diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index b59be5f..410dc3c 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,19 +1,19 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later name: BoJ Server Build Trigger - on: push: - branches: [ main, master ] + branches: [main, master] workflow_dispatch: - jobs: trigger-boj: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Trigger BoJ Server (Casket/ssg-mcp) run: | # Send a secure trigger to boj-server to build this repository curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} continue-on-error: true +permissions: + contents: read diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 369dc8e..895d4cd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -5,7 +5,8 @@ name: CodeQL Security Analysis on: workflow_dispatch: # Manual trigger only -permissions: read-all +permissions: + contents: read jobs: placeholder: diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index 94417d1..bffa3ff 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Guix/Nix Package Policy on: [push, pull_request] diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml index f2bf132..1250a56 100644 --- a/.github/workflows/hypatia-scan.yml +++ b/.github/workflows/hypatia-scan.yml @@ -11,7 +11,8 @@ on: - cron: '0 0 * * 0' # Weekly on Sunday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scan: diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index c30063e..5eae0f8 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -7,7 +7,8 @@ on: branches: [main] workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: mirror-gitlab: diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index 232f191..c6312ce 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -2,7 +2,8 @@ name: NPM/Bun Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 79b0ae2..720ed36 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Code Quality on: [push, pull_request] diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml index 24ebdf7..e89406f 100644 --- a/.github/workflows/rsr-antipattern.yml +++ b/.github/workflows/rsr-antipattern.yml @@ -5,7 +5,8 @@ # Enforces: No TypeScript, No Go, No Python (except SaltStack), No npm # Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme -permissions: read-all +permissions: + contents: read name: RSR Anti-Pattern Check diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index e18f75e..45575a6 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -9,7 +9,8 @@ on: - cron: '0 6 * * 1' # Weekly on Monday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scorecard: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 4f50b48..5cbfad5 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -6,7 +6,8 @@ on: schedule: - cron: '0 4 * * 0' -permissions: read-all +permissions: + contents: read jobs: analysis: @@ -26,6 +27,6 @@ jobs: results_format: sarif - name: Upload results - uses: github/codeql-action/upload-sarif@v4.31.10 + uses: github/codeql-action/upload-sarif@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3.31.10 with: sarif_file: results.sarif diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index 1486c72..76d2b2e 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -7,7 +7,8 @@ on: push: branches: [main] -permissions: read-all +permissions: + contents: read jobs: trufflehog: diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index 56a55a5..91ac34b 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Security Policy on: [push, pull_request] diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index a26367b..854bf8b 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml @@ -2,7 +2,8 @@ name: TypeScript/JavaScript Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml index 9a4a866..f8c6b90 100644 --- a/.github/workflows/wellknown-enforcement.yml +++ b/.github/workflows/wellknown-enforcement.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Well-Known Standards (RFC 9116 + RSR) on: diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index 1103b32..7c27e69 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -12,7 +12,8 @@ on: - '.github/workflows/**' workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: lint-workflows: @@ -53,7 +54,8 @@ jobs: fi done if [ $failed -eq 1 ]; then - echo "Add 'permissions: read-all' at workflow level" + echo "Add 'permissions: + contents: read' at workflow level" exit 1 fi echo "All workflows have permissions declared" @@ -63,7 +65,7 @@ jobs: echo "=== Checking Action Pinning ===" # Find any uses: lines that don't have @SHA format # Pattern: uses: owner/repo@<40-char-hex> - unpinned=$(grep -rn "uses:" .github/workflows/ | \ + unpinned=$(grep -rnE "^[[:space:]]+uses:" .github/workflows/ | \ grep -v "@[a-f0-9]\{40\}" | \ grep -v "uses: \./\|uses: docker://\|uses: actions/github-script" || true) diff --git a/.machine_readable/contractiles/dust/Dustfile.a2ml b/.machine_readable/contractiles/dust/Dustfile.a2ml