diff --git a/.github/workflows/gate.yml b/.github/workflows/gate.yml index 965d7f1d..a9b29f49 100644 --- a/.github/workflows/gate.yml +++ b/.github/workflows/gate.yml @@ -46,12 +46,35 @@ concurrency: jobs: build-and-test: + # Matrix is computed from `github.repository` at plan time so the + # macos-14 leg (≈10× Linux cost) only exists on contributor forks, + # not on the canonical Lucent-Financial-Group/Zeta repo. On any + # fork both legs exist; on the canonical repo only the ubuntu leg + # exists. This keeps the YAML byte-identical on both sides — no + # repo-specific variable, no second workflow file — with runtime + # differentiation driven by the built-in `github.repository` + # context. + # + # Job-level `if:` with `matrix.*` is rejected by actionlint (the + # matrix context is not available at job-level), so the split is + # done at strategy-expansion time via `fromJSON`. The expression + # evaluates once per workflow run; each matrix leg that survives + # creates its own check status. + # + # Rationale: maintainer 2026-04-21 "Mac is very very expensive + # to run" + "we should leave [LFG's] build as linux only if + # that's possible where a contributor fork also builds mac". + # `build-and-test (macos-14)` is NOT in the canonical repo's + # required-checks list — it was removed from branch protection + # on the same change that introduced this matrix split so PRs + # don't block on a leg that + # no longer exists there. name: build-and-test (${{ matrix.os }}) timeout-minutes: 45 strategy: fail-fast: false matrix: - os: [ubuntu-22.04, macos-14] + os: ${{ fromJSON(github.repository == 'Lucent-Financial-Group/Zeta' && '["ubuntu-22.04"]' || '["ubuntu-22.04","macos-14"]') }} runs-on: ${{ matrix.os }} steps: diff --git a/docs/GITHUB-SETTINGS.md b/docs/GITHUB-SETTINGS.md index 634073d5..4e37950f 100644 --- a/docs/GITHUB-SETTINGS.md +++ b/docs/GITHUB-SETTINGS.md 
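Review bot: The new `os:` expression never yields the macos-14 leg for pull requests into the canonical repo, because on `pull_request` events `github.repository` is the base repository even when the head branch lives on a contributor fork, so the "contributor fork also builds mac" coverage only materialises if the contributor pushes to their own fork before opening the PR — and since `build-and-test (macos-14)` is no longer a required check, a macOS-only regression can now merge without any run having exercised it. That gap should be stated in the job comment rather than the current "on any fork both legs exist" wording, e.g. `# NOTE: PRs into the canonical repo are Linux-only too; macOS only runs on pushes within a fork`. The comparison is also pinned to the literal slug `Lucent-Financial-Group/Zeta`, so a rename or transfer of the canonical repo silently flips it back to the two-leg matrix (and the ≈10× billing) with no failing check to notice it; either add `# NOTE: slug is hard-coded — update on rename/transfer` next to the line or compare against the numeric `github.repository_id` (appears to be a built-in context value, verify) which survives renames. The `cond && '["ubuntu-22.04"]' || '[...]'` idiom is only safe because the middle operand is a non-empty string; a one-line comment saying so would stop a future edit from turning it into an empty-string/`null` matrix that fails at plan time.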
@@ -137,16 +137,28 @@ advanced-setup (untested). ### Classic branch protection (on `main`) -Overlaps with the ruleset; kept as defence-in-depth. Six +Overlaps with the ruleset; kept as defence-in-depth. Five required status checks (strict mode): - `build-and-test (ubuntu-22.04)` -- `build-and-test (macos-14)` - `lint (semgrep)` - `lint (shellcheck)` - `lint (actionlint)` - `lint (markdownlint)` +Note on `build-and-test (macos-14)`: intentionally NOT in the +required-checks list on the canonical repo. The `gate.yml` +workflow computes its matrix from `github.repository` at plan +time, so the macos-14 leg only exists on contributor forks, not +on the canonical repo. Cost rationale: macOS runner minutes run +≈10× Linux minutes; keeping the canonical-repo gate Linux-only +while forks retain the full Linux+macOS parity matrix buys +cross-platform coverage on the contributor side without billing +it against the canonical-repo cost surface. Reason: maintainer +2026-04-21 "Mac is very very expensive to run" + "we should +leave [the canonical repo's] build as linux only if that's +possible where a contributor fork also builds mac". + Other protections: dismiss stale reviews on; required linear history; required conversation resolution; force pushes and deletions blocked; enforce_admins off. diff --git a/tools/hygiene/github-settings.expected.json b/tools/hygiene/github-settings.expected.json index 73eb03ea..a593f833 100644 --- a/tools/hygiene/github-settings.expected.json +++ b/tools/hygiene/github-settings.expected.json @@ -131,7 +131,6 @@ "required_signatures": false, "required_status_checks": { "contexts": [ - "build-and-test (macos-14)", "build-and-test (ubuntu-22.04)", "lint (actionlint)", "lint (markdownlint)",