feat(registry): add verifiable spec-pointer registry for language-coupled specs

Generalise the hub's registry surface so specs whose source-of-truth lives in
another repo (language/service-coupled) are held as VERIFIED POINTERS, never
copies — keeping SSOT intact and avoiding normative-text duplication.

- REGISTRY.a2ml (schema spec-registry.v1): pointer registry distinct from
  SATELLITES.a2ml (absorbed repos). Self-describing field set ratified by owner
  2026-06-03 — 7 base fields (name, canonical_url, owning_repo, version_pin,
  source_hash, conformance_level, last_synced) plus provenance fields
  (source_hash_algo, spec_kind, media_type, lineage). source_hash is the
  anti-drift anchor; sentinel PENDING-FIRST-SYNC is used rather than fabricating
  a hash before upstream lands.
- Three pointers for the AffineScript v2 standards (SSOT =
  hyperpolymath/affinescript): affine-spec, affex-manifest (format_version
  tracked independently of version_pin), affmap-provenance (own pointer per
  owner decision). .affcite documented as a CodeCite-profile A2ML artefact, not
  a separate pointer.
- HYP-S006 registry-pointer-staleness: recomputes each pointer's source_hash
  against canonical_url and flags drift. FLAG-ONLY (strategy: review) — re-pin
  is an owner decision. Rejects md5/sha1 per estate security policy.
- SATELLITES.a2ml + hypatia-rules/README.adoc: scope-boundary cross-references.

Upstream .affine/.affex v2 spec text lands in a separate affinescript PR
(SSOT); writing it here would violate SSOT and is out of scope.

