hyperpolymath
diff --git a/‎.github/workflows/hypatia-scan-reusable.yml‎
Lines changed: 11 additions & 0 deletions b/‎.github/workflows/hypatia-scan-reusable.yml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/workflows/secret-scanner-reusable.yml‎
Lines changed: 15 additions & 0 deletions b/‎.github/workflows/secret-scanner-reusable.yml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.machine_readable/6a2/STATE.a2ml‎
Lines changed: 30 additions & 4 deletions b/‎.machine_readable/6a2/STATE.a2ml‎
Lines changed: 30 additions & 4 deletions
diff --git a/‎0-ai-gatekeeper-protocol/.gitattributes‎
Lines changed: 1 addition & 1 deletion b/‎0-ai-gatekeeper-protocol/.gitattributes‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎0-ai-gatekeeper-protocol/.github/FUNDING.yml‎
Lines changed: 1 addition & 1 deletion b/‎0-ai-gatekeeper-protocol/.github/FUNDING.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎0-ai-gatekeeper-protocol/.github/dependabot.yml‎
Lines changed: 1 addition & 1 deletion b/‎0-ai-gatekeeper-protocol/.github/dependabot.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎0-ai-gatekeeper-protocol/.github/workflows/governance.yml‎
Lines changed: 1 addition & 1 deletion b/‎0-ai-gatekeeper-protocol/.github/workflows/governance.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎0-ai-gatekeeper-protocol/.github/workflows/hypatia-scan.yml‎
Lines changed: 1 addition & 1 deletion b/‎0-ai-gatekeeper-protocol/.github/workflows/hypatia-scan.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎0-ai-gatekeeper-protocol/.github/workflows/instant-sync.yml‎
Lines changed: 1 addition & 1 deletion b/‎0-ai-gatekeeper-protocol/.github/workflows/instant-sync.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎0-ai-gatekeeper-protocol/.github/workflows/jekyll-gh-pages.yml‎
Lines changed: 1 addition & 1 deletion b/‎0-ai-gatekeeper-protocol/.github/workflows/jekyll-gh-pages.yml‎
Lines changed: 1 addition & 1 deletion
@@ -81,6 +81,17 @@ permissions:
   # "Resource not accessible by integration" and (absent continue-on-error)
   # hard-fails the scan — exactly what the gate-decoupling design forbids.
   pull-requests: write
+  # actions: read lets `codeql-action/upload-sarif` call
+  # GET /repos/{owner}/{repo}/actions/runs/{run_id} to attach the SARIF
+  # blob to the workflow run. Without it the upload step fails with
+  # "Resource not accessible by integration" AFTER the scan + SARIF
+  # conversion both succeed — symptoms observed across .git-private-farm
+  # and other estate consumers since the SARIF upload was wired in.
+  # Reusable workflow permission blocks OVERRIDE the caller's permission
+  # block, so this MUST live here at source rather than at every
+  # wrapper — adding it only at the wrapper is a no-op.
+  # See .git-private-farm#69 for the reproducing logs.
+  actions: read
 
 jobs:
   scan:
 
@@ -77,6 +77,21 @@ jobs:
 
   gitleaks:
     runs-on: ${{ inputs.runs-on }}
+    # Job-level permissions (narrower than granting these workflow-wide).
+    # The other jobs (trufflehog / rust-secrets / shell-secrets) only need
+    # `contents: read`, which they get from the workflow-level block.
+    permissions:
+      contents: read
+      # gitleaks-action's `ScanPullRequest` posts a summary comment via
+      # the GitHub Issues/PR API. Without `pull-requests: write` it fails
+      # with "Resource not accessible by integration" AFTER the gitleaks
+      # scan itself succeeds. Reusable-workflow permission blocks
+      # OVERRIDE the caller's, so this MUST live here at source.
+      # See .git-private-farm#69 for the reproducing logs.
+      pull-requests: write
+      # Additional API calls inside `ScanPullRequest` (workflow-run
+      # metadata, PR-files endpoint) require `actions: read`.
+      actions: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
 
