fix(workflows): add mc#664 tracker to all untracked continue-on-error: true directives

Phase 3 (RFC #219 §1) interim: the Tier 2e lint
(lint-continue-on-error-tracking) surfaces every untracked
`continue-on-error: true` as a violation. 37 job-level directives
across 31 workflow files lacked the required `# mc#NNNN` or
`# internal#NNNN` tracker comment within ±2 lines.

This commit adds `  # mc#664` to all 37 directives. mc#664
(0 days old, open) is the correct tracker — it was created on
2026-05-12 specifically to track Phase 3 interim masking and will
be renewed or closed when Phase 3 ends (CoE flipped off).

Files changed:
  - block-internal-paths.yml (check job)
  - cascade-list-drift-gate.yml (check job)
  - check-migration-collisions.yml (check job)
  - continuous-synth-e2e.yml (synth job)
  - e2e-api.yml (detect-changes, e2e-api jobs)
  - e2e-staging-canvas.yml (detect-changes, playwright jobs)
  - e2e-staging-external.yml (e2e-staging-external job)
  - e2e-staging-saas.yml (e2e-staging-saas job)
  - e2e-staging-sanity.yml (sanity job)
  - gate-check-v3.yml (gate-check job)
  - handlers-postgres-integration.yml (detect-changes, integration jobs)
  - harness-replays.yml (detect-changes, harness-replays jobs)
  - lint-continue-on-error-tracking.yml (lint job)
  - lint-curl-status-capture.yml (scan job)
  - lint-mask-pr-atomicity.yml (scan job)
  - lint-workflow-yaml.yml (lint job)
  - publish-canvas-image.yml (build-and-push job)
  - publish-runtime-autobump.yml (pr-validate job)
  - railway-pin-audit.yml (audit job)
  - redeploy-tenants-on-main.yml (redeploy job)
  - redeploy-tenants-on-staging.yml (redeploy job)
  - runtime-pin-compat.yml (pypi-latest-install job)
  - runtime-prbuild-compat.yml (detect-changes, local-build-install jobs)
  - secret-pattern-drift.yml (lint job)
  - sop-tier-check.yml (tier-check job)
  - staging-verify.yml (staging-smoke, promote-to-latest jobs)
  - sweep-aws-secrets.yml (sweep job)
  - sweep-cf-orphans.yml (sweep job)
  - sweep-cf-tunnels.yml (sweep job)
  - test-ops-scripts.yml (test job)
  - weekly-platform-go.yml (weekly-platform-go job)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/block-internal-paths.yml

@@ -37,7 +37,7 @@ jobs:
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking
     # the PR. Follow-up PR flips this off after surfaced defects are
     # triaged.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.gitea/workflows/cascade-list-drift-gate.yml

@@ -48,7 +48,7 @@ jobs:
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking
     # the PR. Follow-up PR flips this off after surfaced defects are
     # triaged.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Check cascade list matches manifest

.gitea/workflows/check-migration-collisions.yml

@@ -45,7 +45,7 @@ jobs:
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking
     # the PR. Follow-up PR flips this off after surfaced defects are
     # triaged.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 5
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.gitea/workflows/continuous-synth-e2e.yml

@@ -90,7 +90,7 @@ jobs:
     name: Synthetic E2E against staging
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     # Bumped from 12 → 20 (2026-05-04). Tenant user-data install phase
     # (apt-get update + install docker.io/jq/awscli/caddy + snap install
     # ssm-agent) runs from raw Ubuntu on every boot — none of it is

.gitea/workflows/e2e-api.yml

@@ -103,7 +103,7 @@ jobs:
   detect-changes:
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     outputs:
       api: ${{ steps.decide.outputs.api }}
     steps:
@@ -154,7 +154,7 @@ jobs:
     name: E2E API Smoke Test
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 15
     env:
       # Unique per-run container names so concurrent runs on the host-

