ci: deploy missing standard workflows (10 added)

Added from rsr-template-repo: standardizing CI/CD across all repos.

Part of global TODO cleanup (2026-03-16).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/guix-nix-policy.yml

@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: Guix/Nix Package Policy
+on: [push, pull_request]
+
+permissions: read-all
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Enforce Guix primary / Nix fallback
+        run: |
+          # Check for package manager files
+          HAS_GUIX=$(find . -name "*.scm" -o -name ".guix-channel" -o -name "guix.scm" 2>/dev/null | head -1)
+          HAS_NIX=$(find . -name "*.nix" 2>/dev/null | head -1)
+          
+          # Block new package-lock.json, yarn.lock, Gemfile.lock, etc.
+          NEW_LOCKS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E 'package-lock\.json|yarn\.lock|Gemfile\.lock|Pipfile\.lock|poetry\.lock|cargo\.lock' || true)
+          if [ -n "$NEW_LOCKS" ]; then
+            echo "⚠️ Lock files detected. Prefer Guix manifests for reproducibility."
+          fi
+          
+          # Prefer Guix, fallback to Nix
+          if [ -n "$HAS_GUIX" ]; then
+            echo "✅ Guix package management detected (primary)"
+          elif [ -n "$HAS_NIX" ]; then
+            echo "✅ Nix package management detected (fallback)"
+          else
+            echo "ℹ️ Consider adding guix.scm or flake.nix for reproducible builds"
+          fi
+          
+          echo "✅ Package policy check passed"

.github/workflows/instant-sync.yml

@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Instant Forge Sync - Triggers propagation to all forges on push/release
+name: Instant Sync
+
+on:
+  push:
+    branches: [main, master]
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Propagation
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3
+        with:
+          token: ${{ secrets.FARM_DISPATCH_TOKEN }}
+          repository: hyperpolymath/.git-private-farm
+          event-type: propagate
+          client-payload: |-
+            {
+              "repo": "${{ github.event.repository.name }}",
+              "ref": "${{ github.ref }}",
+              "sha": "${{ github.sha }}",
+              "forges": ""
+            }
+
+      - name: Confirm
+        run: echo "::notice::Propagation triggered for ${{ github.event.repository.name }}"

.github/workflows/npm-bun-blocker.yml

@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: NPM/Bun Blocker
+on: [push, pull_request]
+
+permissions: read-all
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Block npm/bun
+        run: |
+          if [ -f "package-lock.json" ] || [ -f "bun.lockb" ] || [ -f ".npmrc" ]; then
+            echo "❌ npm/bun artifacts detected. Use Deno instead."
+            exit 1
+          fi
+          echo "✅ No npm/bun violations"

