rule: detect SafeDOMExample.res (banned ReScript dialect, should be .affine)

[hyperpolymath]

Context

After today's otpiser#11 + 48-PR estate sweep, the dominant per-PR failure class is governance / Language / package anti-pattern policy firing on examples/SafeDOMExample.res. The canonical AffineScript version (examples/SafeDOMExample.affine) lives in burble/main; gitbot-fleet#208 ran a 125-repo sweep but template repos (rsr-template-repo, mtpc-template-repo, thunderbird-template-reloaded) plus a long tail of forks kept regenerating the .res variant.

Rule

Add to lib/rules/structural_drift.ex (or code_safety.ex if more appropriate):

def check_safedom_example_dialect(repo_tree, _opts \\ []) do
  res_path = "examples/SafeDOMExample.res"
  affine_path = "examples/SafeDOMExample.affine"

  cond do
    res_path in repo_tree and affine_path not in repo_tree ->
      {:fail, %{rule: :safedom_example_dialect_mismatch, severity: :high,
                path: res_path,
                message: "SafeDOMExample.res lingers; .affine canonical required",
                fix: "Replace with examples/SafeDOMExample.affine (see burble/main)"}}
    res_path in repo_tree and affine_path in repo_tree ->
      {:warn, %{rule: :safedom_example_both_dialects, severity: :medium,
                path: res_path,
                message: "Both .res and .affine present; delete the .res copy"}}
    true -> :ok
  end
end

Skip-list

Skip if the repo has substantive non-SafeDOM .res files (the migration is blocked on affinescript#57 Phase 2). Today's empirical skip-set:

• bunsenite, gossamer, nesy-solver, reposystem, stapeln, svalinn, vcl-ut, verisimdb, idaptik, laniakea, affinescript

Verification

• Add fixture under test/fixtures/safedom-res-only/
• Confirm rule fires on otpiser, kategoria-pipeline, presswerk at pre-2026-05-26 SHAs
• Confirm rule does NOT fire on burble (canonical .affine present)

Filed from session sweeping otpiser#11 + estate-wide drift.

[hyperpolymath]

Now tracked under estate migration epic: affinescript#406.