chore: remove CODEOWNERS chassis and the code-owner review gate

The repo is a 2-person team where both maintainers own every path, so the
CODEOWNERS machinery (generated CODEOWNERS, roles yml, render script, the two
drift/hand-edit CI jobs) gated nothing real while adding friction: every PR
showed "Review required" and own-PRs merged only via admin/bypass override.

Remove the whole chassis and drop the review gate:
- delete .github/CODEOWNERS, codeowners-roles.yml, render-codeowners.py,
  the CODEOWNERS workflow, and docs/dev/codeowners.md
- branch-protection.json: drop the two CODEOWNERS required status checks,
  set require_code_owner_reviews=false and required_approving_review_count=0
  (CI checks are the gate; maintainers merge their own PRs once green)
- scrub CODEOWNERS references from AGENTS.md, docs indexes, branch-protection
  and ci docs, GOVERNANCE.md, and CONTRIBUTING.md

The policy change is inert until an admin runs scripts/apply-branch-protection.sh.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.github/CODEOWNERS

@@ -1,18 +0,0 @@
-# AUTOGENERATED from .github/codeowners-roles.yml. Do not edit by hand.
-#
-# To change role membership or path assignments:
-#   1. Edit .github/codeowners-roles.yml
-#   2. Run `python3 .github/scripts/render-codeowners.py`
-#   3. Commit both files together
-#
-# CI fails if this file drifts from its source, and rejects PRs that
-# edit this file directly without also editing the yml.
-
-*             @aaltshuler @ragnorc
-
-crates/**     @aaltshuler @ragnorc
-docs/**       @aaltshuler @ragnorc
-README.md     @aaltshuler @ragnorc
-AGENTS.md     @aaltshuler @ragnorc
-CLAUDE.md     @aaltshuler @ragnorc
-SECURITY.md   @aaltshuler @ragnorc

.github/branch-protection.json

@@ -1,27 +1,19 @@
 {
-  "_comment": "Branch protection policy for main. Applied via scripts/apply-branch-protection.sh. See docs/branch-protection.md for rationale. NOTE: bypass_pull_request_allowances.users must mirror the engineering owners in .github/codeowners-roles.yml — code owners merge their own PRs without a second review; non-owners still need a code-owner approval. (render-codeowners.py does NOT generate this list; keep it in sync by hand.)",
+  "_comment": "Branch protection policy for main. Applied via scripts/apply-branch-protection.sh. See docs/dev/branch-protection.md for rationale. CODEOWNERS was removed (2-person team where both maintainers own everything, so code-owner review added friction without value). Review is no longer code-owner-scoped and no approvals are required; the required CI status checks are the gate. Maintainers merge their own PRs once checks pass.",
   "required_status_checks": {
     "strict": true,
     "contexts": [
       "Classify Changes",
       "Check AGENTS.md Links",
-      "Test omnigraph-server --features aws",
-      "CODEOWNERS matches source",
-      "CODEOWNERS not hand-edited"
+      "Test omnigraph-server --features aws"
     ]
   },
   "enforce_admins": false,
   "required_pull_request_reviews": {
-    "dismissal_restrictions": {},
-    "dismiss_stale_reviews": true,
-    "require_code_owner_reviews": true,
-    "required_approving_review_count": 1,
-    "require_last_push_approval": false,
-    "bypass_pull_request_allowances": {
-      "users": ["ragnorc", "aaltshuler"],
-      "teams": [],
-      "apps": []
-    }
+    "dismiss_stale_reviews": false,
+    "require_code_owner_reviews": false,
+    "required_approving_review_count": 0,
+    "require_last_push_approval": false
   },
   "restrictions": null,
   "required_linear_history": true,

