DO-NOT-MERGE · Scrub internal tracker IDs from shipped source + CI workflow, and tighten the sweep #222

Open
Antawari wants to merge 1 commit into quality/go-green from catrina/2026-06-12/bon-1624-bonfire-public-scrub-internal-ids-from-shipped-code

@Antawari

Contributor

What

This is a public tree, yet internal tracker IDs (BON-NNN) had leaked into shipped code and CI, and the existing leak-sweep test allowlisted them rather than forbidding them. This PR cleans all three surfaces and tightens the gate so the leak cannot recur.

  • src/bonfire/analysis/models.py — rewrote the seven tracker-bearing docstrings/comments into neutral descriptive prose (e.g. Frozen budget of Cartographer tunables (BON-226 §5). -> Frozen budget of Cartographer tunables.; Gzip-compressed JSON — BON-231 Wave 2b cache seam. -> Gzip-compressed JSON cache seam.). Comments/docstrings only — no identifiers, field names, defaults, validators, or executable code changed. Model behavior is byte-identical.
  • .github/workflows/smoke.yml — dropped tracker IDs + internal milestone scaffolding (scout report, comment hash) from workflow comments. The gate steps themselves are unchanged; still valid YAML.
  • tests/unit/test_no_bon_ref_in_src_sweep.py — set _ALLOWLIST = frozenset() so any future BON-NNN in src/ fails the sweep instead of being permitted, and scrubbed the tracker refs + workshop vocabulary from the test's own docstrings/comments.

docs/ is intentionally out of scope for this unit (it is the larger separate decision).

Why

A public repo must never ship internal tracker IDs. The previous allowlist made the leak a permanent fixture; emptying it converts the sweep from a recorder of known leaks into a true gate.

How to verify (exact commands)

cd <repo-root>
python -m venv /tmp/bpv2 && /tmp/bpv2/bin/pip -q install pytest pydantic ruff
PYTHONPATH=src /tmp/bpv2/bin/pytest tests/unit/test_no_bon_ref_in_src_sweep.py -q
PYTHONPATH=src /tmp/bpv2/bin/pytest tests/unit/test_analysis_models.py tests/unit/test_analysis_schema.py tests/unit/test_analysis_fingerprint.py -q
/tmp/bpv2/bin/ruff check src/ tests/
/tmp/bpv2/bin/ruff format --check src/ tests/
grep -rnE 'BON-[0-9]' src/ .github/workflows/smoke.yml tests/unit/test_no_bon_ref_in_src_sweep.py && echo 'LEAK REMAINS' || echo 'SRC+CI CLEAN'

TDD trail: with the allowlist emptied and models.py still dirty, the sweep went RED (7 offenders); after the scrub it is GREEN.

Honest gate results (run inside the worktree)

  • Sweep test_no_bon_ref_in_src_sweep.py: 2 passed (test_allowlist_entries_still_resolve passes trivially on the empty allowlist).
  • Analysis-model suites (test_analysis_models + test_analysis_schema + test_analysis_fingerprint) — 35 passed (behavior byte-identical).
  • ruff check src/ tests/: All checks passed.
  • ruff format --check src/ tests/: 311 files already formatted.
  • smoke.yml: valid YAML (PyYAML safe_load, job smoke).
  • grep -rnE 'BON-[0-9]' over src/ + smoke.yml + the sweep test — no matches (clean).

Note: the broader tests/unit suite has pre-existing collection errors in this minimal venv (missing runtime deps unrelated to this change); the targeted suites above run clean.

Closes BON-1624

operator merges — do not auto-merge

This is a public tree, so internal tracker IDs must never ship in
source or CI. Three surfaces are cleaned and the leak gate is tightened
so the leak cannot recur:

- src/bonfire/analysis/models.py: rewrite the seven tracker-bearing
  docstrings/comments into neutral descriptive prose. Comments and
  docstrings only — no identifiers, field names, defaults, validators,
  or executable code changed; model behavior is byte-identical (35
  analysis-model tests still pass).
- .github/workflows/smoke.yml: drop tracker IDs and internal milestone
  scaffolding from the workflow comments; the gate steps are unchanged.
- tests/unit/test_no_bon_ref_in_src_sweep.py: set the allowlist to an
  empty frozenset so any future tracker ID in src/ fails the sweep
  instead of being permitted, and scrub the tracker refs and workshop
  vocabulary from the test's own docstrings and comments.

Gates from inside the worktree: sweep + analysis-model suites green,
ruff check + ruff format --check clean, smoke.yml valid YAML, and a
grep for the tracker-ID shape across src/, the CI workflow, and the
sweep test finds nothing.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
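
An added example, not code from this PR or from the Bonfire repository: a minimal sweep showing why a populated allowlist only records a leak while an empty one gates it, plus a stale-entry check in the spirit of test_allowlist_entries_still_resolve. The regex, the function names and the constructed file tree are assumptions; the project's actual test is not shown on this page.

```python
import re
import tempfile
from pathlib import Path

# Assumed pattern: the tracker-ID shape the PR greps for, with word boundaries added.
TRACKER_ID = re.compile(r"\bBON-[0-9]+\b")


def sweep(root, allowlist=frozenset()):
    """Return (relative_path, line_no, tracker_id) offenders under root.

    allowlist holds (relative_path, tracker_id) pairs that are tolerated.
    """
    offenders = []
    for path in sorted(Path(root).rglob("*.py")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in TRACKER_ID.finditer(line):
                if (rel, match.group()) not in allowlist:
                    offenders.append((rel, line_no, match.group()))
    return offenders


def stale_allowlist_entries(root, allowlist):
    """Allowlist pairs that no longer match any file content and should be deleted."""
    live = {(rel, tid) for rel, _, tid in sweep(root)}
    return sorted(set(allowlist) - live)


def demo():
    """Build a constructed tree and compare the allowlisted sweep with the strict one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "pkg").mkdir(parents=True)
        (src / "pkg" / "models.py").write_text(
            '"""Frozen budget of tunables (BON-226 section 5)."""\nLIMIT = 3\n',
            encoding="utf-8",
        )
        (src / "pkg" / "clean.py").write_text("# ribbon-12 is not a tracker ID\n", encoding="utf-8")
        # Constructed allowlist: one live entry and one pointing at a file that no longer exists.
        old_allowlist = frozenset({("pkg/models.py", "BON-226"), ("pkg/gone.py", "BON-231")})
        return {
            "permissive": sweep(src, old_allowlist),  # leak is tolerated, sweep stays green
            "strict": sweep(src, frozenset()),        # empty allowlist: same leak now fails
            "stale": stale_allowlist_entries(src, old_allowlist),
        }


if __name__ == "__main__":
    print(demo())
```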