From bafb680d3f172811bb07b485f34ee2ed082f79ce Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Wed, 24 Jun 2026 15:30:52 +0100
Subject: [PATCH] ci(language-policy): carve out Kotlin/JVM consumer interop from banned-languages gate
The governance-reusable.yml `language-policy` job's JAVA_FILES check globs `*.java *.kt *.kts` and hard-fails any match outside the narrow Android carve-out. This flagged three repos that carry Kotlin/Groovy as legitimate consumer-facing JVM interop (NOT primary mobile app code), which Tauri/Dioxus cannot replace: - proven-servers -> bindings/kotlin/** (~102 files) - proven -> bindings/kotlin/** + bindings/groovy/** - universal-language-server-plugin -> clients/jetbrains/** (Kotlin-native IntelliJ Platform plugin API) Add three path-exclusion carve-outs to JAVA_FILES, exactly parallel to the existing TS bindings/typescript/ + bindings/deno/ and clients/vscode/ editor-host carve-outs: - bindings/kotlin/ (consumer binding) - bindings/groovy/ (consumer binding) - clients/jetbrains/ (editor-host plugin) .groovy is added to the ls-files set so the carve-out is explicit and future Groovy outside these dirs is still caught. Mobile Kotlin/Swift remains banned. The carve-out and its rationale are documented inline in the workflow comment block (the single source of truth). No licence/SPDX edits.
Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/governance-reusable.yml | 32 +++++++++++++++++++----
 1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/governance-reusable.yml b/.github/workflows/governance-reusable.yml
index 60d1ce11..45784e6b 100644
--- a/.github/workflows/governance-reusable.yml
+++ b/.github/workflows/governance-reusable.yml
@@ -200,7 +200,7 @@ jobs:
 # 3. Inline `# hypatia:ignore ...` pragma in the file's first
 # 8 lines — the same escape the Hypatia scanner itself
 # honours.
- - name: Check banned-language files (ReScript / Go / Python / Java / Kotlin / Swift / Dart / V-lang / ATS2 / Makefile)
+ - name: Check banned-language files (ReScript / Go / Python / Java / Kotlin / Groovy / Swift / Dart / V-lang / ATS2 / Makefile)
 run: |
 rule_module="cicd_rules"
 rule_type="banned_language_file"
@@ -307,9 +307,31 @@ jobs:
 # name at platform boundaries — Rust/Zig cannot provide JVM
 # bytecode for these. Each Android Java shim must be a minimal
 # delegating wrapper (typically <10 LoC) that JNIs into Rust/Zig
- # immediately. Kotlin (*.kt, *.kts) remains banned outright.
- JAVA_FILES=$(git ls-files '*.java' '*.kt' '*.kts' \
- | grep -vE '(^|/)android/.*/src/.*\.java$' || true)
+ # immediately.
+ #
+ # Kotlin/JVM INTEROP carve-out 2026-06-24 (parallel to the TS
+ # `bindings/typescript/` / `bindings/deno/` / `clients/vscode/`
+ # interop carve-outs): Kotlin/Groovy is banned for MOBILE app code
+ # (→ Tauri/Dioxus), but is PERMITTED as consumer-facing JVM interop
+ # — directories where we author bindings that expose an estate
+ # library to JVM consumers, or an IDE-host plugin whose plugin API
+ # is Kotlin-native. Tauri/Dioxus cannot replace a consumer binding
+ # or an editor-host plugin. Three path classes are exempt:
+ # * **/bindings/kotlin/** — Kotlin bindings exposing a library to
+ # JVM consumers (exemplars: proven-servers, proven).
+ # * **/bindings/groovy/** — Groovy bindings, same rationale
+ # (exemplar: proven).
+ # * **/clients/jetbrains/** — JetBrains IDE plugin; the IntelliJ
+ # Platform plugin API is Kotlin-native (exemplar:
+ # universal-language-server-plugin).
+ # Unblock condition: never (consumer binding / editor-host plugin).
+ # `.groovy` is included in the ls-files set ONLY so the carve-out is
+ # explicit and future Groovy bindings outside these dirs are caught.
+ JAVA_FILES=$(git ls-files '*.java' '*.kt' '*.kts' '*.groovy' \
+ | grep -vE '(^|/)android/.*/src/.*\.java$' \
+ | grep -vE '(^|/)bindings/kotlin/' \
+ | grep -vE '(^|/)bindings/groovy/' \
+ | grep -vE '(^|/)clients/jetbrains/' || true)
 SWIFT_FILES=$(git ls-files '*.swift' || true)
 DART_FILES=$(git ls-files '*.dart' 'pubspec.yaml' || true)
 # V-lang detected by manifest (v.mod / vpkg.json); the .v extension
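Review bot: The three new `grep -vE` exclusions in the JAVA_FILES pipeline match on directory name alone, at any depth and for every globbed extension, so any `.java`, `.kt`, `.kts` or `.groovy` file placed under a directory called `bindings/kotlin/`, `bindings/groovy/` or `clients/jetbrains/` passes the gate in every repository that calls this reusable workflow, not only in the three exemplars named in the comment. Unlike the existing Android carve-out, which is anchored with `\.java$`, nothing ties each exemption to the language its directory is documented for, so the statement that mobile Kotlin remains banned holds only by naming convention. Consider anchoring each pattern to its extension, for example `| grep -vE '(^|/)bindings/kotlin/.*\.kts?$' \`, `| grep -vE '(^|/)bindings/groovy/.*\.groovy$' \` and `| grep -vE '(^|/)clients/jetbrains/.*\.kts?$' || true)`, widening them only if those trees are known to need Java sources. The enclosing `run:` script starts and ends outside this hunk.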
@@ -322,7 +344,7 @@ jobs:
 enforce "Go files" "use Rust/WASM instead" "$GO_FILES"
 enforce "Python files" "Python is fully banned — use AffineScript/Rust/SPARK/Julia (SaltStack carveout removed 2026-01-03)" "$PY_FILES"
 enforce "Makefiles" "use Mustfile/justfile instead" "$MAKE_FILES"
- enforce "Java/Kotlin files" "use Rust/Tauri/Dioxus instead" "$JAVA_FILES"
+ enforce "Java/Kotlin/Groovy files" "use Rust/Tauri/Dioxus instead (consumer JVM interop is exempt under bindings/kotlin, bindings/groovy, clients/jetbrains)" "$JAVA_FILES"
 enforce "Swift files" "use Tauri/Dioxus instead" "$SWIFT_FILES"
 enforce "Flutter/Dart files" "use Tauri/Dioxus instead (Google lock-in)" "$DART_FILES"
 enforce "V-lang manifests (v.mod / vpkg.json)" "V-lang is banned since 2026-04-10 — migrate to Zig" "$VMOD_FILES"