 @@
 #
 # NEUROSYM.a2ml — Neurosymbolic integration metadata
 [metadata]
+name = "verified-container-spec/NEUROSYM"
 version = "0.1.0"
 last-updated = "2026-04-11"
diff --git a/verified-container-spec/.machine_readable/6a2/PLAYBOOK.a2ml b/verified-container-spec/.machine_readable/6a2/PLAYBOOK.a2ml
index c894f05..e1615eb 100644
--- a/verified-container-spec/.machine_readable/6a2/PLAYBOOK.a2ml
+++ b/verified-container-spec/.machine_readable/6a2/PLAYBOOK.a2ml
@@ -3,6 +3,7 @@
 #
 # PLAYBOOK.a2ml — Operational playbook
 [metadata]
+name = "verified-container-spec/PLAYBOOK"
 version = "0.1.0"
 last-updated = "2026-04-11"