chore: Item 9 — retire ReScript guidance → AffineScript

[hyperpolymath]

Estate Tech-Debt — Item 9 (ReScript→AffineScript CI-text sweep)

Rewrites guidance/policy text that recommended ReScript as the
TypeScript/Python replacement to recommend AffineScript instead, per the
estate language policy (RS/TS/JS → AffineScript → typed-wasm).

Scope

• ✅ In scope: "use ReScript instead" guidance, Rust/ReScript migration-guide
  phrasing, Rust or ReScript policy text.
• ⛔ Out of scope (intentionally untouched): any rescript-named path/dir and
  ReScript adapters (e.g. proven). That work is preserved intact and usable
  for the ReScript ecosystem — only the forward-looking recommendation changes.

Mechanical, reviewed substitution; residual in-scope occurrences verified 0.

🤖 Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🔍 Hypatia Security Scan

Findings: 5 issues detected

Severity	Count
🔴 Critical	1
🟠 High	2
🟡 Medium	2

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/ipv6-tools/ipv6-tools/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 52,
    "reason": "Secret found: Password",
    "type": "secret_detected",
    "file": "/home/runner/work/ipv6-tools/ipv6-tools/ipv6-only/scripts/he-tunnel-setup.sh",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Nominal-only SAST in ipv6-tools: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/ipv6-tools/ipv6-tools",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 3 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence