chore: batch RSR compliance — SPDX headers, SHA-pin actions, forbid(unsafe_code), CODE_OF_CONDUCT, CONTRIBUTING

hyperpolymath · claude · hyperpolymath · commit 22a320c5c77e · 2026-03-22T13:22:26.000Z
- Add/fix SPDX-License-Identifier headers (AGPL→PMPL where needed)
- SHA-pin all GitHub Actions to commit hashes
- Add #![forbid(unsafe_code)] to safe Rust crates
- Add CODE_OF_CONDUCT.md (Contributor Covenant v2.1)
- Add CONTRIBUTING.md (standard template)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: BoJ Server Build Trigger
 on:
   push:
@@ -8,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Trigger BoJ Server (Casket/ssg-mcp)
         run: |
           # Send a secure trigger to boj-server to build this repository
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: Docs
 
 on:
diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: Maintenance
 
 on:
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: GitHub Pages
 
 on:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: Release
 
 on:
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: Security
 
 on:
@@ -33,7 +34,7 @@ jobs:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
@@ -58,7 +59,7 @@ jobs:
           publish_results: true
 
       - name: Upload SARIF to code scanning
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
         with:
           sarif_file: results.sarif
 
@@ -74,4 +75,4 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4
diff --git a/.github/workflows/sign-release.yml b/.github/workflows/sign-release.yml
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: Sign Release Artefacts
 
 on:
diff --git a/.machine_readable/contractiles/dust/Dustfile.a2ml b/.machine_readable/contractiles/dust/Dustfile.a2ml
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Dustfile — Cleanup and Hygiene Contract
+
+[dustfile]
+version = "1.0.0"
+format = "a2ml"
+
+[cleanup]
+stale-branch-policy = "delete-after-merge"
+artifact-retention = "90-days"
+cache-policy = "clear-on-release"
+
+[hygiene]
+linting = "required"
+formatting = "required"
+dead-code-removal = "encouraged"
+todo-tracking = "tracked-in-issues"
+
+[reversibility]
+backup-before-destructive = true
+rollback-mechanism = "git-revert"
+data-retention-policy = "preserve-30-days"
diff --git a/.machine_readable/contractiles/trust/Trustfile.a2ml b/.machine_readable/contractiles/trust/Trustfile.a2ml
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Trustfile — Integrity and Provenance Contract
+
+[trustfile]
+version = "1.0.0"
+format = "a2ml"
+
+[provenance]
+source-control = "git"
+forge = "github"
+ci-verified = true
+signing-policy = "commit-signing-preferred"
+
+[integrity]
+spdx-compliant = true
+license-audit = "required"
+dependency-pinning = "sha-pinned"
+
+[verification]
+reproducible-builds = "goal"
+sbom-generation = "required"
+attestation = "sigstore-preferred"
diff --git a/.machine_readable/integrations/feedback-o-tron.a2ml b/.machine_readable/integrations/feedback-o-tron.a2ml
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Feedback-o-Tron Integration — Autonomous Bug Reporting
+
+[integration]
+name = "feedback-o-tron"
+type = "bug-reporter"
+repository = "https://github.com/hyperpolymath/feedback-o-tron"
+
+[reporting-config]
+platforms = ["github", "gitlab", "bugzilla"]
+deduplication = true
+audit-logging = true
+auto-file-upstream = "on-external-dependency-failure"
diff --git a/.machine_readable/integrations/proven.a2ml b/.machine_readable/integrations/proven.a2ml
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Proven Integration — Formally Verified Safety Library
+
+[integration]
+name = "proven"
+type = "safety-library"
+repository = "https://github.com/hyperpolymath/proven"
+version = "1.2.0"
+
+[binding-policy]
+approach = "thin-ffi-wrapper"
+unsafe-patterns = "replace-with-proven-equivalent"
+modules-available = ["SafeMath", "SafeString", "SafeJSON", "SafeURL", "SafeRegex", "SafeSQL", "SafeFile", "SafeTemplate", "SafeCrypto"]
+
+[adoption-guidance]
+priority = "high"
+scope = "all-string-json-url-crypto-operations"
+migration = "incremental — replace unsafe patterns as encountered"
diff --git a/.machine_readable/integrations/verisimdb.a2ml b/.machine_readable/integrations/verisimdb.a2ml
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# VeriSimDB Feed — Cross-Repo Analytics Data Store
+
+[integration]
+name = "verisimdb"
+type = "data-feed"
+repository = "https://github.com/hyperpolymath/nextgen-databases"
+data-store = "verisimdb-data"
+
+[feed-config]
+emit-scan-results = true
+emit-build-metrics = true
+emit-dependency-graph = true
+format = "hexad"
+destination = "verisimdb-data/feeds/"
diff --git a/.machine_readable/integrations/vexometer.a2ml b/.machine_readable/integrations/vexometer.a2ml
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Vexometer Integration — Irritation Surface Analysis
+
+[integration]
+name = "vexometer"
+type = "friction-measurement"
+repository = "https://github.com/hyperpolymath/vexometer"
+
+[measurement-config]
+dimensions = 10
+emit-isa-reports = true
+lazy-eliminator = true
+satellite-interventions = true
+
+[hooks]
+cli-tools = "measure-on-error"
+ui-panels = "measure-on-interaction"
+build-failures = "measure-on-failure"

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# SPDX-License-Identifier: PMPL-1.0-or-later`
`1`	`2`	`name: Docs`
`2`	`3`
`3`	`4`	`on:`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# SPDX-License-Identifier: PMPL-1.0-or-later`
`1`	`2`	`name: Maintenance`
`2`	`3`
`3`	`4`	`on:`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# SPDX-License-Identifier: PMPL-1.0-or-later`
`1`	`2`	`name: GitHub Pages`
`2`	`3`
`3`	`4`	`on:`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# SPDX-License-Identifier: PMPL-1.0-or-later`
`1`	`2`	`name: Release`
`2`	`3`
`3`	`4`	`on:`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# SPDX-License-Identifier: PMPL-1.0-or-later`
`1`	`2`	`name: Sign Release Artefacts`
`2`	`3`
`3`	`4`	`on:`