From c8c692e6006b295ec9c9d6030b9fed4180ced969 Mon Sep 17 00:00:00 2001
From: fullstack-engineer <fullstack-engineer@bot.moleculesai.app>
Date: Tue, 19 May 2026 13:13:39 -0700
Subject: [PATCH 1/2] ci: remove slash from tenant-token lint workflow name

---
 .gitea/workflows/lint-no-tenant-gitea-token.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitea/workflows/lint-no-tenant-gitea-token.yml b/.gitea/workflows/lint-no-tenant-gitea-token.yml
index ddd548f9f..3f5c89b34 100644
--- a/.gitea/workflows/lint-no-tenant-gitea-token.yml
+++ b/.gitea/workflows/lint-no-tenant-gitea-token.yml
@@ -1,4 +1,4 @@
-name: Lint no tenant GITEA/GITHUB token write
+name: Lint no tenant Gitea-GitHub token write
 
 # Task #146 — CI guardrail companion to RFC#523's `lint-forbidden-env-keys.yml`.
 #
-- 
2.52.0


From 4d626c76f3c6a98f82edc5cbb5b88107145fab28 Mon Sep 17 00:00:00 2001
From: fullstack-engineer <fullstack-engineer@bot.moleculesai.app>
Date: Tue, 19 May 2026 14:13:34 -0700
Subject: [PATCH 2/2] ci: annotate renamed tenant-token lint context

---
 .gitea/workflows/lint-no-tenant-gitea-token.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitea/workflows/lint-no-tenant-gitea-token.yml b/.gitea/workflows/lint-no-tenant-gitea-token.yml
index 3f5c89b34..d98849f54 100644
--- a/.gitea/workflows/lint-no-tenant-gitea-token.yml
+++ b/.gitea/workflows/lint-no-tenant-gitea-token.yml
@@ -58,6 +58,8 @@ env:
   GITHUB_SERVER_URL: https://git.moleculesai.app
 
 jobs:
+  # bp-exempt: merge protection is enforced through CI / all-required; this
+  # workflow is a component guardrail context rather than a direct BP context.
   scan:
     name: Scan for repo-host token write into tenant workspace surface
     runs-on: ubuntu-latest
-- 
2.52.0