From 4ed4459421d2f64752731fce2fe43d8955028a0a Mon Sep 17 00:00:00 2001
From: blocksifrdev
Date: Sat, 20 Jun 2026 08:27:05 -0400
Subject: [PATCH 1/2] ci: add optional CortexTrace Free execution review
Signed-off-by: blocksifrdev
---
 .cortextrace/config.json | 25 ++++++++++++++
 .github/workflows/cortextrace-free.yml | 45 ++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 .cortextrace/config.json
 create mode 100644 .github/workflows/cortextrace-free.yml
diff --git a/.cortextrace/config.json b/.cortextrace/config.json
new file mode 100644
index 0000000..a3eef82
--- /dev/null
+++ b/.cortextrace/config.json
@@ -0,0 +1,25 @@
+{
+ "mode": "free",
+ "project": "ordvec",
+ "executionSurface": "github_pr",
+ "language": "rust",
+ "policy": {
+ "failClosed": false,
+ "commentOnPr": false,
+ "generateReceipts": true,
+ "detect": [
+ "github_actions_change",
+ "release_pipeline_change",
+ "dependency_change",
+ "unsafe_rust_change",
+ "ffi_boundary_change",
+ "serialized_index_parser_change",
+ "fuzz_surface_change",
+ "security_policy_change"
+ ]
+ },
+ "receipts": {
+ "localOnly": true,
+ "path": ".cortextrace/reports"
+ }
+}
diff --git a/.github/workflows/cortextrace-free.yml b/.github/workflows/cortextrace-free.yml
new file mode 100644
index 0000000..13409dd
--- /dev/null
+++ b/.github/workflows/cortextrace-free.yml 
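Review bot: `receipts.localOnly` is set to true, yet the workflow created in the same patch uploads `.cortextrace/reports/**` as an Actions artifact, so whatever the receipts contain leaves the runner as a downloadable artifact for anyone who can read the repository's workflow runs; if `localOnly` is meant to keep receipts off remote services, that upload is the one place they still leave. The receipts `path` is also repeated as a bare literal in the workflow (`mkdir -p .cortextrace/reports` and the upload `path`), and JSON gives no place to say so, so a change to this key would silently produce an empty artifact. A one-line comment on the workflow side, `# must match receipts.path in .cortextrace/config.json`, would keep the two in step.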
@@ -0,0 +1,45 @@
+name: CortexTrace Free
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ pull-requests: read
+ actions: read
+
+jobs:
+ cortextrace:
+ name: Execution consequence review
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Node for CortexTrace CLI
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+
+ - name: Run CortexTrace Free
+ run: |
+ mkdir -p .cortextrace/reports
+ npx -y @blocksifr/cortextrace@latest doctor || true
+ npx -y @blocksifr/cortextrace@latest run || true
+ npx -y @blocksifr/cortextrace@latest report || true
+
+ - name: Upload CortexTrace reports
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: cortextrace-free-report
+ path: |
+ .cortextrace/reports/**
+ cortextrace-report.*
+ if-no-files-found: ignore
From c40aba1efe7bc51ca680e21bde03880ad0e11afe Mon Sep 17 00:00:00 2001
From: blocksifrdev
Date: Sat, 20 Jun 2026 08:41:51 -0400
Subject: [PATCH 2/2] ci: harden CortexTrace advisory workflow
Signed-off-by: blocksifrdev
---
 .github/workflows/cortextrace-free.yml | 50 ++++++++++++++++++++------
 1 file changed, 40 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/cortextrace-free.yml b/.github/workflows/cortextrace-free.yml
index 13409dd..3144a5c 100644
--- a/.github/workflows/cortextrace-free.yml
+++ b/.github/workflows/cortextrace-free.yml
@@ -9,8 +9,6 @@ on:
 
 permissions:
 contents: read
- pull-requests: read
- actions: read
 
 jobs:
 cortextrace: 
@@ -20,26 +18,58 @@ jobs:
 
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ with:
+ persist-credentials: false
 
 - name: Setup Node for CortexTrace CLI
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
 with:
 node-version: "20"
 
- - name: Run CortexTrace Free
+ - name: Run CortexTrace Free advisory review
+ shell: bash
 run: |
+ set +e
+
+ mkdir -p .cortextrace/reports
- npx -y @blocksifr/cortextrace@latest doctor || true
- npx -y @blocksifr/cortextrace@latest run || true
- npx -y @blocksifr/cortextrace@latest report || true
+
+ CORTEXTRACE_VERSION="0.1.0"
+
+ npm_config_ignore_scripts=true npx -y @blocksifr/cortextrace@${CORTEXTRACE_VERSION} doctor
+ doctor_status=$?
+
+ npm_config_ignore_scripts=true npx -y @blocksifr/cortextrace@${CORTEXTRACE_VERSION} run
+ run_status=$?
+
+ npm_config_ignore_scripts=true npx -y @blocksifr/cortextrace@${CORTEXTRACE_VERSION} report
+ report_status=$?
+
+ {
+ echo "### CortexTrace Free advisory run"
+ echo
+ echo "| Command | Exit status |"
+ echo "|---|---:|"
+ echo "| doctor | ${doctor_status} |"
+ echo "| run | ${run_status} |"
+ echo "| report | ${report_status} |"
+ echo
+ echo "This workflow is advisory-only. It does not receive a GitHub token and does not block merges."
+ } >> "$GITHUB_STEP_SUMMARY"
+
+ exit 0
 
 - name: Upload CortexTrace reports
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
 if: always()
 with:
 name: cortextrace-free-report
 path: |
 .cortextrace/reports/**
 cortextrace-report.*
- if-no-files-found: ignore
+ !.cortextrace/**/*.env
+ !.cortextrace/**/*token*
+ !.cortextrace/**/*secret*
+ !.cortextrace/**/*credential*
+ include-hidden-files: true
+ if-no-files-found: warn
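Review bot: The artifact exclusions added at the end of the hunk (`!.cortextrace/**/*.env`, `*token*`, `*secret*`, `*credential*`) are a filename denylist scoped to `.cortextrace/`, so they do not apply to the `cortextrace-report.*` glob at the repository root and cannot catch sensitive values inside a report whose name is innocuous; `include-hidden-files: true` (needed because `.cortextrace` is a dot-directory) also admits any dotfiles the reports directory may contain. If the CLI's report file names are known, an allowlist of exactly those names under `.cortextrace/reports/` is a tighter guard than the four `!` patterns. Separately, the three new SHA pins carry no tag comment, which is the convention that lets reviewers and update tooling check what the hash corresponds to, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # <tag the SHA was resolved from>` and likewise for setup-node and upload-artifact. The `set +e` / `exit 0` pairing means a failing `doctor` still lets `run` and `report` execute and the step never fails; that reads as intentional for an advisory job, but a one-line comment above `set +e` stating it (`# advisory: capture each exit status, never fail the job`) would stop a future reader from "fixing" it.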