Author: claude

REGISTRY.a2ml

@@ -0,0 +1,164 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell
+# REGISTRY.a2ml -- Verifiable Spec-Pointer Registry for hyperpolymath/standards
+#
+# WHY THIS EXISTS (and why it is NOT SATELLITES.a2ml)
+# ---------------------------------------------------
+# SATELLITES.a2ml registers repositories that were *absorbed* into this hub as
+# subdirectories -- their normative text now lives HERE.  This registry is the
+# opposite case: specs whose source-of-truth deliberately lives ELSEWHERE
+# because they are coupled to a language, runtime, or service whose release
+# cadence the standards repo must not own.
+#
+# For those, the standards repo holds a POINTER, never a copy.  Duplicating the
+# normative text would create two sources of truth and guarantee drift.  Each
+# pointer records a `source_hash` of the upstream spec; hypatia (HYP-S006)
+# recomputes that hash against the canonical_url and flags any mismatch as
+# staleness.  That hash is the anti-drift mechanism -- the registry is
+# verifiable, not merely descriptive.
+#
+# First user of this registry: the AffineScript v2 standards (.affine source
+# documents / faces, .affex face-interop manifest, .affmap provenance), whose
+# SSOT is hyperpolymath/affinescript.  The standards repo only points at them.
+
+[registry]
+version = "1.0.0"
+schema = "spec-registry.v1"
+created = "2026-06-03"
+owner = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"
+description = "Verifiable pointers to language/service-coupled specs whose SSOT lives in another repo. Pointers, never copies."
+
+[registry.relationship]
+# How this file relates to its sibling.
+companion = "SATELLITES.a2ml"
+distinction = "SATELLITES = absorbed repos (text lives here). REGISTRY = external SSOT (text lives upstream, we hold a verified pointer)."
+overlap = "none -- a given spec appears in exactly one of the two files."
+
+# ============================================================================
+# SCHEMA -- self-describing field set for every [[registry.pointers]] entry.
+# Field set ratified by owner 2026-06-03 (7 base fields + provenance fields).
+# This block is documentation for humans and a contract for hypatia's loader.
+# ============================================================================
+
+[registry.schema]
+id = "spec-registry.v1"
+# The seven base fields (owner directive 2026-06-03).
+required = [
+  "name",             # stable registry key for the spec
+  "canonical_url",    # upstream source-of-truth location (the file hypatia hashes)
+  "owning_repo",      # repo that authors + versions the spec (org/repo)
+  "version_pin",      # upstream version/tag this pointer is pinned to
+  "source_hash",      # hash of the upstream spec content (anti-drift anchor)
+  "conformance_level",# normative | draft | proposed | experimental
+  "last_synced",      # ISO-8601 timestamp hypatia last verified the hash (or "never")
+]
+# Provenance fields (owner-approved extension 2026-06-03).
+provenance = [
+  "source_hash_algo", # e.g. sha256 -- makes the anti-drift check unambiguous
+  "spec_kind",        # language-coupled | service-coupled (heterogeneous registry)
+  "media_type",       # consistency with SATELLITES media-types
+  "lineage",          # lineage convention key, consistency with the .affine lineage
+]
+# Operational fields (not part of the ratified set, but the loader tolerates them).
+optional = [
+  "sync_status",      # awaiting-upstream | verified | drift-detected
+  "format_version",   # for regenerable artefacts whose format bumps independently
+  "notes",
+]
+
+[registry.schema.source_hash_format]
+# A source_hash value is "<algo>:<hex>". When the upstream spec has not yet
+# landed, source_hash is the sentinel below and sync_status = "awaiting-upstream".
+# NEVER fabricate a hash -- an unknown hash is recorded as the sentinel.
+sentinel-unsynced = "PENDING-FIRST-SYNC"
+preferred-algo = "sha256"
+banned-algos = ["md5", "sha1"]   # estate security policy: no MD5/SHA1
+
+[registry.policy]
+ssot = "A pointer's canonical_url is the ONLY normative copy. The standards repo MUST NOT re-author or mirror the spec text."
+anti-drift = "hypatia HYP-S006 recomputes source_hash against canonical_url; mismatch => staleness finding."
+flag-only = "Registry findings are :review (flag), never :auto_execute -- consistent with estate no-automated-edit posture."
+versioning = "language-coupled specs pin version_pin to the language tag; regenerable artefacts ALSO carry format_version, bumped independently."
+
+# ============================================================================
+# POINTERS
+# ============================================================================
+# AffineScript v2 standards. SSOT = hyperpolymath/affinescript (NOT here).
+# Spec text is authored ONCE in AsciiDoc in that repo; faces govern how
+# AffineScript SOURCE is written, not how the SPECS are written. Multi-face
+# examples live upstream, never in this registry.
+#
+# source_hash is the sentinel until the separate affinescript PR lands the v2
+# spec text (see "Upstream work" note at the foot of this file). On first
+# successful sync hypatia replaces the sentinel and sets last_synced.
+
+[[registry.pointers]]
+name = "affine-spec"
+spec_kind = "language-coupled"
+owning_repo = "hyperpolymath/affinescript"
+canonical_url = "https://github.com/hyperpolymath/affinescript/blob/main/spec/affine.adoc"
+version_pin = "v2.0.0"
+source_hash = "PENDING-FIRST-SYNC"
+source_hash_algo = "sha256"
+conformance_level = "draft"          # v2 proposed direction; promote to normative when upstream lands
+media_type = "application/vnd.affinescript.affine"
+lineage = "affinescript:affine@2"
+last_synced = "never"
+sync_status = "awaiting-upstream"
+notes = "Source documents / faces. Defines faces, canonical-lowering invariant, canonical islands, idiom packs, mimicry bindings, project face policy."
+
+[[registry.pointers]]
+name = "affex-manifest"
+spec_kind = "language-coupled"
+owning_repo = "hyperpolymath/affinescript"
+canonical_url = "https://github.com/hyperpolymath/affinescript/blob/main/spec/affex.adoc"
+version_pin = "v2.0.0"               # language version this manifest format targets
+format_version = "2"                 # affex format version -- tracked INDEPENDENTLY (owner 2026-06-03)
+format_version_tracking = "independent"
+source_hash = "PENDING-FIRST-SYNC"
+source_hash_algo = "sha256"
+conformance_level = "draft"
+media_type = "application/vnd.affinescript.affex"
+lineage = "affinescript:affex@2"
+last_synced = "never"
+sync_status = "awaiting-upstream"
+notes = "Face-interop manifest. Derived, regenerable, source-authoritative artefact: declaration heads not full bodies. Because it is regenerable, format_version may bump freely without moving version_pin."
+
+[[registry.pointers]]
+name = "affmap-provenance"
+spec_kind = "language-coupled"
+owning_repo = "hyperpolymath/affinescript"
+canonical_url = "https://github.com/hyperpolymath/affinescript/blob/main/spec/affmap.adoc"
+version_pin = "v2.0.0"
+source_hash = "PENDING-FIRST-SYNC"
+source_hash_algo = "sha256"
+conformance_level = "draft"
+media_type = "application/vnd.affinescript.affmap"
+lineage = "affinescript:affmap@2"
+last_synced = "never"
+sync_status = "awaiting-upstream"
+# Owner 2026-06-03: .affmap gets its OWN pointer now (not folded under affex),
+# so its provenance format has an independent source_hash / staleness signal.
+notes = "Provenance format. Own registry entry (owner decision) for independent staleness tracking."
+
+# ----------------------------------------------------------------------------
+# Citation profile note (NOT a pointer):
+# .affcite.a2ml is an A2ML document under the CodeCite citation profile
+# (consistent with the .affex sketch that names pixi.affcite.a2ml). Citation
+# CONTENTS live in that A2ML artefact inside the AffineScript repo, not in
+# .affex and not here. It is therefore not a separate spec pointer.
+# ----------------------------------------------------------------------------
+
+# ============================================================================
+# Upstream work (tracked, NOT done from this repo)
+# ============================================================================
+# A separate PR in hyperpolymath/affinescript lands the v2 spec text these
+# pointers reference, using the lineage convention:
+#   * .affine v2  -- faces, canonical-lowering invariant, canonical islands,
+#                    idiom packs, mimicry bindings, project face policy.
+#   * .affex v2   -- derived, regenerable manifest; source-authoritative;
+#                    declaration heads not full bodies.
+# Writing that spec text HERE would violate SSOT and is out of scope. Once it
+# lands, run hypatia HYP-S006 to populate source_hash + last_synced.
+
+### End of REGISTRY.a2ml

