diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index 1a12148..23ba59a 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -1,3 +1,7 @@ + # Formatrix Docs - Claude Code Instructions ## Project Overview diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..3a3b7f2 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,34 @@ +# SPDX-License-Identifier: MPL-2.0 +# CODEOWNERS - Define code review assignments for GitHub +# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# Default: sole maintainer for all files +* @hyperpolymath + +# Security-sensitive files require explicit ownership +SECURITY.md @hyperpolymath +.github/workflows/ @hyperpolymath +.machine_readable/ @hyperpolymath +contractiles/ @hyperpolymath + +# License files +LICENSE @hyperpolymath +LICENSES/ @hyperpolymath + +# Configuration +.gitignore @hyperpolymath +.github/ @hyperpolymath + +# Documentation +README* @hyperpolymath +CONTRIBUTING* @hyperpolymath +CODE_OF_CONDUCT* @hyperpolymath +GOVERNANCE* @hyperpolymath +MAINTAINERS* @hyperpolymath +CHANGELOG* @hyperpolymath +ROADMAP* @hyperpolymath + +# Build and CI +Justfile @hyperpolymath +Makefile @hyperpolymath +*.sh @hyperpolymath diff --git a/.github/copilot/coding-agent.yml b/.github/copilot/coding-agent.yml new file mode 100644 index 0000000..a719a77 --- /dev/null +++ b/.github/copilot/coding-agent.yml @@ -0,0 +1,6 @@ +mcp_servers: + boj-server: + command: npx + args: ["-y", "@hyperpolymath/boj-server@latest"] + env: + BOJ_URL: http://localhost:7700 diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index dba7fc8..c201d85 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,3 +1,4 @@ +# // Copyright (c) Jonathan D.A. Jewell # SPDX-License-Identifier: MPL-2.0 name: BoJ Server Build Trigger on: 
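Review bot: `.github/workflows/ @hyperpolymath` in the "Security-sensitive files" block is shadowed by the later `.github/ @hyperpolymath` catch-all, because CODEOWNERS gives precedence to the last matching pattern; with a single owner this changes nothing today, but the block's stated intent stops holding the moment the two entries ever get different owners. Either move the `.github/` line above the security-sensitive block or record the ordering rule, e.g. `# Keep .github/ above the security-sensitive entries: last match wins`. It is also worth a line noting that these assignments only bind when branch protection requires code-owner review; the file on its own enforces nothing.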
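Review bot: `args: ["-y", "@hyperpolymath/boj-server@latest"]` has `npx -y` auto-installing and executing whatever the registry currently serves as `latest`, an unpinned supply-chain dependency in a commit that otherwise pins every action to a commit SHA. Pin an exact version, `"@hyperpolymath/boj-server@<pinned-version>"`, and bump it deliberately; the server presumably runs inside the coding agent's environment, so a comment stating why the pin matters would help whoever does the next bump.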
@@ -7,6 +8,7 @@ on: jobs: trigger-boj: runs-on: ubuntu-latest + timeout-minutes: 15 steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/casket-pages.yml b/.github/workflows/casket-pages.yml index 6084304..89956c4 100644 --- a/.github/workflows/casket-pages.yml +++ b/.github/workflows/casket-pages.yml @@ -1,39 +1,34 @@ +# // Copyright (c) Jonathan D.A. Jewell # SPDX-License-Identifier: MPL-2.0-or-later name: GitHub Pages - on: push: branches: [main] workflow_dispatch: - permissions: contents: read pages: write id-token: write - concurrency: group: "pages" cancel-in-progress: false - jobs: build: runs-on: ubuntu-latest + timeout-minutes: 15 steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - - name: Checkout casket-ssg uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 with: repository: hyperpolymath/casket-ssg path: .casket-ssg - - name: Setup GHCup uses: haskell-actions/setup@f9150cb1d140e9a9271700670baa38991e6fa25c # v2 with: ghc-version: '9.8.2' cabal-version: '3.10' - - name: Cache Cabal uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: @@ -42,11 +37,9 @@ jobs: ~/.cabal/store .casket-ssg/dist-newstyle key: ${{ runner.os }}-casket-${{ hashFiles('.casket-ssg/casket-ssg.cabal') }} - - name: Build casket-ssg working-directory: .casket-ssg run: cabal build - - name: Build site run: | mkdir -p site _site @@ -77,20 +70,18 @@ jobs: fi fi cd .casket-ssg && cabal run casket-ssg -- build ../site ../_site - - name: Setup Pages uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 - - name: Upload artifact uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: '_site' - deploy: environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest + timeout-minutes: 15 needs: build steps: - name: Deploy to GitHub Pages 
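Review bot: The `Checkout casket-ssg` step pulls `repository: hyperpolymath/casket-ssg` with no `ref:`, so the site generator is built from whatever that repo's default branch holds at run time while every action in the same job is SHA-pinned; add `ref: <pinned-casket-ssg-commit>` under `with:` so the Pages build is reproducible and a push to that repo cannot change this site's output unreviewed. Separately, `actions/checkout@de0fac2e…` is labelled `# v4` here but `# v6.0.2` in codeql.yml, hypatia-scan.yml, mirror.yml and scorecard-enforcer.yml, and `codeql-action@c6f931105…` is `# v3` in codeql.yml but `# v4` in scorecard-enforcer.yml; the same SHA cannot be both, so one label in each pair is wrong, and the label is what a reviewer reads when checking a pin. The `build` job continues past this hunk.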
diff --git a/.github/workflows/cflite_batch.yml b/.github/workflows/cflite_batch.yml index 6e27d9c..18f3994 100644 --- a/.github/workflows/cflite_batch.yml +++ b/.github/workflows/cflite_batch.yml @@ -1,3 +1,4 @@ +# // Copyright (c) Jonathan D.A. Jewell # SPDX-License-Identifier: MPL-2.0 name: ClusterFuzzLite Batch on: @@ -8,6 +9,7 @@ permissions: jobs: BatchFuzzing: runs-on: ubuntu-latest + timeout-minutes: 15 strategy: fail-fast: false matrix: diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml index aee7e55..7442e8b 100644 --- a/.github/workflows/cflite_pr.yml +++ b/.github/workflows/cflite_pr.yml @@ -1,3 +1,4 @@ +# // Copyright (c) Jonathan D.A. Jewell # SPDX-License-Identifier: MPL-2.0 name: ClusterFuzzLite PR on: @@ -9,6 +10,7 @@ permissions: jobs: PR: runs-on: ubuntu-latest + timeout-minutes: 15 strategy: fail-fast: false matrix: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9e32d15..e58ca0c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,6 +1,6 @@ -# SPDX-License-Identifier: PMPL-1.0 +# // Copyright (c) Jonathan D.A. Jewell +# SPDX-License-Identifier: MPL-2.0 name: CodeQL Security Analysis - on: push: branches: [main, master] @@ -8,7 +8,6 @@ on: branches: [main, master] schedule: - cron: '0 6 * * 1' - # Estate guardrail: cancel superseded runs so re-pushes / rebased PR # updates do not pile up queued runs against the shared account-wide # Actions concurrency pool. Applied only to read-only check workflows @@ -16,13 +15,12 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - permissions: contents: read - jobs: analyze: runs-on: ubuntu-latest + timeout-minutes: 15 permissions: contents: read security-events: write 
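Review bot: `timeout-minutes: 15` on `BatchFuzzing` caps the whole job, but the fuzzing duration comes from the ClusterFuzzLite step's own `fuzz-seconds` input, which is outside this hunk; if that value plus the build phase approaches 15 minutes the runner kills the job and the batch yields no result. Confirm the budget or size the cap for this workflow instead of the estate-wide default, e.g. `timeout-minutes: 15  # must exceed fuzz-seconds plus build time`. The same applies to the `PR` job in cflite_pr.yml in this commit. The job definition continues outside the hunk.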
@@ -32,17 +30,14 @@ jobs: include: - language: javascript-typescript build-mode: none - steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Initialize CodeQL uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3 with: diff --git a/.github/workflows/dogfood-gate.yml b/.github/workflows/dogfood-gate.yml index d112e7e..fe0852d 100644 --- a/.github/workflows/dogfood-gate.yml +++ b/.github/workflows/dogfood-gate.yml @@ -5,16 +5,13 @@ # Validates that the repo uses hyperpolymath's own formats and tools. # Companion to static-analysis-gate.yml (security) — this is for format compliance. name: Dogfood Gate - on: pull_request: branches: ['**'] push: branches: [main, master] - permissions: contents: read - jobs: # --------------------------------------------------------------------------- # Job 1: A2ML manifest validation @@ -22,11 +19,10 @@ jobs: a2ml-validate: name: Validate A2ML manifests runs-on: ubuntu-latest - + timeout-minutes: 15 steps: - name: Checkout repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Check for A2ML files id: detect run: | @@ -35,14 +31,12 @@ jobs: if [ "$COUNT" -eq 0 ]; then echo "::warning::No .a2ml manifest files found. Every RSR repo should have 0-AI-MANIFEST.a2ml" fi - - name: Validate A2ML manifests if: steps.detect.outputs.count > 0 uses: hyperpolymath/a2ml-validate-action@6bff6ec134fc977e86d25166a5c522ddea5c1e78 # main with: path: '.' strict: 'false' - - name: Write summary run: | A2ML_COUNT="${{ steps.detect.outputs.count }}" 
@@ -59,18 +53,16 @@ jobs: echo "" >> "$GITHUB_STEP_SUMMARY" echo "Scanned **${A2ML_COUNT}** .a2ml file(s). See step output for details." >> "$GITHUB_STEP_SUMMARY" fi - # --------------------------------------------------------------------------- # Job 2: K9 contract validation # --------------------------------------------------------------------------- k9-validate: name: Validate K9 contracts runs-on: ubuntu-latest - + timeout-minutes: 15 steps: - name: Checkout repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Check for K9 files id: detect run: | @@ -83,14 +75,12 @@ jobs: if [ "$COUNT" -eq 0 ] && [ "$CONFIG_COUNT" -gt 0 ]; then echo "::warning::Found $CONFIG_COUNT config files but no K9 contracts. Run k9iser to generate contracts." fi - - name: Validate K9 contracts if: steps.detect.outputs.k9_count > 0 uses: hyperpolymath/k9-validate-action@2d96f43c538964b097d159ed3a56ba5b5ceca227 # main with: path: '.' strict: 'false' - - name: Write summary run: | K9_COUNT="${{ steps.detect.outputs.k9_count }}" @@ -108,18 +98,16 @@ jobs: echo "" >> "$GITHUB_STEP_SUMMARY" echo "Validated **${K9_COUNT}** K9 contract(s) against **${CFG_COUNT}** config file(s)." >> "$GITHUB_STEP_SUMMARY" fi - # --------------------------------------------------------------------------- # Job 3: Empty-linter — invisible character detection # --------------------------------------------------------------------------- empty-lint: name: Empty-linter (invisible characters) runs-on: ubuntu-latest - + timeout-minutes: 15 steps: - name: Checkout repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Scan for invisible characters id: lint run: | 
@@ -153,7 +141,6 @@ jobs: REL_PATH="${filepath#$GITHUB_WORKSPACE/}" echo "::warning file=${REL_PATH}::Invisible Unicode characters detected (zero-width space, BOM, NBSP, etc.)" done < /tmp/empty-lint-results.txt - - name: Write summary run: | if [ "${{ steps.lint.outputs.ready }}" = "true" ]; then @@ -172,18 +159,16 @@ jobs: echo "" >> "$GITHUB_STEP_SUMMARY" echo "Skipped: empty-linter not available." >> "$GITHUB_STEP_SUMMARY" fi - # --------------------------------------------------------------------------- # Job 4: Groove manifest check (for repos that should expose services) # --------------------------------------------------------------------------- groove-check: name: Groove manifest check runs-on: ubuntu-latest - + timeout-minutes: 15 steps: - name: Checkout repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Check for Groove manifest id: groove run: | @@ -220,7 +205,6 @@ jobs: if [ "$HAS_SERVER" = "true" ] && [ "$HAS_MANIFEST" = "false" ] && [ "$HAS_GROOVE_CODE" = "false" ]; then echo "::warning::This repo has server code but no Groove endpoint. Add .well-known/groove/manifest.json for service discovery." fi - - name: Write summary run: | echo "## Groove Protocol Check" >> "$GITHUB_STEP_SUMMARY" 
@@ -230,20 +214,18 @@ jobs: echo "| Static manifest (.well-known/groove/manifest.json) | ${{ steps.groove.outputs.has_manifest }} |" >> "$GITHUB_STEP_SUMMARY" echo "| Groove endpoint in code | ${{ steps.groove.outputs.has_groove_code }} |" >> "$GITHUB_STEP_SUMMARY" echo "| Has HTTP server code | ${{ steps.groove.outputs.has_server }} |" >> "$GITHUB_STEP_SUMMARY" - # --------------------------------------------------------------------------- # Job 5: Dogfooding summary # --------------------------------------------------------------------------- dogfood-summary: name: Dogfooding compliance summary runs-on: ubuntu-latest + timeout-minutes: 15 needs: [a2ml-validate, k9-validate, empty-lint, groove-check] if: always() - steps: - name: Checkout repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Generate dogfooding scorecard run: | SCORE=0 @@ -306,4 +288,3 @@ jobs: *Generated by the [Dogfood Gate](https://github.com/hyperpolymath/rsr-template-repo) workflow.* *Dogfooding is guinea pig fooding — we test our tools on ourselves.* EOF - diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml index 653ef98..febd5bc 100644 --- a/.github/workflows/governance.yml +++ b/.github/workflows/governance.yml @@ -1,3 +1,4 @@ +# // Copyright (c) Jonathan D.A. Jewell # SPDX-License-Identifier: MPL-2.0 # governance.yml — single wrapper calling the shared estate governance bundle # in hyperpolymath/standards instead of carrying per-repo copies. @@ -11,13 +12,11 @@ # (rust-ci, codeql, dependabot, release, scan/mirror/pages plumbing). name: Governance - on: push: branches: [main, master] pull_request: workflow_dispatch: - # Estate guardrail: cancel superseded runs so re-pushes / rebased PR # updates do not pile up queued runs against the shared account-wide # Actions concurrency pool. Applied only to read-only check workflows 
@@ -25,10 +24,9 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - permissions: contents: read - jobs: governance: - uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main + uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@861b5e911d9e5dcfb3c0ab3dd2a9a3c8fd0a1613 + timeout-minutes: 10 diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml index c68b9ed..baccf3f 100644 --- a/.github/workflows/hypatia-scan.yml +++ b/.github/workflows/hypatia-scan.yml 
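Review bot: `timeout-minutes: 10` is added to the `governance` job, but that job calls a reusable workflow via `uses:`, and the caller-side job schema does not accept `timeout-minutes` (only `name`, `permissions`, `needs`, `if`, `uses`, `with`, `secrets`, `strategy` and `concurrency`), so as far as I can tell GitHub rejects the file with an "Unexpected value 'timeout-minutes'" validation error and the workflow never runs. Drop the line here and set the timeout on the jobs inside `governance-reusable.yml` instead. The same line is added to the `rust-ci` job in rust-ci.yml in this commit. The new SHA pin also lacks the trailing label the other pins carry; `uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@861b5e911d9e5dcfb3c0ab3dd2a9a3c8fd0a1613  # <tag or branch this SHA came from>` lets a reviewer check it.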
@@ -1,29 +1,317 @@ +# // Copyright (c) Jonathan D.A. Jewell # SPDX-License-Identifier: MPL-2.0 # Thin wrapper around hyperpolymath/standards hypatia-scan-reusable.yml. # See standards#191 for the reusable's purpose and design. name: Hypatia Security Scan - on: push: branches: [main, master, develop] pull_request: branches: [main, master] schedule: - - cron: '0 0 * * 0' + - cron: '0 0 * * 0' # Weekly on Sunday workflow_dispatch: # Estate guardrail: cancel superseded runs so re-pushes don't pile up. concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - permissions: contents: read security-events: write pull-requests: write - jobs: - hypatia: - uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@915139d73560e65a8240b8fc7768698658502c89 - secrets: inherit + scan: + name: Hypatia Neurosymbolic Analysis + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 # Full history for better pattern analysis + - name: Setup Elixir for Hypatia scanner + uses: erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.18.2 + with: + elixir-version: '1.18' + otp-version: '27' + - name: Clone Hypatia + run: | + if [ ! -d "$HOME/hypatia" ]; then + git clone https://github.com/hyperpolymath/hypatia.git "$HOME/hypatia" + fi + - name: Build Hypatia scanner (if needed) + run: | + cd "$HOME/hypatia" + if [ ! -f hypatia ]; then + echo "Building hypatia scanner..." + mix deps.get + mix escript.build + fi + - name: Run Hypatia scan + id: scan + env: + # Pass the built-in Actions token through to Hypatia so the + # DependabotAlerts rule can query this repo's own alerts. + # For cross-repo scanning (fleet-coordinator scan-supervised), + # a PAT with `security_events` scope is required instead. 
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "Scanning repository: ${{ github.repository }}" + + # Run scanner (exits non-zero when findings exist — suppress to continue) + HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . --exit-zero > hypatia-findings.json || true + + # Count findings + FINDING_COUNT=$(jq '. | length' hypatia-findings.json 2>/dev/null || echo 0) + echo "findings_count=$FINDING_COUNT" >> $GITHUB_OUTPUT + + # Extract severity counts + CRITICAL=$(jq '[.[] | select(.severity == "critical")] | length' hypatia-findings.json) + HIGH=$(jq '[.[] | select(.severity == "high")] | length' hypatia-findings.json) + MEDIUM=$(jq '[.[] | select(.severity == "medium")] | length' hypatia-findings.json) + + echo "critical=$CRITICAL" >> $GITHUB_OUTPUT + echo "high=$HIGH" >> $GITHUB_OUTPUT + echo "medium=$MEDIUM" >> $GITHUB_OUTPUT + + echo "## Hypatia Scan Results" >> $GITHUB_STEP_SUMMARY + echo "- Total findings: $FINDING_COUNT" >> $GITHUB_STEP_SUMMARY + echo "- Critical: $CRITICAL" >> $GITHUB_STEP_SUMMARY + echo "- High: $HIGH" >> $GITHUB_STEP_SUMMARY + echo "- Medium: $MEDIUM" >> $GITHUB_STEP_SUMMARY + - name: Upload findings artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: hypatia-findings + path: hypatia-findings.json + retention-days: 90 + - name: Convert Hypatia findings to SARIF + # Always runs (no findings_count guard): an EMPTY SARIF run is + # valid and intentional — uploading it clears stale Hypatia + # alerts from the code-scanning page when a repo goes clean. + # The converter is dependency-free Node (Node ships on + # ubuntu-latest; no npm install — estate npm ban respected) and + # is hardened against the heterogeneous Hypatia JSON schema: + # most findings are {rule_module,severity,type,file,reason, + # action}; only some carry an integer `line`; `file` may be + # empty or absolute. See lib/hypatia/cli.ex (collect_findings). 
+ run: | + cat > "$RUNNER_TEMP/hypatia-sarif.cjs" <<'CJS' + const fs = require('fs'); + const path = require('path'); + const crypto = require('crypto'); + + const ws = process.env.GITHUB_WORKSPACE || process.cwd(); + + let findings = []; + try { + const parsed = JSON.parse(fs.readFileSync('hypatia-findings.json', 'utf8')); + if (Array.isArray(parsed)) findings = parsed; + } catch (_) { + // Scanner unavailable / empty / malformed -> empty SARIF. + // Intentionally clears stale alerts rather than erroring. + findings = []; + } + + // Mirrors Hypatia's own "github" annotation mapping + // (lib/hypatia/cli.ex output/2): critical|high -> error, + // medium -> warning, everything else -> note. + const levelFor = (sev) => { + switch (String(sev || '').toLowerCase()) { + case 'critical': + case 'high': return 'error'; + case 'medium': return 'warning'; + default: return 'note'; + } + }; + + // SARIF artifactLocation.uri must be a repo-relative POSIX + // path. Hypatia may emit absolute paths (scanned under + // $GITHUB_WORKSPACE) or "" / "." for repo-level findings. + const relUri = (file) => { + if (!file) return '.'; + let f = String(file); + if (path.isAbsolute(f)) { + const rel = path.relative(ws, f); + f = (rel && !rel.startsWith('..')) ? rel : path.basename(f); + } + f = f.replace(/\\/g, '/').replace(/^\.\//, ''); + return f || '.'; + }; + + const rules = new Map(); + const results = findings.map((f) => { + const mod = String(f.rule_module || 'hypatia'); + const type = String(f.type || 'finding'); + const ruleId = `hypatia/${mod}/${type}`; + const level = levelFor(f.severity); + if (!rules.has(ruleId)) { + rules.set(ruleId, { + id: ruleId, + name: `${mod}.${type}`, + shortDescription: { text: `Hypatia ${mod}: ${type}` }, + defaultConfiguration: { level } + }); + } + const uri = relUri(f.file); + const msg = String(f.reason || f.type || 'Hypatia finding'); + const startLine = + Number.isInteger(f.line) && f.line > 0 ? 
f.line : 1; + // Stable cross-run fingerprint for dedupe (no line, so a + // moved finding in the same file/rule stays one alert). + const fp = crypto + .createHash('sha256') + .update([ruleId, uri, type, msg].join('|')) + .digest('hex'); + return { + ruleId, + level, + message: { text: msg }, + locations: [ + { + physicalLocation: { + artifactLocation: { uri }, + region: { startLine } + } + } + ], + partialFingerprints: { 'hypatiaFindingHash/v1': fp } + }; + }); + + const sarif = { + $schema: 'https://json.schemastore.org/sarif-2.1.0.json', + version: '2.1.0', + runs: [ + { + tool: { + driver: { + name: 'Hypatia', + informationUri: 'https://github.com/hyperpolymath/hypatia', + rules: Array.from(rules.values()) + } + }, + results + } + ] + }; + + fs.writeFileSync('hypatia.sarif', JSON.stringify(sarif, null, 2)); + console.log(`hypatia.sarif written: ${results.length} result(s).`); + CJS + node "$RUNNER_TEMP/hypatia-sarif.cjs" + - name: Upload SARIF to GitHub code scanning + # Fork PRs get a read-only GITHUB_TOKEN, so security-events:write + # is unavailable and upload-sarif cannot publish — skip there + # rather than hard-fail (the push/schedule run on the default + # branch is the authoritative upload). Same-repo PRs and pushes + # do upload. This step is deliberately NOT continue-on-error: + # if the security-surface integration breaks we want a loud red, + # not a silently-ungated scanner (the exact failure mode #35 + # exists to end). The empty-SARIF "clear stale alerts" path is + # handled in the converter above and does not error here. + if: >- + always() && (github.event_name != 'pull_request' || + + + + + + github.event.pull_request.head.repo.fork != true) + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1 + with: + sarif_file: hypatia.sarif + # Distinct category so Hypatia results coexist with CodeQL's + # (codeql.yml) instead of overwriting them on the same surface. 
+ category: hypatia + - name: Submit findings to gitbot-fleet (Phase 2) + if: steps.scan.outputs.findings_count > 0 + # Phase 2 is the collaborative LEARNING side-channel ("bots share + # findings via gitbot-fleet"), not the security gate. The gate is + # the baseline-aware "Check for critical or high-severity issues" + # step below. A fleet-side regression (e.g. the submit script being + # moved/removed) must NEVER hard-fail every consuming repo's scan. + # Same reasoning as the "Comment on PR with findings" step. + # See hyperpolymath/hypatia#213 (gate decoupling) and the exit-127 + # estate-wide breakage when gitbot-fleet/scripts/submit-finding.sh + # no longer existed on the default branch. + continue-on-error: true + env: + # All GitHub context values surface as env vars so the run + # block never interpolates `${{ … }}` inline (closes the + # workflow_audit/unsafe_curl_payload + actions_expression_injection + # findings). + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + FLEET_PUSH_TOKEN: ${{ secrets.HYPATIA_DISPATCH_PAT }} + FLEET_DISPATCH_TOKEN: ${{ secrets.HYPATIA_DISPATCH_PAT }} + GITHUB_REPOSITORY: ${{ github.repository }} + GITHUB_SHA: ${{ github.sha }} + FINDINGS_COUNT: ${{ steps.scan.outputs.findings_count }} + run: "echo \"\U0001F4E4 Submitting $FINDINGS_COUNT findings to gitbot-fleet...\"\n\n# Clone gitbot-fleet to temp directory. A clone failure (network,\n# repo gone) is non-fatal: learning submission is best-effort.\nFLEET_DIR=\"/tmp/gitbot-fleet-$$\"\nif ! git clone --depth 1 https://github.com/hyperpolymath/gitbot-fleet.git \"$FLEET_DIR\"; then\n echo \"::warning::Could not clone gitbot-fleet — skipping Phase 2 learning submission (non-fatal).\"\n exit 0\nfi\n\n# The submission script's location in gitbot-fleet has drifted\n# before (it was absent from the default branch, which exit-127'd\n# every consuming repo's scan). 
Probe known locations rather than\n# hard-coding one path, and skip gracefully if none is present.\nSUBMIT_SCRIPT=\"\"\nfor cand in \\\n \"$FLEET_DIR/scripts/submit-finding.sh\" \\\n \"$FLEET_DIR/scripts/submit_finding.sh\" \\\n \"$FLEET_DIR/bin/submit-finding.sh\" \\\n \"$FLEET_DIR/submit-finding.sh\"; do\n if [ -f \"$cand\" ]; then\n SUBMIT_SCRIPT=\"$cand\"\n break\n fi\ndone\n\nif [ -z \"$SUBMIT_SCRIPT\" ]; then\n echo \"::warning::gitbot-fleet submit-finding script not found at any known path — skipping Phase 2 learning submission (non-fatal). Findings are still uploaded as an artifact and gated below.\"\n rm -rf \"$FLEET_DIR\"\n exit 0\nfi\n\n# Run submission script. Pass the findings path as ABSOLUTE —\n# the script cd's into its own working dir before reading the\n# file, so a relative path would resolve to the wrong place.\n# A submission-script failure is logged but non-fatal.\nif bash \"$SUBMIT_SCRIPT\" \"$GITHUB_WORKSPACE/hypatia-findings.json\"; then\n echo \"✅ Finding submission complete\"\nelse\n echo \"::warning::gitbot-fleet submission script exited non-zero — Phase 2 learning submission skipped (non-fatal).\"\nfi\n\n# Cleanup\nrm -rf \"$FLEET_DIR\"\n" + - name: Check for critical issues + if: steps.scan.outputs.critical > 0 + # GATING POLICY (explicit, by design — not an oversight): + # Hypatia is ADVISORY here. Critical findings are surfaced + # (step annotation + SARIF alert on the code-scanning page + + # PR comment) but do NOT fail this check. Enforcement is + # delegated to the code-scanning surface: tighten by adding a + # branch-protection "required" status on the `hypatia` SARIF + # category, not by reintroducing an `exit 1` here. This keeps + # the gate decision in one auditable place (hypatia#213 gate + # decoupling) and lets a repo opt into fail-on-critical without + # editing this canonical workflow. To change the policy, change + # branch protection — deliberately no commented-out `exit 1`. 
+ run: | + echo "::warning::Hypatia found critical security issue(s) — advisory." + echo "See the Security → Code scanning page (category: hypatia)" + echo "and the hypatia-findings.json artifact for details." + - name: Generate scan report + run: | + cat << EOF > hypatia-report.md + # Hypatia Security Scan Report + + **Repository:** ${{ github.repository }} + **Scan Date:** $(date -u +"%Y-%m-%d %H:%M:%S UTC") + **Commit:** ${{ github.sha }} + + ## Summary + + | Severity | Count | + |----------|-------| + | Critical | ${{ steps.scan.outputs.critical }} | + | High | ${{ steps.scan.outputs.high }} | + | Medium | ${{ steps.scan.outputs.medium }} | + | **Total**| ${{ steps.scan.outputs.findings_count }} | + + ## Next Steps + + 1. Triage findings on the **Security → Code scanning** page + (SARIF category \`hypatia\`) — dismiss/track them there like + CodeQL alerts. + 2. The full finding set is also attached as the + \`hypatia-findings.json\` build artifact for offline review. + 3. Findings are **advisory** today (surfaced, not gated); the + gating policy is documented in the workflow's "Check for + critical issues" step. + + ## Learning + + These findings feed Hypatia's learning engine to improve future rules. + + --- + *Powered by [Hypatia](https://github.com/hyperpolymath/hypatia) - Neurosymbolic CI/CD Intelligence* + EOF + + cat hypatia-report.md >> $GITHUB_STEP_SUMMARY + - name: Comment on PR with findings + if: github.event_name == 'pull_request' && steps.scan.outputs.findings_count > 0 + # Advisory only — posting findings as a PR comment must never gate + # the scan (hypatia#213 gate decoupling). Belt-and-braces alongside + # the pull-requests: write permission above: a token/API hiccup or + # a fork PR (read-only token) skips the comment, not the check. 
+ continue-on-error: true + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7 + with: + script: "const fs = require('fs');\nconst findings = JSON.parse(fs.readFileSync('hypatia-findings.json', 'utf8'));\n\nconst critical = findings.filter(f => f.severity === 'critical').length;\nconst high = findings.filter(f => f.severity === 'high').length;\n\nlet comment = `## \U0001F50D Hypatia Security Scan\\n\\n`;\ncomment += `**Findings:** ${findings.length} issues detected\\n\\n`;\ncomment += `| Severity | Count |\\n|----------|-------|\\n`;\ncomment += `| \U0001F534 Critical | ${critical} |\\n`;\ncomment += `| \U0001F7E0 High | ${high} |\\n`;\ncomment += `| \U0001F7E1 Medium | ${findings.length - critical - high} |\\n\\n`;\n\nif (critical > 0) {\n comment += `⚠️ **Action Required:** Critical security issues found!\\n\\n`;\n}\n\ncomment += `
View findings\\n\\n`;\ncomment += `\\`\\`\\`json\\n${JSON.stringify(findings.slice(0, 10), null, 2)}\\n\\`\\`\\`\\n`;\ncomment += `
\\n\\n`;\ncomment += `*Powered by Hypatia Neurosymbolic CI/CD Intelligence*`;\n\ngithub.rest.issues.createComment({\n owner: context.repo.owner,\n repo: context.repo.repo,\n issue_number: context.issue.number,\n body: comment\n});" diff --git a/.github/workflows/instant-sync.yml b/.github/workflows/instant-sync.yml index 228dc43..95867cf 100644 --- a/.github/workflows/instant-sync.yml +++ b/.github/workflows/instant-sync.yml @@ -1,19 +1,18 @@ +# // Copyright (c) Jonathan D.A. Jewell # SPDX-License-Identifier: MPL-2.0 # Instant Forge Sync - Triggers propagation to all forges on push/release name: Instant Sync - on: push: branches: [main, master] release: types: [published] - permissions: contents: read - jobs: dispatch: runs-on: ubuntu-latest + timeout-minutes: 15 steps: - name: Trigger Propagation uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3 @@ -28,6 +27,5 @@ jobs: "sha": "${{ github.sha }}", "forges": "" } - - name: Confirm run: echo "::notice::Propagation triggered for ${{ github.event.repository.name }}" diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 2083ca6..9db8544 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml 
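Review bot: The `Clone Hypatia` step runs `git clone https://github.com/hyperpolymath/hypatia.git` with no ref, and the next two steps build and execute that checkout in a job holding `security-events: write`, `pull-requests: write` and `GITHUB_TOKEN`, so whatever lands on hypatia's default branch runs here unreviewed and can publish arbitrary SARIF under the `hypatia` category; this file pins every action to a SHA but not the scanner itself. Pin it: keep `git clone https://github.com/hyperpolymath/hypatia.git "$HOME/hypatia"` and follow it with `git -C "$HOME/hypatia" checkout <pinned-hypatia-commit>`, bumping deliberately. The build guard tests `if [ ! -f hypatia ]` while the scan step invokes `hypatia-cli.sh`; if the escript is not literally named `hypatia` the guard never matches and the build re-runs on every job, which is worth confirming against the hypatia repo. Also, the `Run Hypatia scan` and `Generate scan report` steps interpolate `${{ github.repository }}`, `${{ github.sha }}` and step outputs inline in `run:` even though the Phase 2 step's own comment says the estate bans that pattern; these contexts are not attacker-controlled, so this is a consistency point, fixable by routing them through `env:` as that step does.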
@@ -1,15 +1,134 @@ +# // Copyright (c) Jonathan D.A. Jewell # SPDX-License-Identifier: MPL-2.0 name: Mirror to Git Forges - on: push: branches: [main] workflow_dispatch: - permissions: contents: read - jobs: - mirror: - uses: hyperpolymath/standards/.github/workflows/mirror-reusable.yml@e6b2884722350515934d443daf23442f2195796f - secrets: inherit + mirror-gitlab: + runs-on: ubuntu-latest + timeout-minutes: 15 + if: vars.GITLAB_MIRROR_ENABLED == 'true' + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + - if: ${{ env.SSH_PRIVATE_KEY != '' }} + uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 + with: + ssh-private-key: ${{ secrets.GITLAB_SSH_KEY }} + - name: Mirror to GitLab + run: | + ssh-keyscan -t ed25519 gitlab.com >> ~/.ssh/known_hosts + git remote add gitlab git@gitlab.com:${{ vars.GITLAB_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true + git push --force gitlab main + mirror-bitbucket: + runs-on: ubuntu-latest + timeout-minutes: 15 + if: vars.BITBUCKET_MIRROR_ENABLED == 'true' + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + - if: ${{ env.SSH_PRIVATE_KEY != '' }} + uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 + with: + ssh-private-key: ${{ secrets.BITBUCKET_SSH_KEY }} + - name: Mirror to Bitbucket + run: | + ssh-keyscan -t ed25519 bitbucket.org >> ~/.ssh/known_hosts + git remote add bitbucket git@bitbucket.org:${{ vars.BITBUCKET_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true + git push --force bitbucket main + mirror-codeberg: + runs-on: ubuntu-latest + timeout-minutes: 15 + if: vars.CODEBERG_MIRROR_ENABLED == 'true' + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + - if: ${{ env.SSH_PRIVATE_KEY != '' }} + uses: 
webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 + with: + ssh-private-key: ${{ secrets.CODEBERG_SSH_KEY }} + - name: Mirror to Codeberg + run: | + ssh-keyscan -t ed25519 codeberg.org >> ~/.ssh/known_hosts + git remote add codeberg git@codeberg.org:${{ vars.CODEBERG_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true + git push --force codeberg main + mirror-sourcehut: + runs-on: ubuntu-latest + timeout-minutes: 15 + if: vars.SOURCEHUT_MIRROR_ENABLED == 'true' + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + - if: ${{ env.SSH_PRIVATE_KEY != '' }} + uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 + with: + ssh-private-key: ${{ secrets.SOURCEHUT_SSH_KEY }} + - name: Mirror to SourceHut + run: | + ssh-keyscan -t ed25519 git.sr.ht >> ~/.ssh/known_hosts + git remote add sourcehut git@git.sr.ht:~${{ vars.SOURCEHUT_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }} || true + git push --force sourcehut main + mirror-disroot: + runs-on: ubuntu-latest + timeout-minutes: 15 + if: vars.DISROOT_MIRROR_ENABLED == 'true' + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + - if: ${{ env.SSH_PRIVATE_KEY != '' }} + uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 + with: + ssh-private-key: ${{ secrets.DISROOT_SSH_KEY }} + - name: Mirror to Disroot + run: | + ssh-keyscan -t ed25519 git.disroot.org >> ~/.ssh/known_hosts + git remote add disroot git@git.disroot.org:${{ vars.DISROOT_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true + git push --force disroot main + mirror-gitea: + runs-on: ubuntu-latest + timeout-minutes: 15 + if: vars.GITEA_MIRROR_ENABLED == 'true' + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 
v6.0.2 + with: + fetch-depth: 0 + - if: ${{ env.SSH_PRIVATE_KEY != '' }} + uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 + with: + ssh-private-key: ${{ secrets.GITEA_SSH_KEY }} + - name: Mirror to Gitea + run: | + ssh-keyscan -t ed25519 ${{ vars.GITEA_HOST }} >> ~/.ssh/known_hosts + git remote add gitea git@${{ vars.GITEA_HOST }}:${{ vars.GITEA_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true + git push --force gitea main + mirror-radicle: + runs-on: ubuntu-latest + timeout-minutes: 15 + if: vars.RADICLE_MIRROR_ENABLED == 'true' + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + - name: Setup Rust + uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable + with: + toolchain: stable + - name: Install Radicle + run: | + # Install via cargo (safer than curl|sh) + cargo install radicle-cli --locked + echo "$HOME/.cargo/bin" >> $GITHUB_PATH + - name: Mirror to Radicle + run: | + echo "${{ secrets.RADICLE_KEY }}" > ~/.radicle/keys/radicle + chmod 600 ~/.radicle/keys/radicle + rad sync --announce || echo "Radicle sync attempted" diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 1b1b792..ae30525 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml 
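Review bot: Every `ssh-agent` step is gated on `if: ${{ env.SSH_PRIVATE_KEY != '' }}`, but no `env:` block anywhere in this file defines `SSH_PRIVATE_KEY` (the hunk covers the whole file), so the condition is always false, no key is ever loaded and each `git push --force …` step runs without a credential; the mirrors fail even when `*_MIRROR_ENABLED` is set. The `secrets` context is not available in `if:`, so the usual fix is a job-level `env:` on each mirror job, e.g. `env:` / `  SSH_PRIVATE_KEY: ${{ secrets.GITLAB_SSH_KEY }}` for `mirror-gitlab`, with the matching secret for the other five SSH jobs. In `mirror-radicle`, `echo "${{ secrets.RADICLE_KEY }}" > ~/.radicle/keys/radicle` interpolates the secret directly into the shell script and `~/.radicle/keys` is never created; pass it as `env: RADICLE_KEY: ${{ secrets.RADICLE_KEY }}` and write it with `mkdir -p ~/.radicle/keys && printf '%s\n' "$RADICLE_KEY" > ~/.radicle/keys/radicle`. The `ssh-keyscan … >> ~/.ssh/known_hosts` lines also trust whatever host key is presented at run time rather than a known fingerprint, which deserves at least a `# TOFU: consider pinning known_hosts entries` comment if not a fix.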
@@ -1,17 +1,16 @@
+# // Copyright (c) Jonathan D.A. Jewell
 # SPDX-License-Identifier: MPL-2.0
 # Rust CI — thin wrapper calling the shared estate reusable in
 # hyperpolymath/standards. Configure once, propagate everywhere.
 # See: docs/CI-REUSABLE-WORKFLOWS.adoc in standards.
 name: Rust CI
-
 on:
 push:
 branches: [main, master]
 pull_request:
-
 permissions:
 contents: read
-
 jobs:
 rust-ci:
- uses: hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@cc5a372af1af1b202c17f1b21efd954e6c038bef
+ uses: hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@f5f0506a6ec88e574753eee701a268e0d4b3a7f2
+ timeout-minutes: 10
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
index 6933b78..1b03bc7 100644
--- a/.github/workflows/scorecard-enforcer.yml
+++ b/.github/workflows/scorecard-enforcer.yml
@@ -1,14 +1,13 @@
+# // Copyright (c) Jonathan D.A. Jewell
 # SPDX-License-Identifier: MPL-2.0
 # Prevention workflow - runs OpenSSF Scorecard and fails on low scores
 name: OpenSSF Scorecard Enforcer
-
 on:
 push:
 branches: [main]
 schedule:
- - cron: '0 6 * * 1' # Weekly on Monday
+ - cron: '0 6 * * 1' # Weekly on Monday
 workflow_dispatch:
-
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
 # Actions concurrency pool. Applied only to read-only check workflows
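Review bot: `timeout-minutes: 10` is placed on the `rust-ci` job, which is a reusable-workflow call (`uses:` at job level); as far as I know a caller job of that form accepts only `name`, `needs`, `if`, `uses`, `with`, `secrets`, `permissions`, `strategy` and `concurrency`, so the workflow would be rejected at parse time with an unexpected-key error rather than gain a timeout. The timeout belongs on the jobs inside `rust-ci-reusable.yml` in hyperpolymath/standards, or should be exposed there as an input and passed through `with:`. The bump of the reusable-workflow SHA cannot be checked from this page; a trailing `# <tag or date>` comment on that `uses:` line, as the action pins elsewhere in this commit carry, would record what it was verified against.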
@@ -16,33 +15,29 @@ on:
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-
 permissions:
 contents: read
-
 jobs:
 scorecard:
 runs-on: ubuntu-latest
+ timeout-minutes: 15
 permissions:
 security-events: write
- id-token: write # For OIDC
+ id-token: write # For OIDC
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
-
 - name: Run Scorecard
 uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
 with:
 results_file: results.sarif
 results_format: sarif
 publish_results: true
-
 - name: Upload SARIF
 uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
 with:
 sarif_file: results.sarif
-
 - name: Check minimum score
 run: |
 # Parse score from results
@@ -57,20 +52,18 @@ jobs:
 echo "::error::Scorecard score $SCORE is below minimum $MIN_SCORE"
 exit 1
 fi
-
 # Check specific high-priority items
 check-critical:
 runs-on: ubuntu-latest
+ timeout-minutes: 15
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
 - name: Check SECURITY.md exists
 run: |
 if [ ! -f "SECURITY.md" ]; then
 echo "::error::SECURITY.md is required"
 exit 1
 fi
-
 - name: Check for pinned dependencies
 run: |
 # Check workflows for unpinned actions
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index fc907c2..f6019c5 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
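Review bot: The `check-critical` job gains `timeout-minutes: 15` in the last hunk, but its checkout step still runs with the default `persist-credentials: true`, whereas the `scorecard` job in the hunk above explicitly sets `persist-credentials: false`; this job only runs read-only shell checks, so the token never needs to be left in the working tree. While the job is being touched, add `with:` / `persist-credentials: false` under that `uses: actions/checkout@…` step so the two jobs in this file agree. The remaining changes in these hunks are blank-line and comment-spacing tidy-ups and raise nothing.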
@@ -1,16 +1,38 @@
+# // Copyright (c) Jonathan D.A. Jewell
 # SPDX-License-Identifier: PMPL-1.0
 name: Scorecards supply-chain security
 on:
 branch_protection_rule:
 schedule:
- - cron: '23 4 * * 1'
- push:
- branches: [main]
-
-permissions: read-all
-
+ - cron: '0 4 * * *'
+ workflow_dispatch:
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+permissions:
+ contents: read
 jobs:
 analysis:
- uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef
- secrets: inherit
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ permissions:
+ security-events: write
+ id-token: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Run Scorecard
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ - name: Upload results
+ uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3.31.8
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
index 586cdc0..7fdfdd0 100644
--- a/.github/workflows/secret-scanner.yml
+++ b/.github/workflows/secret-scanner.yml
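Review bot: The version comments on the new pins disagree with the identical SHAs in scorecard-enforcer.yml in this same commit: `ossf/scorecard-action@4eaacf05…` is labelled `# v2.3.1` here and `# v2.4.3` there, and `upload-sarif@c6f93110…` is `# v3.31.8` here and `# v4` there, so at least one label in each pair is wrong and the comment no longer records what the SHA was checked against. The `analysis` job also requests `id-token: write` but, unlike the enforcer job, does not set `publish_results: true`, so the OIDC permission is granted without being used; either add `publish_results: true` under `with:` or drop `id-token: write`. With the reusable call replaced, this job now duplicates the `scorecard` job in scorecard-enforcer.yml step for step, which deserves a header comment explaining why both workflows exist.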
@@ -1,19 +1,64 @@
+# // Copyright (c) Jonathan D.A. Jewell
 # SPDX-License-Identifier: PMPL-1.0
 name: Secret Scanner
-
 on:
 pull_request:
 push:
 branches: [main]
-
+# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
+# updates do not pile up queued runs against the shared account-wide
+# Actions concurrency pool. Applied only to read-only check workflows
+# (no publish/mutation), so cancelling a superseded run is always safe.
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-
 permissions:
 contents: read
-
 jobs:
- scan:
- uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@3e4bd4c93911750727e2e4c66dff859e00079da0
- secrets: inherit
+ trufflehog:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
+ with:
+ fetch-depth: 0 # Full history for scanning
+ - name: TruffleHog Secret Scan
+ uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3
+ with:
+ # The v3 action injects --fail automatically on pull_request events.
+ # Passing --fail here triggers "flag 'fail' cannot be repeated".
+ extra_args: --only-verified
+ # Rust-specific: Check for hardcoded crypto values
+ rust-secrets:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
+ - name: Check for hardcoded secrets in Rust
+ run: |
+ if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then
+ echo 'No Cargo.toml found — skipping Rust secrets check'
+ exit 0
+ fi
+ # Patterns that suggest hardcoded secrets
+ PATTERNS=(
+ 'const.*SECRET.*=.*"'
+ 'const.*KEY.*=.*"[a-zA-Z0-9]{16,}"'
+ 'const.*TOKEN.*=.*"'
+ 'let.*api_key.*=.*"'
+ 'HMAC.*"[a-fA-F0-9]{32,}"'
+ 'password.*=.*"[^"]+"'
+ )
+
+ found=0
+ for pattern in "${PATTERNS[@]}"; do
+ if grep -rn --include="*.rs" -E "$pattern" src/; then
+ echo "WARNING: Potential hardcoded secret found matching: $pattern"
+ found=1
+ fi
+ done
+
+ if [ $found -eq 1 ]; then
+ echo "::error::Potential hardcoded secrets detected. Use environment variables instead."
+ exit 1
+ fi
diff --git a/.machine_readable/6a2/0-AI-MANIFEST.a2ml b/.machine_readable/6a2/0-AI-MANIFEST.a2ml
new file mode 100644
index 0000000..6bf1f8c
--- /dev/null
+++ b/.machine_readable/6a2/0-AI-MANIFEST.a2ml
@@ -0,0 +1,31 @@
+# AI Manifest for 6a2 Directory
+
+## Purpose
+
+This manifest declares the AI-assistant context for the 6a2 machine-readable metadata directory.
+
+## Canonical Locations
+
+The 6 core A2ML files MUST exist in this directory:
+1. AGENTIC.a2ml
+2. ECOSYSTEM.a2ml
+3. META.a2ml
+4. NEUROSYM.a2ml
+5. PLAYBOOK.a2ml
+6. STATE.a2ml
+
+## Invariants
+
+- No duplicate files in root directory
+- Single source of truth: this directory is authoritative
+- No stale metadata
+
+## Protocol
+
+When multiple agents may write to A2ML files concurrently:
+1. Read file and record git-sha-at-read in [provenance] section
+2. Lock by creating .lock-
+3. Write updated file with new [provenance] metadata
+4. Release by removing lock file
+5. On conflict: re-read and retry if git-sha-at-read does not match HEAD
+
diff --git a/.machine_readable/6a2/README.adoc b/.machine_readable/6a2/README.adoc
new file mode 100644
index 0000000..bc033d7
--- /dev/null
+++ b/.machine_readable/6a2/README.adoc
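Review bot: The `rust-secrets` step locates `Cargo.toml` anywhere under `.` but then greps only `src/`, so in a workspace whose crates live in subdirectories, or a repo with no top-level `src/`, `grep -r` matches nothing (or fails on the missing path) and the step passes silently. Scanning from the repository root with the build directory excluded keeps the check honest: `if grep -rn --include="*.rs" --exclude-dir=target -E "$pattern" .; then`. The checkout pin `actions/checkout@de0fac2e…` is commented `# v4` in both jobs here but `# v6.0.2` in scorecard.yml and scorecard-enforcer.yml, so one of those labels is wrong. It is also worth stating in the `extra_args` comment that, as I understand the flag, `--only-verified` suppresses candidate secrets TruffleHog cannot verify against their provider, so the job passes on them rather than reporting them.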
@@ -0,0 +1,30 @@ +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell +# A2ML 6a2 Directory + +This directory contains the 6 core A2ML machine-readable metadata files for this repository. + +## Files + +- `AGENTIC.a2ml` - AI agent operational gating, safety controls +- `ECOSYSTEM.a2ml` - Project ecosystem position, relationships, explicit boundaries +- `META.a2ml` - Architecture decisions (ADRs), development practices, design rationale +- `NEUROSYM.a2ml` - Symbolic semantics, composition algebra +- `PLAYBOOK.a2ml` - Executable plans, operational runbooks +- `STATE.a2ml` - Project state, phase, milestones, session history + +## Standards Compliance + +These files follow the A2ML Format Family specification from: +https://github.com/hyperpolymath/standards/tree/main/a2ml + +## Generation + +These files may be generated from .scm source files using transpilation tools. +Source .scm files should be removed after successful transpilation. + +## See Also + +- [A2ML Repository Template](https://github.com/hyperpolymath/standards/blob/main/A2ML-REPO-TEMPLATE.adoc) +- [6A2 Format Family](https://github.com/hyperpolymath/standards#a2ml-format-family-7-formats) + diff --git a/.machine_readable/6a2/anchor/0-AI-MANIFEST.a2ml b/.machine_readable/6a2/anchor/0-AI-MANIFEST.a2ml new file mode 100644 index 0000000..0dd6825 --- /dev/null +++ b/.machine_readable/6a2/anchor/0-AI-MANIFEST.a2ml 
@@ -0,0 +1,21 @@ +# AI Manifest for Anchor Directory + +## Purpose + +This manifest declares the AI-assistant context for the anchor machine-readable metadata directory. + +## Canonical Locations + +ANCHOR.a2ml files MUST exist in this directory. + +## Multiple Versions + +Unlike other A2ML files, multiple versions of ANCHOR.a2ml with different dates MAY exist. +Each version represents a specific recalibration point. + +## Invariants + +- Multiple versions with different dates are permitted +- No other A2ML files in this directory +- Single source of truth for anchor documents + diff --git a/.machine_readable/anchors/ANCHOR.a2ml b/.machine_readable/6a2/anchor/ANCHOR.a2ml similarity index 100% rename from .machine_readable/anchors/ANCHOR.a2ml rename to .machine_readable/6a2/anchor/ANCHOR.a2ml diff --git a/.machine_readable/6a2/anchor/README.adoc b/.machine_readable/6a2/anchor/README.adoc new file mode 100644 index 0000000..bd23e35 --- /dev/null +++ b/.machine_readable/6a2/anchor/README.adoc @@ -0,0 +1,25 @@ +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell +# A2ML Anchor Directory + +This directory contains ANCHOR.a2ml files for project recalibration and scope intervention. + +## Files + +- `ANCHOR.a2ml` - Project recalibration, scope intervention, canonical authority + +## Multiple Versions + +Unlike other A2ML files, multiple versions of ANCHOR.a2ml with different dates may exist. +Each version represents a specific recalibration point in the project history. + +## Standards Compliance + +These files follow the ANCHOR.a2ml specification from: +https://github.com/hyperpolymath/standards/tree/main/anchor-a2ml + +## See Also + +- [A2ML Repository Template](https://github.com/hyperpolymath/standards/blob/main/A2ML-REPO-TEMPLATE.adoc) +- [Anchor A2ML Spec](https://github.com/hyperpolymath/standards/tree/main/anchor-a2ml) + 
diff --git a/.machine_readable/ADJUST.contractile b/.machine_readable/ADJUST.contractile deleted file mode 100644 index 20f81ec..0000000 --- a/.machine_readable/ADJUST.contractile +++ /dev/null 
@@ -1,126 +0,0 @@ -; SPDX-License-Identifier: MPL-2.0 -; ADJUST.contractile — Accessibility invariants for docmatrix -; "ADJUST" = Accessibility & Digital Justice for Universal Software & Technology -; -; Part of the contractile family: MUST, TRUST, DUST, INTENT, ADJUST -; This file is machine-readable. LLM/SLM agents MUST NOT violate these invariants. - -; ── Definitions ────────────────────────────────────────────────── -; -; ADJUST (noun/verb) -; The accessibility contractile. Defines how software must adapt to serve -; all users regardless of ability, device, or context. Named for the verb -; "adjust" — to make suitable, to adapt, to accommodate — which is the -; core action of accessible design. -; -; Scope: -; ADJUST governs all user-facing interfaces: GUI, TUI, CLI, web, mobile, -; documentation, error messages, and installation flows. It applies to -; both human users and assistive technologies (screen readers, switch -; devices, braille displays, voice control). -; -; Relationship to other contractiles: -; - MUST: ADJUST invariants are a subset of MUST — violating ADJUST -; is a MUST violation. ADJUST exists separately because accessibility -; rules are numerous enough to warrant their own file, and because -; LLMs frequently forget accessibility unless explicitly reminded. -; - TRUST: ADJUST does not affect trust levels. All trust tiers must -; respect ADJUST invariants equally. -; - DUST: Deprecating a feature does not exempt it from ADJUST until -; it is fully removed. Deprecated UI must remain accessible. -; - INTENT: ADJUST supports the anti-purpose "this software is NOT -; only for able-bodied users with modern hardware." -; -; Standard: WCAG 2.2 Level AA (minimum) -; https://www.w3.org/WAI/WCAG22/quickref/?levels=aaa -; -; Why a separate file: -; Experience shows LLMs and developers alike treat accessibility as an -; afterthought. By placing invariants in a contractile that is loaded -; at session start, we make it structurally impossible to forget. 
-; -; ── End Definitions ────────────────────────────────────────────── - -(adjust-contractile - (version "1.0.0") - (full-name "Accessibility & Digital Justice for Universal Software & Technology") - (standard "WCAG-2.2-AA") - (repo "docmatrix") - - (invariants - ; ── Visual ── - (adjust "colour-contrast-ratio >= 4.5:1 for normal text") - (adjust "colour-contrast-ratio >= 3:1 for large text (18pt+ or 14pt+ bold)") - (adjust "no information conveyed by colour alone") - (adjust "no flashing or strobing content (3 flashes/second max)") - (adjust "text resizable to 200% without loss of content or function") - (adjust "focus indicators visible on all interactive elements") - - ; ── Keyboard ── - (adjust "all interactive elements reachable via keyboard (Tab/Shift+Tab)") - (adjust "no keyboard traps — user can always Tab away") - (adjust "skip navigation link present on pages with repeated blocks") - (adjust "logical focus order follows visual reading order") - - ; ── Screen reader ── - (adjust "all images have meaningful alt text (or alt='' if decorative)") - (adjust "all form inputs have associated labels") - (adjust "ARIA landmarks used for page regions (main, nav, banner, etc.)") - (adjust "dynamic content updates announced via aria-live regions") - (adjust "semantic HTML used (headings, lists, tables) — not div soup") - - ; ── Interactive ── - (adjust "touch targets minimum 44x44px on mobile/touch interfaces") - (adjust "error messages identify the field and describe the error") - (adjust "error messages not conveyed by colour or position alone") - (adjust "form validation provides suggestions for correction") - - ; ── Media ── - (adjust "video has captions (closed or open)") - (adjust "audio-only content has text transcript") - (adjust "no autoplay of media with sound") - - ; ── Motion ── - (adjust "animations respect prefers-reduced-motion media query") - (adjust "no content depends on motion to convey meaning") - - ; ── CLI/TUI ── - (adjust "CLI output must not 
rely solely on colour (use symbols: [OK] [FAIL])") - (adjust "TUI must support high-contrast mode") - (adjust "all CLI commands support --help with plain-text output") - (adjust "error messages written in plain language, not jargon or codes alone") - - ; ── Documentation ── - (adjust "docs use clear language, short sentences, logical structure") - (adjust "code examples include comments explaining non-obvious steps") - (adjust "diagrams have text descriptions or alt text") - - ; ── Internationalisation (i18n) ── - (adjust "all user-facing strings externalisable for translation") - (adjust "no hardcoded English in error messages — use message keys") - (adjust "date/time/number formats locale-aware") - (adjust "RTL (right-to-left) layout support where applicable") - (adjust "Unicode handled correctly throughout (UTF-8 everywhere)") - ) - - (related-resources - ; LOL — super-parallel corpus crawler for 1500+ languages - ; Use for linguistic data, translation coverage, and i18n validation - (lol "standards/lol — multilingual NLP corpus, see README.adoc") - (polyglot-i18n "polyglot-i18n — i18n framework and WASM translation engine") - ) - - (enforcement - (ci "accessibility linting in quality.yml workflow") - (pr-block "PR blocked if accessibility regression detected") - (tool "axe-core or pa11y for automated checks on web UI") - (tool "CLI output inspected for colour-only signalling") - (manual "manual screen reader test before major releases") - ) - - (notes - "These are MINIMUM requirements. Exceeding them (AAA) is encouraged." - "When in doubt about an accessibility decision, ask — don't guess." - "Accessibility is not optional polish — it is a structural requirement." - ) -) diff --git a/.machine_readable/INTENT.contractile b/.machine_readable/INTENT.contractile deleted file mode 100644 index 6ba6d95..0000000 --- a/.machine_readable/INTENT.contractile +++ /dev/null 
@@ -1,72 +0,0 @@ -; SPDX-License-Identifier: MPL-2.0 -; INTENT.contractile — Purpose and scope for docmatrix -; Helps LLM/SLM agents understand what this repo IS and IS NOT. -; -; Part of the contractile family: MUST, TRUST, DUST, INTENT, ADJUST - -; ── Definitions ────────────────────────────────────────────────── -; -; INTENT (noun) -; The purpose contractile. Defines what this repository IS, what it is -; NOT (anti-purpose), and which architectural decisions are load-bearing. -; Without INTENT, LLMs drift into scope creep, reverse key decisions, -; or add features that belong in a different repo. -; -; Scope: -; INTENT governs the conceptual boundaries of the project — its reason -; for existing, its domain, and its relationship to the ecosystem. -; It does NOT specify implementation details (that's MUST and code). -; -; Relationship to other contractiles: -; - MUST: INTENT explains WHY certain MUSTs exist. If you don't -; understand a MUST, read INTENT first. -; - TRUST: The "ask-before-touching" section in INTENT maps directly -; to TRUST.trust-deny for the most sensitive areas. -; - ADJUST: INTENT's anti-purpose should include "this software is -; NOT only for users with perfect vision/hearing/mobility." -; - DUST: When INTENT changes (repo pivots), related DUST entries -; should be created for the abandoned direction. -; -; ── End Definitions ────────────────────────────────────────────── - -(intent-contractile - (version "1.0.0") - (repo "docmatrix") - - ; === Purpose (what this repo IS) === - (purpose - "{{ONE_PARAGRAPH_PURPOSE}}" - ) - - ; === Anti-Purpose (what this repo is NOT — prevents scope creep) === - (anti-purpose - "{{ONE_PARAGRAPH_ANTI_PURPOSE}}" - ; Examples: - ; "This is NOT a general-purpose database — it solves one specific problem." - ; "This is NOT a framework — it is a library with a focused API." - ; "This does NOT handle authentication — that is delegated to [other repo]." 
- ) - - ; === Key Architectural Decisions That Must Not Be Reversed === - (architectural-invariants - ; *REMINDER: List the foundational decisions* - ; ("Idris2 for ABI definitions — dependent types prove interface correctness") - ; ("Zig for FFI — zero-cost C ABI compatibility") - ; ("Elixir for supervision — OTP fault tolerance") - ) - - ; === Sensitive Areas (if in doubt, ask) === - (ask-before-touching - ; *REMINDER: List areas where LLMs should check before modifying* - ; "src/abi/ — formal proofs, changes require re-verification" - ; "ffi/zig/ — C ABI boundary, changes affect all language bindings" - ; ".machine_readable/ — checkpoint files, format is specified" - ) - - ; === Ecosystem Position === - (ecosystem - (belongs-to "{{MONOREPO_OR_STANDALONE}}") - (depends-on ("{{DEP1}}" "{{DEP2}}")) - (depended-on-by ("{{CONSUMER1}}" "{{CONSUMER2}}")) - ) -) diff --git a/.machine_readable/MUST.contractile b/.machine_readable/MUST.contractile deleted file mode 100644 index 925fb6f..0000000 --- a/.machine_readable/MUST.contractile +++ /dev/null 
@@ -1,91 +0,0 @@ -; SPDX-License-Identifier: MPL-2.0 -; MUST.contractile — Baseline invariants for docmatrix -; These constraints MUST NOT be violated. K9 validators enforce them. -; -; Part of the contractile family: MUST, TRUST, DUST, INTENT, ADJUST - -; ── Definitions ────────────────────────────────────────────────── -; -; MUST (noun/verb) -; The hard-constraint contractile. Defines invariants that are structurally -; required for the repository to function correctly and safely. Violating -; a MUST is always a bug — there are no "soft" MUSTs. -; -; Scope: -; MUST governs code, configuration, CI, and structure. It does NOT govern -; style, preference, or approach — those belong in CLAUDE.md or coding -; standards. MUST is for things that break the project if violated. -; -; Relationship to other contractiles: -; - TRUST: MUST is enforced regardless of trust level. Even maximal-trust -; agents cannot violate MUST constraints. -; - ADJUST: All ADJUST invariants are implicitly MUST invariants too. -; ADJUST exists separately for visibility. -; - INTENT: MUST protects the architectural decisions described in INTENT. -; - DUST: When a feature enters DUST (deprecation), its MUST constraints -; remain active until the feature is fully removed. -; -; Enforcement: -; K9 validators in contractiles/k9/ machine-check MUST constraints. -; CI runs these on every PR. Violations block merge. 
-; -; ── End Definitions ────────────────────────────────────────────── - -(must-contractile - (version "1.0.0") - (repo "docmatrix") - - ; === Universal Invariants (apply to ALL repos) === - - (invariants - ; Paths - (must "no hardcoded absolute paths (/home/*, /mnt/*, /var/mnt/*)") - (must "all paths use env vars, XDG dirs, or relative references") - - ; Language policy - (must "no new TypeScript files") - (must "no new Python files") - (must "no new Go files") - (must "no npm/bun/yarn/pnpm dependencies — Deno only") - - ; Dangerous patterns - (must "no believe_me (Idris2)") - (must "no assert_total (Idris2)") - (must "no Admitted (Coq)") - (must "no sorry (Lean)") - (must "no unsafeCoerce (Haskell)") - (must "no Obj.magic (OCaml)") - (must "no unsafe {} blocks without safety comment (Rust)") - - ; License - (must "SPDX-License-Identifier header on every source file") - (must "no removal or modification of LICENSE file") - - ; Structure - (must ".machine_readable/ directory preserved") - (must "0-AI-MANIFEST.a2ml preserved") - (must "no SCM files in repo root — only in .machine_readable/") - - ; CI - (must "no removal of CI workflows without explicit approval") - (must "all GitHub Actions SHA-pinned") - - ; Code quality - (must "tests must not be deleted or weakened") - (must "generated code in generated/ directory only") - (must "no introduction of OWASP top 10 vulnerabilities") - - ; ABI/FFI (if applicable) - (must "no modification of ABI contracts without proof update") - (must "no removal of formal verification proofs") - ) - - ; === Project-Specific Invariants === - ; *REMINDER: Add invariants specific to this repo* - ; (must "# Add project-specific invariants here") - - (enforcement - (k9-validator "contractiles/k9/must-check.k9.ncl") - (ci "quality.yml runs must-check on every PR") - ) -) diff --git a/.machine_readable/TRUST.contractile b/.machine_readable/TRUST.contractile deleted file mode 100644 index 18b7827..0000000 
--- a/.machine_readable/TRUST.contractile +++ /dev/null 
@@ -1,80 +0,0 @@ -; SPDX-License-Identifier: MPL-2.0 -; TRUST.contractile — Trust boundaries for docmatrix -; Defines what LLM/SLM agents are trusted to do without asking. -; -; Part of the contractile family: MUST, TRUST, DUST, INTENT, ADJUST - -; ── Definitions ────────────────────────────────────────────────── -; -; TRUST (noun/verb) -; The permission contractile. Defines the boundary between what an AI -; agent may do autonomously and what requires human approval. Trust is -; graduated — not binary — with four levels from minimal to maximal. -; -; Trust levels: -; - maximal: Agent may read, build, test, lint, format, heal freely. -; Only destructive/external actions require approval. -; - standard: Agent may read and build. Test/lint need approval. -; - restricted: Agent may read only. All modifications need approval. -; - minimal: Agent may read specific files only. Everything else blocked. -; -; Scope: -; TRUST governs AI agent behaviour only. It does not affect human -; contributors — humans follow CONTRIBUTING.md and GOVERNANCE.adoc. -; -; Relationship to other contractiles: -; - MUST: Trust never overrides MUST. Even at maximal trust, MUST -; violations are blocked. -; - ADJUST: Trust does not exempt from ADJUST. All trust tiers must -; produce accessible output. -; - INTENT: TRUST.trust-deny protects the sensitive areas listed in -; INTENT.ask-before-touching. -; - DUST: Deprecated features have the same trust rules as active ones. 
-; -; ── End Definitions ────────────────────────────────────────────── - -(trust-contractile - (version "1.0.0") - (repo "docmatrix") - - (trust-level "maximal") ; maximal | standard | restricted | minimal - - ; === Maximal Trust (default) === - ; LLM may freely do these without asking: - (trust-actions - "read" ; Read any file in the repo - "build" ; Run build commands - "test" ; Run test suites - "lint" ; Run linters and formatters - "format" ; Auto-format code - "doctor" ; Run self-diagnostics - "heal" ; Attempt automatic repair - "git-status" ; Check git status - "git-diff" ; View diffs - "git-log" ; View history - ) - - ; === Denied Actions (always require human approval) === - (trust-deny - "delete-branch" ; Could lose work - "force-push" ; Overwrites history - "modify-ci-secrets" ; Security sensitive - "publish" ; External visibility - "push-to-main" ; Protected branch - "delete-files-bulk" ; More than 5 files at once - "modify-license" ; Legal implications - "modify-security-policy" ; Security implications - "remove-proofs" ; Formal verification regression - "disable-ci-checks" ; Safety regression - ) - - ; === Trust Boundary === - (trust-boundary "repo") ; LLM confined to this repo unless explicitly told otherwise - - ; === Override === - ; Repos requiring tighter trust override these settings with justification: - ; (override - ; (trust-level "restricted") - ; (reason "Contains production secrets / handles PII / etc.") - ; ) -) diff --git a/.machine_readable/agent_instructions/README.adoc b/.machine_readable/bot_directives/README.adoc similarity index 88% rename from .machine_readable/agent_instructions/README.adoc rename to .machine_readable/bot_directives/README.adoc index 9bc2e24..a5315c7 100644 --- a/.machine_readable/agent_instructions/README.adoc +++ b/.machine_readable/bot_directives/README.adoc 
@@ -1,5 +1,5 @@ // SPDX-License-Identifier: MPL-2.0 -// Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) +// Copyright (c) Jonathan D.A. Jewell = Agent Instructions :toc: preamble @@ -32,7 +32,7 @@ Methodology-aware configuration for AI agents. Read by any AI agent == Relationship to Other Files * `AGENTIC.a2ml` says WHAT agents can do (permissions, gating) -* `agent_instructions/` says HOW agents should work (methodology) +* `bot_directives/` says HOW agents should work (methodology) * `bot_directives/` says what the gitbot-fleet does (fleet-specific) * `CLAUDE.md` says how Claude specifically should work (Claude-specific) diff --git a/.machine_readable/agent_instructions/coverage.a2ml b/.machine_readable/bot_directives/coverage.a2ml similarity index 100% rename from .machine_readable/agent_instructions/coverage.a2ml rename to .machine_readable/bot_directives/coverage.a2ml diff --git a/.machine_readable/agent_instructions/debt.a2ml b/.machine_readable/bot_directives/debt.a2ml similarity index 100% rename from .machine_readable/agent_instructions/debt.a2ml rename to .machine_readable/bot_directives/debt.a2ml diff --git a/.machine_readable/agent_instructions/methodology.a2ml b/.machine_readable/bot_directives/methodology.a2ml similarity index 100% rename from .machine_readable/agent_instructions/methodology.a2ml rename to .machine_readable/bot_directives/methodology.a2ml diff --git a/.machine_readable/contractiles/Adjustfile.a2ml b/.machine_readable/contractiles/Adjustfile.a2ml new file mode 100644 index 0000000..6f01e89 --- /dev/null +++ b/.machine_readable/contractiles/Adjustfile.a2ml 
@@ -0,0 +1,72 @@ +# SPDX-License-Identifier: MPL-2.0 +# Adjustfile — Drift-tolerance contract for rsr-template-repo +# Author: Jonathan D.A. Jewell +# +# Cumulative-drift catchment: tolerance bands + corrective actions. +# Authority: advisory (Yard) — continue-with-warnings; auto_fix where deterministic. +# Run with: adjust check +# Fix with: adjust fix (applies deterministic patches; advisory otherwise) + +@abstract: +Drift tolerances and corrective actions for rsr-template-repo. Unlike +MUST (hard gate), ADJUST tracks cumulative drift against tolerance bands +and proposes corrective actions. Advisory — it warns and trends, it does +not block. +@end + +## Template Drift + +### placeholder-drift +- description: Template placeholders should be replaced when copied +- tolerance: 0 placeholder markers in copied repos +- corrective: Search and replace all {{PLACEHOLDER}} markers +- severity: advisory +- notes: This check only applies to repos that copied from this template + +### template-version-drift +- description: Template version should match RSR spec version +- tolerance: Template version matches current RSR spec +- corrective: Update template to match latest RSR spec +- severity: advisory + +## Documentation Drift + +### readme-completeness +- description: README should document all template features +- tolerance: README covers all contractiles and directory structure +- corrective: Update README.adoc with missing sections +- severity: advisory + +### example-accuracy +- description: Examples in documentation should match actual template content +- tolerance: All code examples in docs are accurate +- corrective: Audit and fix examples in documentation +- severity: advisory + +## Structural Drift + +### contractile-sync +- description: All contractiles should have matching a2ml and ncl implementations +- tolerance: Every .a2ml has a corresponding .ncl +- corrective: Generate missing .ncl files from .a2ml +- severity: advisory + +### no-broken-symlinks +- 
description: No broken symbolic links in template structure +- tolerance: 0 broken symlinks +- corrective: Run symlink-check script +- severity: advisory + +## Accessibility Drift + +### adoc-not-md +- description: Template docs should prefer AsciiDoc +- tolerance: New prose docs are *.adoc +- corrective: Convert any new *.md to *.adoc +- severity: advisory + +### spdx-header-consistency +- description: All template files have correct SPDX headers +- tolerance: 0 files missing SPDX-License-Identifier +- corrective: Add SPDX headers to files that need them +- severity: advisory diff --git a/.machine_readable/contractiles/Intentfile.a2ml b/.machine_readable/contractiles/Intentfile.a2ml new file mode 100644 index 0000000..ef74f45 --- /dev/null +++ b/.machine_readable/contractiles/Intentfile.a2ml 
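Review bot: The file describes `rsr-template-repo` in its header line and in the `@abstract` block, while the contractiles deleted elsewhere in this commit all name the project docmatrix, so this reads as an un-substituted copy of the template; its own `placeholder-drift` rule, "Template placeholders should be replaced when copied", would flag it. Replace `rsr-template-repo` with this repository's name in both places, and reconsider whether `template-version-drift` and `placeholder-drift`, which only make sense for the template itself, belong here at all. The `adoc-not-md` rule also sits under "Accessibility Drift" although it is a documentation-format rule; moving it under "Documentation Drift" would keep the section headings honest.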
@@ -0,0 +1,99 @@
+# SPDX-License-Identifier: MPL-2.0
+# Intentfile (A2ML Canonical) — north-star contractile for rsr-template-repo
+# Author: Jonathan D.A. Jewell
+#
+# Paired runner: intend.ncl
+# Verb: intend
+#
+# Semantics: North-star contractile. Declares BOTH concrete committed
+# next-actions AND horizon aspirations the project wishes to
+# become. Two sections share one file because they answer
+# the same question at different ranges:
+# [[intents]] — "we WILL do this; track progress"
+# status: declared → in_progress → done |
+# deferred | retired
+# [[wishes]] — "we WISH this were true; revisit later"
+# status: declared → in_progress → achieved |
+# abandoned
+# grouped by horizon: near / mid / far.
+# Non-gating — this is a report, not a gate. See the `must`
+# contractile for hard gates.
+
+@abstract:
+North-star contractile for rsr-template-repo. This repository is the
+canonical template for Rhodium Standard Repository compliance. It provides
+the scaffold that all hyperpolymath repos should copy and customize.
+@end
+
+## Purpose
+
+The rsr-template-repo serves as the master template for all hyperpolymath
+repositories. It contains the complete set of contractile files, machine-readable
+specifications, and governance documentation that define the Rhodium Standard.
+
+Every new repository in the hyperpolymath estate should be initialized by
+copying this template and substituting the placeholder values with
+repo-specific content.
+
+## Anti-Purpose
+
+This repository is NOT:
+- A general-purpose project scaffold for external use (hyperpolymath-only)
+- A replacement for per-repo customization (all files must be bespoke)
+- A static template that never changes (evolves with RSR spec)
+- A runtime library or framework (build-time only)
+
+## If In Doubt
+
+If you are unsure whether a change is in scope, ask. Sensitive areas:
+- .machine_readable/ contractile definitions
+- RSR specification files
+- Governance templates
+- License policy documents
+
+## Committed Next-Actions
+
+### repo-initialization
+- description: Provide just copy-and-substitute template for new repos
+- probe: test -f scripts/init-repo.sh
+- status: done
+- notes: Run with source scripts/init-repo.sh
+
+### contractile-completeness
+- description: Every RSR contractile has an a2ml and ncl implementation
+- probe: ls .machine_readable/contractiles/*.a2ml | wc -l | grep -q "^6$"
+- status: in_progress
+- notes: Currently 6 contractile verbs: intend, must, trust, adjust, bust, dust
+
+### automation-scripts
+- description: All repetitive tasks have just recipes
+- probe: grep -c "^# " Justfile | grep -q "^[6-9][0-9]*$"
+- status: in_progress
+
+## Wishes
+
+### Near Horizon
+
+#### cross-repo-validation
+- description: Tooling to validate all repos against RSR spec
+- horizon: near
+- status: declared
+
+#### automated-substitution
+- description: Script to automate repo-specific substitution in template
+- horizon: near
+- status: declared
+
+### Mid Horizon
+
+#### formal-verification
+- description: Idris2 proofs for all critical contractile invariants
+- horizon: mid
+- status: declared
+
+### Far Horizon
+
+#### ecosystem-visualization
+- description: Interactive graph of all hyperpolymath repos and dependencies
+- horizon: far
+- status: declared
diff --git a/.machine_readable/contractiles/Justfile b/.machine_readable/contractiles/Justfile
new file mode 100644
index 0000000..5e4797c
--- /dev/null
+++ b/.machine_readable/contractiles/Justfile
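Review bot: The `contractile-completeness` probe expects exactly six `.a2ml` files directly in `.machine_readable/contractiles/`, but this commit adds four there (Adjustfile, Intentfile, Mustfile, Trustfile) and the Mustfile places Bustfile and Dustfile under `bust/` and `dust/`, so `wc -l | grep -q "^6$"` can never match; count recursively, `find .machine_readable/contractiles -name '*.a2ml' | wc -l`, or test for the named files as the Mustfile does. The `automation-scripts` probe `grep -q "^[6-9][0-9]*$"` accepts 6–9 and 60 upward but rejects 10–59, which is presumably not the intended "at least six"; `[ "$(grep -c '^# ' Justfile)" -ge 6 ]` says what is meant. The abstract and `## Purpose` describe rsr-template-repo as the canonical RSR template, while the Justfile in this commit sets `project := "formatrix-docs"`; unless this repository really is the template, these paragraphs and the `## Anti-Purpose` list are uncustomized template text and contradict the file's own instruction to substitute placeholder content. The header comment documents `[[intents]]`/`[[wishes]]` tables with status transitions, but the body uses `##`/`###` headings and never those tables, so either the comment or the format should change.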
@@ -0,0 +1,595 @@ +# Formatrix Docs - RSR Standard Justfile +# SPDX-License-Identifier: MPL-2.0 +# https://just.systems/man/en/ + +set shell := ["bash", "-uc"] +set dotenv-load := true +set positional-arguments := true + +# Use Zig as C compiler/linker (avoids gcc dependency) +import? "contractile.just" + +export CC := env_var_or_default("CC", justfile_directory() / "zig-cc") +export AR := env_var_or_default("AR", justfile_directory() / "zig-ar") + +# Project metadata +project := "formatrix-docs" +version := "0.1.0" +tier := "2" + +# ═══════════════════════════════════════════════════════════════════════════════ +# DEFAULT & HELP +# ═══════════════════════════════════════════════════════════════════════════════ + +# Show all available recipes with descriptions +default: + @just --list --unsorted + +# Show detailed help for a specific recipe +help recipe="": + #!/usr/bin/env bash + if [ -z "{{recipe}}" ]; then + just --list --unsorted + echo "" + echo "Usage: just help " + echo " just cookbook # Generate full documentation" + echo " just combinations # Show matrix recipes" + else + just --show "{{recipe}}" 2>/dev/null || echo "Recipe '{{recipe}}' not found" + fi + +# Show this project's info +info: + @echo "Project: {{project}}" + @echo "Version: {{version}}" + @echo "RSR Tier: {{tier}}" + @echo "Recipes: $(just --summary | wc -w)" + @[ -f STATE.scm ] && grep -oP '\(phase\s+\.\s+\K[^)]+' STATE.scm | head -1 | xargs -I{} echo "Phase: {}" || true + +# ═══════════════════════════════════════════════════════════════════════════════ +# BUILD & COMPILE +# ═══════════════════════════════════════════════════════════════════════════════ + +# Build all components (Rust + Ada + ReScript) +build: build-core build-gui build-tui build-ui + @echo "All components built!" + +# Build Rust core library +build-core: + @echo "Building formatrix-core..." 
+ cargo build -p formatrix-core + +# Build Rust GUI (Tauri - requires GTK/WebKit dev libs) +build-gui: build-core + #!/usr/bin/env bash + echo "Building formatrix-gui..." + if ! pkg-config --exists glib-2.0 2>/dev/null; then + echo "SKIP: glib-2.0 not found (install gtk4-devel webkit2gtk4.1-devel)" + exit 0 + fi + cargo build -p formatrix-gui + +# Build Ada TUI (requires GNAT + ncurses-ada) +build-tui: + #!/usr/bin/env bash + echo "Building formatrix-tui..." + if ! command -v gprbuild > /dev/null 2>&1; then + echo "SKIP: gprbuild not found (install gcc-gnat gprbuild)" + exit 0 + fi + # Check for ncurses.gpr availability + NCURSES_GPR="" + for path in /usr/share/gpr/ncurses.gpr /usr/lib64/gnat/ncurses.gpr /usr/share/ada/adainclude/ncurses.gpr; do + if [ -f "$path" ]; then + NCURSES_GPR="$path" + break + fi + done + if [ -z "$NCURSES_GPR" ]; then + echo "SKIP: ncurses.gpr not found (install terminal_interface-curses-devel or florist-devel)" + exit 0 + fi + cd tui && gprbuild -P formatrix_tui.gpr -XMODE=debug + +# Build ReScript UI +build-ui: + @echo "Building ReScript UI..." + @cd ui && deno task build:res 2>&1 | tail -5 + +# Build in release mode +build-release: + @echo "Building all (release)..." + cargo build --release + @command -v gprbuild > /dev/null 2>&1 && cd tui && gprbuild -P formatrix_tui.gpr -XMODE=release || echo "SKIP: TUI (gprbuild not found)" + cd ui && deno task build 2>/dev/null || true + +# Clean build artifacts +clean: + @echo "Cleaning..." + cargo clean + cd tui && gnatclean -P formatrix_tui.gpr 2>/dev/null || true + rm -rf tui/obj tui/bin ui/dist ui/lib + +# ═══════════════════════════════════════════════════════════════════════════════ +# TEST & QUALITY +# ═══════════════════════════════════════════════════════════════════════════════ + +# Run all tests +test: test-core test-tui + @echo "All tests passed!" + +# Test Rust core +test-core: + @echo "Testing formatrix-core..." 
+ cargo test -p formatrix-core + +# Test Ada TUI (compile check) +test-tui: build-tui + @echo "Testing formatrix-tui..." + @[ -f tui/bin/formatrix-tui ] && echo "TUI binary exists" || echo "SKIP: TUI not built (missing dependencies)" + +# Test ReScript UI +test-ui: + @echo "Testing UI..." + cd ui && deno task test 2>/dev/null || echo "UI tests not configured yet" + +# Run integration tests +test-integration: + @echo "Running integration tests..." + cargo test --workspace -- --ignored + +# ═══════════════════════════════════════════════════════════════════════════════ +# LINT & FORMAT +# ═══════════════════════════════════════════════════════════════════════════════ + +# Format all source files +fmt: + @echo "Formatting..." + cargo fmt + cd ui && deno fmt 2>/dev/null || true + @if command -v gnatpp > /dev/null 2>&1; then \ + find tui/src -name "*.adb" -o -name "*.ads" | xargs -I{} gnatpp -rnb --max-line-length=120 {} 2>/dev/null || true; \ + fi + +# Check formatting +fmt-check: + @echo "Checking formatting..." + cargo fmt -- --check + cd ui && deno fmt --check 2>/dev/null || true + +# Run linter +lint: + @echo "Linting..." + cargo clippy --workspace -- -D warnings + cd ui && deno lint 2>/dev/null || true + +# Run all quality checks +quality: fmt-check lint test + @echo "All quality checks passed!" 
+ +# ═══════════════════════════════════════════════════════════════════════════════ +# RUN & EXECUTE +# ═══════════════════════════════════════════════════════════════════════════════ + +# Run GUI application +run-gui *args: build-gui + cargo run -p formatrix-gui -- {{args}} + +# Run TUI application +run-tui *args: build-tui + tui/bin/formatrix-tui {{args}} + +# Run with debug logging +run-debug: + RUST_LOG=debug cargo run -p formatrix-gui + +# ═══════════════════════════════════════════════════════════════════════════════ +# DEPENDENCIES +# ═══════════════════════════════════════════════════════════════════════════════ + +# Install all dependencies +deps: + @echo "Checking dependencies..." + @command -v cargo > /dev/null 2>&1 || { echo "ERROR: cargo not found"; exit 1; } + @command -v deno > /dev/null 2>&1 || { echo "ERROR: deno not found"; exit 1; } + @echo "Rust: $(rustc --version)" + @echo "Deno: $(deno --version | head -1)" + @command -v gnat > /dev/null 2>&1 && echo "GNAT: $(gnat --version | head -1)" || echo "WARN: gnat not found (TUI disabled)" + @command -v gprbuild > /dev/null 2>&1 || echo "WARN: gprbuild not found (TUI disabled)" + @echo "Core dependencies satisfied" + +# Audit dependencies for vulnerabilities +deps-audit: + @echo "Auditing dependencies..." + cargo audit 2>/dev/null || echo "cargo-audit not installed" + @if command -v trivy > /dev/null 2>&1; then \ + trivy fs --severity HIGH,CRITICAL --quiet . 
|| true; \ + fi + +# ═══════════════════════════════════════════════════════════════════════════════ +# DOCUMENTATION +# ═══════════════════════════════════════════════════════════════════════════════ + +# Generate all documentation +docs: + @mkdir -p docs/generated docs/man + cargo doc --workspace --no-deps + just cookbook + @echo "Documentation generated in docs/ and target/doc/" + +# Generate justfile cookbook +cookbook: + #!/usr/bin/env bash + mkdir -p docs + OUTPUT="docs/just-cookbook.adoc" + echo "= {{project}} Justfile Cookbook" > "$OUTPUT" + echo ":toc: left" >> "$OUTPUT" + echo "" >> "$OUTPUT" + echo "Generated: $(date -Iseconds)" >> "$OUTPUT" + echo "" >> "$OUTPUT" + just --list --unsorted >> "$OUTPUT" + echo "Generated: $OUTPUT" + +# ═══════════════════════════════════════════════════════════════════════════════ +# CONTAINERS (nerdctl-first, podman-fallback) +# ═══════════════════════════════════════════════════════════════════════════════ + +# Detect container runtime: nerdctl > podman > docker +[private] +container-cmd: + #!/usr/bin/env bash + if command -v nerdctl >/dev/null 2>&1; then + echo "nerdctl" + elif command -v podman >/dev/null 2>&1; then + echo "podman" + elif command -v docker >/dev/null 2>&1; then + echo "docker" + else + echo "ERROR: No container runtime found (install nerdctl, podman, or docker)" >&2 + exit 1 + fi + +# Build container image +container-build tag="latest": + #!/usr/bin/env bash + CTR=$(just container-cmd) + echo "Building container with $CTR..." + $CTR build -t {{project}}:{{tag}} -f container/Dockerfile.wolfi . 
+ +# Run container (GUI) +container-run tag="latest" cmd="": + #!/usr/bin/env bash + CTR=$(just container-cmd) + $CTR run --rm -it \ + -e DISPLAY=$DISPLAY \ + -v /tmp/.X11-unix:/tmp/.X11-unix:ro \ + {{project}}:{{tag}} {{cmd}} + +# Run container (TUI) +container-run-tui tag="latest": + #!/usr/bin/env bash + CTR=$(just container-cmd) + $CTR run --rm -it \ + -e TERM=$TERM \ + {{project}}:{{tag}} /usr/local/bin/formatrix-tui + +# Start all services with compose +compose-up: + #!/usr/bin/env bash + CTR=$(just container-cmd) + cd container && $CTR compose up -d + +# Stop all services +compose-down: + #!/usr/bin/env bash + CTR=$(just container-cmd) + cd container && $CTR compose down + +# View logs +compose-logs: + #!/usr/bin/env bash + CTR=$(just container-cmd) + cd container && $CTR compose logs -f + +# Push container image +container-push registry="ghcr.io/hyperpolymath" tag="latest": + #!/usr/bin/env bash + CTR=$(just container-cmd) + $CTR tag {{project}}:{{tag}} {{registry}}/{{project}}:{{tag}} + $CTR push {{registry}}/{{project}}:{{tag}} + +# ═══════════════════════════════════════════════════════════════════════════════ +# CI & AUTOMATION +# ═══════════════════════════════════════════════════════════════════════════════ + +# Run full CI pipeline locally +ci: deps quality + @echo "CI pipeline complete!" + +# Install git hooks +install-hooks: + #!/usr/bin/env bash + mkdir -p .git/hooks + printf '%s\n' '#!/bin/bash' 'just fmt-check || exit 1' 'just lint || exit 1' > .git/hooks/pre-commit + chmod +x .git/hooks/pre-commit + echo "Git hooks installed" + +# ═══════════════════════════════════════════════════════════════════════════════ +# SECURITY +# ═══════════════════════════════════════════════════════════════════════════════ + +# Run security audit +security: deps-audit + @echo "=== Security Audit ===" + @command -v trivy >/dev/null && trivy fs --severity HIGH,CRITICAL . 
|| true + @echo "Security audit complete" + +# Generate SBOM +sbom: + @mkdir -p docs/security + @command -v syft >/dev/null && syft . -o spdx-json > docs/security/sbom.spdx.json || echo "syft not found" + +# ═══════════════════════════════════════════════════════════════════════════════ +# VALIDATION & COMPLIANCE +# ═══════════════════════════════════════════════════════════════════════════════ + +# Validate RSR compliance +validate-rsr: + #!/usr/bin/env bash + echo "=== RSR Compliance Check ===" + MISSING="" + for f in .editorconfig .gitignore justfile RSR_COMPLIANCE.adoc README.adoc; do + [ -f "$f" ] || MISSING="$MISSING $f" + done + for f in STATE.scm ECOSYSTEM.scm META.scm; do + [ -f "$f" ] || MISSING="$MISSING $f" + done + if [ -n "$MISSING" ]; then + echo "MISSING:$MISSING" + exit 1 + fi + echo "RSR compliance: PASS" + +# Validate STATE.scm syntax +validate-state: + @if [ -f "STATE.scm" ]; then \ + guile -c "(primitive-load \"STATE.scm\")" 2>/dev/null && echo "STATE.scm: valid" || echo "STATE.scm: INVALID"; \ + fi + +# Full validation suite +validate: validate-rsr validate-state + @echo "All validations passed!" + +# ═══════════════════════════════════════════════════════════════════════════════ +# STATE MANAGEMENT +# ═══════════════════════════════════════════════════════════════════════════════ + +# Update STATE.scm timestamp +state-touch: + @if [ -f "STATE.scm" ]; then \ + sed -i 's/(updated . "[^"]*")/(updated . 
"'"$(date -Iseconds)"'")/' STATE.scm && \ + echo "STATE.scm timestamp updated"; \ + fi + +# Show current phase from STATE.scm +state-phase: + @grep -oP '\(phase\s+\.\s+\K[^)]+' STATE.scm 2>/dev/null | head -1 || echo "unknown" + +# ═══════════════════════════════════════════════════════════════════════════════ +# GUIX & NIX +# ═══════════════════════════════════════════════════════════════════════════════ + +# Enter Guix development shell (primary) +guix-shell: + guix shell -D -f guix/formatrix.scm + +# Build with Guix +guix-build: + guix build -f guix/formatrix.scm + +# Enter Nix development shell (fallback) +nix-shell: + @if [ -f "nix/flake.nix" ]; then cd nix && nix develop; else echo "No flake.nix"; fi + +# ═══════════════════════════════════════════════════════════════════════════════ +# RELEASE +# ═══════════════════════════════════════════════════════════════════════════════ + +# Create a release +release version: + @echo "Creating release {{version}}..." + @sed -i 's/version = "[^"]*"/version = "{{version}}"/' Cargo.toml + @sed -i 's/(version . "[^"]*")/(version . "{{version}}")/' STATE.scm + git add -A + git commit -m "Release {{version}}" + git tag -a "v{{version}}" -m "Release {{version}}" + @echo "Release {{version}} created. Run 'git push && git push --tags' to publish." + +# ═══════════════════════════════════════════════════════════════════════════════ +# UTILITIES +# ═══════════════════════════════════════════════════════════════════════════════ + +# Count lines of code +loc: + @tokei . 2>/dev/null || find . \( -name "*.rs" -o -name "*.res" -o -name "*.adb" -o -name "*.ads" \) | xargs wc -l 2>/dev/null | tail -1 + +# Show TODO comments +todos: + @grep -rn "TODO\|FIXME" --include="*.rs" --include="*.res" --include="*.adb" --include="*.ads" . 2>/dev/null || echo "No TODOs" + +# Open in editor +edit: + ${EDITOR:-code} . 
+ +# Git status +status: + @git status --short + +# Show recent commits +log count="20": + @git log --oneline -{{count}} + +# ═══════════════════════════════════════════════════════════════════════════════ +# MATRIX RECIPES +# ═══════════════════════════════════════════════════════════════════════════════ + +# Build matrix: [debug|release] × [core|gui|tui|ui|all] +build-matrix mode="debug" target="all": + @echo "Build matrix: mode={{mode}} target={{target}}" + @case "{{target}}" in \ + core) cargo build $([ "{{mode}}" = "release" ] && echo "--release") -p formatrix-core ;; \ + gui) cargo build $([ "{{mode}}" = "release" ] && echo "--release") -p formatrix-gui ;; \ + tui) cd tui && gprbuild -P formatrix_tui.gpr -XMODE={{mode}} ;; \ + ui) cd ui && deno task build ;; \ + all) just build$([ "{{mode}}" = "release" ] && echo "-release") ;; \ + esac + +# Show all matrix combinations +combinations: + @echo "=== Combinatoric Matrix Recipes ===" + @echo "" + @echo "Build Matrix: just build-matrix [debug|release] [core|gui|tui|ui|all]" + @echo "Container: just container-build [tag]" + @echo "Run: just run-gui|run-tui|run-debug" + +# [AUTO-GENERATED] Multi-arch / RISC-V target +build-riscv: + @echo "Building for RISC-V..." + cross build --target riscv64gc-unknown-linux-gnu + +# Run panic-attacker pre-commit scan +assail: + @command -v panic-attack >/dev/null 2>&1 && panic-attack assail . 
|| echo "panic-attack not found — install from https://github.com/hyperpolymath/panic-attacker" + +# ═══════════════════════════════════════════════════════════════════════════════ +# ONBOARDING & DIAGNOSTICS +# ═══════════════════════════════════════════════════════════════════════════════ + +# Check all required toolchain dependencies and report health +doctor: + #!/usr/bin/env bash + echo "═══════════════════════════════════════════════════" + echo " Docmatrix Doctor — Toolchain Health Check" + echo "═══════════════════════════════════════════════════" + echo "" + PASS=0; FAIL=0; WARN=0 + check() { + local name="$1" cmd="$2" min="$3" + if command -v "$cmd" >/dev/null 2>&1; then + VER=$("$cmd" --version 2>&1 | head -1) + echo " [OK] $name — $VER" + PASS=$((PASS + 1)) + else + echo " [FAIL] $name — not found (need $min+)" + FAIL=$((FAIL + 1)) + fi + } + check "just" just "1.25" + check "git" git "2.40" + check "Rust (cargo)" cargo "1.80" + check "Zig" zig "0.13" +# Optional tools +if command -v panic-attack >/dev/null 2>&1; then + echo " [OK] panic-attack — available" + PASS=$((PASS + 1)) +else + echo " [WARN] panic-attack — not found (pre-commit scanner)" + WARN=$((WARN + 1)) +fi + echo "" + echo " Result: $PASS passed, $FAIL failed, $WARN warnings" + if [ "$FAIL" -gt 0 ]; then + echo " Run 'just heal' to attempt automatic repair." + exit 1 + fi + echo " All required tools present." + +# Attempt to automatically install missing tools +heal: + #!/usr/bin/env bash + echo "═══════════════════════════════════════════════════" + echo " Docmatrix Heal — Automatic Tool Installation" + echo "═══════════════════════════════════════════════════" + echo "" +if ! command -v cargo >/dev/null 2>&1; then + echo "Installing Rust via rustup..." + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y + source "$HOME/.cargo/env" +fi +if ! command -v just >/dev/null 2>&1; then + echo "Installing just..." 
+ cargo install just 2>/dev/null || echo "Install just from https://just.systems" +fi + echo "" + echo "Heal complete. Run 'just doctor' to verify." + +# Guided tour of the project structure and key concepts +tour: + #!/usr/bin/env bash + echo "═══════════════════════════════════════════════════" + echo " Docmatrix — Guided Tour" + echo "═══════════════════════════════════════════════════" + echo "" + echo '// SPDX-License-Identifier: MPL-2.0-or-later' + echo "" + echo "Key directories:" + echo " src/ Source code" + echo " ffi/ Foreign function interface (Zig)" + echo " src/abi/ Idris2 ABI definitions" + echo " docs/ Documentation" + echo " .github/workflows/ CI/CD workflows" + echo " contractiles/ Must/Trust/Dust contracts" + echo " .machine_readable/ Machine-readable metadata" + echo " container/ Container configuration" + echo " examples/ Usage examples" + echo "" + echo "Quick commands:" + echo " just doctor Check toolchain health" + echo " just heal Fix missing tools" + echo " just help-me Common workflows" + echo " just default List all recipes" + echo "" + echo "Read more: README.adoc, EXPLAINME.adoc" + +# Show help for common workflows +help-me: + #!/usr/bin/env bash + echo "═══════════════════════════════════════════════════" + echo " Docmatrix — Common Workflows" + echo "═══════════════════════════════════════════════════" + echo "" +echo "FIRST TIME SETUP:" +echo " just doctor Check toolchain" +echo " just heal Fix missing tools" +echo "" + echo "DEVELOPMENT:" + echo " cargo build Build the project" + echo " cargo test Run tests" + echo "" +echo "PRE-COMMIT:" +echo " just assail Run panic-attacker scan" +echo "" +echo "LEARN:" +echo " just tour Guided project tour" +echo " just default List all recipes" + + +# Print the current CRG grade (reads from READINESS.md '**Current Grade:** X' line) +crg-grade: + @grade=$$(grep -oP '(?<=\*\*Current Grade:\*\* )[A-FX]' READINESS.md 2>/dev/null | head -1); \ + [ -z "$$grade" ] && grade="X"; \ + echo "$$grade" + +# 
Generate a shields.io badge markdown for the current CRG grade +# Looks for '**Current Grade:** X' in READINESS.md; falls back to X +crg-badge: + @grade=$$(grep -oP '(?<=\*\*Current Grade:\*\* )[A-FX]' READINESS.md 2>/dev/null | head -1); \ + [ -z "$$grade" ] && grade="X"; \ + case "$$grade" in \ + A) color="brightgreen" ;; B) color="green" ;; C) color="yellow" ;; \ + D) color="orange" ;; E) color="red" ;; F) color="critical" ;; \ + *) color="lightgrey" ;; esac; \ + echo "[![CRG $$grade](https://img.shields.io/badge/CRG-$$grade-$$color?style=flat-square)](https://github.com/hyperpolymath/standards/tree/main/component-readiness-grades)" + +secret-scan-trufflehog: + @command -v trufflehog >/dev/null && trufflehog filesystem . --only-verified || true diff --git a/.machine_readable/contractiles/Mustfile.a2ml b/.machine_readable/contractiles/Mustfile.a2ml new file mode 100644 index 0000000..55f8ab4 --- /dev/null +++ b/.machine_readable/contractiles/Mustfile.a2ml 
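Review bot: `deps-audit` turns real findings into a false pass — `cargo audit 2>/dev/null || echo "cargo-audit not installed"` prints "not installed" and exits 0 when cargo-audit is present but reports vulnerabilities, and every trivy/trufflehog call in `deps-audit`, `security` and `secret-scan-trufflehog` ends in `|| true`, so `just security` cannot fail; separate the presence check from the scan, `@command -v cargo-audit >/dev/null 2>&1 || { echo "cargo-audit not installed"; exit 1; }` followed by `cargo audit`, and drop `|| true` once a scanner is known to be installed. `crg-grade` and `crg-badge` use Makefile-style `$$grade`, which just passes through unchanged, so the shell expands `$$` to its PID and both recipes fail to parse; write `grade=$(grep -oP …)` and `$grade`. In `doctor`, `heal` and `help-me` several body lines (`# Optional tools`, `if command -v panic-attack …`, `if ! command -v cargo …`, the `echo "FIRST TIME SETUP:"` block) appear at column 0 in the diff; if that reflects the file, they terminate the shebang recipe body and will not parse, so they need the recipe indent. `release` runs `git add -A`, which sweeps any untracked local file into the release commit; `git add Cargo.toml STATE.scm` (or at least `git add -u`) limits the commit to the files the recipe edited. `heal` pipes `https://sh.rustup.rs` straight into `sh` and hides `cargo install just` errors with `2>/dev/null`; download the installer to a file first and let the install error surface.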
@@ -0,0 +1,102 @@
+# SPDX-License-Identifier: MPL-2.0
+# Mustfile — Physical state contract for rsr-template-repo
+# Author: Jonathan D.A. Jewell
+#
+# What MUST be true about this repository. Hard requirements.
+# Run with: must check
+# Fix with: must fix (where a deterministic fix exists)
+
+@abstract:
+Physical-state invariants for rsr-template-repo. This is the canonical
+RSR template repository. These are hard requirements — CI and pre-commit
+hooks fail if any check fails.
+@end
+
+## File Presence
+
+### license-present
+- description: LICENSE file must exist
+- run: test -f LICENSE
+- severity: critical
+
+### readme-present
+- description: README.adoc must exist
+- run: test -f README.adoc
+- severity: critical
+
+### security-policy
+- description: SECURITY.md must exist
+- run: test -f SECURITY.md
+- severity: critical
+
+### ai-manifest
+- description: 0-AI-MANIFEST.a2ml must exist
+- run: test -f 0-AI-MANIFEST.a2ml
+- severity: critical
+
+### governance-docs
+- description: GOVERNANCE.adoc, MAINTAINERS.adoc, CODEOWNERS must exist
+- run: test -f GOVERNANCE.adoc && test -f MAINTAINERS.adoc && test -f .github/CODEOWNERS
+- severity: critical
+
+### machine-readable-dir
+- description: .machine_readable/ directory must exist
+- run: test -d .machine_readable
+- severity: critical
+
+## Directory Structure
+
+### contractiles-complete
+- description: All required contractile directories exist
+- run: test -d .machine_readable/contractiles && test -d .machine_readable/contractiles/bust && test -d .machine_readable/contractiles/dust
+- severity: critical
+
+### contractiles-files-present
+- description: All four primary contractile files exist
+- run: test -f .machine_readable/contractiles/Intentfile.a2ml && test -f .machine_readable/contractiles/Mustfile.a2ml && test -f .machine_readable/contractiles/Trustfile.a2ml && test -f .machine_readable/contractiles/Adjustfile.a2ml
+- severity: critical
+
+### bust-dust-files-present
+- description: Bustfile and Dustfile exist in their directories
+- run: test -f .machine_readable/contractiles/bust/Bustfile.a2ml && test -f .machine_readable/contractiles/dust/Dustfile.a2ml
+- severity: critical
+
+### six-directory-present
+- description: 6a2 directory exists with required files
+- run: test -d .machine_readable/6a2 && test -f .machine_readable/6a2/META.a2ml && test -f .machine_readable/6a2/ECOSYSTEM.a2ml && test -f .machine_readable/6a2/STATE.a2ml && test -f .machine_readable/6a2/PLAYBOOK.a2ml && test -f .machine_readable/6a2/AGENTIC.a2ml && test -f .machine_readable/6a2/NEUROSYM.a2ml
+- severity: critical
+
+### anchors-directory
+- description: anchors directory exists in 6a2
+- run: test -d .machine_readable/6a2/anchors
+- severity: warning
+
+### self-validating-structure
+- description: self-validating directory has k9-svc and examples
+- run: test -d .machine_readable/self-validating && test -d .machine_readable/self-validating/k9-svc && test -d .machine_readable/self-validating/examples
+- severity: warning
+
+## Template Integrity
+
+### no-placeholder-values
+- description: No placeholder values remain in template files
+- run: test -z "$(grep -r '{{' .machine_readable/contractiles/ 2>/dev/null)"
+- severity: critical
+- notes: All placeholders must be substituted when copying this template
+
+### template-readonly
+- description: Template marker files are not modified
+- run: grep -q 'RSR_TEMPLATE_DO_NOT_EDIT' .machine_readable/0.1-AI-MANIFEST.a2ml
+- severity: warning
+
+## Git State
+
+### no-untracked-contractiles
+- description: All contractile files are tracked in git
+- run: test -z "$(git ls-files -o --exclude-standard .machine_readable/contractiles/ 2>/dev/null)"
+- severity: critical
+
+### signed-commits
+- description: All commits must be signed
+- run: git verify-commit HEAD
+- severity: critical
diff --git a/.machine_readable/contractiles/Trustfile.a2ml b/.machine_readable/contractiles/Trustfile.a2ml
new file mode 100644
index 0000000..e2028b5
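Review bot: `bust-dust-files-present` requires `.machine_readable/contractiles/dust/Dustfile.a2ml`, but this same commit deletes that file (the `dust/Dustfile.a2ml` deletion hunk below), so this critical check fails on the commit that introduces it; either keep the Dustfile or point the `run:` line at its new location. `no-placeholder-values` greps for `{{` under `.machine_readable/contractiles/`, a directory that in this commit also holds the Justfile (`{{project}}`, `{{tag}}`, …) and the Adjustfile's literal `{{PLACEHOLDER}}` corrective text, so it will always fail; exclude the Justfile and tighten the pattern to the marker form the template actually uses, e.g. `grep -rE --exclude=Justfile '\{\{[A-Z_]+\}\}' …`, with the Adjustfile's example reworded. `ai-manifest` tests `0-AI-MANIFEST.a2ml` at the repository root while `template-readonly` greps `.machine_readable/0.1-AI-MANIFEST.a2ml`; one of the two paths is presumably wrong. `signed-commits` says "All commits must be signed" but `git verify-commit HEAD` verifies only the tip and needs the signer's public key in the runner's keyring; narrow the description to HEAD or verify every commit in the pushed range, and document the keyring requirement in `notes:`.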
--- /dev/null
+++ b/.machine_readable/contractiles/Trustfile.a2ml
@@ -0,0 +1,88 @@
+# SPDX-License-Identifier: MPL-2.0
+# Trustfile — Trust boundaries and integrity invariants for rsr-template-repo
+# Author: Jonathan D.A. Jewell
+#
+# Defines what LLM/SLM agents are trusted to do without asking, and
+# integrity invariants that verify the repo has not been tampered with.
+
+@abstract:
+Trust boundaries and integrity checks for rsr-template-repo. This file
+combines the trust-level definitions from the original TRUST.contractile
+with the integrity invariants from the old Trustfile.a2ml. It defines
+what AI agents may do autonomously and what requires human approval,
+plus checks that verify repository integrity.
+@end
+
+## Trust Levels
+
+The rsr-template-repo operates at trust level: maximal
+
+Trust levels:
+- maximal: Agent may read, build, test, lint, format, heal freely.
+ Only destructive/external actions require approval.
+- standard: Agent may read and build. Test/lint need approval.
+- restricted: Agent may read only. All modifications need approval.
+- minimal: Agent may read specific files only. Everything else blocked.
+
+Current trust level: maximal
+
+## Integrity Invariants
+
+### Secrets
+
+#### no-secrets-committed
+- description: No credential files in repo
+- run: test ! -f .env && test ! -f credentials.json && test ! -f .env.local && test ! -f .env.production
+- severity: critical
+
+#### no-private-keys
+- description: No private key files committed
+- run: "! find . -name '*.pem' -o -name '*.key' -o -name 'id_rsa' -o -name 'id_ed25519' 2>/dev/null | grep -v node_modules | head -1 | grep -q ."
+- severity: critical
+
+#### no-tokens-in-source
+- description: No hardcoded API tokens in source
+- run: "! grep -rE '(api[_-]?key|secret|token|password)\s*[:=]\s*[\"'\\''][A-Za-z0-9]{16,}' --include='*.js' --include='*.ts' --include='*.res' --include='*.py' . 2>/dev/null | grep -v node_modules | head -1 | grep -q ."
+- severity: critical
+
+## Provenance
+
+#### author-correct
+- description: Git author matches expected identity
+- run: "git log -1 --format='%ae' | grep -qE '(hyperpolymath|j\\.d\\.a\\.jewell)'"
+- severity: warning
+
+#### license-content
+- description: LICENSE contains expected identifier
+- run: grep -q 'PMPL\|MPL\|MIT\|Apache\|LGPL' LICENSE
+- severity: warning
+
+## Template-Specific Trust
+
+### template-files-readonly
+- description: Template scaffold files should not be modified except by maintainer
+- run: test -z "$(git status --short .machine_readable/ 2>/dev/null | grep -v '^??' || true)"
+- severity: advisory
+- notes: Changes to template files require careful review
+
+### trust-deny-areas
+- description: Sensitive areas from INTENT.contractile require explicit approval
+- run: echo "Check .machine_readable/ contractiles and governance docs"
+- severity: advisory
+- areas:
+ - .machine_readable/
+ - GOVERNANCE.adoc
+ - MAINTAINERS.adoc
+ - .github/CODEOWNERS
+
+## Container Security
+
+#### container-images-pinned
+- description: Containerfile uses pinned base images
+- run: test ! -f Containerfile || grep -q 'cgr.dev\|@sha256:' Containerfile
+- severity: warning
+
+#### no-dockerfile
+- description: No Dockerfile (use Containerfile)
+- run: test ! -f Dockerfile
+- severity: warning
diff --git a/.machine_readable/contractiles/dust/Dustfile.a2ml b/.machine_readable/contractiles/dust/Dustfile.a2ml
deleted file mode 100644
index 0d619ee..0000000
--- a/.machine_readable/contractiles/dust/Dustfile.a2ml
+++ /dev/null
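Review bot: `no-tokens-in-source` scans only `*.js`, `*.ts`, `*.res` and `*.py`, but the Justfile in this commit builds Rust crates and an Ada TUI, so `*.rs`, `*.adb`/`*.ads` and the config formats where credentials usually land (`*.toml`, `*.yml`, `*.json`) are never inspected; add those `--include` globs. `container-images-pinned` passes on any `cgr.dev` reference, including a mutable tag, although the description promises pinned images; match the digest alone, `grep -q '@sha256:[0-9a-f]\{64\}' Containerfile`. Heading depth is inconsistent — checks under `## Integrity Invariants`, `## Provenance` and `## Container Security` use `####` while those under `## Template-Specific Trust` use `###`; if the runner keys on a fixed level, one group is silently skipped. `trust-deny-areas` has `run: echo …`, which always succeeds, so the `areas:` list is documentation rather than a check; say so in `notes:` or give it a predicate the runner can fail.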
@@ -1,22 +0,0 @@
-# SPDX-License-Identifier: MPL-2.0
-# Dustfile — Cleanup and Hygiene Contract
-
-[dustfile]
-version = "1.0.0"
-format = "a2ml"
-
-[cleanup]
-stale-branch-policy = "delete-after-merge"
-artifact-retention = "90-days"
-cache-policy = "clear-on-release"
-
-[hygiene]
-linting = "required"
-formatting = "required"
-dead-code-removal = "encouraged"
-todo-tracking = "tracked-in-issues"
-
-[reversibility]
-backup-before-destructive = true
-rollback-mechanism = "git-revert"
-data-retention-policy = "preserve-30-days"
diff --git a/.machine_readable/contractiles/trust/Trustfile.a2ml b/.machine_readable/contractiles/trust/Trustfile.a2ml
deleted file mode 100644
index f2a4f95..0000000
--- a/.machine_readable/contractiles/trust/Trustfile.a2ml
+++ /dev/null
@@ -1,50 +0,0 @@
-# SPDX-License-Identifier: MPL-2.0
-# Trustfile — Integrity and provenance verification
-# Author: Jonathan D.A. Jewell
-
-@abstract:
-Integrity invariants for this repository. These verify that the repo
-has not been tampered with, secrets are not leaked, and provenance
-is traceable.
-@end
-
-## Secrets
-
-### no-secrets-committed
-- description: No credential files in repo
-- run: test ! -f .env && test ! -f credentials.json && test ! -f .env.local && test ! -f .env.production
-- severity: critical
-
-### no-private-keys
-- description: No private key files committed
-- run: "! find . -name '*.pem' -o -name '*.key' -o -name 'id_rsa' -o -name 'id_ed25519' 2>/dev/null | grep -v node_modules | head -1 | grep -q ."
-- severity: critical
-
-### no-tokens-in-source
-- description: No hardcoded API tokens in source
-- run: "! grep -rE '(api[_-]?key|secret|token|password)\s*[:=]\s*[\"'\\''][A-Za-z0-9]{16,}' --include='*.js' --include='*.ts' --include='*.res' --include='*.py' . 2>/dev/null | grep -v node_modules | head -1 | grep -q ."
-- severity: critical
-
-## Provenance
-
-### author-correct
-- description: Git author matches expected identity
-- run: "git log -1 --format='%ae' | grep -qE '(hyperpolymath|j\\.d\\.a\\.jewell)'"
-- severity: warning
-
-### license-content
-- description: LICENSE contains expected identifier
-- run: grep -q 'PMPL\|MPL\|MIT\|Apache\|LGPL' LICENSE
-- severity: warning
-
-## Container Security
-
-### container-images-pinned
-- description: Containerfile uses pinned base images
-- run: test ! -f Containerfile || grep -q 'cgr.dev\|@sha256:' Containerfile
-- severity: warning
-
-### no-dockerfile
-- description: No Dockerfile (use Containerfile)
-- run: test ! -f Dockerfile
-- severity: warning
diff --git a/ABI-FFI-README.md b/ABI-FFI-README.md
index f06f72c..af300f5 100644
--- a/ABI-FFI-README.md
+++ b/ABI-FFI-README.md
@@ -1,3 +1,7 @@ + {{~ Aditionally delete this line and fill out the template below ~}} # {{PROJECT}} ABI/FFI Documentation diff --git a/CHANGELOG.md b/CHANGELOG.md index c4ffcf3..ca82be9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ SPDX-License-Identifier: MPL-2.0 SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell (hyperpolymath) --> diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 43a9361..035e690 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,3 +1,7 @@ + # Code of Conduct # Clone the repository git clone https://github.com/hyperpolymath/docmatrix.git cd docmatrix diff --git a/EXPLAINME.adoc b/EXPLAINME.adoc index cda2923..78f728d 100644 --- a/EXPLAINME.adoc +++ b/EXPLAINME.adoc @@ -1,4 +1,5 @@ // SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell = DocMatrix — Show Me The Receipts :toc: :icons: font diff --git a/GOVERNANCE.adoc b/GOVERNANCE.adoc new file mode 100644 index 0000000..8bbf167 --- /dev/null +++ b/GOVERNANCE.adoc 
@@ -0,0 +1,162 @@ +// SPDX-License-Identifier: MPL-2.0 +// SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell += Governance Model +:toc: preamble + +This document describes the governance model for this repository. + +== Overview + +This repository follows a **Sole Maintainer Governance Model**: + +* Single maintainer (@hyperpolymath) has full authority over the project +* All contributions are welcome and reviewed by the maintainer +* Decisions are made transparently through GitHub issues and discussions +* The project adheres to the hyperpolymath estate policies where applicable + +== Core Principles + +[cols="1,2"] +|=== +| Principle | Description + +| **Benevolent Dictatorship** | Maintainer has final decision authority but seeks community input + +| **Meritocracy** | Contributions are judged on technical merit, not contributor identity + +| **Transparency** | All significant decisions are documented publicly + +| **Consensus-Seeking** | Maintainer prefers consensus but will decide when necessary + +| **Open Contribution** | Anyone can contribute via fork and pull request + +|=== + +== Roles and Permissions + +[cols="1,2,2"] +|=== +| Role | Permissions | Assignment + +| **Maintainer** | Write access, merge rights, admin | @hyperpolymath +| **Contributors** | Read access, fork, submit PRs | All GitHub users +| **Users** | Use the software, report issues | All GitHub users + +|=== + +== Decision Making Framework + +=== Routine Decisions + +* Bug fixes +* Documentation improvements +* Minor feature additions +* Dependency updates + +**Process**: Maintainer reviews and merges PRs that meet quality standards. + +=== Significant Changes + +* New major features +* API changes +* Architecture modifications +* Breaking changes + +**Process**: +. Open issue describing the change +. Discuss with community (minimum 72 hours) +. Maintainer makes final decision +. 
Document rationale in issue/PR + +=== Structural Decisions + +* Repository purpose/renaming +* License changes +* Ownership transfer +* Deprecation/archival + +**Process**: +. Extended discussion (minimum 1 week) +. Maintainer makes final decision +. Document in CHANGELOG and governance docs + +== Contribution Lifecycle + +[cols="1,2"] +|=== +| Stage | Process + +| **Ideation** | Open issue, discuss feasibility + +| **Development** | Fork, implement, test thoroughly + +| **Review** | Submit PR, maintainer reviews within 7 days + +| **Merge** | Maintainer merges or requests changes + +| **Release** | Maintainer publishes according to project conventions + +|=== + +== Conflict Resolution + +In case of disagreements: + +. Discuss in the relevant GitHub issue or PR +. Provide technical justification for positions +. Maintainer mediates and makes final decision +. Decision is documented and can be revisited later + +== Project Policies + +This repository adheres to hyperpolymath estate-wide policies: + +* **License**: MPL-2.0 for code, CC-BY-SA-4.0 for prose (per standards/LICENCE-POLICY.adoc) +* **Code of Conduct**: Follows hyperpolymath CODE_OF_CONDUCT.md +* **Security**: Follows hyperpolymath SECURITY.md +* **Contributing**: Follows hyperpolymath CONTRIBUTING.adoc conventions + +== Repository-Specific Conventions + +[cols="1,2"] +|=== +| Convention | Description + +| **Signing** | All commits must be signed (SSH or GPG) + +| **SPDX Headers** | All source files must have SPDX license identifiers + +| **Contractiles** | Mustfile, Trustfile, Intendfile, Adjustfile in root + +| **Machine Readable** | META.a2ml in .machine_readable/6a2/ + +| **CI/CD** | GitHub Actions workflows in .github/workflows/ + +|=== + +== Governance Evolution + +As the project grows, this governance model may evolve: + +* **Adding Co-Maintainers**: When contribution volume warrants it +* **Forming a Team**: For complex multi-maintainer projects +* **Adopting TPCF**: For large, multi-repository 
projects (see rhodium-standard-repositories) + +Changes to this document require the same process as Significant Changes above. + +== See Also + +* link:MAINTAINERS.adoc[Maintainers] +* link:CODE_OF_CONDUCT.md[Code of Conduct] +* link:CONTRIBUTING.adoc[Contributing Guide] +* link:https://github.com/hyperpolymath/standards/blob/main/LICENCE-POLICY.adoc[Estate License Policy] +* link:https://github.com/hyperpolymath/standards[rhodium-standard-repositories (TPCF)] + +== Changelog + +[cols="1,1,1"] +|=== +| Date | Change | By + +| 2026-06-07 | Initial governance model established | @hyperpolymath +|=== diff --git a/Justfile b/Justfile index b5553be..ec91f1e 100644 --- a/Justfile +++ b/Justfile @@ -1,4 +1,5 @@ # Formatrix Docs - RSR Standard Justfile +// Copyright (c) Jonathan D.A. Jewell # SPDX-License-Identifier: MPL-2.0 # https://just.systems/man/en/ @@ -321,7 +322,6 @@ install-hooks: # Run security audit security: deps-audit @echo "=== Security Audit ===" - @command -v gitleaks >/dev/null && gitleaks detect --source . --verbose || true @command -v trivy >/dev/null && trivy fs --severity HIGH,CRITICAL . || true @echo "Security audit complete" @@ -591,3 +591,6 @@ crg-badge: D) color="orange" ;; E) color="red" ;; F) color="critical" ;; \ *) color="lightgrey" ;; esac; \ echo "[![CRG $$grade](https://img.shields.io/badge/CRG-$$grade-$$color?style=flat-square)](https://github.com/hyperpolymath/standards/tree/main/component-readiness-grades)" + +secret-scan-trufflehog: + @command -v trufflehog >/dev/null && trufflehog filesystem . --only-verified || true diff --git a/LICENSE b/LICENSE index 4a7f1aa..d0a1fa1 100644 --- a/LICENSE +++ b/LICENSE 
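Review bot: The added header `// Copyright (c) Jonathan D.A. Jewell` uses `//`, which Just does not treat as a comment (comments start with `#`, as the neighbouring `# SPDX-License-Identifier: MPL-2.0` line shows), so the whole Justfile will most likely fail to parse and every recipe, including `security`, becomes unusable. Change it to `# Copyright (c) Jonathan D.A. Jewell` so it matches the adjacent header lines.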
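Review bot: Removing the gitleaks line leaves the `security` recipe with no secret scanner at all — only the trivy filesystem scan remains — while the `secret-scan-trufflehog` recipe added further down in this file is standalone and nothing invokes it. Make it a prerequisite so `just security` still covers secrets: `security: deps-audit secret-scan-trufflehog`. This matters more than usual because the same commit also deletes the Trustfile carrying the no-secrets-committed and no-private-keys checks, so this recipe appears to be the last repo-level secret check left.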
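Review bot: `trufflehog filesystem . --only-verified || true` can never fail: `--only-verified` drops any finding trufflehog cannot confirm against a live service (internal tokens, keys without a verifier), and the trailing `|| true` also swallows a scan that does report verified secrets, so the recipe is informational only. Consider dropping `--only-verified` (or adding a comment stating why unverified findings are deliberately ignored) and separating the tool-missing case from a failing scan, e.g. `@if command -v trufflehog >/dev/null; then trufflehog filesystem . --fail; else echo "trufflehog not installed"; fi`. Whether `--fail` is supported by the trufflehog version used here should be confirmed before adopting it.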
@@ -1,38 +1,3 @@ -SPDX-License-Identifier: MPL-2.0 -SPDX-FileCopyrightText: 2024-2026 Jonathan D.A. Jewell (hyperpolymath) - ------------------------------------------------------------------------- -PREFERRED LICENCE: Palimpsest License (MPL-2.0) ------------------------------------------------------------------------- - -This work is governed by the Palimpsest License (MPL-2.0) as -its primary intended licence. MPL-2.0 extends the Mozilla -Public License 2.0 (MPL-2.0) with additional provisions for ethical use, -post-quantum cryptographic provenance, and emotional lineage protection. -The canonical PMPL text and stewardship information are maintained at: - https://github.com/hyperpolymath/palimpsest-license - ------------------------------------------------------------------------- -FALLBACK LICENCE: Mozilla Public License 2.0 (MPL-2.0) ------------------------------------------------------------------------- - -Because MPL-2.0 is not yet recognised by the Open Source -Initiative (OSI) or equivalent bodies, this work also carries MPL-2.0 -as its legally-recognised fallback licence. - -In any jurisdiction, platform, or context where MPL-2.0 is -not accepted as a valid licence, or where an OSI-approved licence is -required, this work is instead governed by the Mozilla Public License, -Version 2.0. - -MPL-2.0 was chosen as the fallback because MPL-2.0 is -explicitly based on and extends MPL-2.0; it is therefore the closest -recognised equivalent to the intended licence. - -The complete MPL-2.0 text follows below. - ------------------------------------------------------------------------- - Mozilla Public License Version 2.0 ================================== 
@@ -109,17 +74,17 @@ Mozilla Public License Version 2.0 means the form of the work preferred for making modifications. 1.14. "You" (or "Your") - means an individual or a legal entity exercising rights under - this License. For legal entities, "You" includes any entity that - controls, is controlled by, or is under common control with You. - For the purposes of this definition, "control" means (a) the power, - direct or indirect, to cause the direction or management of such - entity, whether by contract or otherwise, or (b) ownership of more - than fifty percent (50%) of the outstanding shares or beneficial + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. License Grants and Conditions ---------------------------------- +-------------------------------- 2.1. Grants @@ -144,11 +109,11 @@ distributes such Contribution. 2.3. Limitations on Grant Scope -The licenses granted in this Section 2 are the only rights granted -under this License. No additional rights or licenses will be implied -from the distribution or licensing of Covered Software under this -License. Notwithstanding Section 2.1(b) above, no patent license is -granted by a Contributor: +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: (a) for any code that a Contributor has removed from Covered Software; or 
@@ -158,19 +123,19 @@ granted by a Contributor: Contributions with other software (except as part of its Contributor Version); or -(c) under Patent Claims infringed by Covered Software in the absence - of its Contributions. +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. -This License does not grant any rights in the trademarks, service -marks, or logos of any Contributor (except as may be necessary to -comply with the notice requirements in Section 3.4). +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). 2.4. Subsequent Licenses No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this -License (see Section 10.2) or under the terms of a Secondary License -(if permitted under the terms of Section 3.3). +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). 2.5. Representation @@ -186,11 +151,11 @@ equivalents. 2.7. Conditions -Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses -granted in Section 2.1. +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. 3. Responsibilities --------------------- +------------------- 3.1. Distribution of Source Form 
@@ -207,10 +172,10 @@ Form. If You distribute Covered Software in Executable Form then: (a) such Covered Software must also be made available in Source Code - Form, as described in Section 3.1, and You must inform recipients - of the Executable Form how they can obtain a copy of such Source - Code Form by reasonable means in a timely manner, at a charge no - more than the cost of distribution to the recipient; and + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the @@ -222,8 +187,8 @@ If You distribute Covered Software in Executable Form then: You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered -Software with a work governed by one or more Secondary Licenses, and -the Covered Software is not Incompatible With Secondary Licenses, this +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered 
@@ -241,28 +206,28 @@ the extent required to remedy known factual inaccuracies. 3.5. Application of Additional Terms You may choose to offer, and to charge a fee for, warranty, support, -indemnity or liability obligations to one or more recipients of -Covered Software. However, You may do so only on Your own behalf, and -not on behalf of any Contributor. You must make it absolutely clear -that any such warranty, support, indemnity, or liability obligation is -offered by You alone, and You hereby agree to indemnify every -Contributor for any liability incurred by such Contributor as a result -of warranty, support, indemnity or liability terms You offer. You may -include additional disclaimers of warranty and limitations of liability -specific to any jurisdiction. +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. 4. Inability to Comply Due to Statute or Regulation ------------------------------------------------------ +--------------------------------------------------- If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) -describe the limitations and the code they affect. Such description -must be placed in a text file included with all distributions of the -Covered Software under this License. 
Except to the extent prohibited -by statute or regulation, such description must be sufficiently -detailed for a recipient of ordinary skill to be able to understand it. +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. 5. Termination -------------- 
@@ -271,27 +236,27 @@ detailed for a recipient of ordinary skill to be able to understand it. if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such -Contributor explicitly and finally terminates Your grants, and (b) on -an ongoing basis, if such Contributor fails to notify You of the +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor -notifies You of the non-compliance by some reasonable means, this is -the first time You have received notice of non-compliance with this -License from such Contributor, and You become compliant prior to 30 -days after Your receipt of the notice. +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. -5.2. If You initiate litigation against any entity by asserting a -patent infringement claim (excluding declaratory judgment actions, +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate. 5.3. 
In the event of termination under Sections 5.1 or 5.2 above, all -end user license agreements (excluding distributors and resellers) -which have been validly granted by You or Your distributors under this -License prior to termination shall survive termination. +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. ************************************************************************ * * @@ -346,7 +311,7 @@ Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims. 9. Miscellaneous ------------------ +---------------- This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be @@ -356,14 +321,14 @@ that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor. 10. Versions of the License ----------------------------- +--------------------------- 10.1. New Versions -Mozilla Foundation is the license steward. Except as provided in -Section 10.3, no one other than the license steward has the right to -modify or publish new versions of this License. Each version will be -given a distinguishing version number. +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. 10.2. Effect of New Versions 
@@ -392,17 +357,17 @@ Exhibit A - Source Code Form License Notice This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. + file, You can obtain one at https://mozilla.org/MPL/2.0/. If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE -file in a relevant directory) where a recipient would be likely to -look for such a notice. +file in a relevant directory) where a recipient would be likely to look +for such a notice. You may add additional accurate notices of copyright ownership. Exhibit B - "Incompatible With Secondary Licenses" Notice ----------------------------------------------------------- +--------------------------------------------------------- This Source Code Form is "Incompatible With Secondary Licenses", as defined by the Mozilla Public License, v. 2.0. diff --git a/MAINTAINERS.adoc b/MAINTAINERS.adoc index b5154a0..becaa3e 100644 --- a/MAINTAINERS.adoc +++ b/MAINTAINERS.adoc @@ -1,4 +1,5 @@ -// SPDX-License-Identifier: MPL-2.0-or-later +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell = Maintainers :toc: preamble diff --git a/PALIMPSEST.adoc b/PALIMPSEST.adoc index ebaa6d0..aa923dd 100644 --- a/PALIMPSEST.adoc +++ b/PALIMPSEST.adoc 
@@ -1,18 +1,20 @@ -= Palimpsest License +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell += MPL-2.0 :toc: :toc-placement!: -image:https://img.shields.io/badge/License-PMPL--1.0-blue.svg[License: PMPL-1.0,link="https://github.com/hyperpolymath/palimpsest-license"] +image:https://img.shields.io/badge/License-PMPL--1.0-blue.svg[License: MPL-2.0,link="https://github.com/hyperpolymath/palimpsest-license"] image:https://img.shields.io/badge/Philosophy-Palimpsest-indigo.svg[Palimpsest,link="https://github.com/hyperpolymath/palimpsest-license"] toc::[] == Legal Status -This project is licensed under the **Palimpsest-MPL License 1.0 (PMPL-1.0)**. +This project is licensed under the **MPL-2.0 License 1.0 (MPL-2.0)**. For SPDX and tooling, use **MPL-2.0**. -PMPL-1.0 incorporates the Mozilla Public License 2.0 by reference and adds +MPL-2.0 incorporates the Mozilla Public License 2.0 by reference and adds ethical-use, provenance, and lineage requirements. == What PMPL Adds @@ -24,7 +26,7 @@ ethical-use, provenance, and lineage requirements. == How to Adopt -1. Include the PMPL-1.0 license text in `LICENSE`. +1. Include the MPL-2.0 license text in `LICENSE`. 2. Add SPDX headers to source files: `SPDX-License-Identifier: MPL-2.0` 3. Add a Palimpsest badge to your README (see `assets/badges/` and `embed/license-blocks/`). @@ -32,7 +34,7 @@ ethical-use, provenance, and lineage requirements. == Versioning See `VERSIONING.adoc` for the release process and the "-or-later" model. -The current legal text is PMPL-1.0. +The current legal text is MPL-2.0. == References diff --git a/PROOF-NEEDS.md b/PROOF-NEEDS.md index 8950320..566ed20 100644 --- a/PROOF-NEEDS.md +++ b/PROOF-NEEDS.md @@ -1,3 +1,7 @@ + # PROOF-NEEDS.md ## Template ABI Cleanup (2026-03-29) diff --git a/QUICKSTART-DEV.adoc b/QUICKSTART-DEV.adoc index 17838a0..73cd7c7 100644 --- a/QUICKSTART-DEV.adoc +++ b/QUICKSTART-DEV.adoc 
@@ -1,3 +1,5 @@ +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell = Docmatrix — Developer Quickstart :toc: preamble diff --git a/QUICKSTART-MAINTAINER.adoc b/QUICKSTART-MAINTAINER.adoc index ce338de..ffa7724 100644 --- a/QUICKSTART-MAINTAINER.adoc +++ b/QUICKSTART-MAINTAINER.adoc @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell = Docmatrix — Maintainer Quickstart :toc: preamble diff --git a/QUICKSTART-USER.adoc b/QUICKSTART-USER.adoc index 8bed325..76128f5 100644 --- a/QUICKSTART-USER.adoc +++ b/QUICKSTART-USER.adoc @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell = Docmatrix — User Quickstart :toc: preamble diff --git a/README.adoc b/README.adoc index f9034f8..107a905 100644 --- a/README.adoc +++ b/README.adoc @@ -1,6 +1,9 @@ +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell image:https://img.shields.io/badge/License-MPL_2.0-blue.svg[MPL-2.0-or-later,link="https://opensource.org/licenses/MPL-2.0"] -// SPDX-License-Identifier: MPL-2.0-or-later = DocMatrix +image:https://img.shields.io/badge/OpenSSF-Best_Practices-green?logo=openssourcesecurity[OpenSSF Best Practices,link="https://www.bestpractices.dev/en/projects/new?repo_url=https://github.com/hyperpolymath/docmatrix"] + @@ -15,7 +18,7 @@ image:https://img.shields.io/badge/Philosophy-Palimpsest-indigo.svg[Palimpsest,l This project must declare **MPL-2.0-or-later** for platform/tooling compatibility. -Philosophy: **Palimpsest**. The Palimpsest-MPL (PMPL) text is provided in `license/PMPL-1.0.txt`, and the canonical source is the palimpsest-license repository. +Philosophy: **Palimpsest**. The MPL-2.0 (PMPL) text is provided in `license/MPL-2.0.txt`, and the canonical source is the palimpsest-license repository. Cross-platform document editor with format tabs (TXT/MD/ADOC/DJOT/ORG/RST/TYP). Gossamer GUI + Ada TUI. Graph visualization, OCR, TTS/STT, Nickel pipelines. 
@@ -136,7 +139,7 @@ These scripts follow the same language policy (Bash, Rust, ReScript, Deno, Gleam == License -PMPL-1.0 with Palimpsest philosophy. +MPL-2.0 with Palimpsest philosophy. == Links diff --git a/README.md b/README.md index 71c03de..31f8084 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ [![Sponsor](https://img.shields.io/badge/Sponsor-%E2%9D%A4-pink?logo=github)](https://github.com/sponsors/hyperpolymath) + image:https://img.shields.io/badge/License-MPL_2.0-blue.svg[MPL-2.0-or-later,link="https://opensource.org/licenses/MPL-2.0"] // SPDX-License-Identifier: MPL-2.0-or-later diff --git a/ROADMAP.adoc b/ROADMAP.adoc index 0811d3e..6550fcc 100644 --- a/ROADMAP.adoc +++ b/ROADMAP.adoc @@ -1,4 +1,5 @@ // SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell = Docmatrix Roadmap == Current Status diff --git a/RSR_COMPLIANCE.adoc b/RSR_COMPLIANCE.adoc index d28bbff..0aef8d5 100644 --- a/RSR_COMPLIANCE.adoc +++ b/RSR_COMPLIANCE.adoc @@ -1,4 +1,5 @@ -// SPDX-License-Identifier: MPL-2.0-or-later +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell = Rhodium Standard Repositories (RSR) Compliance :toc: left :toclevels: 2 diff --git a/RSR_OUTLINE.adoc b/RSR_OUTLINE.adoc index e429244..7848673 100644 --- a/RSR_OUTLINE.adoc +++ b/RSR_OUTLINE.adoc @@ -1,6 +1,8 @@ +// SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell = RSR Template Repository -image:[Palimpsest-MPL-1.0,link="https://github.com/hyperpolymath/palimpsest-license"] image:[Palimpsest,link="https://github.com/hyperpolymath/palimpsest-license"] +image:[MPL-2.0-1.0,link="https://github.com/hyperpolymath/palimpsest-license"] image:[Palimpsest,link="https://github.com/hyperpolymath/palimpsest-license"] :toc: :sectnums: diff --git a/SECURITY.md b/SECURITY.md index d865fc5..76ed0e6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,3 +1,7 @@ + # Security Policy # Test Coverage Report: CRG Blitz D→C ## CRG Grade: C — ACHIEVED 2026-04-04 
diff --git a/TOPOLOGY.md b/TOPOLOGY.md index 72aa419..306ec79 100644 --- a/TOPOLOGY.md +++ b/TOPOLOGY.md @@ -1,4 +1,7 @@ - + diff --git a/bindings/zig/README.md b/bindings/zig/README.md index a33fc9f..689ec34 100644 --- a/bindings/zig/README.md +++ b/bindings/zig/README.md @@ -1,3 +1,7 @@ + # Zig FFI Bindings The Zig FFI bindings have been moved to a separate repository for reusability: diff --git a/bindings/zig/build.zig b/bindings/zig/build.zig index 634a28b..c455871 100644 --- a/bindings/zig/build.zig +++ b/bindings/zig/build.zig @@ -1,4 +1,5 @@ // SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell //! Build configuration for formatrix Zig bindings //! //! Links against libformatrix_core from the Rust crate. diff --git a/bindings/zig/example.zig b/bindings/zig/example.zig index a3445af..a125ef0 100644 --- a/bindings/zig/example.zig +++ b/bindings/zig/example.zig @@ -1,4 +1,5 @@ // SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell //! Example usage of formatrix Zig bindings const std = @import("std"); diff --git a/bindings/zig/formatrix.zig b/bindings/zig/formatrix.zig index ac162d6..86b1916 100644 --- a/bindings/zig/formatrix.zig +++ b/bindings/zig/formatrix.zig @@ -1,4 +1,5 @@ // SPDX-License-Identifier: MPL-2.0 +// Copyright (c) Jonathan D.A. Jewell //! Zig bindings for formatrix-core //! //! Provides a type-safe Zig interface to the Formatrix document library. diff --git a/container/nerdctl-compose.yml b/container/nerdctl-compose.yml index a8720ca..b25367d 100644 --- a/container/nerdctl-compose.yml +++ b/container/nerdctl-compose.yml @@ -1,4 +1,5 @@ # SPDX-License-Identifier: MPL-2.0-or-later +// Owner: Jonathan D.A. Jewell # Formatrix Docs - nerdctl compose configuration # Copyright (C) 2025 Jonathan D.A. Jewell # diff --git a/contractiles/README.adoc b/contractiles/README.adoc deleted file mode 100644 index d19a387..0000000 --- a/contractiles/README.adoc +++ /dev/null 
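Review bot: `// Owner: Jonathan D.A. Jewell` is not a comment in YAML — `#` is the only comment marker — so the new line parses as a top-level mapping key `// Owner` with a string value, which the compose schema will reject as an unknown property and break `nerdctl compose` for this file. Replace it with `# Owner: Jonathan D.A. Jewell`, or drop it entirely, since the file already carries `# Copyright (C) 2025 Jonathan D.A. Jewell` two lines below.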
@@ -1,19 +0,0 @@ -= Contractiles Template Set -:toc: -:sectnums: - -This directory contains the generalized contractiles templates. Copy the `contractiles/` directory into a new repo to establish a consistent operational, validation, trust, recovery, and intent framework. - -== Fill-In Instructions - -1. Update the Mustfile to reflect your real invariants (paths, schema versions, ports). -2. Replace Trustfile.hs placeholders with your actual key paths and verification commands. -3. Adjust Dustfile handlers to match your rollback and recovery tooling. -4. Update Intentfile to mirror the roadmap you want the system to evolve toward. - -== Contents - -* `must/Mustfile` - required invariants and validations. -* `trust/Trustfile.hs` - cryptographic verification steps. -* `dust/Dustfile` - rollback and recovery semantics. -* `lust/Intentfile` - future intent and roadmap direction. diff --git a/contractiles/dust/Dustfile b/contractiles/dust/Dustfile deleted file mode 100644 index 6f93c6a..0000000 --- a/contractiles/dust/Dustfile +++ /dev/null @@ -1,29 +0,0 @@ -# SPDX-License-Identifier: PLMP-1.0-or-later -# Dustfile template - recovery and rollback semantics - -version: 1 - -recovery: - logs: - - name: decision-log - path: logs/decisions.json - reversible: true - handler: "log-replay --reverse logs/decisions.json" - - policy: - - name: policy-rollback - path: policy/policy.ncl - rollback: "git checkout HEAD~1 -- policy/policy.ncl" - notes: "Rollback policy to the previous known-good revision." - - gateway: - - name: bad-deployment - event: "deploy.failure" - undo: "kubectl rollout undo deployment/gateway" - notes: "Undo a failed deployment while preserving audit logs." - - dust-events: - - name: decision-log-to-dust - source: logs/decisions.json - transform: "dustify --input logs/decisions.json --output logs/dust-events.json" - notes: "Map gateway decision logs into reversible dust events." 
diff --git a/contractiles/intend/Intentfile.a2ml b/contractiles/intend/Intentfile.a2ml deleted file mode 100644 index 1293351..0000000 --- a/contractiles/intend/Intentfile.a2ml +++ /dev/null @@ -1,22 +0,0 @@ -# SPDX-License-Identifier: MPL-2.0 -# Intentfile (A2ML Canonical) -# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) - -@abstract: -Declared intent and purpose for Docmatrix. -@end - -## Purpose - -Docmatrix — // SPDX-License-Identifier: MPL-2.0-or-later - -## Anti-Purpose - -This project is NOT: -- A fork or wrapper around another tool -- A monorepo (unless explicitly structured as one) - -## If In Doubt - -If you are unsure whether a change is in scope, ask. -Sensitive areas: ABI definitions, license headers, CI workflows. diff --git a/contractiles/k9/README.adoc b/contractiles/k9/README.adoc deleted file mode 100644 index 9c3099f..0000000 --- a/contractiles/k9/README.adoc +++ /dev/null 
@@ -1,178 +0,0 @@ -// SPDX-License-Identifier: MPL-2.0 -= K9 Contractiles -:toc: left -:icons: font - -== What Are K9 Contractiles? - -K9 contractiles are self-validating components that combine configuration, validation, and deployment logic in a single file format. They implement the RSR principle of "self-describing artifacts" by embedding contracts and orchestration directly in the component. - -== The Three Security Levels - -K9 components declare their trust requirements using "The Leash" security model: - -[horizontal] -`'Kennel`:: Pure data, no execution (safest) -`'Yard`:: Nickel evaluation with contracts (medium trust) -`'Hunt`:: Full execution with Just recipes (requires signature) - -== Example Components - -This directory contains example K9 contractiles for common repository tasks: - -=== Kennel Level (Pure Data) - -**File:** `examples/project-metadata.k9.ncl` - -Pure configuration data with no execution. Safe to include in any repository. - -**Use cases:** -- Project metadata (name, version, description) -- Build configuration -- Tool settings -- Data schemas - -**Security:** No signature required, data-only. - -=== Yard Level (Validated Config) - -**File:** `examples/ci-config.k9.ncl` - -Configuration with Nickel contracts for runtime validation. Evaluated safely without I/O. - -**Use cases:** -- CI/CD configuration with validation -- Deployment parameters -- Database schemas with constraints -- API specifications - -**Security:** Signature recommended, Nickel evaluation only. - -=== Hunt Level (Full Execution) - -**File:** `examples/setup-repo.k9.ncl` - -Full execution with Just recipes. Can run shell commands and modify filesystem. - -**Use cases:** -- Repository setup scripts -- Deployment automation -- System configuration -- Package installation - -**Security:** **Signature required**, full system access. - -== Usage in Your Repository - -=== 1. 
Create K9 Components - -Choose the appropriate security level for your use case: - -[source,bash] ----- -# Kennel: Pure configuration -cp contractiles/k9/examples/project-metadata.k9.ncl config/metadata.k9.ncl - -# Yard: Validated configuration -cp contractiles/k9/examples/ci-config.k9.ncl .github/ci.k9.ncl - -# Hunt: Full automation -cp contractiles/k9/examples/setup-repo.k9.ncl scripts/setup.k9.ncl ----- - -=== 2. Validate Components - -[source,bash] ----- -# Validate Nickel syntax and contracts -nickel typecheck config/metadata.k9.ncl - -# Verify Hunt-level signature (if signed) -./must verify scripts/setup.k9.ncl ----- - -=== 3. Execute Components - -[source,bash] ----- -# Kennel: Export as JSON -nickel export config/metadata.k9.ncl > metadata.json - -# Yard: Evaluate with validation -nickel eval .github/ci.k9.ncl - -# Hunt: Run with Just (dry-run first!) -./must --dry-run run scripts/setup.k9.ncl -./must run scripts/setup.k9.ncl ----- - -== Integration with RSR - -K9 contractiles integrate with other RSR standards: - -**STATE.scm**:: K9 components can generate or validate STATE.scm -**ECOSYSTEM.scm**:: K9 can automate cross-repo operations -**META.scm**:: K9 can enforce architectural decisions - -== Security Best Practices - -=== For Kennel/Yard Components - -✅ **Safe to use without signatures** + -✅ **Review Nickel code before use** + -✅ **Validate contracts match expectations** - -=== For Hunt Components - -⚠️ **ALWAYS verify signatures** + -⚠️ **Review Just recipes carefully** + -⚠️ **Run dry-run mode first** + -⚠️ **Never run as root unless required** + -⚠️ **Sandbox external components** - -**See:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-BEST-PRACTICES.adoc - -== Template Files - -Use these as starting points for your own K9 components: - -- `template-kennel.k9.ncl` - Pure data template -- `template-yard.k9.ncl` - Validated config template -- `template-hunt.k9.ncl` - Full execution template - -== Dependencies - -To use 
K9 contractiles in your repository: - -[source,bash] ----- -# Install Nickel (configuration language) -curl -L https://github.com/tweag/nickel/releases/latest/download/nickel-linux-x86_64 -o nickel -chmod +x nickel && sudo mv nickel /usr/local/bin/ - -# Install Just (task runner, for Hunt level) -cargo install just - -# Clone K9-SVC (for must shim and tooling) -git clone https://github.com/hyperpolymath/standards.git -# Note: K9-SVC is located in standards/k9-svc ----- - -== Learn More - -- **K9-SVC Specification:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/SPEC.adoc -- **K9 User Guide:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/GUIDE.adoc -- **Security Documentation:** https://github.com/hyperpolymath/standards/blob/main/k9-svc/docs/SECURITY-FAQ.adoc -- **IANA Media Type:** `application/vnd.k9+nickel` - -== Contributing - -When adding K9 contractiles to your repository: - -1. Use appropriate security level (Kennel > Yard > Hunt) -2. Document what each component does -3. Include validation contracts in Yard/Hunt components -4. Sign Hunt-level components before committing -5. Add K9 validation to CI/CD pipeline - -**Questions?** Open an issue on https://github.com/hyperpolymath/standards/tree/main/k9-svc diff --git a/contractiles/k9/examples/ci-config.k9.ncl b/contractiles/k9/examples/ci-config.k9.ncl deleted file mode 100644 index 9fe314e..0000000 --- a/contractiles/k9/examples/ci-config.k9.ncl +++ /dev/null 
@@ -1,126 +0,0 @@ -K9! -# SPDX-License-Identifier: MPL-2.0 -# Example Yard-level K9 component: CI/CD configuration with validation -# Security Level: Yard (Nickel evaluation, contract validation) -# Signature recommended but not required - -{ - pedigree = { - schema_version = "1.0.0", - component_type = "ci-configuration", - security = { - leash = 'Yard, - trust_level = "validated-config", - allow_network = false, - allow_filesystem_write = false, - allow_subprocess = false, - }, - metadata = { - name = "ci-config", - version = "1.0.0", - description = "CI/CD configuration with runtime validation", - author = "Jonathan D.A. Jewell ", - }, - }, - - # CI/CD configuration with Nickel contracts - ci = { - # Platform must be a known CI provider - platform - | [| 'GitHubActions, 'GitLabCI, 'CircleCI, 'TravisCI |] - = 'GitHubActions, - - # Build matrix with validation - matrix = { - # Operating systems to test on - os - | Array String - | std.array.NonEmpty - = ["ubuntu-latest", "macos-latest"], - - # Language versions to test - versions - | Array String - | std.array.NonEmpty - = ["stable", "beta"], - }, - - # Workflow steps with validation - steps = [ - { - name = "Checkout", - action = "actions/checkout@v4", - # Version must be SHA-pinned for security - sha | String | std.string.NonEmpty = "b4ffde65f46336ab88eb53be808477a3936bae11", - }, - { - name = "Build", - run = "just build", - }, - { - name = "Test", - run = "just test", - }, - { - name = "Lint", - run = "just lint", - }, - ], - - # Deployment configuration - deploy = { - enabled | Bool = false, - - # Only deploy from main branch - branch - | String - | std.contract.from_predicate (fun b => b == "main" || b == "master") - = "main", - - # Deployment requires manual approval - requires_approval | Bool = true, - }, - - # Security scanning - security = { - enabled | Bool = true, - - scanners = [ - { - name = "CodeQL", - languages = ["rust", "javascript"], - }, - { - name = "OSSF Scorecard", - enabled = true, - }, - { 
- name = "TruffleHog", - scan_for = "secrets", - }, - ], - }, - - # Notification settings - notifications = { - on_success = "never", - on_failure = "always", - channels = ["email"], - }, - }, - - # Validation rules (enforced by Nickel) - validation = { - # At least one OS must be specified - check_os = std.array.length ci.matrix.os > 0, - - # At least one version must be tested - check_versions = std.array.length ci.matrix.versions > 0, - - # Must have at least build and test steps - check_steps = std.array.length ci.steps >= 2, - - # Security scanning must be enabled - check_security = ci.security.enabled == true, - }, -} diff --git a/contractiles/k9/examples/project-metadata.k9.ncl b/contractiles/k9/examples/project-metadata.k9.ncl deleted file mode 100644 index b2299b4..0000000 --- a/contractiles/k9/examples/project-metadata.k9.ncl +++ /dev/null 
@@ -1,57 +0,0 @@ -K9! -# SPDX-License-Identifier: MPL-2.0 -# Example Kennel-level K9 component: Project metadata -# Security Level: Kennel (pure data, no execution) -# No signature required - -{ - pedigree = { - schema_version = "1.0.0", - component_type = "project-metadata", - security = { - leash = 'Kennel, - trust_level = "data-only", - allow_network = false, - allow_filesystem_write = false, - allow_subprocess = false, - }, - metadata = { - name = "project-metadata", - version = "1.0.0", - description = "Pure data configuration for project metadata", - author = "Jonathan D.A. Jewell ", - }, - }, - - # Project configuration - project = { - name = "my-project", - version = "0.1.0", - description = "A project following Rhodium Standard Repositories", - - repository = { - url = "https://github.com/hyperpolymath/my-project", - type = "git", - }, - - author = { - name = "Jonathan D.A. Jewell", - email = "j.d.a.jewell@open.ac.uk", - organization = "The Open University", - }, - - license = "MPL-2.0", - - keywords = [ - "rhodium-standard", - "rsr", - "hyperpolymath", - ], - }, - - # Export as JSON for other tools - export = { - format = "json", - destination = "project-metadata.json", - }, -} diff --git a/contractiles/k9/examples/setup-repo.k9.ncl b/contractiles/k9/examples/setup-repo.k9.ncl deleted file mode 100644 index b635d5b..0000000 --- a/contractiles/k9/examples/setup-repo.k9.ncl +++ /dev/null 
@@ -1,167 +0,0 @@ -K9! -# SPDX-License-Identifier: MPL-2.0 -# Example Hunt-level K9 component: Repository setup automation -# Security Level: Hunt (full execution with Just recipes) -# ⚠️ SIGNATURE REQUIRED - DO NOT RUN WITHOUT VERIFICATION - -{ - pedigree = { - schema_version = "1.0.0", - component_type = "repository-setup", - security = { - leash = 'Hunt, - trust_level = "full-system-access", - allow_network = true, - allow_filesystem_write = true, - allow_subprocess = true, - signature_required = true, - }, - metadata = { - name = "setup-repo", - version = "1.0.0", - description = "Automated repository setup with RSR standards", - author = "Jonathan D.A. Jewell ", - }, - warnings = [ - "This component has full system access", - "Only run from trusted sources with verified signatures", - "Review Just recipes before execution", - "Use dry-run mode first: ./must --dry-run run setup-repo.k9.ncl", - ], - }, - - # Configuration with contracts - config = { - repo_name - | String - | std.string.NonEmpty - = "my-new-repo", - - repo_type - | [| 'Library, 'Application, 'Tool, 'Specification |] - = 'Application, - - primary_language - | String - | std.string.NonEmpty - = "rust", - - # RSR compliance features to enable - features = { - checkpoint_files | Bool = true, # STATE.scm, ECOSYSTEM.scm, META.scm - security_workflows | Bool = true, # CodeQL, Scorecard, etc. 
- quality_checks | Bool = true, # Linting, formatting - mirroring | Bool = false, # GitLab/Bitbucket mirrors - }, - - # Git configuration - git = { - default_branch = "main", - initial_commit | Bool = true, - remote_url | String = "", - }, - }, - - # Just recipes for execution - # These run when: ./must run setup-repo.k9.ncl - recipes = { - # Main entry point - default = { - recipe = "setup", - description = "Set up RSR-compliant repository", - }, - - # Individual setup tasks - setup = { - dependencies = ["check-env", "create-structure", "init-git", "setup-workflows"], - commands = [ - "echo '✅ Repository setup complete!'", - "echo 'Run: git status to see changes'", - ], - }, - - "check-env" = { - description = "Verify required tools are installed", - commands = [ - "command -v git || (echo 'ERROR: git not found' && exit 1)", - "command -v just || (echo 'ERROR: just not found' && exit 1)", - "command -v nickel || (echo 'ERROR: nickel not found' && exit 1)", - "echo '✓ All required tools present'", - ], - }, - - "create-structure" = { - description = "Create RSR directory structure", - commands = [ - "mkdir -p src/ docs/ tests/ scripts/", - "mkdir -p .github/workflows/", - "mkdir -p contractiles/k9/", - "echo '✓ Directory structure created'", - ], - }, - - "init-git" = { - description = "Initialize Git repository", - commands = [ - "git init -b %{config.git.default_branch}", - "git config user.name 'Jonathan D.A. 
Jewell'", - "git config user.email 'j.d.a.jewell@open.ac.uk'", - "echo '✓ Git initialized'", - ], - }, - - "setup-workflows" = { - description = "Add RSR-compliant workflows", - commands = [ - # This would copy workflow templates - # In a real implementation, would fetch from rsr-template-repo - "echo '✓ Workflows configured'", - ], - }, - - "create-checkpoint-files" = { - description = "Create STATE.scm, ECOSYSTEM.scm, META.scm", - commands = [ - "echo '(state (version \"1.0.0\") (project \"%{config.repo_name}\"))' > STATE.scm", - "echo '(ecosystem (version \"1.0.0\") (name \"%{config.repo_name}\"))' > ECOSYSTEM.scm", - "echo '(meta (version \"1.0.0\") (project \"%{config.repo_name}\"))' > META.scm", - "echo '✓ Checkpoint files created'", - ], - }, - - "add-license" = { - description = "Add PMPL-1.0 license", - commands = [ - "curl -sL https://raw.githubusercontent.com/hyperpolymath/pmpl/main/LICENSE -o LICENSE", - "echo '✓ License added'", - ], - }, - - "add-readme" = { - description = "Create README.adoc from template", - commands = [ - "echo '= %{config.repo_name}' > README.adoc", - "echo '' >> README.adoc", - "echo 'Part of the Hyperpolymath ecosystem.' >> README.adoc", - "echo '✓ README created'", - ], - }, - - clean = { - description = "Remove generated files (careful!)", - commands = [ - "echo '⚠️ This will delete all generated files'", - "echo 'Press Ctrl+C to cancel, or wait 5 seconds...'", - "sleep 5", - "rm -f STATE.scm ECOSYSTEM.scm META.scm", - "echo '✓ Cleaned'", - ], - }, - }, - - # Validation (Yard-level checks before Hunt execution) - validation = { - check_repo_name = std.string.length config.repo_name > 0, - check_language = std.string.length config.primary_language > 0, - }, -} diff --git a/contractiles/k9/template-hunt.k9.ncl b/contractiles/k9/template-hunt.k9.ncl deleted file mode 100644 index b3fcb47..0000000 --- a/contractiles/k9/template-hunt.k9.ncl +++ /dev/null 
@@ -1,136 +0,0 @@ -K9! -# SPDX-License-Identifier: MPL-2.0 -# K9 Hunt-level template: Full execution with Just recipes -# Security Level: Hunt (full system access) -# ⚠️ SIGNATURE REQUIRED - Review carefully before use - -{ - pedigree = { - schema_version = "1.0.0", - component_type = "TODO: describe component type (e.g., 'deployment', 'setup-script')", - security = { - leash = 'Hunt, - trust_level = "full-system-access", - allow_network = true, - allow_filesystem_write = true, - allow_subprocess = true, - signature_required = true, - }, - metadata = { - name = "TODO: component-name", - version = "1.0.0", - description = "TODO: Detailed description of what this component does", - author = "Jonathan D.A. Jewell ", - }, - warnings = [ - "This component has full system access", - "Only run from trusted sources with verified signatures", - "Review all Just recipes before execution", - "Use dry-run mode first: ./must --dry-run run your-file.k9.ncl", - ], - side_effects = [ - "TODO: List what files/directories this creates or modifies", - "TODO: List what commands this executes", - "TODO: List what network access this requires", - ], - }, - - # Configuration with contracts (Yard-level validation) - config = { - # Add your configuration here with appropriate contracts - target_dir - | String - | std.string.NonEmpty - = "/tmp/k9-output", - - dry_run | Bool = false, - - # Add more config as needed - }, - - # Just recipes for execution - # These run when: ./must run your-file.k9.ncl - recipes = { - # Main entry point (runs by default) - default = { - recipe = "TODO: main-task", - description = "TODO: What the default recipe does", - }, - - # Define your recipes here - "main-task" = { - dependencies = ["check-prerequisites"], - commands = [ - "echo 'TODO: Add your commands here'", - # Example: Create directory - # "mkdir -p %{config.target_dir}", - # Example: Run a command - # "just build", - # Example: Conditional execution - # "@if [ \"%{config.dry_run}\" = \"true\" ]; then 
echo '[DRY-RUN] Would execute'; else actual-command; fi", - ], - }, - - "check-prerequisites" = { - description = "Verify required tools and permissions", - commands = [ - # Example: Check for required tools - # "command -v git || (echo 'ERROR: git not found' && exit 1)", - # Example: Check permissions - # "[ -w %{config.target_dir} ] || (echo 'ERROR: Cannot write to target directory' && exit 1)", - "echo '✓ Prerequisites checked'", - ], - }, - - # Add more recipes as needed - "build" = { - description = "Build the project", - commands = [ - "echo 'TODO: Add build commands'", - ], - }, - - "deploy" = { - description = "Deploy the application", - dependencies = ["build"], - commands = [ - "echo 'TODO: Add deployment commands'", - ], - }, - - "clean" = { - description = "Clean up generated files", - commands = [ - "echo '⚠️ This will delete files - waiting 3 seconds...'", - "sleep 3", - "echo 'TODO: Add cleanup commands'", - # "rm -rf %{config.target_dir}", - ], - }, - }, - - # Validation (Yard-level checks before Hunt execution) - validation = { - check_target_dir = std.string.length config.target_dir > 0, - # Add more validation as needed - }, -} - -# Usage: -# 1. Fill in TODO items above -# 2. Define configuration with contracts -# 3. Implement Just recipes with your commands -# 4. Test with dry-run: ./must --dry-run run your-file.k9.ncl -# 5. Review dry-run output carefully -# 6. Sign the component: ./must sign your-file.k9.ncl -# 7. Distribute with signature: your-file.k9.ncl.sig -# 8. Users verify and run: ./must verify && ./must run your-file.k9.ncl -# -# Security checklist: -# ✓ All TODO items filled in -# ✓ side_effects documented accurately -# ✓ Commands reviewed for safety -# ✓ No hardcoded secrets or credentials -# ✓ Proper error handling in recipes -# ✓ Tested in dry-run mode -# ✓ Component signed with trusted key diff --git a/contractiles/k9/template-kennel.k9.ncl b/contractiles/k9/template-kennel.k9.ncl deleted file mode 100644 index 4228b26..0000000 
--- a/contractiles/k9/template-kennel.k9.ncl +++ /dev/null @@ -1,54 +0,0 @@ -K9! -# SPDX-License-Identifier: MPL-2.0 -# K9 Kennel-level template: Pure data configuration -# Security Level: Kennel (data-only, no execution) -# No signature required - safe for any use - -{ - pedigree = { - schema_version = "1.0.0", - component_type = "TODO: describe component type (e.g., 'build-config', 'metadata')", - security = { - leash = 'Kennel, - trust_level = "data-only", - allow_network = false, - allow_filesystem_write = false, - allow_subprocess = false, - }, - metadata = { - name = "TODO: component-name", - version = "1.0.0", - description = "TODO: Brief description of what this component contains", - author = "Jonathan D.A. Jewell ", - }, - }, - - # Your configuration data here - config = { - # Example: Pure data values - setting_1 = "value", - setting_2 = 42, - setting_3 = true, - - nested = { - key = "value", - }, - - list = [ - "item1", - "item2", - ], - }, - - # Optional: Export format specification - export = { - format = "json", # or "yaml", "toml" - destination = "output.json", - }, -} - -# Usage: -# 1. Fill in TODO items above -# 2. Add your configuration data to config = { ... } -# 3. Validate: nickel typecheck your-file.k9.ncl -# 4. Export: nickel export your-file.k9.ncl > output.json diff --git a/contractiles/k9/template-yard.k9.ncl b/contractiles/k9/template-yard.k9.ncl deleted file mode 100644 index a723f5a..0000000 --- a/contractiles/k9/template-yard.k9.ncl +++ /dev/null 
@@ -1,84 +0,0 @@ -K9! -# SPDX-License-Identifier: MPL-2.0 -# K9 Yard-level template: Configuration with validation -# Security Level: Yard (Nickel evaluation with contracts) -# Signature recommended but not required - -{ - pedigree = { - schema_version = "1.0.0", - component_type = "TODO: describe component type (e.g., 'validated-config', 'schema')", - security = { - leash = 'Yard, - trust_level = "validated-config", - allow_network = false, - allow_filesystem_write = false, - allow_subprocess = false, - }, - metadata = { - name = "TODO: component-name", - version = "1.0.0", - description = "TODO: Brief description with validation details", - author = "Jonathan D.A. Jewell ", - }, - }, - - # Configuration with Nickel contracts for validation - config = { - # Example: String that cannot be empty - name - | String - | std.string.NonEmpty - = "TODO: default value", - - # Example: Number with range constraint - port - | Number - | std.contract.from_predicate (fun p => p > 0 && p < 65536) - = 8080, - - # Example: Boolean flag - enabled | Bool = true, - - # Example: Enum (one of several values) - environment - | [| 'Development, 'Staging, 'Production |] - = 'Development, - - # Example: List with non-empty constraint - items - | Array String - | std.array.NonEmpty - = ["item1", "item2"], - - # Example: Nested object with contracts - database = { - host | String | std.string.NonEmpty = "localhost", - port | Number | std.contract.from_predicate (fun p => p > 0 && p < 65536) = 5432, - name | String | std.string.NonEmpty = "mydb", - }, - }, - - # Validation rules (additional cross-field checks) - validation = { - # Example: Check that at least one item exists - check_items = std.array.length config.items > 0, - - # Example: Check that production has secure settings - check_production = - if config.environment == 'Production then - config.enabled == true - else - true, - - # Add your custom validation rules here - }, -} - -# Usage: -# 1. Fill in TODO items above -# 2. 
Define your config with appropriate contracts -# 3. Add validation rules in validation = { ... } -# 4. Validate: nickel typecheck your-file.k9.ncl -# 5. Evaluate: nickel eval your-file.k9.ncl -# 6. If validation passes, use in your application diff --git a/contractiles/lust/Intentfile b/contractiles/lust/Intentfile deleted file mode 100644 index 12a7fc5..0000000 --- a/contractiles/lust/Intentfile +++ /dev/null @@ -1,21 +0,0 @@ -# SPDX-License-Identifier: PLMP-1.0-or-later -# Intentfile template - declared future intent - -version: 1 - -future: - trust-engine: - - "Integrate hardware-backed key management." - - "Support node attestation for deployments." - - control-plane: - - "Move to GitOps-backed configuration promotion." - - "Add canary and staged rollout support." - - pipeline: - - "Adopt Nickel (or your DSL) as the primary policy language." - - "Automate policy promotion from dev to prod with signed artifacts." - - introspection: - - "Expose decision latency and policy evaluation metrics." - - "Add tracing for end-to-end request decisions." diff --git a/contractiles/must/Mustfile b/contractiles/must/Mustfile deleted file mode 100644 index dc2c6b6..0000000 --- a/contractiles/must/Mustfile +++ /dev/null 
@@ -1,35 +0,0 @@ -# SPDX-License-Identifier: PLMP-1.0-or-later -# Mustfile - declarative state contract (template) -# See: https://github.com/hyperpolymath/mustfile - -version: 1 - -metadata: - name: project-state-contract - spec: v0.0.1 - description: "Invariant checks for config, policy, gateway, logs, and schema." - -parameters: - gateway_port: "8080" - schema_version: "v0.0.1" - -checks: - - name: config-valid - description: "config/service.yaml must be valid." - run: "yq -e '.' config/service.yaml >/dev/null" - - - name: policy-compiles - description: "policy/policy.ncl must compile." - run: "nickel check policy/policy.ncl" - - - name: gateway-exposes-port - description: "Service must expose the configured port." - run: "bash -uc 'ss -lnt | rg \":${GATEWAY_PORT:-8080}\"'" - - - name: logs-are-json - description: "Logs must be JSON." - run: "bash -uc 'rg --files -g \"*.json\" logs | xargs -r jq -e .'" - - - name: schema-version-matches - description: "Schema must match version spec." - run: "bash -uc 'rg -n \"${SCHEMA_VERSION:-v0.0.1}\" schema'" diff --git a/contractiles/trust/Trustfile.a2ml b/contractiles/trust/Trustfile.a2ml deleted file mode 100644 index 0f27695..0000000 --- a/contractiles/trust/Trustfile.a2ml +++ /dev/null 
@@ -1,25 +0,0 @@
-# SPDX-License-Identifier: MPL-2.0
-# Trustfile (A2ML Canonical)
-# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath)
-
-@abstract:
-Trust and provenance verification for Docmatrix.
-Maximal trust by default — LLM may read, build, test, lint, format.
-@end
-
-@trust-level: maximal
-@trust-boundary: repo
-@trust-actions: [read, build, test, lint, format]
-@trust-deny: [delete-branch, force-push, modify-ci-secrets, publish]
-
-## Integrity
-
-### license-content
-- description: LICENSE contains expected SPDX identifier
-- run: grep -q 'SPDX\|License\|MIT\|Apache\|PMPL\|MPL' LICENSE
-- severity: critical
-
-### no-secrets-committed
-- description: No .env or credential files in repo
-- run: test ! -f .env && test ! -f credentials.json && test ! -f .env.local
-- severity: critical
diff --git a/crates/formatrix-core/benches/format_bench.rs b/crates/formatrix-core/benches/format_bench.rs
index de0444a..286dc23 100644
--- a/crates/formatrix-core/benches/format_bench.rs
+++ b/crates/formatrix-core/benches/format_bench.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Benchmark tests for format conversion performance
 
 use formatrix_core::{
diff --git a/crates/formatrix-core/src/ast.rs b/crates/formatrix-core/src/ast.rs
index 1b9ef57..5b426cd 100644
--- a/crates/formatrix-core/src/ast.rs
+++ b/crates/formatrix-core/src/ast.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Unified document AST for multi-format conversion
 //!
 //! This AST is designed to be format-neutral while preserving semantic meaning.
diff --git a/crates/formatrix-core/src/ffi.rs b/crates/formatrix-core/src/ffi.rs
index 89edc6e..0dfefcc 100644
--- a/crates/formatrix-core/src/ffi.rs
+++ b/crates/formatrix-core/src/ffi.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! C FFI exports for Ada TUI integration (FD-M10)
 //!
 //! These functions provide a C-compatible interface for the Ada TUI
diff --git a/crates/formatrix-core/src/file_ops.rs b/crates/formatrix-core/src/file_ops.rs
index f913701..234e19f 100644
--- a/crates/formatrix-core/src/file_ops.rs
+++ b/crates/formatrix-core/src/file_ops.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! File operations for document loading and saving (FD-M06)
 //!
 //! Provides:
diff --git a/crates/formatrix-core/src/formats/asciidoc.rs b/crates/formatrix-core/src/formats/asciidoc.rs
index 5d114f3..54d45e2 100644
--- a/crates/formatrix-core/src/formats/asciidoc.rs
+++ b/crates/formatrix-core/src/formats/asciidoc.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! AsciiDoc format handler using asciidoc-parser
 //! FD-S01: SHOULD requirement
 
diff --git a/crates/formatrix-core/src/formats/djot.rs b/crates/formatrix-core/src/formats/djot.rs
index 3a0346b..bb930e3 100644
--- a/crates/formatrix-core/src/formats/djot.rs
+++ b/crates/formatrix-core/src/formats/djot.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Djot format handler using jotdown
 
 use crate::ast::{
diff --git a/crates/formatrix-core/src/formats/markdown.rs b/crates/formatrix-core/src/formats/markdown.rs
index 5d94fd7..8fc85b6 100644
--- a/crates/formatrix-core/src/formats/markdown.rs
+++ b/crates/formatrix-core/src/formats/markdown.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Markdown format handler using comrak
 
 use crate::ast::{
diff --git a/crates/formatrix-core/src/formats/mod.rs b/crates/formatrix-core/src/formats/mod.rs
index 9a50d88..04ab438 100644
--- a/crates/formatrix-core/src/formats/mod.rs
+++ b/crates/formatrix-core/src/formats/mod.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Format handlers for each supported format
 
 pub mod djot;
diff --git a/crates/formatrix-core/src/formats/orgmode.rs b/crates/formatrix-core/src/formats/orgmode.rs
index 1a7466b..891d81f 100644
--- a/crates/formatrix-core/src/formats/orgmode.rs
+++ b/crates/formatrix-core/src/formats/orgmode.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Org-mode format handler using orgize
 
 use crate::ast::{
diff --git a/crates/formatrix-core/src/formats/plaintext.rs b/crates/formatrix-core/src/formats/plaintext.rs
index e07abd0..75b392d 100644
--- a/crates/formatrix-core/src/formats/plaintext.rs
+++ b/crates/formatrix-core/src/formats/plaintext.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Plain text format handler
 
 use crate::ast::{Block, Document, DocumentMeta, Inline, SourceFormat};
diff --git a/crates/formatrix-core/src/formats/rst.rs b/crates/formatrix-core/src/formats/rst.rs
index 816053d..33b1a5b 100644
--- a/crates/formatrix-core/src/formats/rst.rs
+++ b/crates/formatrix-core/src/formats/rst.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! reStructuredText format handler using rst_parser
 //! FD-S02: SHOULD requirement
 
diff --git a/crates/formatrix-core/src/formats/typst.rs b/crates/formatrix-core/src/formats/typst.rs
index 352c46a..54dce31 100644
--- a/crates/formatrix-core/src/formats/typst.rs
+++ b/crates/formatrix-core/src/formats/typst.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Typst format handler using typst-syntax
 //! FD-S03: SHOULD requirement
 
diff --git a/crates/formatrix-core/src/lib.rs b/crates/formatrix-core/src/lib.rs
index 1f2229f..2bbd7d0 100644
--- a/crates/formatrix-core/src/lib.rs
+++ b/crates/formatrix-core/src/lib.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Formatrix Core - Unified document AST and format converters
 //!
 //! This crate provides:
diff --git a/crates/formatrix-core/src/traits.rs b/crates/formatrix-core/src/traits.rs
index fd57aab..0dda0c7 100644
--- a/crates/formatrix-core/src/traits.rs
+++ b/crates/formatrix-core/src/traits.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Parser and Renderer traits for format handlers
 
 use crate::ast::{Document, SourceFormat};
diff --git a/crates/formatrix-core/tests/aspect_test.rs b/crates/formatrix-core/tests/aspect_test.rs
index c0bc52e..d530291 100644
--- a/crates/formatrix-core/tests/aspect_test.rs
+++ b/crates/formatrix-core/tests/aspect_test.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Aspect and cross-cutting concern tests
 
 use formatrix_core::{
diff --git a/crates/formatrix-core/tests/e2e_test.rs b/crates/formatrix-core/tests/e2e_test.rs
index ebb7881..e0fbfd8 100644
--- a/crates/formatrix-core/tests/e2e_test.rs
+++ b/crates/formatrix-core/tests/e2e_test.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! End-to-end format conversion tests
 
 use formatrix_core::{
diff --git a/crates/formatrix-core/tests/property_test.rs b/crates/formatrix-core/tests/property_test.rs
index 4add6f3..819fa38 100644
--- a/crates/formatrix-core/tests/property_test.rs
+++ b/crates/formatrix-core/tests/property_test.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Property-based tests for format conversion correctness
 
 use formatrix_core::{
diff --git a/crates/formatrix-core/tests/unit_test.rs b/crates/formatrix-core/tests/unit_test.rs
index e43feb8..818ad49 100644
--- a/crates/formatrix-core/tests/unit_test.rs
+++ b/crates/formatrix-core/tests/unit_test.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Comprehensive unit tests for formatrix-core
 use formatrix_core::{
diff --git a/crates/formatrix-db/src/lib.rs b/crates/formatrix-db/src/lib.rs
index dd0da14..e7ebcc7 100644
--- a/crates/formatrix-db/src/lib.rs
+++ b/crates/formatrix-db/src/lib.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Formatrix DB - ArangoDB client for gist library and graph storage
 //!
 //! Provides:
diff --git a/crates/formatrix-gui/src/commands.rs b/crates/formatrix-gui/src/commands.rs
index 998eebb..a8d5599 100644
--- a/crates/formatrix-gui/src/commands.rs
+++ b/crates/formatrix-gui/src/commands.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Gossamer commands for document operations
 //!
 //! Each public function is registered as a Gossamer IPC command in main.rs.
diff --git a/crates/formatrix-gui/src/lib.rs b/crates/formatrix-gui/src/lib.rs
index 6f0e616..250ec4d 100644
--- a/crates/formatrix-gui/src/lib.rs
+++ b/crates/formatrix-gui/src/lib.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Formatrix GUI - Gossamer desktop application
 //!
 //! Document editor commands exposed via Gossamer IPC.
diff --git a/crates/formatrix-gui/src/main.rs b/crates/formatrix-gui/src/main.rs
index 0ccdbda..f4fbaed 100644
--- a/crates/formatrix-gui/src/main.rs
+++ b/crates/formatrix-gui/src/main.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Formatrix Docs - Gossamer desktop application
 //!
 //! Cross-platform document editor with format tabs.
diff --git a/crates/formatrix-pipeline/src/lib.rs b/crates/formatrix-pipeline/src/lib.rs
index 4f2d7a0..515fff2 100644
--- a/crates/formatrix-pipeline/src/lib.rs
+++ b/crates/formatrix-pipeline/src/lib.rs
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Formatrix Pipeline - Nickel-based content transformation engine
 //!
 //! Pipelines define content transformations for import/export:
diff --git a/docs/CITATIONS.adoc b/docs/CITATIONS.adoc
index 6958b05..548dd9c 100644
--- a/docs/CITATIONS.adoc
+++ b/docs/CITATIONS.adoc
@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 = docmatrix - Citation Guide
 :toc:
diff --git a/docs/DOCUMENTATION-SYSTEM-ARCHITECTURE.adoc b/docs/DOCUMENTATION-SYSTEM-ARCHITECTURE.adoc
index dbb3011..9fc6060 100644
--- a/docs/DOCUMENTATION-SYSTEM-ARCHITECTURE.adoc
+++ b/docs/DOCUMENTATION-SYSTEM-ARCHITECTURE.adoc
@@ -1,9 +1,10 @@
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 = Documentation System Architecture
 :toc: left
 :toclevels: 3
 :icons: font
 :source-highlighter: highlightjs
-// SPDX-License-Identifier: MPL-2.0-or-later
 == Overview
diff --git a/docs/MOSCOW-REQUIREMENTS.adoc b/docs/MOSCOW-REQUIREMENTS.adoc
index d84b9a3..c1a4f9d 100644
--- a/docs/MOSCOW-REQUIREMENTS.adoc
+++ b/docs/MOSCOW-REQUIREMENTS.adoc
@@ -1,9 +1,10 @@
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 = MoSCoW Requirements - Documentation Ecosystem
 :toc: left
 :toclevels: 4
 :icons: font
 :source-highlighter: highlightjs
-// SPDX-License-Identifier: MPL-2.0-or-later
 == Overview
diff --git a/docs/SEAM-CHECK-MUSTS.adoc b/docs/SEAM-CHECK-MUSTS.adoc
index 21d8d51..c2ca82e 100644
--- a/docs/SEAM-CHECK-MUSTS.adoc
+++ b/docs/SEAM-CHECK-MUSTS.adoc
@@ -1,4 +1,5 @@
-// SPDX-License-Identifier: MPL-2.0-or-later
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 = Seam Check Report: MUST Requirements
 :author: Claude Code
 :revdate: 2025-01-03
diff --git a/docs/V1-PUBLISH-ROADMAP.adoc b/docs/V1-PUBLISH-ROADMAP.adoc
index 52f88bd..e7a2c31 100644
--- a/docs/V1-PUBLISH-ROADMAP.adoc
+++ b/docs/V1-PUBLISH-ROADMAP.adoc
@@ -1,4 +1,5 @@
-// SPDX-License-Identifier: MPL-2.0-or-later
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 = Formatrix Ecosystem v1 Publish Roadmap
 :toc: left
 :toclevels: 3
diff --git a/docs/tech-debt-2026-05-26.md b/docs/tech-debt-2026-05-26.md
index 68816a5..e0eb536 100644
--- a/docs/tech-debt-2026-05-26.md
+++ b/docs/tech-debt-2026-05-26.md
@@ -1,4 +1,5 @@ SPDX-License-Identifier: MPL-2.0 SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell (hyperpolymath) -->
diff --git a/examples/example.zig b/examples/example.zig
index aad02e0..7470ea8 100644
--- a/examples/example.zig
+++ b/examples/example.zig
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Example usage of zig-formatrix-ffi
 const std = @import("std");
diff --git a/ffi/zig/build.zig b/ffi/zig/build.zig
index 4a2e049..c02617f 100644
--- a/ffi/zig/build.zig
+++ b/ffi/zig/build.zig
@@ -1,5 +1,6 @@
-// {{PROJECT}} FFI Build Configuration
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
+// {{PROJECT}} FFI Build Configuration
 const std = @import("std");
diff --git a/ffi/zig/src/main.zig b/ffi/zig/src/main.zig
index db69aec..d9b48a6 100644
--- a/ffi/zig/src/main.zig
+++ b/ffi/zig/src/main.zig
@@ -1,9 +1,10 @@
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 // DOCMATRIX FFI Implementation
 //
 // This module implements the C-compatible FFI declared in src/abi/Foreign.idr
 // All types and layouts must match the Idris2 ABI definitions.
 //
-// SPDX-License-Identifier: MPL-2.0
 const std = @import("std");
diff --git a/ffi/zig/test/integration_test.zig b/ffi/zig/test/integration_test.zig
index 0341994..e481508 100644
--- a/ffi/zig/test/integration_test.zig
+++ b/ffi/zig/test/integration_test.zig
@@ -1,5 +1,6 @@
-// {{PROJECT}} Integration Tests
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
+// {{PROJECT}} Integration Tests
 //
 // These tests verify that the Zig FFI correctly implements the Idris2 ABI
diff --git a/flake.nix b/flake.nix
deleted file mode 100644
index 9f4bea6..0000000
--- a/flake.nix
+++ /dev/null
@@ -1,116 +0,0 @@
-{
- description = "docmatrix - {project-description}";
-
- # *REMINDER: Update inputs with actual dependencies*
- inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
- flake-utils.url = "github:numtide/flake-utils";
- # Add language-specific inputs:
- # rust-overlay.url = "github:oxalica/rust-overlay"; # For Rust
- # fenix.url = "github:nix-community/fenix"; # Alternative Rust
- };
-
- outputs = { self, nixpkgs, flake-utils, ... }@inputs:
- flake-utils.lib.eachDefaultSystem (system:
- let
- pkgs = import nixpkgs {
- inherit system;
- # overlays = [ (import inputs.rust-overlay) ]; # For Rust
- };
-
- # *REMINDER: Define build dependencies*
- buildInputs = with pkgs; [
- # Language-specific dependencies:
- # gnat13 # Ada
- # cargo rustc # Rust
- # elixir # Elixir
- # For build tools:
- just
- podman
- git
- ];
-
- # *REMINDER: Define development dependencies*
- nativeBuildInputs = with pkgs; [
- # Development tools:
- ripgrep # Code search
- lychee # Link validation
- # Language-specific:
- # rustfmt clippy # Rust
- # mix # Elixir
- ];
-
- in
- {
- # Development shell
- devShells.default = pkgs.mkShell {
- inherit buildInputs nativeBuildInputs;
-
- shellHook = ''
- echo "🚀 docmatrix development environment"
- echo "Language: rust"
- echo ""
- echo "Available commands:"
- echo " just --list # Show all tasks"
- echo " just setup # Set up environment"
- echo " just build # Build project"
- echo " just test # Run tests"
- echo " just validate # RSR compliance"
- echo ""
- # *REMINDER: Add language-specific environment setup*
- # export CARGO_HOME=$PWD/.cargo # Rust
- # export MIX_HOME=$PWD/.mix # Elixir
- '';
- };
-
- # Packages
- packages.default = pkgs.stdenv.mkDerivation {
- pname = "docmatrix";
- version = "0.1.0";
- src = ./.;
-
- inherit buildInputs nativeBuildInputs;
-
- buildPhase = ''
- # *REMINDER: Add build commands*
- # For Rust: cargo build --release
- # For Elixir: mix compile
- # For Ada: gprbuild -P docmatrix.gpr -XMODE=release
- '';
- installPhase = ''
- mkdir -p $out/bin
- # *REMINDER: Add install commands*
- # cp target/release/docmatrix $out/bin/ # Rust
- # cp bin/docmatrix $out/bin/ # Ada
- '';
-
- meta = with pkgs.lib; {
- description = "{project-description}";
- homepage = "{repo-url}";
- license = with licenses; [ mit ]; # MIT + Palimpsest
- maintainers = [ "{maintainer-name}" ];
- platforms = platforms.unix;
- };
- };
-
- # Apps
- apps.default = {
- type = "app";
- program = "${self.packages.${system}.default}/bin/docmatrix";
- };
-
- # Checks (CI/CD integration)
- checks = {
- build = self.packages.${system}.default;
- # *REMINDER: Add test checks*
- test = pkgs.runCommand "test-docmatrix" {
- buildInputs = [ self.packages.${system}.default ];
- } ''
- # Run tests here
- touch $out
- '';
- };
- }
- );
-}
diff --git a/fuzz/fuzz_targets/fuzz_main.rs b/fuzz/fuzz_targets/fuzz_main.rs
index 1f71ba3..c8b2200 100644
--- a/fuzz/fuzz_targets/fuzz_main.rs
+++ b/fuzz/fuzz_targets/fuzz_main.rs
@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 #![no_main]
 use libfuzzer_sys::fuzz_target;
diff --git a/llm-warmup-dev.md b/llm-warmup-dev.md
index 6ce7f12..7f9157b 100644
--- a/llm-warmup-dev.md
+++ b/llm-warmup-dev.md
@@ -1,3 +1,7 @@
+
 # LLM Warmup — docmatrix (Developer)
 ## What is docmatrix?
diff --git a/llm-warmup-user.md b/llm-warmup-user.md
index de18786..914cb0c 100644
--- a/llm-warmup-user.md
+++ b/llm-warmup-user.md
@@ -1,3 +1,7 @@
+
 # LLM Warmup — docmatrix (User)
 ## What is docmatrix?
diff --git a/nix/flake.nix b/nix/flake.nix
deleted file mode 100644
index 628b481..0000000
--- a/nix/flake.nix
+++ /dev/null
@@ -1,134 +0,0 @@
-# SPDX-License-Identifier: MPL-2.0
-# Formatrix Docs - Nix Flake (Fallback for non-Guix systems)
-# Copyright (C) 2025 Jonathan D.A. Jewell
-{
- description = "Cross-platform document editor with format tabs";
-
- inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
- rust-overlay.url = "github:oxalica/rust-overlay";
- flake-utils.url = "github:numtide/flake-utils";
- };
-
- outputs = { self, nixpkgs, rust-overlay, flake-utils, ... }:
- flake-utils.lib.eachDefaultSystem (system:
- let
- overlays = [ (import rust-overlay) ];
- pkgs = import nixpkgs {
- inherit system overlays;
- };
-
- rustToolchain = pkgs.rust-bin.stable.latest.default.override {
- extensions = [ "rust-src" "rust-analyzer" ];
- targets = [ "wasm32-unknown-unknown" ];
- };
- in
- {
- devShells.default = pkgs.mkShell {
- buildInputs = with pkgs; [
- # Rust
- rustToolchain
- pkg-config
- openssl
-
- # Ada/GNAT
- gnat
- gprbuild
-
- # TUI dependencies
- ncurses
-
- # GUI dependencies (Tauri)
- gtk3
- webkitgtk
- libsoup
-
- # ReScript/Deno
- deno
- nodejs_20
-
- # External tools
- tesseract
- espeak-ng
- hunspell
- pandoc
-
- # Database
- arangodb
-
- # Nickel
- nickel
-
- # Development
- just
- ];
-
- shellHook = ''
- echo "Formatrix Docs development environment"
- echo " Rust: $(rustc --version)"
- echo " GNAT: $(gnat --version | head -1)"
- echo " Deno: $(deno --version | head -1)"
- echo ""
- echo "Run 'just' to see available commands"
- '';
-
- RUST_SRC_PATH = "${rustToolchain}/lib/rustlib/src/rust/library";
- };
-
- packages = {
- formatrix-core = pkgs.rustPlatform.buildRustPackage {
- pname = "formatrix-core";
- version = "0.1.0";
- src = ../.;
- cargoLock.lockFile = ../Cargo.lock;
- buildAndTestSubdir = "crates/formatrix-core";
- };
-
- formatrix-gui = pkgs.rustPlatform.buildRustPackage {
- pname = "formatrix-gui";
- version = "0.1.0";
- src = ../.;
- cargoLock.lockFile = ../Cargo.lock;
- buildAndTestSubdir = "crates/formatrix-gui";
-
- nativeBuildInputs = with pkgs; [
- pkg-config
- ];
-
- buildInputs = with pkgs; [
- gtk3
- webkitgtk
- libsoup
- openssl
- ];
- };
-
- formatrix-tui = pkgs.stdenv.mkDerivation {
- pname = "formatrix-tui";
- version = "0.1.0";
- src = ../tui;
-
- nativeBuildInputs = with pkgs; [
- gnat
- gprbuild
- ];
-
- buildInputs = with pkgs; [
- ncurses
- ];
-
- buildPhase = ''
- gprbuild -P formatrix_tui.gpr -XMODE=release
- '';
-
- installPhase = ''
- mkdir -p $out/bin
- cp bin/formatrix-tui $out/bin/
- '';
- };
-
- default = self.packages.${system}.formatrix-gui;
- };
- }
- );
-}
diff --git a/src/formatrix.zig b/src/formatrix.zig
index ac162d6..86b1916 100644
--- a/src/formatrix.zig
+++ b/src/formatrix.zig
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell
 //! Zig bindings for formatrix-core
 //!
 //! Provides a type-safe Zig interface to the Formatrix document library.