diff --git a/.github/workflows/main-branch-flow.md b/.github/workflows/main-branch-flow.md
index 8fb539d33..094314107 100644
--- a/.github/workflows/main-branch-flow.md
+++ b/.github/workflows/main-branch-flow.md
@@ -13,11 +13,10 @@ Use this with:
 | Event | Main workflows |
 | --- | --- |
 | PR activity (`pull_request_target`) | `pr-intake-checks.yml`, `pr-labeler.yml`, `pr-auto-response.yml` |
-| PR activity (`pull_request`) | `ci-run.yml`, `feature-matrix.yml` (Rust/workflow paths), `sec-audit.yml`, `sec-codeql.yml` (when Rust/codeql paths change), `main-promotion-gate.yml` (for `main` PRs), plus path-scoped workflows |
-| Push to `dev`/`main` | `ci-run.yml`, `feature-matrix.yml` (Rust/workflow paths), `sec-audit.yml`, `sec-codeql.yml` (when Rust/codeql paths change), plus path-scoped workflows |
-| Merge queue (`merge_group`) | `ci-run.yml`, `feature-matrix.yml`, `sec-audit.yml`, `sec-codeql.yml` |
-| Tag push (`v*`) | `pub-release.yml` publish mode, `pub-docker-img.yml` publish job, `pub-prerelease.yml` (for `v*-alpha.*`, `v*-beta.*`, `v*-rc.*`) |
-| Scheduled/manual | `pub-release.yml` verification mode, `pub-prerelease.yml` (manual), `ci-canary-gate.yml`, `pub-homebrew-core.yml` (manual), `sec-codeql.yml`, `ci-connectivity-probes.yml`, `ci-provider-connectivity.yml`, `ci-reproducible-build.yml`, `ci-supply-chain-provenance.yml`, `ci-change-audit.yml` (manual), `ci-rollback.yml` (weekly/manual), `feature-matrix.yml`, `nightly-all-features.yml`, `docs-deploy.yml` (manual), `test-fuzz.yml`, `pr-check-stale.yml`, `pr-check-status.yml`, `sync-contributors.yml`, `test-benchmarks.yml`, `test-e2e.yml` |
+| PR activity (`pull_request`) | `ci-run.yml`, `sec-audit.yml`, `main-promotion-gate.yml` (for `main` PRs), plus path-scoped workflows |
+| Push to `dev`/`main` | `ci-run.yml`, `sec-audit.yml`, plus path-scoped workflows |
+| Tag push (`v*`) | `pub-release.yml` publish mode, `pub-docker-img.yml` publish job |
+| Scheduled/manual | `pub-release.yml` verification mode, `sec-codeql.yml`, `feature-matrix.yml`, `test-fuzz.yml`, `pr-check-stale.yml`, `pr-check-status.yml`, `sync-contributors.yml`, `test-benchmarks.yml`, `test-e2e.yml` |
 
 ## Runtime and Docker Matrix
 
@@ -35,7 +34,6 @@ Observed averages below are from recent completed runs (sampled from GitHub Acti
 | `pub-docker-img.yml` (`pull_request`) | Docker build-input PR changes | 240.4s | Yes | Yes | No |
 | `pub-docker-img.yml` (`push`) | tag push `v*` | 139.9s | Yes | No | Yes |
 | `pub-release.yml` | Tag push `v*` (publish) + manual/scheduled verification (no publish) | N/A in recent sample | No | No | No |
-| `pub-homebrew-core.yml` | Manual workflow dispatch only | N/A in recent sample | No | No | No |
 
 Notes:
 
@@ -204,12 +202,6 @@ Canary policy lane:
 2. `scripts/ci/canary_guard.py` evaluates metrics against `.github/release/canary-policy.json`.
 3. Decision output is explicit (`promote`, `hold`, `abort`) with auditable artifacts and optional dispatch signal.
 
