
ci: add workspace-integrity gate (L2.3 pilot) #1

Closed
theLightArchitect wants to merge 1 commit into main from ci/workspace-integrity-gate

@theLightArchitect
Contributor

Summary

Adds a parallel integrity job that catches the bug class shipped four times during the 2026-04-28 session:

  • workspace member declared in Cargo.toml but source missing
  • feature-gated code that bit-rots without a test path
  • features that don't compile in isolation

Steps added

  1. cargo metadata --no-deps — workspace declaration parseable (~5s)
  2. cargo build --workspace --no-default-features (~30–90s)
  3. cargo build --workspace --all-features (~60–180s)

Why

Per the canonical artifact at ~/lightarchitects/soul/helix/user/standards/workspace-integrity-ci.yml: a 30-second CI check would have caught every shipped PR in the workspace-integrity bucket. Total CI cost added: ~2–4 minutes. Bug class prevented: every shipped fix-PR from that session.

Pilot rollout

This is the pilot for task #31 — first of 7-repo propagation (CORSO, EVA, SOUL, QUANTUM, SERAPH, AYIN, lightarchitects-sdk). AYIN chosen first because:

  • No SOUL git dep (simplest credential path)
  • 5-crate workspace exercises real --all-features surface
  • Standalone (failures don't cascade to other repos)

Test plan

  • Workspace integrity job passes on this PR
  • Existing quality / test / audit / smoke-test jobs unaffected
  • Total CI duration not significantly changed (parallel job)

Cross-references

  • ~/.claude/plans/permanent-fixes-2026-04-29.md (L2.3)
  • ~/lightarchitects/soul/helix/user/standards/workspace-integrity-ci.yml (canonical drop-in)
  • ~/lightarchitects/soul/helix/user/standards/builders-cookbook.md

🤖 Generated with Claude Code

Adds an `integrity` job that runs in parallel with `quality`, catching
the bug class shipped 4 times in the 2026-04-28 session:
  - workspace member declared but source missing
  - feature-gated code that bit-rots without a test path
  - features that don't compile in isolation

Steps (per ~/lightarchitects/soul/helix/user/standards/workspace-integrity-ci.yml):
  1. cargo metadata --no-deps  (~5s — workspace parseable)
  2. cargo build --workspace --no-default-features  (~30-90s)
  3. cargo build --workspace --all-features  (~60-180s)

Pilot rollout — first of 7-repo propagation tracked in task #31.
Cross-references:
  ~/.claude/plans/permanent-fixes-2026-04-29.md (L2.3)
  ~/lightarchitects/soul/helix/user/standards/builders-cookbook.md

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@theLightArchitect
Contributor Author

Independent code review — Agent E (feature-dev:code-reviewer)

VERDICT: ⚠️ drift-fix-needed

Gate logic (sound)

  • cargo metadata --format-version 1 --no-deps (workspace-parseable check)
  • cargo build --workspace --no-default-features (no continue-on-error)
  • cargo build --workspace --all-features (no continue-on-error)

Drift from canonical template

Canonical: ~/lightarchitects/soul/helix/user/standards/workspace-integrity-ci.yml

  1. GitLab credential step (concerning) — workflow writes ${SOUL_TOKEN} as plaintext to ~/.git-credentials on the runner:

    echo "https://gitlab-ci-token:${SOUL_TOKEN}@gitlab.com" > ~/.git-credentials

    Per memory project_gitlab_retirement.md (2026-04-29), GitLab is soft-retired. This step should be removed entirely — GitHub is canonical now. Even guarded by if: env.NEEDS_SOUL == true, it constitutes a credential-hygiene concern (token-on-disk on shared runner).

  2. Cache action drift — uses Swatinem/rust-cache@v2; canonical uses actions/cache@v4 with explicit registry/git/target path pinning.

Recommended action

Land as-is to unblock the integrity gate (the gate logic itself is correct), then file a follow-up PR in each repo to drop the gitlab credential step + align cache action with canonical. Tracked as Phase D / task #17.

cc: Phase D (#17) of ~/.claude/plans/immerse-yourself-and-get-idempotent-swing.md.
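
The credential-hygiene finding in the review above (a token redirected into ~/.git-credentials) can be checked mechanically before a workflow lands. The script below is an added example, not part of this PR or the canonical template; the regexes, function names and both sample workflows are constructed here, with only the `echo … > ~/.git-credentials` line taken from the review.

```shell
#!/usr/bin/env bash
# Added example: flag workflow lines that redirect a secret into a credential file.
# Patterns and sample workflows are constructed for illustration (heuristic, not exhaustive).

# Files that outlive the step and stay readable by later jobs on a shared runner.
CRED_FILES='\.git-credentials|\.netrc|\.npmrc|\.cargo/credentials'
# A ${VAR} or ${{ secrets.X }} expansion whose name suggests a secret.
SECRET_REF='\$\{[^}]*(TOKEN|SECRET|PASSWORD|secrets\.)'

# scan_workflow FILE: prints "LINE:text" per finding; returns 1 if anything was found.
scan_workflow() {
  _hits=$(grep -nE "(${SECRET_REF}).*>>?[[:space:]]*[^[:space:]]*(${CRED_FILES})" "$1" || true)
  if [ -n "$_hits" ]; then
    printf '%s\n' "$_hits"
    return 1
  fi
  return 0
}

# make_samples: writes two constructed workflow fragments into a temp dir ($SAMPLE_DIR).
make_samples() {
  SAMPLE_DIR=$(mktemp -d)
  cat > "$SAMPLE_DIR/bad.yml" <<'EOF'
jobs:
  integrity:
    runs-on: ubuntu-latest
    steps:
      - name: Configure SOUL git credentials
        if: env.NEEDS_SOUL == true
        run: |
          echo "https://gitlab-ci-token:${SOUL_TOKEN}@gitlab.com" > ~/.git-credentials
      - run: cargo build --workspace --all-features
EOF
  cat > "$SAMPLE_DIR/good.yml" <<'EOF'
jobs:
  integrity:
    runs-on: ubuntu-latest
    env:
      CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
    steps:
      - run: cargo metadata --format-version 1 --no-deps
      - run: cargo build --workspace --no-default-features
      - run: cargo build --workspace --all-features
EOF
}

make_samples
for f in "$SAMPLE_DIR"/*.yml; do
  scan_workflow "$f" || echo "FAIL: $f persists a secret to disk"
done
```

A secret passed through `env:` is not flagged because it never reaches a file; only a redirect into one of the listed credential files is.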

@theLightArchitect
Contributor Author

Closing per user direction (2026-04-29): no GitHub Actions runs while billing/Actions strategy is undecided. No code loss — this PR only adds CI workflow config to .github/workflows/ci.yml; the canonical workspace-integrity gate template is preserved at ~/lightarchitects/soul/helix/user/standards/workspace-integrity-ci.yml (Option B standalone form) and can be reapplied to any repo when CI strategy is finalized.

Reapply path:

  1. Decide on CI strategy (self-hosted runners / public repos / paid Actions / no CI)
  2. Copy canonical template into target repo's .github/workflows/workspace-integrity.yml
  3. Drop the Configure SOUL git credentials step (GitLab is retired per memory project_gitlab_retirement.md)
  4. Open fresh narrow PR

Tracked: tasks #17 + #24 in plan ~/.claude/plans/immerse-yourself-and-get-idempotent-swing.md.