.github/workflows/rsr-antipattern.yml

@@ -0,0 +1,92 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# RSR Anti-Pattern CI Check
+# SPDX-License-Identifier: PMPL-1.0-or-later
+#
+# Enforces: No TypeScript, No Go, No Python (except SaltStack), No npm
+# Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme
+
+name: RSR Anti-Pattern Check
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+
+permissions: read-all
+
+jobs:
+  antipattern-check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Check for TypeScript
+        run: |
+          # Exclude bindings/deno/ - those are Deno FFI files using Deno.dlopen, not plain TypeScript
+          # Exclude .d.ts files - those are TypeScript type declarations for ReScript FFI
+          TS_FILES=$(find . \( -name "*.ts" -o -name "*.tsx" \) | grep -v node_modules | grep -v 'bindings/deno' | grep -v '\.d\.ts$' || true)
+          if [ -n "$TS_FILES" ]; then
+            echo "❌ TypeScript files detected - use ReScript instead"
+            echo "$TS_FILES"
+            exit 1
+          fi
+          echo "✅ No TypeScript files (Deno FFI bindings excluded)"
+
+      - name: Check for Go
+        run: |
+          if find . -name "*.go" | grep -q .; then
+            echo "❌ Go files detected - use Rust/WASM instead"
+            find . -name "*.go"
+            exit 1
+          fi
+          echo "✅ No Go files"
+
+      - name: Check for Python (non-SaltStack)
+        run: |
+          PY_FILES=$(find . -name "*.py" | grep -v salt | grep -v _states | grep -v _modules | grep -v pillar | grep -v venv | grep -v __pycache__ || true)
+          if [ -n "$PY_FILES" ]; then
+            echo "❌ Python files detected - only allowed for SaltStack"
+            echo "$PY_FILES"
+            exit 1
+          fi
+          echo "✅ No non-SaltStack Python files"
+
+      - name: Check for npm lockfiles
+        run: |
+          if [ -f "package-lock.json" ] || [ -f "yarn.lock" ]; then
+            echo "❌ npm/yarn lockfile detected - use Deno instead"
+            exit 1
+          fi
+          echo "✅ No npm lockfiles"
+
+      - name: Check for tsconfig
+        run: |
+          if [ -f "tsconfig.json" ]; then
+            echo "❌ tsconfig.json detected - use ReScript instead"
+            exit 1
+          fi
+          echo "✅ No tsconfig.json"
+
+      - name: Verify Deno presence (if package.json exists)
+        run: |
+          if [ -f "package.json" ]; then
+            if [ ! -f "deno.json" ] && [ ! -f "deno.jsonc" ]; then
+              echo "⚠️ Warning: package.json without deno.json - migration recommended"
+            fi
+          fi
+          echo "✅ Deno configuration check complete"
+
+      - name: Summary
+        run: |
+          echo "╔════════════════════════════════════════════════════════════╗"
+          echo "║           RSR Anti-Pattern Check Passed ✅                 ║"
+          echo "║                                                            ║"
+          echo "║  Allowed: ReScript, Deno, WASM, Rust, OCaml, Haskell,     ║"
+          echo "║           Guile/Scheme, SaltStack (Python)                 ║"
+          echo "║                                                            ║"
+          echo "║  Blocked: TypeScript, Go, npm, Python (non-Salt)          ║"
+          echo "╚════════════════════════════════════════════════════════════╝"

.github/workflows/scorecard-enforcer.yml

@@ -0,0 +1,72 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Prevention workflow - runs OpenSSF Scorecard and fails on low scores
+name: OpenSSF Scorecard Enforcer
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly on Monday
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  scorecard:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write  # For OIDC
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v3
+        with:
+          sarif_file: results.sarif
+
+      - name: Check minimum score
+        run: |
+          # Parse score from results
+          SCORE=$(jq -r '.runs[0].tool.driver.properties.score // 0' results.sarif 2>/dev/null || echo "0")
+
+          echo "OpenSSF Scorecard Score: $SCORE"
+
+          # Minimum acceptable score (0-10 scale)
+          MIN_SCORE=5
+
+          if [ "$(echo "$SCORE < $MIN_SCORE" | bc -l)" = "1" ]; then
+            echo "::error::Scorecard score $SCORE is below minimum $MIN_SCORE"
+            exit 1
+          fi
+
+  # Check specific high-priority items
+  check-critical:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Check SECURITY.md exists
+        run: |
+          if [ ! -f "SECURITY.md" ]; then
+            echo "::error::SECURITY.md is required"
+            exit 1
+          fi
+
+      - name: Check for pinned dependencies
+        run: |
+          # Check workflows for unpinned actions
+          unpinned=$(grep -r "uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
+          if [ -n "$unpinned" ]; then
+            echo "::warning::Found unpinned actions:"
+            echo "$unpinned"
+          fi

