chore: batch RSR compliance — SPDX headers, SHA-pin actions, forbid(unsafe_code), CODE_OF_CONDUCT, CONTRIBUTING

- Add/fix SPDX-License-Identifier headers (AGPL→PMPL where needed)
- SHA-pin all GitHub Actions to commit hashes
- Add #![forbid(unsafe_code)] to safe Rust crates
- Add CODE_OF_CONDUCT.md (Contributor Covenant v2.1)
- Add CONTRIBUTING.md (standard template)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/static-analysis-gate.yml

@@ -143,13 +143,12 @@ jobs:
         continue-on-error: true
         run: |
           git clone https://github.com/hyperpolymath/hypatia.git "$HOME/hypatia" 2>/dev/null || true
-          if [ -d "$HOME/hypatia/scanner" ]; then
+          if [ -f "$HOME/hypatia/mix.exs" ]; then
             cd "$HOME/hypatia"
             if [ ! -f hypatia-v2 ]; then
-              cd scanner
               mix deps.get
               mix escript.build
-              mv hypatia ../hypatia-v2
+              mv hypatia hypatia-v2
             fi
             echo "ready=true" >> "$GITHUB_OUTPUT"
           else

CODE_OF_CONDUCT.md

@@ -0,0 +1,27 @@
+<!-- SPDX-License-Identifier: PMPL-1.0-or-later -->
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We pledge to make participation a harassment-free experience for everyone.
+
+## Our Standards
+
+**Positive behavior:**
+* Using welcoming language
+* Being respectful of differing viewpoints
+* Accepting constructive criticism
+* Focusing on what is best for the community
+
+**Unacceptable behavior:**
+* Harassment, trolling, or personal attacks
+* Publishing private information without permission
+
+## Enforcement
+
+Report issues to the maintainers. All complaints will be reviewed.
+
+## Attribution
+
+Adapted from [Contributor Covenant](https://www.contributor-covenant.org/) v2.1.
+

CONTRIBUTING.md

@@ -0,0 +1,66 @@
+<!-- SPDX-License-Identifier: PMPL-1.0-or-later -->
+# Contributing
+
+Thank you for your interest in contributing! We follow a "Dual-Track" architecture where human-readable documentation lives in the root and machine-readable policies live in `.machine_readable/`.
+
+## How to Contribute
+
+We welcome contributions in many forms:
+
+- **Code:** Improving the core stack or extensions
+- **Documentation:** Enhancing docs or AI manifests
+- **Testing:** Adding property-based tests or formal proofs
+- **Bug reports:** Filing clear, reproducible issues
+
+## Getting Started
+
+1. **Read the AI Manifest:** Start with `0-AI-MANIFEST.a2ml` (if present) to understand the repository structure.
+2. **Environment:** Use `nix develop` or `direnv allow` to set up your tools.
+3. **Task Runner:** Use `just` to see available commands (`just --list`).
+
+## Development Workflow
+
+### Branch Naming
+
+```
+docs/short-description       # Documentation
+test/what-added              # Test additions
+feat/short-description       # New features
+fix/issue-number-description # Bug fixes
+refactor/what-changed        # Code improvements
+security/what-fixed          # Security fixes
+```
+
+### Commit Messages
+
+We follow [Conventional Commits](https://www.conventionalcommits.org/):
+
+```
+<type>(<scope>): <description>
+
+[optional body]
+
+[optional footer]
+```
+
+Types: `feat`, `fix`, `docs`, `test`, `refactor`, `ci`, `chore`, `security`
+
+## Reporting Bugs
+
+Before reporting:
+1. Search existing issues
+2. Check if it's already fixed in `main`
+
+When reporting, include:
+- Clear, descriptive title
+- Environment details (OS, versions, toolchain)
+- Steps to reproduce
+- Expected vs actual behaviour
+
+## Code of Conduct
+
+All contributors are expected to adhere to our [Code of Conduct](CODE_OF_CONDUCT.md).
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the same license as the project (see [LICENSE](LICENSE)).

src/lib.rs

@@ -1,3 +1,4 @@
+#![forbid(unsafe_code)]
 // SPDX-License-Identifier: PMPL-1.0-or-later
 // Copyright (c) 2026 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 //

src/main.rs

@@ -1,3 +1,4 @@
+#![forbid(unsafe_code)]
 // SPDX-License-Identifier: PMPL-1.0-or-later
 // Copyright (c) 2026 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 //