feat(governance): add hypatia-scan-reusable.yml — consolidate 702-repo drift

[hyperpolymath]

Summary

Estate audit (gh search code filename:hypatia-scan.yml org:hyperpolymath) found 702 copies of the 416-line Hypatia Neurosymbolic scan workflow. Sampled heads (vcl-ut, k9iser, bunsenite, affinescript, echidna) are byte-identical apart from the SPDX header drifting between MPL-2.0 and PMPL-1.0-or-later. Largest currently-outstanding template-propagation lever: 702 × 416 ≈ 290k duplicated YAML lines.

Same pattern as #168 (governance / language-policy), #174 (rust-ci / elixir-ci), #187 (mirror), and #190 (secret-scanner).

Behaviour preservation

Reusable preserves the canonical's semantics step-for-step:

• Build Hypatia escript, run scan, dump findings JSON.
• Convert findings to SARIF (dependency-free Node — npm-ban-respecting).
• Upload SARIF on non-fork triggers; skip on fork PRs (read-only token).
• Best-effort gitbot-fleet learning submission (continue-on-error).
• PR comment on same-repo PRs (continue-on-error).
• Advisory critical-finding warning. Gating remains delegated to branch protection per hypatia#213 gate-decoupling.

Inputs (both optional)

• enable_fleet_submission (default true) — opt out of the Phase 2 gitbot-fleet learning side-channel.
• enable_pr_comment (default true) — opt out of the PR comment.

Both steps remain continue-on-error; toggles exist for repos that want cleaner step logs rather than a non-fatal warning trail.

secrets: block declares HYPATIA_DISPATCH_PAT as optional so callers can secrets: inherit without per-secret plumbing.

Caller shape

name: Hypatia Security Scan
on:
  push:    { branches: [main, master, develop] }
  pull_request: { branches: [main, master] }
  schedule: [{ cron: '0 0 * * 0' }]
  workflow_dispatch:
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
permissions:
  contents: read
  security-events: write
  pull-requests: write
jobs:
  hypatia:
    uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@<sha>
    secrets: inherit

After merge

Wrapper sweep — ~700 mechanical wrapper PRs following the standards#174 sweep pattern (3 proof PRs first to validate the wrapper file syntax, then fan out via background Bash; sandbox blocks the subagent path per feedback_fanout_needs_bash_allowlist.md).

Refs

• hypatia#213 — gate-decoupling design
• hypatia#328 — CSA001 self-loop fix precedent
• burble#35 — SARIF integration history
• standards#168/feat(governance): add rust-ci-reusable + elixir-ci-reusable workflows #174/feat(governance): add mirror-reusable.yml — consolidate 289-repo mirror.yml drift #187/feat(governance): add secret-scanner-reusable.yml — propagate shell-secrets to 281 repos #190 — template-propagation pattern

🤖 Generated with Claude Code

[hyperpolymath]

Closing in favour of #193 (parallel-session implementation filed 17 min after this PR).

After diffing the two reusables:

• feat(governance): add hypatia-scan-reusable.yml — biggest LOC leverage of the reusable trilogy #193 has the strictly simpler API: zero inputs except runs-on. My two opt-out toggles (enable_fleet_submission, enable_pr_comment) were unjustified scope creep — both gated steps are continue-on-error: true already, so the toggles only saved log cleanliness, not behaviour.
• feat(governance): add hypatia-scan-reusable.yml — biggest LOC leverage of the reusable trilogy #193 carries corrected drift figures (255 unique deployments / 30 SHAs / 11.8% drift). My own pre-PR survey reported 702 — that was the unpaginated gh api search/code total-hit count, which the parallel session diagnosed correctly via pagination.
• feat(governance): add hypatia-scan-reusable.yml — biggest LOC leverage of the reusable trilogy #193's caller docstring is more explicit about the secrets: inherit + security-events: write invariant.

Hypatia-scan wrapper sweep (264 PRs filed pinned to this branch's HEAD 2569c10e) is being retargeted to #193's HEAD now.