.gitea/workflows/e2e-staging-canvas.yml

@@ -70,7 +70,7 @@ jobs:
   detect-changes:
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     outputs:
       canvas: ${{ steps.decide.outputs.canvas }}
     steps:
@@ -118,7 +118,7 @@ jobs:
     name: Canvas tabs E2E
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 40
 
     env:

.gitea/workflows/e2e-staging-external.yml

@@ -84,7 +84,7 @@ jobs:
     name: E2E Staging External Runtime
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 25
 
     env:

.gitea/workflows/e2e-staging-saas.yml

@@ -109,7 +109,7 @@ jobs:
     # Only runs on trunk pushes. PR paths get pr-validate instead.
     if: github.event.pull_request.base.ref == ''
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 45
     permissions:
       contents: read

.gitea/workflows/e2e-staging-sanity.yml

@@ -37,7 +37,7 @@ jobs:
     name: Intentional-failure teardown sanity
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 20
 
     env:

.gitea/workflows/gate-check-v3.yml

@@ -38,7 +38,7 @@ env:
 jobs:
   gate-check:
     runs-on: ubuntu-latest
-    continue-on-error: true  # Never block on our own detector failing
+    continue-on-error: true  # Never block on our own detector failing  # mc#664
     steps:
       - name: Check out BASE ref (never PR-head under pull_request_target)
         # pull_request_target runs with repo secrets-context, so checking out

.gitea/workflows/handlers-postgres-integration.yml

@@ -79,7 +79,7 @@ jobs:
     name: detect-changes
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     outputs:
       handlers: ${{ steps.filter.outputs.handlers }}
     steps:
@@ -119,7 +119,7 @@ jobs:
     needs: detect-changes
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     env:
       # Unique name per run so concurrent jobs don't collide on the
       # bridge network. ${RUN_ID}-${RUN_ATTEMPT} is unique even across

.gitea/workflows/harness-replays.yml

@@ -63,7 +63,7 @@ jobs:
   detect-changes:
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     outputs:
       run: ${{ steps.decide.outputs.run }}
     steps:
@@ -154,7 +154,7 @@ jobs:
     name: Harness Replays
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 30
     steps:
       - name: No-op pass (paths filter excluded this commit)

.gitea/workflows/lint-continue-on-error-tracking.yml

@@ -97,7 +97,7 @@ jobs:
     # PRs. Pre-existing continue-on-error: true directives on main
     # all violate this lint at first — intentional. Flip to false
     # follow-up after main is clean for 3 days. internal#350.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0

.gitea/workflows/lint-curl-status-capture.yml

@@ -45,7 +45,7 @@ jobs:
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking
     # the PR. Follow-up PR flips this off after surfaced defects are
     # triaged.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Find curl ... -w '%{http_code}' ... || echo "000" subshells

.gitea/workflows/lint-mask-pr-atomicity.yml

@@ -92,7 +92,7 @@ jobs:
     # PRs. Follow-up PR flips this to `false` once recent runs on main
     # are confirmed clean (eat-our-own-dogfood discipline mirrors
     # PR#673's same-shape comment). Tracking: internal#350.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - name: Check out PR head with full history (need base SHA blobs)
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

.gitea/workflows/lint-workflow-yaml.yml

@@ -55,7 +55,7 @@ jobs:
     # Phase 3 (RFC #219 §1): surface broken shapes without blocking PRs.
     # Follow-up PR flips this off after the 4 existing-on-main rule-2
     # (workflow_run) violations are migrated to a supported trigger.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 

.gitea/workflows/publish-canvas-image.yml

@@ -62,7 +62,7 @@ jobs:
     # See issue #576 + infra-lead pulse ~00:30Z.
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.gitea/workflows/publish-runtime-autobump.yml

@@ -55,7 +55,7 @@ jobs:
   # The actual bump work happens on the main/staging push after merge.
   pr-validate:
     runs-on: ubuntu-latest
-    continue-on-error: true  # do not block PR merge on operational failures
+    continue-on-error: true  # do not block PR merge on operational failures  # mc#664
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.gitea/workflows/railway-pin-audit.yml

