
ci: fix Scorecard startup_failure (missing contents:read) + presence-gate instant-sync#53

Merged: hyperpolymath merged 1 commit into main from claude/confident-shannon-xf0Td on Jun 4, 2026

Conversation

@hyperpolymath (Owner)

Summary

Follow-up to #52. After the reusable re-pins landed, I verified main's post-merge CI and found Hypatia is now green (re-pin worked) but Scorecards still startup_failure — proving its cause was not the stale SHA. Root-caused and fixed here, plus the one genuinely-actionable Hypatia HIGH.

Scorecard startup_failure — real root cause

The scorecard-reusable.yml declares top-level permissions: contents: read. But this repo's wrapper sets job-level permissions: { security-events: write, id-token: write } (added in #47), and a job-level permissions block sets every unlisted permission to none — so contents became none. A reusable workflow that requests a permission its caller didn't grant fails at startup (0 jobs), which is exactly the symptom — and it persisted across the re-pin (unlike Hypatia, whose wrapper grants contents: read at workflow level).

Fix: add contents: read to the analysis job's permissions (verified against the reusable's declared permissions: at 861b5e9).

instant-sync — presence gate

Per Hypatia's secret_action_without_presence_gate (HIGH), the repository-dispatch step is now gated on token presence (job env + if: ${{ env.FARM_DISPATCH_TOKEN != '' }}), so absent-token contexts skip cleanly.

⚠️ This does not make Instant Sync green by itself: the configured FARM_DISPATCH_TOKEN returns Bad credentials and must be rotated by the maintainer — no in-repo change can mint a valid credential.

Still needs a maintainer decision (surfaced, not touched — ambiguous/destructive)

  • 6 submodule gitlinks with no .gitmodules (fs, obli-fs, transpiler, ssg, riscv-dev-kit, obli-riscv-dev-kit) — all empty, pointing at commits with no URL. Either restore a .gitmodules (if real submodules) or git rm --cached them (if accidental). Needs your intent.
  • Stale remote branches (GS007): e.g. cicd/codeql-cron-monthly, claude/codeql-actions-scan, claude/proof-debt-ledger. Branch deletion is destructive — your call.
  • CSA001 structural-drift alerts on .machine_readable/{PLAYBOOK,NEUROSYM,AGENTIC}.scm (stale prior-run code-scanning alerts) — schema work, needs context.
  • The other Hypatia findings are advisory; the 5 remaining missing_timeout_minutes flags are false positives (reusable-caller jobs cannot carry timeout-minutes).

🤖 Draft — opened for review.

https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ


Generated by Claude Code
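The two workflow changes the description above explains, shown as an added example (constructed for illustration; these are not the repository's actual scorecard.yml or instant-sync.yml). The caller job with only security-events and id-token granted sits beside the corrected form with contents: read, followed by the presence-gated repository-dispatch step. The OWNER/REPO and OWNER/DOWNSTREAM-REPO names, the triggers, the runner and the `<pinned-sha>` placeholders are assumptions.

```yaml
# Added example, not the repository's own files. OWNER/REPO, the downstream
# repository, the triggers, the runner and the <pinned-sha> refs are placeholders.

# --- .github/workflows/scorecard.yml (BEFORE) ---
# A job-level `permissions:` block is a complete override: every scope not
# listed resolves to `none`. The reusable declares top-level `contents: read`,
# which the caller has not granted, so the run fails at startup with 0 jobs.
name: Scorecard
on:
  schedule:
    - cron: "0 3 * * 1"
jobs:
  analysis:
    permissions:
      security-events: write
      id-token: write
    uses: OWNER/REPO/.github/workflows/scorecard-reusable.yml@<pinned-sha>   # placeholder ref
---
# --- .github/workflows/scorecard.yml (AFTER) ---
name: Scorecard
on:
  schedule:
    - cron: "0 3 * * 1"
jobs:
  analysis:
    # Grant every scope the reusable declares; `contents: read` was the missing
    # one. A job that calls a reusable workflow cannot carry `timeout-minutes`,
    # which is why that lint flag is a false positive on this job.
    permissions:
      contents: read
      security-events: write
      id-token: write
    uses: OWNER/REPO/.github/workflows/scorecard-reusable.yml@<pinned-sha>   # placeholder ref
---
# --- .github/workflows/instant-sync.yml (presence gate) ---
name: Instant Sync
on:
  push:
    branches: [main]
jobs:
  dispatch:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # Expose the secret once at job level: the `secrets` context is not
    # available in a step-level `if:`, but `env` is.
    env:
      FARM_DISPATCH_TOKEN: ${{ secrets.FARM_DISPATCH_TOKEN }}
    steps:
      - name: Dispatch downstream sync
        # Skip cleanly (step skipped, job green) when the secret is absent,
        # e.g. on forks or in contexts that do not receive secrets.
        if: ${{ env.FARM_DISPATCH_TOKEN != '' }}
        uses: peter-evans/repository-dispatch@<pinned-sha>   # placeholder ref
        with:
          token: ${{ env.FARM_DISPATCH_TOKEN }}
          repository: OWNER/DOWNSTREAM-REPO
          event-type: instant-sync
```

The gate only decides whether the step runs; it does nothing about the token's validity. A present but revoked token still fails at the dispatch call, which matches the caveat in the description that the secret must be rotated by the maintainer.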

…gate instant-sync

Follow-up root fixes after #52 (which re-pinned the reusables but left two
issues the re-pin alone could not resolve):

- scorecard.yml: the analysis job granted only security-events:write +
  id-token:write, so `contents` resolved to `none`. The scorecard reusable
  declares top-level `permissions: contents: read`, and a reusable requesting
  a permission the caller did not grant fails at startup (0 jobs /
  startup_failure -- which persisted across the re-pin, unlike Hypatia).
  Add `contents: read`.

- instant-sync.yml: presence-gate the repository-dispatch step on the token
  (job env + `if: != ''`), per Hypatia's secret_action_without_presence_gate
  finding; absent-token contexts now skip cleanly. NOTE: the job still needs a
  *valid* FARM_DISPATCH_TOKEN to go green -- the current one returns
  "Bad credentials" and must be rotated by the maintainer.

https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ
github-actions Bot commented Jun 4, 2026

🔍 Hypatia Security Scan

Findings: 73 issues detected

Severity Count
🔴 Critical 12
🟠 High 16
🟡 Medium 45

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in governance.yml",
    "type": "missing_timeout_minutes",
    "file": "governance.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in hypatia-scan.yml",
    "type": "missing_timeout_minutes",
    "file": "hypatia-scan.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "missing_timeout_minutes",
    "file": "mirror.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard.yml",
    "type": "missing_timeout_minutes",
    "file": "scorecard.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in secret-scanner.yml",
    "type": "missing_timeout_minutes",
    "file": "secret-scanner.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Repository has 5 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD007 -- Hypatia structural_drift: SD007 -- 0 day(s) old",
    "type": "CSA001",
    "file": "0-AI-MANIFEST.a2ml",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD007 -- Hypatia structural_drift: SD007 -- 0 day(s) old",
    "type": "CSA001",
    "file": "0-AI-MANIFEST.a2ml",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD007 -- Hypatia structural_drift: SD007 -- 0 day(s) old",
    "type": "CSA001",
    "file": "0-AI-MANIFEST.a2ml",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review June 4, 2026 02:27
@hyperpolymath hyperpolymath merged commit 76ca68e into main Jun 4, 2026
21 checks passed
@hyperpolymath hyperpolymath deleted the claude/confident-shannon-xf0Td branch June 4, 2026 02:27
