hyperpolymath · hyperpolymath · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026
diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
@@ -2,7 +2,7 @@
 
 ## Overview
 
-Static analysis and bug signature detection tool. Scans source code for weak points (unwrap/expect, unsafe blocks, panic sites, error handling gaps, command injection, unsafe deserialization, FFI boundaries, atom exhaustion, and more) across 47 programming languages.
+Static analysis and bug signature detection tool. Scans source code for weak points (unwrap/expect, unsafe blocks, panic sites, error handling gaps, command injection, unsafe deserialization, FFI boundaries, atom exhaustion, and more) across 49 programming languages.
 
 **Position in AmbientOps ecosystem**: Part of the hospital model, loosely affiliated. Sits alongside the Operating Room as a diagnostic tool for software health (while hardware-crash-team handles hardware health). Independent top-level repo, but feeds findings to the hospital's Records system via verisimdb.
 
@@ -19,7 +19,7 @@ Static analysis and bug signature detection tool. Scans source code for weak poi
 
 ```
 src/
-├── main.rs              # CLI entry point (clap) — 20 subcommands
+├── main.rs              # CLI entry point (clap) — 38 subcommands
 ├── lib.rs               # Library API
 ├── types.rs             # Core types (AssailReport, WeakPoint, etc.)
 ├── assail/              # Static analysis engine
@@ -55,6 +55,8 @@ src/
 ├── amuck/               # Mutation combinations
 ├── abduct/              # Isolation + time-skew
 ├── adjudicate/          # Campaign verdict aggregation
+├── aggregate/           # Fold external prover output into reports (BLAKE3-hashed, trust-tagged)
+├── assay/               # Proven-library substitution survey + assimilate swap
 ├── axial/               # Reaction observation
 ├── bridge/              # Patch Bridge — CVE mitigation lifecycle (feature: http)
 │   ├── mod.rs           # Triage orchestrator, core types (BridgeReport, AssessedCve)

diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
@@ -9,6 +9,7 @@ permissions:
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
@@ -16,6 +16,7 @@ jobs:
   audit:
     name: Cargo Audit
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - name: Checkout code
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

diff --git a/.github/workflows/casket-pages.yml b/.github/workflows/casket-pages.yml
@@ -18,6 +18,7 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
@@ -109,6 +110,7 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs: build
     steps:
       - name: Deploy to GitHub Pages

diff --git a/.github/workflows/chapel-ci.yml b/.github/workflows/chapel-ci.yml
@@ -65,6 +65,7 @@ jobs:
   detect-relevant-changes:
     name: detect-relevant-changes
     runs-on: ubuntu-22.04
+    timeout-minutes: 10
     outputs:
       relevant: ${{ steps.f.outputs.relevant }}
     steps:
@@ -99,6 +100,7 @@ jobs:
     needs: detect-relevant-changes
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 45
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Chapel ${{ env.CHAPEL_VERSION }}
@@ -121,6 +123,7 @@ jobs:
     needs: [detect-relevant-changes, chapel-parse-check]
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 45
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Chapel ${{ env.CHAPEL_VERSION }}
@@ -151,6 +154,7 @@ jobs:
     needs: [detect-relevant-changes, chapel-build]
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 45
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Chapel ${{ env.CHAPEL_VERSION }}
@@ -175,6 +179,7 @@ jobs:
     needs: [detect-relevant-changes, chapel-build]
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 45
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Chapel ${{ env.CHAPEL_VERSION }}
@@ -211,6 +216,7 @@ jobs:
     needs: detect-relevant-changes
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 45
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
@@ -231,6 +237,7 @@ jobs:
     needs: [detect-relevant-changes, chapel-build]
     if: needs.detect-relevant-changes.outputs.relevant == 'true'
     runs-on: ubuntu-22.04
+    timeout-minutes: 45
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
@@ -417,6 +424,7 @@ jobs:
       - chapel-multilocale
     if: always()
     runs-on: ubuntu-22.04
+    timeout-minutes: 45
     steps:
       - name: Aggregate chapel-ci results
         env:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -23,6 +23,7 @@ permissions:
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     permissions:
       contents: read
       security-events: write

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -14,6 +14,7 @@ jobs:
   coverage:
     name: Generate Coverage Report
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - name: Checkout code
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -13,6 +13,7 @@ jobs:
   review:
     name: Review Dependencies
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

diff --git a/.github/workflows/dogfood-gate.yml b/.github/workflows/dogfood-gate.yml
@@ -22,6 +22,7 @@ jobs:
   a2ml-validate:
     name: Validate A2ML manifests
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - name: Checkout repository
@@ -66,6 +67,7 @@ jobs:
   k9-validate:
     name: Validate K9 contracts
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - name: Checkout repository
@@ -128,6 +130,7 @@ jobs:
   empty-lint:
     name: Empty-linter (invisible characters)
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - name: Checkout repository
@@ -192,6 +195,7 @@ jobs:
   groove-check:
     name: Groove manifest check
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - name: Checkout repository
@@ -250,6 +254,7 @@ jobs:
   dogfood-summary:
     name: Dogfooding compliance summary
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs: [a2ml-validate, k9-validate, empty-lint, groove-check]
     if: always()
 

diff --git a/.github/workflows/instant-sync.yml b/.github/workflows/instant-sync.yml
@@ -14,6 +14,7 @@ permissions:
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Trigger Propagation
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,6 +18,7 @@ jobs:
   build:
     name: Build Release Binary
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     permissions:
       contents: read
     outputs:
@@ -70,6 +71,7 @@ jobs:
   changelog:
     name: Generate Changelog
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
     outputs:
@@ -114,6 +116,7 @@ jobs:
     name: Create GitHub Release
     needs: [build, changelog]
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     permissions:
       contents: write
     steps:

diff --git a/.github/workflows/scan-and-report.yml b/.github/workflows/scan-and-report.yml
@@ -21,6 +21,7 @@ permissions:
 jobs:
   scan:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
 

diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
@@ -23,6 +23,7 @@ permissions:
 jobs:
   scorecard:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     permissions:
       security-events: write
       id-token: write  # For OIDC
@@ -61,6 +62,7 @@ jobs:
   # Check specific high-priority items
   check-critical:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,6 +21,7 @@ permissions: @@
     jobs:
       scan:
         runs-on: ubuntu-latest
+        timeout-minutes: 20
         steps:
           - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
@@ Expand Down @@