-Manual Homebrew formula flow:
-
-1. Run `.github/workflows/pub-homebrew-core.yml` with `release_tag=vX.Y.Z`.
-2. Use `dry_run=true` first to validate formula patch and metadata.
-3. Use `dry_run=false` to push from bot fork and open `homebrew-core` PR.
-
 ## Merge/Policy Notes
 
 1. Workflow-file changes (`.github/workflows/**`) activate owner-approval gate in `ci-run.yml`.
diff --git a/.github/workflows/pub-homebrew-core.yml b/.github/workflows/pub-homebrew-core.yml
deleted file mode 100644
index ec7eb2209..000000000
--- a/.github/workflows/pub-homebrew-core.yml
+++ /dev/null
@@ -1,221 +0,0 @@
-name: Pub Homebrew Core
-
-on:
-    workflow_dispatch:
-        inputs:
-            release_tag:
-                description: "Existing release tag to publish (vX.Y.Z)"
-                required: true
-                type: string
-            dry_run:
-                description: "Patch formula only (no push/PR)"
-                required: false
-                default: true
-                type: boolean
-
-concurrency:
-    group: homebrew-core-${{ github.run_id }}
-    cancel-in-progress: false
-
-permissions:
-    contents: read
-
-jobs:
-    publish-homebrew-core:
-        name: Publish Homebrew Core PR
-        runs-on: blacksmith-2vcpu-ubuntu-2404
-        env:
-            UPSTREAM_REPO: Homebrew/homebrew-core
-            FORMULA_PATH: Formula/z/zeroclaw.rb
-            RELEASE_TAG: ${{ inputs.release_tag }}
-            DRY_RUN: ${{ inputs.dry_run }}
-            BOT_FORK_REPO: ${{ vars.HOMEBREW_CORE_BOT_FORK_REPO }}
-            BOT_EMAIL: ${{ vars.HOMEBREW_CORE_BOT_EMAIL }}
-        steps:
-            - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-              with:
-                  fetch-depth: 0
-
-            - name: Validate release tag and version alignment
-              id: release_meta
-              shell: bash
-              run: |
-                  set -euo pipefail
-
-                  semver_pattern='^v[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$'
-                  if [[ ! "$RELEASE_TAG" =~ $semver_pattern ]]; then
-                    echo "::error::release_tag must match semver-like format (vX.Y.Z[-suffix])."
-                    exit 1
-                  fi
-
-                  if ! git rev-parse "refs/tags/${RELEASE_TAG}" >/dev/null 2>&1; then
-                    git fetch --tags origin
-                  fi
-
-                  tag_version="${RELEASE_TAG#v}"
-                  cargo_version="$(git show "${RELEASE_TAG}:Cargo.toml" | sed -n 's/^version = "\([^"]*\)"/\1/p' | head -n1)"
-                  if [[ -z "$cargo_version" ]]; then
-                    echo "::error::Unable to read Cargo.toml version from tag ${RELEASE_TAG}."
-                    exit 1
-                  fi
-                  if [[ "$cargo_version" != "$tag_version" ]]; then
-                    echo "::error::Tag ${RELEASE_TAG} does not match Cargo.toml version (${cargo_version})."
-                    echo "::error::Bump Cargo.toml first, then publish Homebrew."
-                    exit 1
-                  fi
-
-                  tarball_url="https://github.com/${GITHUB_REPOSITORY}/archive/refs/tags/${RELEASE_TAG}.tar.gz"
-                  tarball_sha="$(curl -fsSL "$tarball_url" | sha256sum | awk '{print $1}')"
-
-                  {
-                    echo "tag_version=$tag_version"
-                    echo "tarball_url=$tarball_url"
-                    echo "tarball_sha=$tarball_sha"
-                  } >> "$GITHUB_OUTPUT"
-
-                  {
-                    echo "### Release Metadata"
-                    echo "- release_tag: ${RELEASE_TAG}"
-                    echo "- cargo_version: ${cargo_version}"
-                    echo "- tarball_sha256: ${tarball_sha}"
-                    echo "- dry_run: ${DRY_RUN}"
-                  } >> "$GITHUB_STEP_SUMMARY"
-
-            - name: Patch Homebrew formula
-              id: patch_formula
-              shell: bash
-              env:
-                  HOMEBREW_CORE_BOT_TOKEN: ${{ secrets.HOMEBREW_UPSTREAM_PR_TOKEN || secrets.HOMEBREW_CORE_BOT_TOKEN }}
-                  GH_TOKEN: ${{ secrets.HOMEBREW_UPSTREAM_PR_TOKEN || secrets.HOMEBREW_CORE_BOT_TOKEN }}
-              run: |
-                  set -euo pipefail
-
-                  tmp_repo="$(mktemp -d)"
-                  echo "tmp_repo=$tmp_repo" >> "$GITHUB_OUTPUT"
-
-                  if [[ "$DRY_RUN" == "true" ]]; then
-                    git clone --depth=1 "https://github.com/${UPSTREAM_REPO}.git" "$tmp_repo/homebrew-core"
-                  else
-                    if [[ -z "${BOT_FORK_REPO}" ]]; then
-                      echo "::error::Repository variable HOMEBREW_CORE_BOT_FORK_REPO is required when dry_run=false."
