bug: CRITICAL — sovereign-ci.yml silently swallows all cargo failures (rubber stamp CI)

[noahgift]

Summary

The sovereign-ci.yml reusable workflow silently passes even when ALL cargo commands fail. Every cargo command is chained with || echo "::warning::..." which exits 0 regardless of failure. This makes CI a rubber stamp across all 38 repos using this workflow.

Five-Whys

1. Why does CI show green? — Every cargo command has || echo "::warning::..." fallthrough
2. Why was the fallthrough added? — During containerized CI migration (commit ~2026-03-31) to handle workspace path dep resolution differences
3. Why is this dangerous? — Compilation errors, test failures, lint failures ALL silently swallowed
4. Why hasn't it been noticed? — Warnings are emitted as GitHub annotations but don't fail the job. Easy to miss
5. Why does the underlying cargo error persist? — Repos with provable-contracts path deps fail cargo metadata, triggering the fallthrough

Evidence

paiml/paiml-mcp-agent-toolkit CI shows green but does ZERO actual work — all cargo commands hit provable-contracts path resolution error and fall through to the warning echo.

Fix

Remove || echo "::warning::..." from all cargo commands in sovereign-ci.yml. Replace with proper error handling:

• If the intent was to handle path deps gracefully: add sibling checkout steps
• If the intent was continue-on-error for specific jobs: use GitHub Actions continue-on-error: true at job level (not command level)

Impact

ALL repos in the paiml org using sovereign-ci.yml may have silently broken CI. This is the highest priority fix in the fleet.