hyperpolymath · hyperpolymath · May 16, 2026 · May 16, 2026 · May 16, 2026
@@ -352,9 +352,9 @@ defmodule Hypatia.Rules.CodeSafety do
     %{id: :ncl_hardcoded_secret, severity: :critical,
       pattern: ~r/password\s*=\s*"[^"]+"|api_key\s*=\s*"[^"]+"|secret\s*=\s*"[^"]+"/, cwe: "CWE-798",
       description: "Hardcoded credential in Nickel config -- use SecretRef"},
-    %{id: :ncl_docker_not_podman, severity: :medium,
+    %{id: :ncl_docker_not_podman, severity: :low,
       pattern: ~r/docker\s|docker\.io|dockerfile/i, cwe: "CWE-1104",
-      description: "Docker reference in Nickel config -- RSR requires Podman/Containerfile"}
+      description: "Docker reference in Nickel config -- Podman/Containerfile highly preferred (Docker permitted)"}
   ]
 
   def patterns_for_language("rust"), do: @rust_patterns
@@ -512,16 +512,16 @@ defmodule Hypatia.Rules.CodeSafety do
     end)
   end
 
-  @doc "Check for Dockerfile instead of Containerfile"
+  @doc "Advise Containerfile over Dockerfile naming (highly preferred; Docker permitted)"
   def check_dockerfile_naming(file_list) do
     file_list
     |> Enum.filter(fn f ->
       basename = Path.basename(f)
       basename == "Dockerfile" or String.starts_with?(basename, "Dockerfile.")
     end)
     |> Enum.map(fn f ->
-      %{rule: :dockerfile_not_containerfile, severity: :high,
-        description: "Dockerfile detected -- must be named Containerfile",
+      %{rule: :dockerfile_not_containerfile, severity: :low,
+        description: "Dockerfile detected -- Containerfile highly preferred (Docker permitted; rename unless a specific tool requires the Dockerfile name)",
         file: f}
     end)
   end

@@ -211,11 +211,11 @@ defmodule Hypatia.Rules.Dogfooding do
             [
               %{
                 rule: "HYP-DOG-005",
-                severity: "medium",
+                severity: "low",
                 file: filepath,
                 line: line,
                 description:
-                  "Uses 'docker' CLI -- policy requires 'podman'. Replace docker commands with podman equivalents."
+                  "Uses 'docker' CLI -- 'podman' is highly preferred (Docker permitted). Prefer podman equivalents where practical."
               }
             ]
 
@@ -230,11 +230,11 @@ defmodule Hypatia.Rules.Dogfooding do
         [
           %{
             rule: "HYP-DOG-005",
-            severity: "medium",
+            severity: "low",
             file: Path.join(repo_path, "Dockerfile"),
             line: nil,
             description:
-              "File named 'Dockerfile' -- policy requires 'Containerfile'. Rename the file."
+              "File named 'Dockerfile' -- 'Containerfile' is highly preferred (Docker permitted). Rename unless a specific tool requires the Dockerfile name."
           }
         ]
       else

@@ -81,11 +81,15 @@ defmodule Hypatia.Rules.RootHygiene do
       action: :move},
     %{pattern: "LANGUAGES.scm", reason: "Must be in .machine_readable/ only", severity: :critical,
       action: :move},
-    %{pattern: "Dockerfile", reason: "Use Containerfile (Podman, not Docker)", severity: :high,
+    # Docker is permitted estate-wide; Podman/Containerfile is HIGHLY PREFERRED
+    # but not mandatory. These are low-severity advisories (do not fail the
+    # critical/high gate), nudging Containerfile naming unless a specific tool
+    # genuinely needs the Docker-* name.
+    %{pattern: "Dockerfile", reason: "Containerfile preferred over Dockerfile (Podman highly preferred; Docker permitted) -- rename unless a tool requires the Dockerfile name", severity: :low,
       action: :rename},
-    %{pattern: "docker-compose.yml", reason: "Use podman-compose or compose.yml", severity: :high,
+    %{pattern: "docker-compose.yml", reason: "compose.yml / podman-compose highly preferred (Docker permitted)", severity: :low,
       action: :rename},
-    %{pattern: "docker-compose.yaml", reason: "Use podman-compose or compose.yml", severity: :high,
+    %{pattern: "docker-compose.yaml", reason: "compose.yml / podman-compose highly preferred (Docker permitted)", severity: :low,
       action: :rename},
     %{pattern: "Makefile", reason: "Use Justfile", severity: :medium,
       action: :replace},

diff --git a/scripts/sweeps/resync-hypatia-scan-phase2.sh b/scripts/sweeps/resync-hypatia-scan-phase2.sh
@@ -143,7 +143,7 @@ for full in "${REPOS[@]}"; do
   git -C "$dir" checkout -q -b "$BRANCH"
   git -C "$dir" add "$WF_PATH"
   git -C "$dir" -c commit.gpgsign=false -c user.name="Jonathan D.A. Jewell" \
-      -c user.email="jonathan.jewell@gmail.com" commit -q -F - <<'MSG'
+      -c user.email="6759885+hyperpolymath@users.noreply.github.com" commit -q -F - <<'MSG'
 fix(ci): Phase-2 fleet submission must not fail the security gate
 
 Layer-1 propagation of hyperpolymath/hypatia#252. This repo's own copy