-                      exit 1
-                    fi
-                    if [[ -z "${HOMEBREW_CORE_BOT_TOKEN}" ]]; then
-                      echo "::error::Repository secret HOMEBREW_CORE_BOT_TOKEN is required when dry_run=false."
-                      exit 1
-                    fi
-                    if [[ "$BOT_FORK_REPO" != */* ]]; then
-                      echo "::error::HOMEBREW_CORE_BOT_FORK_REPO must be in owner/repo format."
-                      exit 1
-                    fi
-                    if ! command -v gh >/dev/null 2>&1; then
-                      echo "::error::gh CLI is required on the runner."
-                      exit 1
-                    fi
-                    if [[ -z "${GH_TOKEN:-}" ]]; then
-                      echo "::error::Repository secret HOMEBREW_CORE_BOT_TOKEN is missing."
-                      exit 1
-                    fi
-                    if ! gh api "repos/${BOT_FORK_REPO}" >/dev/null 2>&1; then
-                      echo "::error::HOMEBREW_CORE_BOT_TOKEN cannot access ${BOT_FORK_REPO}."
-                      exit 1
-                    fi
-                    gh repo clone "${BOT_FORK_REPO}" "$tmp_repo/homebrew-core" -- --depth=1
-                  fi
-
-                  repo_dir="$tmp_repo/homebrew-core"
-                  formula_file="$repo_dir/$FORMULA_PATH"
-                  if [[ ! -f "$formula_file" ]]; then
-                    echo "::error::Formula file not found: $FORMULA_PATH"
-                    exit 1
-                  fi
-
-                  if [[ "$DRY_RUN" == "false" ]]; then
-                    if git -C "$repo_dir" remote get-url upstream >/dev/null 2>&1; then
-                      git -C "$repo_dir" remote set-url upstream "https://github.com/${UPSTREAM_REPO}.git"
-                    else
-                      git -C "$repo_dir" remote add upstream "https://github.com/${UPSTREAM_REPO}.git"
-                    fi
-                    if git -C "$repo_dir" ls-remote --exit-code --heads upstream main >/dev/null 2>&1; then
-                      upstream_ref="main"
-                    else
-                      upstream_ref="master"
-                    fi
-                    git -C "$repo_dir" fetch --depth=1 upstream "$upstream_ref"
-                    branch_name="zeroclaw-${RELEASE_TAG}-${GITHUB_RUN_ID}"
-                    git -C "$repo_dir" checkout -B "$branch_name" "upstream/$upstream_ref"
-                    echo "branch_name=$branch_name" >> "$GITHUB_OUTPUT"
-                  fi
-
-                  tarball_url="${{ steps.release_meta.outputs.tarball_url }}"
-                  tarball_sha="${{ steps.release_meta.outputs.tarball_sha }}"
-
-                  perl -0pi -e "s|^  url \".*\"|  url \"${tarball_url}\"|m" "$formula_file"
-                  perl -0pi -e "s|^  sha256 \".*\"|  sha256 \"${tarball_sha}\"|m" "$formula_file"
-                  perl -0pi -e "s|^  license \".*\"|  license \"Apache-2.0 OR MIT\"|m" "$formula_file"
-                  perl -0pi -e 's|^  head "https://github\.com/zeroclaw-labs/zeroclaw\.git".*|  head "https://github.com/zeroclaw-labs/zeroclaw.git"|m' "$formula_file"
-
-                  git -C "$repo_dir" diff -- "$FORMULA_PATH" > "$tmp_repo/formula.diff"
-                  if [[ ! -s "$tmp_repo/formula.diff" ]]; then
-                    echo "::error::No formula changes generated. Nothing to publish."
-                    exit 1
-                  fi
-
-                  {
-                    echo "### Formula Diff"
-                    echo '```diff'
-                    cat "$tmp_repo/formula.diff"
-                    echo '```'
-                  } >> "$GITHUB_STEP_SUMMARY"
-
-            - name: Push branch and open Homebrew PR
-              if: ${{ inputs.dry_run == false }}
-              shell: bash
-              env:
-                  GH_TOKEN: ${{ secrets.HOMEBREW_UPSTREAM_PR_TOKEN || secrets.HOMEBREW_CORE_BOT_TOKEN }}
-              run: |
-                  set -euo pipefail
-
-                  repo_dir="${{ steps.patch_formula.outputs.tmp_repo }}/homebrew-core"
-                  branch_name="${{ steps.patch_formula.outputs.branch_name }}"
-                  tag_version="${{ steps.release_meta.outputs.tag_version }}"
-                  fork_owner="${BOT_FORK_REPO%%/*}"
-                  bot_email="${BOT_EMAIL:-${fork_owner}@users.noreply.github.com}"
-
-                  git -C "$repo_dir" config user.name "$fork_owner"
-                  git -C "$repo_dir" config user.email "$bot_email"
-                  git -C "$repo_dir" add "$FORMULA_PATH"
-                  git -C "$repo_dir" commit -m "zeroclaw ${tag_version}"
-                  if [[ -z "${GH_TOKEN:-}" ]]; then
-                    echo "::error::Repository secret HOMEBREW_CORE_BOT_TOKEN is missing."
