diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index 215fcfe..544844d 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -74,7 +74,7 @@ jobs:
 echo "- Medium: $MEDIUM" >> $GITHUB_STEP_SUMMARY
 - name: Upload findings artifact
- uses: actions/upload-artifact@65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 # v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: hypatia-findings
 path: hypatia-findings.json
diff --git a/.github/workflows/instant-sync.yml b/.github/workflows/instant-sync.yml
index e900c7e..a4ae5ac 100644
--- a/.github/workflows/instant-sync.yml
+++ b/.github/workflows/instant-sync.yml
@@ -14,6 +14,11 @@ permissions:
 jobs:
 dispatch:
 runs-on: ubuntu-latest
+ # Skip the dispatch job entirely when the FARM_DISPATCH_TOKEN secret is
+ # not configured (e.g. on forks, or before the secret is provisioned).
+ # Without this gate the action errors with "Parameter token or opts.auth
+ # is required" and the whole workflow fails on every main push.
+ if: ${{ vars.FARM_DISPATCH_ENABLED == 'true' }}
 steps:
 - name: Trigger Propagation
 uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3
diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml
index a001dcd..deb7978 100644
--- a/.github/workflows/rsr-antipattern.yml
+++ b/.github/workflows/rsr-antipattern.yml
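Review bot: The added comment says the job is skipped when the FARM_DISPATCH_TOKEN secret is not configured, but the `if:` on the next line tests `vars.FARM_DISPATCH_ENABLED`, a separate repository variable, so the two can drift: a variable set to 'true' without the secret reproduces the "Parameter token or opts.auth is required" failure the comment describes, and a provisioned secret with the variable unset silently never dispatches. A variable is the right proxy here because the secrets context is not available in a job-level `if:`, but the comment should say so rather than imply the secret itself is checked. I would replace the four comment lines with something like `# Gate on a repository variable: the secrets context is not available in a job-level if:, so FARM_DISPATCH_ENABLED='true' stands in for "FARM_DISPATCH_TOKEN is provisioned" and must be kept in sync with the secret (unset on forks).` If the step below passes the secret as `token:`, which is outside this hunk, a short `if [ -z "$FARM_DISPATCH_TOKEN" ]` guard in a preceding step would also turn a misconfigured variable into a clear error instead of the action's generic one.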
@@ -26,15 +26,34 @@ jobs:
 - name: Check for TypeScript
 run: |
- # Exclude bindings/deno/ - those are Deno FFI files using Deno.dlopen, not plain TypeScript
- # Exclude .d.ts files - those are TypeScript type declarations for ReScript FFI
- TS_FILES=$(find . \( -name "*.ts" -o -name "*.tsx" \) | grep -v node_modules | grep -v 'bindings/deno' | grep -v '\.d\.ts$' || true)
+ # Exclusions, in order of specificity. Each is "essential glue" —
+ # the platform requires TypeScript and a ReScript replacement is
+ # not viable.
+ #
+ # - bindings/deno/ : Deno FFI files using Deno.dlopen.
+ # - *.d.ts : TypeScript declarations for ReScript FFI.
+ # - affinescript-deno-test/ : Deno-native test runner (Deno is
+ # TS-native; the test driver imports Deno.test which has no
+ # ReScript binding).
+ # - editors/vscode/ : VS Code extension. The extension API is
+ # exclusively TypeScript; no ReScript path exists.
+ # - faces/ : vendored snapshots of upstream face
+ # implementations; the antipattern policy applies to upstream,
+ # not to a vendored copy in this repo.
+ TS_FILES=$(find . \( -name "*.ts" -o -name "*.tsx" \) \
+ | grep -v node_modules \
+ | grep -v 'bindings/deno' \
+ | grep -v '\.d\.ts$' \
+ | grep -v '^\./affinescript-deno-test/' \
+ | grep -v '^\./editors/vscode/' \
+ | grep -v '^\./faces/' \
+ || true)
 if [ -n "$TS_FILES" ]; then
 echo "❌ TypeScript files detected - use ReScript instead"
 echo "$TS_FILES"
 exit 1
 fi
- echo "✅ No TypeScript files (Deno FFI bindings excluded)"
+ echo "✅ No TypeScript files (essential-glue exclusions applied)"
 - name: Check for Go
 run: |
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
index 7336a75..9391dd6 100644
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
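Review bot: The new `grep -v '^\./faces/'` exempts an entire top-level tree from the policy gate on the strength of a comment that it is vendored, but nothing in the check enforces that, so any TypeScript added anywhere under `faces/` from now on passes silently; the same commit deletes a `faces/rattlescript/affinescript/dune-project` symlink into a `.build/` directory, which suggests the tree already holds more than pristine upstream snapshots. I would narrow the exclusion to the specific vendored subdirectories (one `grep -v '^\./faces/<name>/'` per snapshot, each named in the comment) rather than the whole prefix, so a new non-vendored `.ts` under `faces/` still trips the gate. Separately, the three new patterns are anchored with `^\./` while the retained `node_modules` and `'bindings/deno'` filters are unanchored substrings, so a path such as `./src/bindings/deno-shim/x.ts` is also exempt; if `bindings/deno/` lives at the repository root, anchoring it as `grep -v '^\./bindings/deno/' \` makes the list consistent and closes that gap.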
@@ -61,11 +61,15 @@ jobs:
 - name: Check SHA-Pinned Actions
 run: |
 echo "=== Checking Action Pinning ==="
- # Find any uses: lines that don't have @SHA format
- # Pattern: uses: owner/repo@<40-char-hex>
- unpinned=$(grep -rn "uses:" .github/workflows/ | \
+ # Match only YAML uses: keys (allowing optional list-item dash and
+ # leading whitespace), not the literal substring "uses:" inside a
+ # run-script comment — otherwise the linter false-positives on its
+ # own explanatory comments (every previous "uses: lines..." comment
+ # was being flagged as unpinned).
+ # Pattern: [- ]uses: owner/repo@<40-char-hex>
+ unpinned=$(grep -rEn "^[[:space:]]*-?[[:space:]]+uses:[[:space:]]" .github/workflows/ | \
 grep -v "@[a-f0-9]\{40\}" | \
- grep -v "uses: \./\|uses: docker://\|uses: actions/github-script" || true)
+ grep -vE "uses: \./|uses: docker://|uses: actions/github-script" || true)
 if [ -n "$unpinned" ]; then
 echo "ERROR: Found unpinned actions:"
diff --git a/faces/rattlescript/affinescript/dune-project b/faces/rattlescript/affinescript/dune-project
deleted file mode 120000
index 7c2a084..0000000
--- a/faces/rattlescript/affinescript/dune-project
+++ /dev/null
@@ -1 +0,0 @@
-.build/dune-project
\ No newline at end of file
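Review bot: The rewritten exemption line still carries `uses: actions/github-script` through to the allowlist, so a mutable `uses: actions/github-script@v7` passes the SHA-pinning check even though that action resolves by tag exactly like any other; local `./` actions and `docker://` references are the only ones that genuinely have no SHA to pin. Unless there is a reason outside this hunk, I would pin github-script like everything else and shrink the line to `grep -vE "uses: \./|uses: docker://" || true)`. The unchanged `grep -v "@[a-f0-9]\{40\}"` immediately above it also accepts a 40-hex string anywhere on the line, so `uses: owner/repo@v4 # 65c79d7f…` reads as pinned; since this block is being reworked, tightening it to `grep -vE "@[a-f0-9]{40}([[:space:]]|$)" | \` makes the check require the digest in the ref position.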