SATELLITES.a2ml

@@ -4,6 +4,16 @@
 #
 # This file registers all satellite repositories that orbit the standards hub.
 # Satellites inherit enforcement policies, language rules, and governance from here.
+#
+# SCOPE BOUNDARY (see also: REGISTRY.a2ml)
+# ----------------------------------------
+# This file is for repos ABSORBED into the hub -- their normative text lives
+# HERE, as subdirectories. For specs whose source-of-truth deliberately lives
+# in ANOTHER repo (language/service-coupled: e.g. the AffineScript v2
+# .affine/.affex/.affmap standards), the hub holds a VERIFIED POINTER, not a
+# copy. Those live in REGISTRY.a2ml (schema spec-registry.v1), with hypatia
+# HYP-S006 verifying each pointer's source_hash against upstream to catch drift.
+# A given spec appears in exactly one of the two files, never both.
 
 [satellites]
 version = "2.0.0"

hypatia-rules/README.adoc

@@ -3,7 +3,7 @@
 :status: Draft v0.2.0
 :updated: 2026-04-18
 
-Five Hypatia rules specific to the standards-repo dogfooding loop.
+Six Hypatia rules specific to the standards-repo dogfooding loop.
 Each rule is defined in A2ML, consumes VeriSimDB octads, and emits
 Groove `compliance.finding.new` signals.
 
@@ -16,12 +16,21 @@ Groove `compliance.finding.new` signals.
 | HYP-S003 | `proof-freshness` | Alert when a proof hasn't been re-verified in > 30 days |
 | HYP-S004 | `rsr-self-compliance` | Validate standards repo against its own RSR definition |
 | HYP-S005 | `crg-overclaim-detector` | Alert when a self-declared CRG grade lacks v2.0 evidence artefacts |
+| HYP-S006 | `registry-pointer-staleness` | Flag a `REGISTRY.a2ml` pointer whose `source_hash` drifts from its upstream `canonical_url` |
 
 The CRG rule pair (S001 + S005) together enforce grade-honesty: S001
 catches backwards moves, S005 catches forwards-overshoots. Both read from
 `crg-grade` octads in VeriSimDB, but S005 also scans the repo file tree for
 evidence artefacts required by CRG v2.0 (STRICT).
 
+HYP-S006 is the anti-drift mechanism for `REGISTRY.a2ml`: language/service-
+coupled specs (first user: the AffineScript v2 `.affine` / `.affex` / `.affmap`
+standards) keep their source-of-truth in another repo, so the standards repo
+holds only a verified pointer. The rule recomputes each pointer's `source_hash`
+against its `canonical_url` and flags any mismatch. It is FLAG-ONLY
+(`strategy: review`) — re-pinning a pointer is an owner decision, never an
+auto-fix.
+
 == Implementation
 
 Rules live as `.a2ml` files in this directory. They are consumed by
@@ -41,10 +50,11 @@ enabled = true
 