-                    exit 1
-                  fi
-                  gh auth setup-git
-                  git -C "$repo_dir" push --set-upstream origin "$branch_name"
-
-                  pr_title="zeroclaw ${tag_version}"
-                  pr_body=$(cat <<EOF
-                  Automated formula bump from ZeroClaw release workflow.
-
-                  - Release tag: ${RELEASE_TAG}
-                  - Source tarball: ${{ steps.release_meta.outputs.tarball_url }}
-                  - Source sha256: ${{ steps.release_meta.outputs.tarball_sha }}
-                  EOF
-                  )
-
-                  gh pr create \
-                    --repo "$UPSTREAM_REPO" \
-                    --base main \
-                    --head "${fork_owner}:${branch_name}" \
-                    --title "$pr_title" \
-                    --body "$pr_body"
-
-            - name: Summary output
-              shell: bash
-              run: |
-                  set -euo pipefail
-                  if [[ "$DRY_RUN" == "true" ]]; then
-                    echo "Dry run complete: formula diff generated, no push/PR performed."
-                  else
-                    echo "Publish complete: branch pushed and PR opened from bot fork."
-                  fi
diff --git a/docs/ci-map.md b/docs/ci-map.md
index d5e3cb47a..9a6ef69ef 100644
--- a/docs/ci-map.md
+++ b/docs/ci-map.md
@@ -61,19 +61,6 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
     - Noise control: excludes common test/fixture paths and test file patterns by default (`include_tests=false`)
 - `.github/workflows/pub-release.yml` (`Release`)
     - Purpose: build release artifacts in verification mode (manual/scheduled) and publish GitHub releases on tag push or manual publish mode
-    - Additional behavior: `release_trigger_guard.py` enforces stable-tag contract, annotated-tag requirement, actor authorization allowlist, and emits trigger-provenance audit artifacts
-    - Additional behavior: `release_artifact_guard.py` enforces `.github/release/release-artifact-contract.json` in verify/publish stages and emits auditable guard reports (`release-artifact-guard-verify`, `release-artifact-guard.publish.json`)
-    - Additional behavior: `release_notes_with_supply_chain_refs.py` composes release-note preface links for manifest/SBOM/provenance artifacts while GitHub auto-generates commit-window notes
-- `.github/workflows/pub-prerelease.yml` (`Pub Pre-release`)
-    - Purpose: validate alpha/beta/rc/stable policy matrix integrity, enforce stage progression + monotonic stage numbering + tag/version integrity, publish transition audit trail and release-stage history, and optionally publish GitHub prerelease assets
-- `.github/workflows/ci-canary-gate.yml` (`CI Canary Gate`)
-    - Purpose: evaluate canary metrics against policy thresholds (`promote` / `hold` / `abort`) with auditable artifacts, guarded execute mode, and optional auto-dispatch to `CI Rollback Guard` on `abort`
-- `.github/workflows/docs-deploy.yml` (`Docs Deploy`)
-    - Purpose: docs quality checks + preview artifacts + GitHub Pages production deployment lane
-    - Additional behavior: `docs_deploy_guard.py` enforces `.github/release/docs-deploy-policy.json` for preview/production promotion and manual rollback ref validation, with audit-event artifacts
-- `.github/workflows/pub-homebrew-core.yml` (`Pub Homebrew Core`)
-    - Purpose: manual, bot-owned Homebrew core formula bump PR flow for tagged releases
-    - Guardrail: release tag must match `Cargo.toml` version
 - `.github/workflows/pr-label-policy-check.yml` (`Label Policy Sanity`)
     - Purpose: validate shared contributor-tier policy in `.github/label-policy.json` and ensure label workflows consume that policy
 - `.github/workflows/test-rust-build.yml` (`Rust Reusable Job`)
@@ -113,17 +100,7 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
 - `Feature Matrix`: PR/push on Rust + workflow paths, merge queue, weekly schedule, manual dispatch
 - `Nightly All-Features`: daily schedule and manual dispatch
 - `Release`: tag push (`v*`), weekly schedule (verification-only), manual dispatch (verification or publish)
-- `Pub Pre-release`: pre-release tag pushes (`v*-alpha.*`, `v*-beta.*`, `v*-rc.*`) and manual dispatch
-- `CI Canary Gate`: weekly schedule (policy check) and manual dispatch (`dry-run` / `execute`)
-- `Docs Deploy`: docs/README path changes on PR/push + manual dispatch (`preview` / `production`)
-- `Connectivity Probes`: manual dispatch only (legacy wrapper)
-- `Pub Homebrew Core`: manual dispatch only
-- `Security Audit`: push to `dev` and `main`, PRs to `dev` and `main`, merge queue `merge_group` for `dev`/`main`, weekly schedule
