diff --git a/.github/workflows/affinescript-verify.yml b/.github/workflows/affinescript-verify.yml
index 9b186f8..800f88e 100644
--- a/.github/workflows/affinescript-verify.yml
+++ b/.github/workflows/affinescript-verify.yml
@@ -1,6 +1,22 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
 name: AffineScript Verify
-on: [push, pull_request]
+# Direct pushes only on integration branches. Feature-branch validation
+# is fully covered by pull_request — running a full AffineScript verify
+# on every WIP push to every branch in every consumer repo was a dominant
+# estate-wide drain on the shared Actions concurrency pool. No coverage
+# is lost: PRs and post-merge main/master still verify.
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 300f8ad..9e32d15 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,6 +9,14 @@ on:
   schedule:
     - cron: '0 6 * * 1'
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/doc-format.yml b/.github/workflows/doc-format.yml
index 89fe307..d9ba93b 100644
--- a/.github/workflows/doc-format.yml
+++ b/.github/workflows/doc-format.yml
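Review bot: `cancel-in-progress: true` combined with the new `push: branches: [main, master]` trigger means two merges landing on main in quick succession cancel the verify run of the earlier commit, so the comment's claim that "post-merge main/master still verify" holds only for the newest push; an intermediate main commit can end up with no completed check, which weakens the record of what was actually verified on the protected branch. Cancelling superseded PR runs is the safe part of this guardrail; for pushes to integration branches let the run finish, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The identical block added in codeql.yml, doc-format.yml, echidna-verify.yml, governance.yml, language-policy.yml, makefile-blocker.yml, scorecard-enforcer.yml, scorecard.yml and secret-scanner.yml has the same gap wherever those files carry a main/master push trigger, and it matters most for the security scanners, whose cancelled run leaves that commit unscanned.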
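Review bot: The group key `${{ github.workflow }}-${{ github.ref }}` does not include the trigger, and for codeql.yml's weekly `schedule` (the context lines just above the insert) `github.ref` is the default-branch ref, the same value a `push` to main produces; whichever run starts second cancels the other, so a merge landing during the Monday scan discards that scan and the cancelled run never uploads its results. The header comment's "no publish/mutation" premise is also doubtful for CodeQL, which writes to code scanning (presumably via a job-level `security-events: write` grant outside this hunk). Including the event in the key, `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}`, keeps scheduled, dispatched and push runs in separate groups. echidna-verify.yml, scorecard-enforcer.yml and scorecard.yml combine `schedule`/`workflow_dispatch` with the same group expression and have the same collision.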
@@ -7,6 +7,14 @@ on:
   pull_request:
     branches: [main, master]
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/echidna-verify.yml b/.github/workflows/echidna-verify.yml
index ed4de5b..9c9140b 100644
--- a/.github/workflows/echidna-verify.yml
+++ b/.github/workflows/echidna-verify.yml
@@ -29,6 +29,14 @@ on:
     - cron: '0 6 * * 1'
   workflow_dispatch:
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 76bd1a0..4bb50e9 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
@@ -18,6 +18,14 @@ on:
   pull_request:
   workflow_dispatch:
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/language-policy.yml b/.github/workflows/language-policy.yml
index cf8356b..de162ca 100644
--- a/.github/workflows/language-policy.yml
+++ b/.github/workflows/language-policy.yml
@@ -7,6 +7,14 @@ on:
   pull_request:
     branches: [main, master]
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/makefile-blocker.yml b/.github/workflows/makefile-blocker.yml
index 387cfdc..4763e6b 100644
--- a/.github/workflows/makefile-blocker.yml
+++ b/.github/workflows/makefile-blocker.yml
@@ -13,6 +13,14 @@ on:
       - '**/Makefile.*'
       - '**/*.mk'
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index e686bf7..04206c0 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -9,6 +9,14 @@ on:
     - cron: '0 6 * * 1' # Weekly on Monday
   workflow_dispatch:
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 1048def..29853b2 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -7,6 +7,14 @@ on:
     - cron: '0 4 * * *'
   workflow_dispatch:
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 15b442f..8801d53 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
@@ -7,6 +7,14 @@ on:
   push:
     branches: [main]
 
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -70,4 +78,4 @@ jobs:
           if [ $found -eq 1 ]; then
             echo "::error::Potential hardcoded secrets detected. Use environment variables instead."
             exit 1
-          fi
\ No newline at end of file
+          fi