 Rules read from:
 - VeriSimDB `crg-grade` octads (HYP-S001, HYP-S005)
-- Repo file tree via Hypatia's scanner (HYP-S002, HYP-S004, HYP-S005)
+- Repo file tree via Hypatia's scanner (HYP-S002, HYP-S004, HYP-S005, HYP-S006)
 - VeriSimDB `proof-status` octads (HYP-S003)
 - `rhodium-standard-repositories/RSR.adoc` (HYP-S004)
 - `rsr-template-repo/docs/governance/CRG-AUDIT-TEMPLATE.adoc` (HYP-S005 reference)
+- `REGISTRY.a2ml` spec pointers + upstream `canonical_url` fetch (HYP-S006)
 
 And emit:
 - Groove `compliance.finding.new` signals with the rule's ID

hypatia-rules/registry-pointer-staleness.a2ml

@@ -0,0 +1,82 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# HYP-S006 — Registry Pointer Staleness
+# Flags a REGISTRY.a2ml spec-pointer whose recorded source_hash no longer
+# matches the upstream spec at its canonical_url. This is the anti-drift
+# mechanism for language/service-coupled specs whose SSOT lives in another
+# repo (the standards repo holds a verified pointer, never a copy).
+
+@rule(version="1.0"):
+id: HYP-S006
+name: "Registry pointer staleness"
+description: "Detect REGISTRY.a2ml pointers whose source_hash drifts from the upstream spec at canonical_url"
+severity: high
+category: SourceOfTruth
+auto_fixable: false   # FLAG-ONLY: re-pinning a pointer is an owner decision, never auto
+source: standards/hypatia-rules
+
+@parameters:
+registry_file: "REGISTRY.a2ml"
+schema: "spec-registry.v1"
+# A pointer still on the sentinel hash with sync_status=awaiting-upstream is
+# NOT drift -- it is a not-yet-landed upstream. Treat as info, not high.
+sentinel_unsynced: "PENDING-FIRST-SYNC"
+# How long a sentinel pointer may sit unsynced before it is itself a finding.
+unsynced_grace_days: 30
+@end
+
+@scanner(type="file-tree"):
+find:
+  - glob: "REGISTRY.a2ml"
+  - glob: "**/REGISTRY.a2ml"
+@end
+
+@logic(engine="built-in"):
+# For each [[registry.pointers]] entry:
+#   1. read source_hash, source_hash_algo, canonical_url, sync_status.
+#   2. fetch canonical_url (the upstream spec file) and recompute the hash
+#      with source_hash_algo (sha256+; md5/sha1 are rejected per security policy).
+#   3. compare:
+#        - recomputed == recorded            -> ok (refresh last_synced)
+#        - recorded == sentinel_unsynced      -> awaiting-upstream:
+#              * upstream now exists           -> emit registry.pointer.ready (info)
+#              * still absent > grace          -> emit registry.pointer.unsynced (low)
+#        - recomputed != recorded (both real)  -> emit registry.pointer.stale (high)
+steps:
+  - parse_pointers: "registry.pointers"
+  - reject_weak_algo: "source_hash_algo in [md5, sha1]"   # security policy
+  - fetch_canonical: "canonical_url"
+  - recompute_hash: "source_hash_algo"
+  - compare_to_recorded: "source_hash"
+  - classify_and_emit
+@end
+
+@action:
+emit_signal: compliance.finding.new
+strategy: review            # never :auto_execute -- mirrors the estate flag-only posture
+message_template: "Registry pointer '{name}' is STALE: upstream {canonical_url} hashes {recomputed} but pointer pins {source_hash} (algo {source_hash_algo}). Re-pin is an owner decision."
+recipe: none
+halt_on_violation: false
+@end
+
+@signals:
+# Emitted variants so downstream pipelines can route by severity.
+- name: registry.pointer.stale
+  severity: high
+  meaning: "recorded hash != recomputed upstream hash"
+- name: registry.pointer.unsynced
+  severity: low
+  meaning: "still on sentinel hash beyond unsynced_grace_days"
+- name: registry.pointer.ready
+  severity: info
+  meaning: "sentinel pointer's upstream now exists; ready for first sync"
+@end
+
+@notes:
+# Weak-algo rejection is a hard fail, not a warning: a pointer that claims to
+# be verified by md5/sha1 is treated as UNVERIFIED, because those hashes do not
+# meet the estate's no-MD5/SHA1-for-security requirement.
+# Re-pinning (updating source_hash + version_pin + last_synced) is deliberately
+# NOT auto_fixable: changing what the standards repo points at is an owner call.
+@end
+
+@end