-- `CI/CD Change Audit`: PR/push on CI/security workflow paths, manual dispatch
-- `CI Provider Connectivity`: schedule every 6 hours, manual dispatch, and PR/push for probe config/script/workflow changes
-- `CI Reproducible Build`: PR/push on Rust/build paths, weekly schedule, manual dispatch
-- `CI Supply Chain Provenance`: push on Rust/build paths, weekly schedule, manual dispatch
-- `CI Rollback Guard`: weekly schedule (plan-only) and manual dispatch (`dry-run` or guarded `execute`)
+- `Security Audit`: push to `dev` and `main`, PRs to `dev` and `main`, weekly schedule
 - `Sec Vorpal Reviewdog`: manual dispatch only
 - `Workflow Sanity`: PR/push when `.github/workflows/**`, `.github/*.yml`, or `.github/*.yaml` change
 - `Main Promotion Gate`: PRs to `main` only; requires PR author `willsarg`/`theonlyhennygod` and head branch `dev` in the same repository
@@ -141,27 +118,12 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
 2. Docker failures on PRs: inspect `.github/workflows/pub-docker-img.yml` `pr-smoke` job.
    - For tag-publish failures, inspect `ghcr-publish-contract.json` / `audit-event-ghcr-publish-contract.json`, `ghcr-vulnerability-gate.json` / `audit-event-ghcr-vulnerability-gate.json`, and Trivy artifacts from `pub-docker-img.yml`.
 3. Release failures (tag/manual/scheduled): inspect `.github/workflows/pub-release.yml` and the `prepare` job outputs.
-   - Start with `release-trigger-guard.json` / `audit-event-release-trigger-guard.json` artifacts for authorization and provenance failures.
-   - Then inspect `release-artifact-guard.verify.json` / `release-artifact-guard.publish.json` and corresponding audit-event envelopes for contract completeness failures.
-4. Homebrew formula publish failures: inspect `.github/workflows/pub-homebrew-core.yml` summary output and bot token/fork variables.
-5. Security failures: inspect `.github/workflows/sec-audit.yml` and `deny.toml`.
-6. Connectivity probe failures: inspect `connectivity-summary.md` and `connectivity-report.json` artifacts from `.github/workflows/ci-connectivity-probes.yml`; apply runbook in `docs/operations/connectivity-probes-runbook.md`.
-7. CI policy failures (`unpinned action` / `pipe-to-shell` / `permissions: write-all` / `pull_request_target`): inspect `.github/workflows/ci-change-audit.yml` summary + artifact.
-8. Provider connectivity drift/incidents: inspect `.github/workflows/ci-provider-connectivity.yml` summary + artifact.
-9. Reproducibility drift signals: inspect `.github/workflows/ci-reproducible-build.yml` artifacts.
-10. Provenance/signing failures: inspect `.github/workflows/ci-supply-chain-provenance.yml` logs and bundle artifacts.
-11. Rollback planning/execution issues: inspect `.github/workflows/ci-rollback.yml` summary + `ci-rollback-plan` artifact.
-12. Workflow syntax/lint failures: inspect `.github/workflows/workflow-sanity.yml`.
-13. PR intake failures: inspect `.github/workflows/pr-intake-checks.yml` sticky comment and run logs.
-14. Label policy parity failures: inspect `.github/workflows/pr-label-policy-check.yml`.
-15. Docs failures in CI: inspect `docs-quality` job logs in `.github/workflows/ci-run.yml`.
-16. Strict delta lint failures in CI: inspect `lint-strict-delta` job logs and compare with `BASE_SHA` diff scope.
-17. Suspected flaky tests: inspect `Test Flake Retry Probe` summary and `test-flake-probe` artifact in `.github/workflows/ci-run.yml`.
-18. Feature-combo regressions: inspect `.github/workflows/feature-matrix.yml` summary artifact and lane JSON reports.
-19. Nightly integration drift: inspect `.github/workflows/nightly-all-features.yml` summary and lane owner mapping.
-20. Pre-release stage gate failures: inspect `.github/workflows/pub-prerelease.yml` guard artifact (`prerelease-guard.json`), starting from `transition` and `stage_history` fields.
-21. Canary gate hold/abort decisions: inspect `.github/workflows/ci-canary-gate.yml` guard artifact (`canary-guard.json`); on `abort`, verify rollback dispatch summary and follow-up `ci-rollback` run.
-22. Docs deploy failures: inspect `.github/workflows/docs-deploy.yml` quality lane + preview/deploy artifacts and `docs-deploy-guard.json` / `audit-event-docs-deploy-guard.json`.
+4. Security failures: inspect `.github/workflows/sec-audit.yml` and `deny.toml`.
+5. Workflow syntax/lint failures: inspect `.github/workflows/workflow-sanity.yml`.
+6. PR intake failures: inspect `.github/workflows/pr-intake-checks.yml` sticky comment and run logs.
+7. Label policy parity failures: inspect `.github/workflows/pr-label-policy-check.yml`.
+8. Docs failures in CI: inspect `docs-quality` job logs in `.github/workflows/ci-run.yml`.
+9. Strict delta lint failures in CI: inspect `lint-strict-delta` job logs and compare with `BASE_SHA` diff scope.
 