.github/codeowners-roles.yml

@@ -1,56 +0,0 @@
-# Source of truth for .github/CODEOWNERS.
-#
-# How to change role membership or path assignments:
-#   1. Edit this file.
-#   2. Run `python3 .github/scripts/render-codeowners.py` to regenerate
-#      .github/CODEOWNERS.
-#   3. Commit both files in the same PR.
-#
-# CI fails on drift between this source and the generated CODEOWNERS
-# (see .github/workflows/codeowners.yml). CI also rejects direct edits
-# to .github/CODEOWNERS that don't accompany a change here.
-#
-# Why a generator instead of editing CODEOWNERS directly?
-# The yml is the audit trail: `git log .github/codeowners-roles.yml`
-# shows every role change with a reviewable diff and a merge commit.
-# The rendered CODEOWNERS is what GitHub reads at PR time.
-
-roles:
-  engineering:
-    description: >
-      All production code under crates/**. Engine, CLI, server,
-      compiler.
-    members:
-      - aaltshuler
-      - ragnorc
-
-  docs:
-    description: >
-      Documentation under docs/**, plus repo-level docs (README.md,
-      AGENTS.md, CLAUDE.md symlink, SECURITY.md).
-    members:
-      - aaltshuler
-      - ragnorc
-
-# Path → role mapping. GitHub CODEOWNERS uses "last match wins"
-# semantics — when multiple patterns match a file, only the last
-# matching pattern's owners apply. The generator handles this by
-# emitting `default` as the first `*` line and the specific patterns
-# below afterward, so specific paths override the catch-all.
-#
-# Within this list, order matters only between overlapping specific
-# patterns (the later one wins). Today nothing overlaps; future
-# additions should keep more-specific patterns later.
-paths:
-  "crates/**": [engineering]
-  "docs/**": [docs]
-  "README.md": [docs]
-  "AGENTS.md": [docs]
-  "CLAUDE.md": [docs]
-  "SECURITY.md": [docs]
-
-# Catch-all for paths not explicitly mapped (.github/, scripts/,
-# Cargo.toml, Cargo.lock, openapi.json, LICENSE, etc.). Defaults to
-# engineering — every change to repo infrastructure needs the
-# engineering owner's review.
-default: [engineering]