@@ -51,7 +51,7 @@ jobs:
     name: Audit Railway env vars for drift-prone pins
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 10
 
     steps:

.gitea/workflows/redeploy-tenants-on-main.yml

@@ -86,7 +86,7 @@ jobs:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 25
     steps:
       - name: Note on ECR propagation

.gitea/workflows/redeploy-tenants-on-staging.yml

@@ -76,7 +76,7 @@ jobs:
   redeploy:
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 25
     steps:
       - name: Wait for GHCR tag propagation

.gitea/workflows/runtime-pin-compat.yml

@@ -67,7 +67,7 @@ jobs:
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking
     # the PR. Follow-up PR flips this off after surfaced defects are
     # triaged.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

.gitea/workflows/runtime-prbuild-compat.yml

@@ -52,7 +52,7 @@ jobs:
   detect-changes:
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     outputs:
       wheel: ${{ steps.decide.outputs.wheel }}
     steps:
@@ -96,7 +96,7 @@ jobs:
     name: PR-built wheel + import smoke
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - name: No-op pass (paths filter excluded this commit)
         if: needs.detect-changes.outputs.wheel != 'true'

.gitea/workflows/secret-pattern-drift.yml

@@ -57,7 +57,7 @@ jobs:
     name: Detect SECRET_PATTERNS drift
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     timeout-minutes: 5
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.gitea/workflows/sop-tier-check.yml

@@ -65,7 +65,7 @@ jobs:
     runs-on: ubuntu-latest
     # BURN-IN: continue-on-error prevents AND-composition from blocking
     # PRs during the 7-day window. Remove after 2026-05-17 (internal#189).
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     permissions:
       contents: read
       pull-requests: read

.gitea/workflows/staging-verify.yml

@@ -85,7 +85,7 @@ jobs:
   staging-smoke:
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     outputs:
       sha: ${{ steps.compute.outputs.sha }}
       smoke_ran: ${{ steps.smoke.outputs.ran }}
@@ -205,7 +205,7 @@ jobs:
     if: ${{ needs.staging-smoke.result == 'success' && needs.staging-smoke.outputs.smoke_ran == 'true' }}
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     env:
       SHA: ${{ needs.staging-smoke.outputs.sha }}
       CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}

.gitea/workflows/sweep-aws-secrets.yml

@@ -65,7 +65,7 @@ jobs:
     name: Sweep AWS Secrets Manager
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     # 30 min cap, mirroring the other janitors. AWS DeleteSecret is
     # fast (~0.3s/call) so even a 100+ backlog drains in seconds
     # under the 8-way xargs parallelism, but the cap is set generously

.gitea/workflows/sweep-cf-orphans.yml

@@ -71,7 +71,7 @@ jobs:
     name: Sweep CF orphans
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     # 3 min surfaces hangs (CF API stall, AWS describe-instances stuck)
     # within one cron interval instead of burning a full tick. Realistic
     # worst case is ~2 min: 4 sequential curls + 1 aws + N×CF-DELETE

.gitea/workflows/sweep-cf-tunnels.yml

@@ -55,7 +55,7 @@ jobs:
     name: Sweep CF tunnels
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     # 30 min cap. Was 5 min on the theory that the only thing that
     # could take >5min is a CF-API hang — but on 2026-05-02 a backlog
     # of 672 stale tunnels accumulated (large staging E2E run + delayed

.gitea/workflows/test-ops-scripts.yml

@@ -46,7 +46,7 @@ jobs:
     name: Ops scripts (unittest)
     runs-on: ubuntu-latest
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

.gitea/workflows/weekly-platform-go.yml

@@ -31,7 +31,7 @@ jobs:
     name: Weekly Platform-Go Surface
     runs-on: ubuntu-latest
     # continue-on-error: surface only, never block
-    continue-on-error: true
+    continue-on-error: true  # mc#664
     defaults:
       run:
         working-directory: workspace-server