 ## Maintenance Rules
 
diff --git a/docs/release-process.md b/docs/release-process.md
index 29be99960..feceea01b 100644
--- a/docs/release-process.md
+++ b/docs/release-process.md
@@ -22,9 +22,6 @@ Last verified: **February 25, 2026**.
 Release automation lives in:
 
 - `.github/workflows/pub-release.yml`
-- `.github/workflows/pub-prerelease.yml`
-- `.github/workflows/ci-canary-gate.yml`
-- `.github/workflows/pub-homebrew-core.yml` (manual Homebrew formula PR, bot-owned)
 
 Modes:
 
@@ -157,26 +154,6 @@ For staged release confidence:
    - `stage_history.per_stage` and `stage_history.latest_stage`
 4. Publish prerelease assets only after guard passes.
 
-### 6) Publish Homebrew Core formula (bot-owned)
-
-Run `Pub Homebrew Core` manually:
-
-- `release_tag`: `vX.Y.Z`
-- `dry_run`: `true` first, then `false`
-
-Required repository settings for non-dry-run:
-
-- secret: `HOMEBREW_CORE_BOT_TOKEN` (token from a dedicated bot account, not a personal maintainer account)
-- variable: `HOMEBREW_CORE_BOT_FORK_REPO` (for example `zeroclaw-release-bot/homebrew-core`)
-- optional variable: `HOMEBREW_CORE_BOT_EMAIL`
-
-Workflow guardrails:
-
-- release tag must match `Cargo.toml` version
-- formula source URL and SHA256 are updated from the tagged tarball
-- formula license is normalized to `Apache-2.0 OR MIT`
-- PR is opened from the bot fork into `Homebrew/homebrew-core:master`
-
 ## Emergency / Recovery Path
 
 If tag-push release fails after artifacts are validated: