hyperpolymath
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 13 additions & 171 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 13 additions & 171 deletions
diff --git a/‎.github/workflows/guix-nix-policy.yml‎
Lines changed: 35 additions & 0 deletions b/‎.github/workflows/guix-nix-policy.yml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎.github/workflows/mirror.yml‎
Lines changed: 9 additions & 3 deletions b/‎.github/workflows/mirror.yml‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎.github/workflows/npm-bun-blocker.yml‎
Lines changed: 20 additions & 0 deletions b/‎.github/workflows/npm-bun-blocker.yml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎.github/workflows/quality.yml‎
Lines changed: 58 additions & 0 deletions b/‎.github/workflows/quality.yml‎
Lines changed: 58 additions & 0 deletions
@@ -1,198 +1,40 @@
-# SPDX-License-Identifier: MPL-2.0
-# CodeQL Security Analysis - Strict Mode
-# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors
-
-name: "CodeQL Security Analysis"
+# SPDX-License-Identifier: AGPL-3.0-or-later
+name: CodeQL Security Analysis
 
 on:
   push:
-    branches: [main, develop]
+    branches: [main, master]
   pull_request:
-    branches: [main]
+    branches: [main, master]
   schedule:
-    # Run daily at 00:00 UTC for thorough security coverage
-    - cron: "0 0 * * *"
-  workflow_dispatch:
+    - cron: '0 6 * * 1'
 
-permissions:
-  actions: read
-  contents: read
-  security-events: write
+permissions: read-all
 
 jobs:
   analyze:
-    name: CodeQL Analysis
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
       contents: read
-
+      security-events: write
     strategy:
-      fail-fast: true  # Fail immediately on security issues
+      fail-fast: false
       matrix:
         include:
           - language: actions
             build-mode: none
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
         with:
           languages: ${{ matrix.language }}
-          # Maximum security coverage
-          queries: +security-extended,security-and-quality,security-experimental
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3
+          build-mode: ${{ matrix.build-mode }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v3
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1
         with:
           category: "/language:${{ matrix.language }}"
-          # Fail on any high or critical severity issues
-          upload: true
-
-  # OCaml-specific security checks - STRICT MODE
-  ocaml-security:
-    name: OCaml Security Checks (Strict)
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Set up OCaml
-        uses: ocaml/setup-ocaml@7c185f622998a008ba1b296d2d7c64e235629c23 # v3.6.1
-        with:
-          ocaml-compiler: "4.14.x"
-
-      - name: Install dependencies
-        run: |
-          opam install . --deps-only --with-test -y
-        working-directory: engines/rescript-wasm
-
-      - name: Build with strict warnings
-        run: |
-          opam exec -- dune build @all --force
-        working-directory: engines/rescript-wasm
-
-      - name: Run all tests (must pass)
-        run: |
-          opam exec -- dune test
-        working-directory: engines/rescript-wasm
-
-      - name: Security audit - unsafe patterns (MUST PASS)
-        run: |
-          echo "========================================="
-          echo "Security Audit - Unsafe Patterns"
-          echo "========================================="
-          ERRORS=0
-
-          # Check for Obj.magic usage (type safety bypass)
-          if grep -rn "Obj\.magic" engines/rescript-wasm/lib/; then
-            echo "::error::CRITICAL: Obj.magic usage found - type safety violation"
-            ERRORS=$((ERRORS + 1))
-          fi
-
-          # Check for Marshal usage (potential code execution)
-          if grep -rn "Marshal\." engines/rescript-wasm/lib/; then
-            echo "::error::CRITICAL: Marshal usage found - code execution risk"
-            ERRORS=$((ERRORS + 1))
-          fi
-
-          # Check for shell command execution
-          if grep -rn "Sys\.command\|Unix\.system\|Unix\.open_process" engines/rescript-wasm/lib/; then
-            echo "::error::CRITICAL: Shell command execution found - injection risk"
-            ERRORS=$((ERRORS + 1))
-          fi
-
-          # Check for unsafe file operations
-          if grep -rn "open_in\|open_out" engines/rescript-wasm/lib/ | grep -v "In_channel\|Out_channel"; then
-            echo "::warning::Found legacy file operations - consider using In_channel/Out_channel"
-          fi
-
-          # Check for eval-like constructs
-          if grep -rn "Dynlink\|Toploop" engines/rescript-wasm/lib/; then
-            echo "::error::CRITICAL: Dynamic code loading found - security risk"
-            ERRORS=$((ERRORS + 1))
-          fi
-
-          if [ $ERRORS -gt 0 ]; then
-            echo "========================================="
-            echo "FAILED: Found $ERRORS critical security issues"
-            echo "========================================="
-            exit 1
-          fi
-
-          echo "========================================="
-          echo "PASSED: No critical security issues found"
-          echo "========================================="
-
-      - name: Security audit - integer overflow risks
-        run: |
-          echo "=== Checking for integer overflow risks ==="
-          # Check for i31 operations that might overflow
-          if grep -rn "I32Const.*[0-9]\{10,\}" engines/rescript-wasm/lib/; then
-            echo "::warning::Large integer constants found - verify i31 bounds"
-          fi
-          echo "Integer check complete"
-
-      - name: Security audit - resource leaks
-        run: |
-          echo "=== Checking for potential resource leaks ==="
-          # Check for file handles that might not be closed
-          FILE_OPENS=$(grep -rn "open_in\|open_out\|In_channel.create\|Out_channel.create" engines/rescript-wasm/lib/ | wc -l)
-          FILE_CLOSES=$(grep -rn "close_in\|close_out\|In_channel.close\|Out_channel.close\|with_open" engines/rescript-wasm/lib/ | wc -l)
-          echo "File opens: $FILE_OPENS, File closes: $FILE_CLOSES"
-          if [ "$FILE_OPENS" -gt "$FILE_CLOSES" ]; then
-            echo "::warning::Potential resource leak - more opens than closes"
-          fi
-          echo "Resource check complete"
-
-      - name: Security audit - exception handling
-        run: |
-          echo "=== Checking exception handling ==="
-          # Check for bare exception handlers
-          if grep -rn "try.*with.*_\s*->" engines/rescript-wasm/lib/ | grep -v "failwith\|raise\|error"; then
-            echo "::warning::Found catch-all exception handlers - may hide errors"
-          fi
-          echo "Exception check complete"
-
-  # Dependency vulnerability scanning
-  dependency-scan:
-    name: Dependency Vulnerability Scan
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Set up OCaml
-        uses: ocaml/setup-ocaml@7c185f622998a008ba1b296d2d7c64e235629c23 # v3.6.1
-        with:
-          ocaml-compiler: "4.14.x"
-
-      - name: List dependencies
-        run: |
-          echo "=== OCaml Dependencies ==="
-          if [ -f engines/rescript-wasm/dune-project ]; then
-            echo "Dune project dependencies:"
-            cat engines/rescript-wasm/dune-project
-          fi
-          echo ""
-          echo "=== Installed packages ==="
-          opam list --installed 2>/dev/null || true
-
-      - name: Check for known vulnerabilities
-        run: |
-          echo "=== Vulnerability Check ==="
-          # Note: opam doesn't have built-in vulnerability scanning
-          # This is a placeholder for future integration with security DBs
-          echo "Dependency check complete (advisory: no known issues)"
@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+name: Guix/Nix Package Policy
+on: [push, pull_request]
+
+permissions: read-all
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Enforce Guix primary / Nix fallback
+        run: |
+          # Check for package manager files
+          HAS_GUIX=$(find . -name "*.scm" -o -name ".guix-channel" -o -name "guix.scm" 2>/dev/null | head -1)
+          HAS_NIX=$(find . -name "*.nix" 2>/dev/null | head -1)
+          
+          # Block new package-lock.json, yarn.lock, Gemfile.lock, etc.
+          NEW_LOCKS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E 'package-lock\.json|yarn\.lock|Gemfile\.lock|Pipfile\.lock|poetry\.lock|cargo\.lock' || true)
+          if [ -n "$NEW_LOCKS" ]; then
+            echo "⚠️ Lock files detected. Prefer Guix manifests for reproducibility."
+          fi
+          
+          # Prefer Guix, fallback to Nix
+          if [ -n "$HAS_GUIX" ]; then
+            echo "✅ Guix package management detected (primary)"
+          elif [ -n "$HAS_NIX" ]; then
+            echo "✅ Nix package management detected (fallback)"
+          else
+            echo "ℹ️ Consider adding guix.scm or flake.nix for reproducible builds"
+          fi
+          
+          echo "✅ Package policy check passed"
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0
+# SPDX-License-Identifier: AGPL-3.0-or-later
 # SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
 name: Mirror to Git Forges
 