.github/scripts/render-codeowners.py

@@ -1,205 +0,0 @@
-#!/usr/bin/env python3
-"""Render .github/CODEOWNERS and the ownership tables in
-docs/dev/codeowners.md from .github/codeowners-roles.yml.
-
-The yml is the source of truth. This script expands the role-based yml
-into (1) the flat path→owners format GitHub expects in
-`.github/CODEOWNERS`, and (2) the "who owns what" markdown tables spliced
-between the generated-region markers in `docs/dev/codeowners.md`. Both are
-derived artifacts; CI re-renders them on every PR (see
-.github/workflows/codeowners.yml) and auto-commits the result on same-repo
-PRs, so the source of truth and the human-readable view never drift.
-
-Usage:
-    python3 .github/scripts/render-codeowners.py
-
-Exits non-zero on:
-    - Missing PyYAML.
-    - Unknown role referenced in `paths` or `default`.
-    - Role with no members (a role must always resolve to at least
-      one owner; otherwise CODEOWNERS would assign nobody and GitHub
-      would silently fall back to "no required reviewer", which
-      defeats the purpose).
-    - Missing generated-region markers in docs/dev/codeowners.md.
-"""
-
-from __future__ import annotations
-
-import sys
-from pathlib import Path
-
-try:
-    import yaml
-except ImportError:
-    sys.exit(
-        "error: PyYAML is required. Install with `pip install pyyaml` "
-        "or `python3 -m pip install pyyaml`."
-    )
-
-REPO_ROOT = Path(__file__).resolve().parents[2]
-SOURCE = REPO_ROOT / ".github" / "codeowners-roles.yml"
-OUTPUT = REPO_ROOT / ".github" / "CODEOWNERS"
-DOCS = REPO_ROOT / "docs" / "dev" / "codeowners.md"
-
-# The "who owns what" tables in docs/dev/codeowners.md are spliced between
-# these markers so the human-readable view never drifts from the source of
-# truth. Edit codeowners-roles.yml and re-render — never the table by hand.
-DOCS_BEGIN = "<!-- BEGIN GENERATED OWNERSHIP — edit codeowners-roles.yml + run render-codeowners.py -->"
-DOCS_END = "<!-- END GENERATED OWNERSHIP -->"
-
-BANNER = """\
-# AUTOGENERATED from .github/codeowners-roles.yml. Do not edit by hand.
-#
-# To change role membership or path assignments:
-#   1. Edit .github/codeowners-roles.yml
-#   2. Run `python3 .github/scripts/render-codeowners.py`
-#   3. Commit both files together
-#
-# CI fails if this file drifts from its source, and rejects PRs that
-# edit this file directly without also editing the yml.
-"""
-
-
-def resolve(role_name: str, roles: dict) -> list[str]:
-    role = roles.get(role_name)
-    if role is None:
-        sys.exit(
-            f"error: unknown role '{role_name}'. "
-            f"Known roles: {sorted(roles.keys())}"
-        )
-    members = role.get("members") or []
-    if not members:
-        sys.exit(
-            f"error: role '{role_name}' has no members. "
-            f"A role must resolve to at least one owner."
-        )
-    return members
-
-
-def owners_for(role_names: list[str], roles: dict) -> list[str]:
-    """Return @-prefixed GitHub handles, deduped, preserving order."""
-    seen: list[str] = []
-    for role_name in role_names:
-        for member in resolve(role_name, roles):
-            handle = f"@{member}"
-            if handle not in seen:
-                seen.append(handle)
-    return seen
-
-
-def _oneline(text: str) -> str:
-    """Collapse a folded/multi-line YAML description into one cell of text."""
-    return " ".join((text or "").split())
-
-
-def ownership_tables(spec: dict, roles: dict) -> str:
-    """Render the human-readable "who owns what" markdown — a path→owners
-    table (the operative view at PR time, in last-match-wins order with the
-    catch-all first) plus a role→members table. Spliced into the docs between
-    the markers so it is always current with the source of truth."""
-    out: list[str] = []
-
-    out.append("**Path → owners** (GitHub applies *last match wins*; the `*` "
-               "catch-all is listed first and is overridden by the specific "
-               "patterns below it):")
-    out.append("")
-    out.append("| Path | Owners | Role(s) |")
-    out.append("|---|---|---|")
-    if "default" in spec:
-        owners = " ".join(owners_for(spec["default"], roles))
-        out.append(f"| `*` | {owners} | {', '.join(spec['default'])} |")
-    for pattern, role_names in (spec.get("paths") or {}).items():
-        owners = " ".join(owners_for(role_names, roles))
-        out.append(f"| `{pattern}` | {owners} | {', '.join(role_names)} |")
-    out.append("")
-
-    out.append("**Roles**:")
-    out.append("")
-    out.append("| Role | Members | Description |")
-    out.append("|---|---|---|")
-    for name, role in roles.items():
-        members = " ".join(f"@{m}" for m in (role.get("members") or []))
-        out.append(f"| `{name}` | {members} | {_oneline(role.get('description', ''))} |")
-    out.append("")
-
-    return "\n".join(out)
-
-
-def splice_docs(table_md: str) -> None:
-    """Replace the region between DOCS_BEGIN/DOCS_END in the docs file with the
-    freshly generated tables, leaving surrounding prose untouched."""
-    if not DOCS.exists():
-        sys.exit(f"error: docs file not found: {DOCS}")
-    text = DOCS.read_text()
-    if DOCS_BEGIN not in text or DOCS_END not in text:
-        sys.exit(
-            f"error: ownership markers not found in {DOCS.relative_to(REPO_ROOT)}. "
-            f"Add the lines:\n  {DOCS_BEGIN}\n  {DOCS_END}\n"
-            f"around the generated table region."
-        )
-    head, rest = text.split(DOCS_BEGIN, 1)
-    _, tail = rest.split(DOCS_END, 1)
-    new = f"{head}{DOCS_BEGIN}\n\n{table_md}\n{DOCS_END}{tail}"
-    DOCS.write_text(new)
-
-
-def main() -> int:
-    if not SOURCE.exists():
-        sys.exit(f"error: source file not found: {SOURCE}")
-    spec = yaml.safe_load(SOURCE.read_text())
-
-    roles = spec.get("roles") or {}
-    if not roles:
-        sys.exit("error: codeowners-roles.yml declares no roles")
-
-    paths = spec.get("paths") or {}
-    if not paths:
-        sys.exit("error: codeowners-roles.yml declares no paths")
-
-    lines: list[str] = [BANNER]
-
-    # Pad the path column for alignment. Width is the longest pattern
-    # plus a small margin.
-    width = max(len(p) for p in paths) + 2
-
-    # GitHub CODEOWNERS uses "last match wins" semantics. Emit the
-    # default catch-all `*` FIRST so specific patterns below override
-    # it for the paths they cover. If we emitted `*` last, every file
-    # would resolve to the default owners regardless of more-specific
-    # rules — which would silently nullify any role distinction.
-    if "default" in spec:
-        default_owners = owners_for(spec["default"], roles)
-        lines.append(f"{'*':<{width}} {' '.join(default_owners)}")
-        lines.append("")
-
-    for pattern, role_names in paths.items():
-        owners = owners_for(role_names, roles)
-        lines.append(f"{pattern:<{width}} {' '.join(owners)}")
-
-    lines.append("")  # trailing newline so the file ends cleanly
-
-    rendered = "\n".join(lines)
-
-    # Regression check: the catch-all `*` line (if any) must precede
-    # every specific-path line. Failure here means the generator is
-    # silently nullifying specific rules.
-    if "default" in spec:
-        non_comment = [ln for ln in rendered.splitlines() if ln and not ln.startswith("#")]
-        first_pattern = non_comment[0].split()[0] if non_comment else None
-        if first_pattern != "*":
-            sys.exit(
-                f"error: generator invariant violated — first emitted pattern is "
-                f"{first_pattern!r}, expected '*'. CODEOWNERS uses last-match-wins; "
-                f"the catch-all must come first."
-            )
-
-    OUTPUT.write_text(rendered)
-    print(f"wrote {OUTPUT.relative_to(REPO_ROOT)}")
-
-    splice_docs(ownership_tables(spec, roles))
-    print(f"updated {DOCS.relative_to(REPO_ROOT)}")
-    return 0
-
-
-if __name__ == "__main__":
-    sys.exit(main())

