ci(workflows): fix boj-build YAML + gate mirror secrets on presence

.github/workflows/boj-build.yml

@@ -17,6 +17,7 @@ permissions:
 
 jobs:
   trigger-boj:
+    name: Trigger BoJ server
     runs-on: ubuntu-latest
     timeout-minutes: 10
     if: ${{ vars.BOJ_SERVER_URL != '' || secrets.BOJ_SERVER_URL != '' }}
@@ -47,3 +48,58 @@ jobs:
             -H "Content-Type: application/json" \
             --data "$payload" \
             || echo "BoJ server unreachable - skipping (non-fatal)"
+
+  # Contractile validation runs on every push, independent of whether a BoJ
+  # server is configured — it validates THIS repo's own contractile set, so it
+  # must not sit behind the trigger-boj `if:` guard.
+  validate-contractiles:
+    name: K9-SVC contractile validation
+    timeout-minutes: 10
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: K9-SVC Validation
+        run: |
+          echo "Running K9-SVC contractile validation..."
+          if [ -f .machine_readable/contractiles/must/Mustfile.a2ml ]; then
+            echo "✅ Mustfile found - running validation"
+            # Placeholder for actual K9 validation
+            echo "K9 validation would run here"
+          else
+            echo "❌ Mustfile not found"
+            exit 1
+          fi
+
+      - name: Contractile Check
+        run: |
+          set -euo pipefail
+          echo "Checking contractile completeness..."
+          index=".machine_readable/contractiles/INDEX.a2ml"
+          if [ ! -f "$index" ]; then
+            echo "❌ Contractile registry not found: $index"
+            exit 1
+          fi
+          # Read the canonical verb set from the registry rather than hard-coding
+          # it (INDEX.a2ml §Registry: consumers SHOULD discover verbs from here).
+          # Each verb's trident lists "<verb>/<Verb>file.a2ml" as its first entry.
+          mapfile -t files < <(grep -oE '"[a-z]+/[A-Z][a-z]+file\.a2ml"' "$index" | tr -d '"' | sort -u)
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "❌ No contractile files discovered in $index"
+            exit 1
+          fi
+          missing=0
+          for rel in "${files[@]}"; do
+            if [ -f ".machine_readable/contractiles/$rel" ]; then
+              echo "✅ $rel"
+            else
+              echo "❌ Missing: $rel"
+              missing=$((missing + 1))
+            fi
+          done
+          if [ "$missing" -gt 0 ]; then
+            echo "❌ $missing contractile(s) missing"
+            exit 1
+          fi
+          echo "✅ All ${#files[@]} contractiles present"

.github/workflows/mirror-reusable.yml

@@ -56,6 +56,7 @@ jobs:
         with:
           fetch-depth: 0
       - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+        if: ${{ secrets.GITLAB_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.GITLAB_SSH_KEY }}
       - name: Mirror to GitLab
@@ -65,10 +66,15 @@ jobs:
         # for Maintainers/Developers or remove the protection on the mirror repo.
         # Until then this step is advisory-only; failures do not red main.
         continue-on-error: true
+        if: ${{ secrets.GITLAB_SSH_KEY != '' }}
         run: |
           ssh-keyscan -t ed25519 gitlab.com >> ~/.ssh/known_hosts
           git remote add gitlab git@gitlab.com:hyperpolymath/${{ github.event.repository.name }}.git || true
           git push --force gitlab main
+      - name: Skipped (GITLAB_SSH_KEY not configured)
+        if: ${{ secrets.GITLAB_SSH_KEY == '' }}
+        run: |
+          echo "::notice::GITLAB_MIRROR_ENABLED=true but secrets.GITLAB_SSH_KEY is empty. Skipping GitLab mirror. Configure the GITLAB_SSH_KEY org/repo secret to enable."
 
   mirror-bitbucket:
     timeout-minutes: 20
@@ -79,13 +85,19 @@ jobs:
         with:
           fetch-depth: 0
       - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+        if: ${{ secrets.BITBUCKET_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.BITBUCKET_SSH_KEY }}
       - name: Mirror to Bitbucket
+        if: ${{ secrets.BITBUCKET_SSH_KEY != '' }}
         run: |
           ssh-keyscan -t ed25519 bitbucket.org >> ~/.ssh/known_hosts
           git remote add bitbucket git@bitbucket.org:hyperpolymath/${{ github.event.repository.name }}.git || true
           git push --force bitbucket main
+      - name: Skipped (BITBUCKET_SSH_KEY not configured)
+        if: ${{ secrets.BITBUCKET_SSH_KEY == '' }}
+        run: |
+          echo "::notice::BITBUCKET_MIRROR_ENABLED=true but secrets.BITBUCKET_SSH_KEY is empty. Skipping Bitbucket mirror. Configure the BITBUCKET_SSH_KEY org/repo secret to enable."
 
   mirror-codeberg:
     timeout-minutes: 20
@@ -96,13 +108,19 @@ jobs:
         with:
           fetch-depth: 0
       - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+        if: ${{ secrets.CODEBERG_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.CODEBERG_SSH_KEY }}
       - name: Mirror to Codeberg
+        if: ${{ secrets.CODEBERG_SSH_KEY != '' }}
         run: |
           ssh-keyscan -t ed25519 codeberg.org >> ~/.ssh/known_hosts
           git remote add codeberg git@codeberg.org:hyperpolymath/${{ github.event.repository.name }}.git || true
           git push --force codeberg main
+      - name: Skipped (CODEBERG_SSH_KEY not configured)
+        if: ${{ secrets.CODEBERG_SSH_KEY == '' }}
+        run: |
+          echo "::notice::CODEBERG_MIRROR_ENABLED=true but secrets.CODEBERG_SSH_KEY is empty. Skipping Codeberg mirror. Configure the CODEBERG_SSH_KEY org/repo secret to enable."
 
   mirror-sourcehut:
     timeout-minutes: 20
@@ -113,13 +131,19 @@ jobs:
         with:
           fetch-depth: 0
       - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+        if: ${{ secrets.SOURCEHUT_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.SOURCEHUT_SSH_KEY }}
       - name: Mirror to SourceHut
+        if: ${{ secrets.SOURCEHUT_SSH_KEY != '' }}
         run: |
           ssh-keyscan -t ed25519 git.sr.ht >> ~/.ssh/known_hosts
           git remote add sourcehut git@git.sr.ht:~hyperpolymath/${{ github.event.repository.name }} || true
           git push --force sourcehut main
+      - name: Skipped (SOURCEHUT_SSH_KEY not configured)
+        if: ${{ secrets.SOURCEHUT_SSH_KEY == '' }}
+        run: |
+          echo "::notice::SOURCEHUT_MIRROR_ENABLED=true but secrets.SOURCEHUT_SSH_KEY is empty. Skipping SourceHut mirror. Configure the SOURCEHUT_SSH_KEY org/repo secret to enable."
 
   mirror-disroot:
     timeout-minutes: 20
@@ -130,13 +154,19 @@ jobs:
         with:
           fetch-depth: 0
       - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+        if: ${{ secrets.DISROOT_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.DISROOT_SSH_KEY }}
       - name: Mirror to Disroot
+        if: ${{ secrets.DISROOT_SSH_KEY != '' }}
         run: |
           ssh-keyscan -t ed25519 git.disroot.org >> ~/.ssh/known_hosts
           git remote add disroot git@git.disroot.org:hyperpolymath/${{ github.event.repository.name }}.git || true
           git push --force disroot main
+      - name: Skipped (DISROOT_SSH_KEY not configured)
+        if: ${{ secrets.DISROOT_SSH_KEY == '' }}
+        run: |
+          echo "::notice::DISROOT_MIRROR_ENABLED=true but secrets.DISROOT_SSH_KEY is empty. Skipping Disroot mirror. Configure the DISROOT_SSH_KEY org/repo secret to enable."
 
   mirror-gitea:
     timeout-minutes: 20
@@ -147,13 +177,19 @@ jobs:
         with:
           fetch-depth: 0
       - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+        if: ${{ secrets.GITEA_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.GITEA_SSH_KEY }}
       - name: Mirror to Gitea
+        if: ${{ secrets.GITEA_SSH_KEY != '' }}
         run: |
           ssh-keyscan -t ed25519 ${{ vars.GITEA_HOST }} >> ~/.ssh/known_hosts
           git remote add gitea git@${{ vars.GITEA_HOST }}:hyperpolymath/${{ github.event.repository.name }}.git || true
           git push --force gitea main
+      - name: Skipped (GITEA_SSH_KEY not configured)
+        if: ${{ secrets.GITEA_SSH_KEY == '' }}
+        run: |
+          echo "::notice::GITEA_MIRROR_ENABLED=true but secrets.GITEA_SSH_KEY is empty. Skipping Gitea mirror. Configure the GITEA_SSH_KEY org/repo secret to enable."
 
   mirror-radicle:
     timeout-minutes: 20