From dac39d1b4e897ffbb2736a26871b136c7befb557 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 30 May 2026 21:47:13 +0100
Subject: [PATCH] ci(language-policy): drop SaltStack Python carveout (closes
 reposystem#32)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Discharges hyperpolymath/reposystem#32. The SaltStack Python exception was
removed estate-wide on 2026-01-03 (canonical .claude/CLAUDE.md already
reflects this), but five workflow files still encoded the legacy carveout:

- .github/workflows/governance-reusable.yml — the RSR antipattern check
  (`grep -v salt | grep -v _states | grep -v _modules | grep -v pillar`)
  + the "only allowed for SaltStack" enforce-message + the trailing
  "SaltStack (Python)" line in the summary banner.
- 4× language-policy.yml (rhodium-standard-repositories root,
  consent-aware-http, +2 satellites) — the `| grep -v 'salt'` filter
  on new .py files and the "(except SaltStack)" comment.

Infrastructure moved to Terraform + Ansible; neither needs first-party
Python so no replacement exemption is required.

Closes hyperpolymath/reposystem#32

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/governance-reusable.yml                 | 8 +++-----
 consent-aware-http/.github/workflows/language-policy.yml  | 4 ++--
 .../.github/workflows/language-policy.yml                 | 4 ++--
 .../.github/workflows/language-policy.yml                 | 4 ++--
 .../.github/workflows/language-policy.yml                 | 4 ++--
 5 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/governance-reusable.yml b/.github/workflows/governance-reusable.yml
index cd802085..87b99f3f 100644
--- a/.github/workflows/governance-reusable.yml
+++ b/.github/workflows/governance-reusable.yml
@@ -312,9 +312,7 @@ jobs:
           RES_FILES=$(git ls-files '*.res' || true)
           GO_FILES=$(git ls-files '*.go' || true)
           PY_FILES=$(git ls-files '*.py' \
-            | grep -v salt | grep -v _states \
-            | grep -v _modules | grep -v pillar | grep -v venv \
-            | grep -v __pycache__ || true)
+            | grep -v venv | grep -v __pycache__ || true)
           MAKE_FILES=$(git ls-files 'Makefile' 'Makefile.*' '*.mk' \
             | grep -v '\.github/' || true)
           JAVA_FILES=$(git ls-files '*.java' '*.kt' '*.kts' || true)
@@ -328,7 +326,7 @@ jobs:
 
           enforce "ReScript files" "use AffineScript instead" "$RES_FILES"
           enforce "Go files" "use Rust/WASM instead" "$GO_FILES"
-          enforce "Python files" "only allowed for SaltStack" "$PY_FILES"
+          enforce "Python files" "Python is fully banned — use AffineScript/Rust/SPARK/Julia (SaltStack carveout removed 2026-01-03)" "$PY_FILES"
           enforce "Makefiles" "use Mustfile/justfile instead" "$MAKE_FILES"
           enforce "Java/Kotlin files" "use Rust/Tauri/Dioxus instead" "$JAVA_FILES"
           enforce "Swift files" "use Tauri/Dioxus instead" "$SWIFT_FILES"
@@ -430,7 +428,7 @@ jobs:
       - name: Summary
         run: |
           echo "RSR language/package policy passed — allowed: AffineScript, Deno,"
-          echo "WASM, Rust, OCaml, Haskell, Guile/Scheme, SaltStack (Python)."
+          echo "WASM, Rust, OCaml, Haskell, Guile/Scheme."
 
   package-policy:
     name: Guix primary / Nix fallback policy
diff --git a/consent-aware-http/.github/workflows/language-policy.yml b/consent-aware-http/.github/workflows/language-policy.yml
index 2811e465..a4fc56ec 100644
--- a/consent-aware-http/.github/workflows/language-policy.yml
+++ b/consent-aware-http/.github/workflows/language-policy.yml
@@ -8,8 +8,8 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Enforce language policies
         run: |
-          # Block new Python files (except SaltStack)
-          NEW_PY=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.py$' | grep -v 'salt' || true)
+          # Block new Python files (Python fully banned 2026-01-03 — SaltStack carveout removed)
+          NEW_PY=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.py$' || true)
           if [ -n "$NEW_PY" ]; then
             echo "❌ New Python files detected. Use Rust or AffineScript instead."
             echo "$NEW_PY"
diff --git a/rhodium-standard-repositories/.github/workflows/language-policy.yml b/rhodium-standard-repositories/.github/workflows/language-policy.yml
index da03b52d..aabcb9af 100644
--- a/rhodium-standard-repositories/.github/workflows/language-policy.yml
+++ b/rhodium-standard-repositories/.github/workflows/language-policy.yml
@@ -11,8 +11,8 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Enforce language policies
         run: |
-          # Block new Python files (except SaltStack)
-          NEW_PY=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.py$' | grep -v 'salt' || true)
+          # Block new Python files (Python fully banned 2026-01-03 — SaltStack carveout removed)
+          NEW_PY=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.py$' || true)
           if [ -n "$NEW_PY" ]; then
             echo "❌ New Python files detected. Use Rust or AffineScript instead."
             echo "$NEW_PY"
diff --git a/rhodium-standard-repositories/satellites/consent-aware-http/.github/workflows/language-policy.yml b/rhodium-standard-repositories/satellites/consent-aware-http/.github/workflows/language-policy.yml
index 1c12dccd..404f0723 100644
--- a/rhodium-standard-repositories/satellites/consent-aware-http/.github/workflows/language-policy.yml
+++ b/rhodium-standard-repositories/satellites/consent-aware-http/.github/workflows/language-policy.yml
@@ -7,8 +7,8 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Enforce language policies
         run: |
-          # Block new Python files (except SaltStack)
-          NEW_PY=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.py$' | grep -v 'salt' || true)
+          # Block new Python files (Python fully banned 2026-01-03 — SaltStack carveout removed)
+          NEW_PY=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.py$' || true)
           if [ -n "$NEW_PY" ]; then
             echo "❌ New Python files detected. Use Rust or AffineScript instead."
             echo "$NEW_PY"
diff --git a/rhodium-standard-repositories/satellites/palimpsest-license/.github/workflows/language-policy.yml b/rhodium-standard-repositories/satellites/palimpsest-license/.github/workflows/language-policy.yml
index 0220de5f..9d5d1fbc 100644
--- a/rhodium-standard-repositories/satellites/palimpsest-license/.github/workflows/language-policy.yml
+++ b/rhodium-standard-repositories/satellites/palimpsest-license/.github/workflows/language-policy.yml
@@ -7,8 +7,8 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Enforce language policies
         run: |
-          # Block new Python files (except SaltStack)
-          NEW_PY=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.py$' | grep -v 'salt' || true)
+          # Block new Python files (Python fully banned 2026-01-03 — SaltStack carveout removed)
+          NEW_PY=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.py$' || true)
           if [ -n "$NEW_PY" ]; then
             echo "❌ New Python files detected. Use Rust or AffineScript instead."
             echo "$NEW_PY"