.github/workflows/codeowners.yml

@@ -1,110 +0,0 @@
-name: CODEOWNERS
-
-# Runs on EVERY pull request (no paths filter). The two jobs below are
-# required status checks on `main`; a path-filtered required check never
-# reports for PRs outside the filter and leaves them permanently "pending"
-# (the trap that forced admin-override merges). Always-run + cheap
-# short-circuit is what keeps them honest.
-on:
-  pull_request:
-  workflow_dispatch:
-
-# `drift` auto-commits the regenerated artifacts back to same-repo PR
-# branches, so it needs write access.
-permissions:
-  contents: write
-
-jobs:
-  # NOTE: the job `name:` values below ("CODEOWNERS matches source" /
-  # "CODEOWNERS not hand-edited") ARE the status-check contexts that
-  # .github/branch-protection.json must list verbatim. Renaming a job here
-  # is a branch-protection change — update the JSON and re-apply.
-  drift:
-    name: CODEOWNERS matches source
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5.0.1
-
-      - name: Set up Python
-        uses: actions/setup-python@v5.4.0
-        with:
-          python-version: '3.13'
-
-      - name: Install PyYAML
-        run: pip install pyyaml
-
-      - name: Re-render CODEOWNERS + ownership docs
-        run: python3 .github/scripts/render-codeowners.py
-
-      # Same-repo PR: push the regenerated artifacts back so contributors
-      # never have to run the script locally. Mirrors the openapi.json
-      # auto-commit in ci.yml (separate shallow clone of the head branch so
-      # the pushed commit carries only the regenerated files).
-      - name: Commit regenerated artifacts to PR branch
-        if: |
-          github.event_name == 'pull_request' &&
-          github.event.pull_request.head.repo.full_name == github.repository
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          if git diff --quiet -- .github/CODEOWNERS docs/dev/codeowners.md; then
-            echo "CODEOWNERS and ownership docs already in sync."
-            exit 0
-          fi
-          tmp=$(mktemp -d)
-          git clone --depth 1 --branch "${{ github.head_ref }}" \
-            "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git" \
-            "$tmp"
-          cp .github/CODEOWNERS "$tmp/.github/CODEOWNERS"
-          cp docs/dev/codeowners.md "$tmp/docs/dev/codeowners.md"
-          cd "$tmp"
-          if git diff --quiet -- .github/CODEOWNERS docs/dev/codeowners.md; then
-            echo "Head branch already matches; nothing to push."
-            exit 0
-          fi
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add .github/CODEOWNERS docs/dev/codeowners.md
-          git commit -m "chore: regenerate CODEOWNERS + ownership docs"
-          git push
-
-      # Fork PR / workflow_dispatch: cannot push back, so enforce drift
-      # strictly. The contributor runs the script and commits the result.
-      - name: Verify in sync (forks / manual runs)
-        if: |
-          !(github.event_name == 'pull_request' &&
-            github.event.pull_request.head.repo.full_name == github.repository)
-        run: |
-          if ! git diff --quiet -- .github/CODEOWNERS docs/dev/codeowners.md; then
-            echo "::error::Generated CODEOWNERS / ownership docs are out of sync with .github/codeowners-roles.yml."
-            echo "::error::Run \`python3 .github/scripts/render-codeowners.py\` and commit the result."
-            echo "--- diff ---"
-            git --no-pager diff -- .github/CODEOWNERS docs/dev/codeowners.md
-            exit 1
-          fi
-          echo "Generated artifacts are in sync with their source."
-
-  noedit:
-    name: CODEOWNERS not hand-edited
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5.0.1
-        with:
-          # Need history so we can diff against the PR base.
-          fetch-depth: 0
-
-      - name: Reject hand-edits to generated file
-        # Only meaningful for PRs (needs a base to diff against).
-        if: github.event_name == 'pull_request'
-        run: |
-          base="origin/${{ github.base_ref }}"
-          git fetch origin "${{ github.base_ref }}" --quiet
-          changed=$(git diff --name-only "$base" HEAD)
-          edited_generated=$(echo "$changed" | grep -E '^\.github/CODEOWNERS$' || true)
-          edited_source=$(echo "$changed" | grep -E '^\.github/codeowners-roles\.yml$' || true)
-          if [ -n "$edited_generated" ] && [ -z "$edited_source" ]; then
-            echo "::error::This PR edits .github/CODEOWNERS but not its source .github/codeowners-roles.yml."
-            echo "::error::Edit the yml and regenerate via \`python3 .github/scripts/render-codeowners.py\`."
-            exit 1
-          fi
-          echo "CODEOWNERS edits accompany source edits (or no CODEOWNERS edits in this PR)."