Sub-issue of #66. Surfaced 2026-05-17 via the burble#35 canonical SARIF PR (rsr-template-repo#53) — pre-existing, unrelated to that change.
Symptom
estate-rules.yml → step "Root shape allowlist" (bash scripts/check-root-shape.sh .) fails on rsr-template-repo's own root:
FAIL: 9 root entries are not on the allowlist:
- CONTRIBUTING.md
- PROOF-NEEDS.adoc
- PROOF-STATUS.adoc
- READINESS.adoc
- SECURITY.md
- TEST-NEEDS.adoc
- TOPOLOGY.adoc
- llm-warmup-dev.adoc
- llm-warmup-user.adoc
Root cause
scripts/check-root-shape.sh enforces the allowlist file .machine_readable/root-allow.txt. All 9 flagged entries are legitimate, standard estate root artifacts (PROOF-NEEDS/PROOF-STATUS/READINESS/TEST-NEEDS/TOPOLOGY .adoc, the llm-warmup-*.adoc pair, plus the GitHub community-health files CONTRIBUTING.md / SECURITY.md — these two are legitimately .md, GitHub only special-renders them as .md, so the "AsciiDoc by default" rule does not apply to them). The allowlist is stale relative to the current estate root standard, so the canonical template repo fails its own rule — and any consumer with these standard files inherits the same red.
Fix
Add the 9 justified entries to the canonical .machine_readable/root-allow.txt in rsr-template-repo (with a one-line justification comment each, per the file's existing convention), then propagate the allowlist to consumers. Explicitly allowlist CONTRIBUTING.md + SECURITY.md as the GitHub-recognised exceptions to AsciiDoc-by-default. Re-run check-root-shape.sh . → expect PASS.
Refs #66
Sub-issue of #66. Surfaced 2026-05-17 via the burble#35 canonical SARIF PR (rsr-template-repo#53) — pre-existing, unrelated to that change.
Symptom
estate-rules.yml→ step "Root shape allowlist" (bash scripts/check-root-shape.sh .) fails on rsr-template-repo's own root:Root cause
scripts/check-root-shape.shenforces the allowlist file.machine_readable/root-allow.txt. All 9 flagged entries are legitimate, standard estate root artifacts (PROOF-NEEDS/PROOF-STATUS/READINESS/TEST-NEEDS/TOPOLOGY.adoc, thellm-warmup-*.adocpair, plus the GitHub community-health filesCONTRIBUTING.md/SECURITY.md— these two are legitimately.md, GitHub only special-renders them as.md, so the "AsciiDoc by default" rule does not apply to them). The allowlist is stale relative to the current estate root standard, so the canonical template repo fails its own rule — and any consumer with these standard files inherits the same red.Fix
Add the 9 justified entries to the canonical
.machine_readable/root-allow.txtin rsr-template-repo (with a one-line justification comment each, per the file's existing convention), then propagate the allowlist to consumers. Explicitly allowlistCONTRIBUTING.md+SECURITY.mdas the GitHub-recognised exceptions to AsciiDoc-by-default. Re-runcheck-root-shape.sh .→ expectPASS.Refs #66