@@ -126,10 +126,16 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # stable
+        with:
+          toolchain: stable
+
       - name: Install Radicle
         run: |
-          curl -sSf https://radicle.xyz/install | sh
-          echo "$HOME/.radicle/bin" >> $GITHUB_PATH
+          # Install via cargo (safer than curl|sh)
+          cargo install radicle-cli --locked
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
 
       - name: Mirror to Radicle
         run: |
 
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+name: NPM/Bun Blocker
+on: [push, pull_request]
+
+permissions: read-all
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Block npm/bun
+        run: |
+          if [ -f "package-lock.json" ] || [ -f "bun.lockb" ] || [ -f ".npmrc" ]; then
+            echo "❌ npm/bun artifacts detected. Use Deno instead."
+            exit 1
+          fi
+          echo "✅ No npm/bun violations"
@@ -0,0 +1,58 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+name: Code Quality
+on: [push, pull_request]
+
+
+permissions: read-all
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Check file permissions
+        run: |
+          find . -type f -perm /111 -name "*.sh" | head -10 || true
+      
+      - name: Check for secrets
+        uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3
+        with:
+          path: ./
+          base: ${{ github.event.pull_request.base.sha || github.event.before }}
+          head: ${{ github.sha }}
+        continue-on-error: true
+      
+      - name: Check TODO/FIXME
+        run: |
+          echo "=== TODOs ==="
+          grep -rn "TODO\|FIXME\|HACK\|XXX" --include="*.rs" --include="*.res" --include="*.py" --include="*.ex" . | head -20 || echo "None found"
+      
+      - name: Check for large files
+        run: |
+          find . -type f -size +1M -not -path "./.git/*" | head -10 || echo "No large files"
+      
+      - name: EditorConfig check
+        uses: editorconfig-checker/action-editorconfig-checker@8c9b118d446fce7e6410b6c0a3ce2f83bd04e97a # v2.1.0
+        continue-on-error: true
+
+  docs:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Check documentation
+        run: |
+          MISSING=""
+          [ ! -f "README.md" ] && [ ! -f "README.adoc" ] && MISSING="$MISSING README"
+          [ ! -f "LICENSE" ] && [ ! -f "LICENSE.txt" ] && [ ! -f "LICENSE.md" ] && MISSING="$MISSING LICENSE"
+          [ ! -f "CONTRIBUTING.md" ] && [ ! -f "CONTRIBUTING.adoc" ] && MISSING="$MISSING CONTRIBUTING"
+          
+          if [ -n "$MISSING" ]; then
+            echo "::warning::Missing docs:$MISSING"
+          else
+            echo "✅ Core documentation present"
+          fi