@@ -5,9 +5,9 @@
 [metadata]
 project = "standards"
 version = "0.2.0"
-last-updated = "2026-04-04T00:00:00Z"
+last-updated = "2026-06-02T18:00:00Z"
 status = "active"
-session = "converted from scheme — 2026-04-11"
+session = "2026-06-02 inbox cleanup + license-policy hardening + estate sweeps"
 
 [project-context]
 name = "Standards"
@@ -34,5 +34,31 @@ actions = [
 ]
 
 [maintenance-status]
-last-run-utc = "2026-04-04T00:00:00ZT00:00:00Z"
-last-result = "unknown"  # unknown | pass | warn | fail
+last-run-utc = "2026-06-02T18:00:00Z"
+last-result = "pass"  # unknown | pass | warn | fail
+
+[session-history-2026-06-02]
+session = "2026-06-02 inbox cleanup wave + license-policy hardening + estate sweeps"
+prs-merged = [
+  "#338 docs(carveouts): add zotpress/** upstream-fork ReScript carve-out",
+  "#339 docs(policy): top-of-file 'License Policy — Manual Only' section + 5-way classification",
+  "#340 ci(governance): allow Java in android/**/src/**/*.java (platform-required JVM shims)"
+]
+issues-still-open = [
+  "#288 [campaign] Estate CodeQL weekly→monthly sweep (cut 3) — sweep RESUMED today 13:08Z, ~22h remaining at 7-min cadence",
+  "#323 [standing] Estate CodeQL cron drift detection + 6-week budget review",
+  "#324 [campaign] Long-tail non-canonical CodeQL cron sweep — corrected audit posted (17 not 86; no daily); long-tail sweep queued behind #288",
+  "#331 [campaign] Estate boj-build.yml sweep — repair or retire"
+]
+estate-policy-changes = [
+  "License auto-PR pipeline DISABLED at 3 layers: hypatia#414/#415 (SC-010 auto_fixable:false + license_finding_strategy) + gitbot-fleet#247 (dispatch-runner refusal + fix-script exit-1 banners) + standards#339 (CLAUDE.md top-of-file Manual-Only header)",
+  "Trigger: neurophone#99 method-violation closed",
+  "Verified by synthetic test: bash scripts/fix-license-hygiene.sh exits 1; SC-010 carries auto_fixable:false; dispatch-runner refuses license/spdx/pmpl/mpl-2/agpl/palimpsest categories",
+  "Companion auto-remediation: hypatia#422 (WF024 chapel + WF025 cron-drift + BH008 inherited-debt) + gitbot-fleet#251 (5 fix scripts for chapel + codeql-cron-monthly)"
+]
+related-memories = [
+  "[[estate-license-policy-umbrella]]",
+  "[[no-automated-licence-edits]]",
+  "[[pr-sweep-title-keyword-exclusion]]",
+  "[[session_2026_06_02_inbox_root_cause_wave]]"
+]
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # RSR-compliant .gitattributes
 
 * text=auto eol=lf
 
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # Funding platforms for hyperpolymath projects
 # See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
 
 
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # Dependabot configuration for RSR-compliant repositories
 # Covers common ecosystems - remove unused ones for your project
 
 
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # governance.yml — single wrapper calling the shared estate governance bundle
 # in hyperpolymath/standards instead of carrying per-repo copies.
 #
 
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # Hypatia Neurosymbolic CI/CD Security Scan
 name: Hypatia Security Scan
 
 
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # Instant Forge Sync - Triggers propagation to all forges on push/release
 name: Instant Sync
 
 
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # Sample workflow for building and deploying a Jekyll site to GitHub Pages
 name: Deploy Jekyll with GitHub Pages dependencies preinstalled
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# SPDX-License-Identifier: PMPL-1.0-or-later`
	`1`	`+# SPDX-License-Identifier: AGPL-3.0-or-later`
`2`	`2`	`# RSR-compliant .gitattributes`
`3`	`3`
`4`	`4`	`* text=auto eol=lf`