.github/workflows/secret-scanner.yml

@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Prevention workflow - scans for hardcoded secrets before they reach main
+name: Secret Scanner
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions: read-all
+
+jobs:
+  trufflehog:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0  # Full history for scanning
+
+      - name: TruffleHog Secret Scan
+        uses: trufflesecurity/trufflehog@6961f2bace57ab32b23b3ba40f8f420f6bc7e004 # v3
+        with:
+          extra_args: --only-verified --fail
+
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Gitleaks Secret Scan
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Rust-specific: Check for hardcoded crypto values
+  rust-secrets:
+    runs-on: ubuntu-latest
+    if: hashFiles('**/Cargo.toml') != ''
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Check for hardcoded secrets in Rust
+        run: |
+          # Patterns that suggest hardcoded secrets
+          PATTERNS=(
+            'const.*SECRET.*=.*"'
+            'const.*KEY.*=.*"[a-zA-Z0-9]{16,}"'
+            'const.*TOKEN.*=.*"'
+            'let.*api_key.*=.*"'
+            'HMAC.*"[a-fA-F0-9]{32,}"'
+            'password.*=.*"[^"]+"'
+          )
+
+          found=0
+          for pattern in "${PATTERNS[@]}"; do
+            if grep -rn --include="*.rs" -E "$pattern" src/; then
+              echo "WARNING: Potential hardcoded secret found matching: $pattern"
+              found=1
+            fi
+          done
+
+          if [ $found -eq 1 ]; then
+            echo "::error::Potential hardcoded secrets detected. Use environment variables instead."
+            exit 1
+          fi

.github/workflows/security-policy.yml

@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: Security Policy
+on: [push, pull_request]
+
+permissions: read-all
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Security checks
+        run: |
+          FAILED=false
+          
+          # Block MD5/SHA1 for security (allow for checksums/caching)
+          WEAK_CRYPTO=$(grep -rE 'md5\(|sha1\(' --include="*.py" --include="*.rb" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" . 2>/dev/null | grep -v 'checksum\|cache\|test\|spec' | head -5 || true)
+          if [ -n "$WEAK_CRYPTO" ]; then
+            echo "⚠️ Weak crypto (MD5/SHA1) detected. Use SHA256+ for security:"
+            echo "$WEAK_CRYPTO"
+          fi
+          
+          # Block HTTP URLs (except localhost)
+          HTTP_URLS=$(grep -rE 'http://[^l][^o][^c]' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.yaml" --include="*.yml" . 2>/dev/null | grep -v 'localhost\|127.0.0.1\|example\|test\|spec' | head -5 || true)
+          if [ -n "$HTTP_URLS" ]; then
+            echo "⚠️ HTTP URLs found. Use HTTPS:"
+            echo "$HTTP_URLS"
+          fi
+          
+          # Block hardcoded secrets patterns
+          SECRETS=$(grep -rEi '(api_key|apikey|secret_key|password)\s*[=:]\s*["\x27][A-Za-z0-9+/=]{20,}' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.env" . 2>/dev/null | grep -v 'example\|sample\|test\|mock\|placeholder' | head -3 || true)
+          if [ -n "$SECRETS" ]; then
+            echo "❌ Potential hardcoded secrets detected!"
+            FAILED=true
+          fi
+          
+          if [ "$FAILED" = true ]; then
+            exit 1
+          fi
+          
+          echo "✅ Security policy check passed"

.github/workflows/ts-blocker.yml

@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: TypeScript/JavaScript Blocker
+on: [push, pull_request]
+
+permissions: read-all
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Block new TypeScript/JavaScript
+        run: |
+          NEW_TS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.(ts|tsx)$' | grep -v '\.gen\.' || true)
+          NEW_JS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.(js|jsx)$' | grep -v '\.res\.js$' | grep -v '\.gen\.' | grep -v 'node_modules' || true)
+          
+          if [ -n "$NEW_TS" ] || [ -n "$NEW_JS" ]; then
+            echo "❌ New TS/JS files detected. Use ReScript instead."
+            [ -n "$NEW_TS" ] && echo "$NEW_TS"
+            [ -n "$NEW_JS" ] && echo "$NEW_JS"
+            exit 1
+          fi
+          echo "✅ ReScript policy enforced"