new file mode 100644 index 0000000..d7dfc19 --- /dev/null +++ b/.machine_readable/contractiles/dust/Dustfile.a2ml @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Dustfile — Cleanup and Hygiene Contract + +[dustfile] +version = "1.0.0" +format = "a2ml" + +[cleanup] +stale-branch-policy = "delete-after-merge" +artifact-retention = "90-days" +cache-policy = "clear-on-release" + +[hygiene] +linting = "required" +formatting = "required" +dead-code-removal = "encouraged" +todo-tracking = "tracked-in-issues" + +[reversibility] +backup-before-destructive = true +rollback-mechanism = "git-revert" +data-retention-policy = "preserve-30-days" diff --git a/.machine_readable/contractiles/trust/Trustfile.a2ml b/.machine_readable/contractiles/trust/Trustfile.a2ml new file mode 100644 index 0000000..6f2c39c --- /dev/null +++ b/.machine_readable/contractiles/trust/Trustfile.a2ml @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Trustfile — Integrity and Provenance Contract + +[trustfile] +version = "1.0.0" +format = "a2ml" + +[provenance] +source-control = "git" +forge = "github" +ci-verified = true +signing-policy = "commit-signing-preferred" + +[integrity] +spdx-compliant = true +license-audit = "required" +dependency-pinning = "sha-pinned" + +[verification] +reproducible-builds = "goal" +sbom-generation = "required" +attestation = "sigstore-preferred" diff --git a/.machine_readable/integrations/feedback-o-tron.a2ml b/.machine_readable/integrations/feedback-o-tron.a2ml new file mode 100644 index 0000000..1c473ae --- /dev/null +++ b/.machine_readable/integrations/feedback-o-tron.a2ml @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Feedback-o-Tron Integration — Autonomous Bug Reporting + +[integration] +name = "feedback-o-tron" +type = "bug-reporter" +repository = "https://github.com/hyperpolymath/feedback-o-tron" + +[reporting-config] +platforms = ["github", "gitlab", "bugzilla"] +deduplication = true +audit-logging = true +auto-file-upstream = "on-external-dependency-failure" diff --git a/.machine_readable/integrations/proven.a2ml b/.machine_readable/integrations/proven.a2ml new file mode 100644 index 0000000..6b3e805 --- /dev/null +++ b/.machine_readable/integrations/proven.a2ml @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Proven Integration — Formally Verified Safety Library + +[integration] +name = "proven" +type = "safety-library" +repository = "https://github.com/hyperpolymath/proven" +version = "1.2.0" + +[binding-policy] +approach = "thin-ffi-wrapper" +unsafe-patterns = "replace-with-proven-equivalent" +modules-available = ["SafeMath", "SafeString", "SafeJSON", "SafeURL", "SafeRegex", "SafeSQL", "SafeFile", "SafeTemplate", "SafeCrypto"] + +[adoption-guidance] +priority = "high" +scope = "all-string-json-url-crypto-operations" +migration = "incremental — replace unsafe patterns as encountered" diff --git a/.machine_readable/integrations/verisimdb.a2ml b/.machine_readable/integrations/verisimdb.a2ml new file mode 100644 index 0000000..2c8f8f5 --- /dev/null +++ b/.machine_readable/integrations/verisimdb.a2ml @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# VeriSimDB Feed — Cross-Repo Analytics Data Store + +[integration] +name = "verisimdb" +type = "data-feed" +repository = "https://github.com/hyperpolymath/nextgen-databases" +data-store = "verisimdb-data" + +[feed-config] +emit-scan-results = true +emit-build-metrics = true +emit-dependency-graph = true +format = "hexad" +destination = "verisimdb-data/feeds/" diff --git a/.machine_readable/integrations/vexometer.a2ml b/.machine_readable/integrations/vexometer.a2ml new file mode 100644 index 0000000..bb7fc43 --- /dev/null +++ b/.machine_readable/integrations/vexometer.a2ml @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Vexometer Integration — Irritation Surface Analysis + +[integration] +name = "vexometer" +type = "friction-measurement" +repository = "https://github.com/hyperpolymath/vexometer" + +[measurement-config] +dimensions = 10 +emit-isa-reports = true +lazy-eliminator = true +satellite-interventions = true + +[hooks] +cli-tools = "measure-on-error" +ui-panels = "measure-on-interaction" +build-failures = "measure-on-failure" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..37747fa --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,66 @@ + +# Contributing + +Thank you for your interest in contributing! We follow a "Dual-Track" architecture where human-readable documentation lives in the root and machine-readable policies live in `.machine_readable/`. + +## How to Contribute + +We welcome contributions in many forms: + +- **Code:** Improving the core stack or extensions +- **Documentation:** Enhancing docs or AI manifests +- **Testing:** Adding property-based tests or formal proofs +- **Bug reports:** Filing clear, reproducible issues + +## Getting Started + +1. **Read the AI Manifest:** Start with `0-AI-MANIFEST.a2ml` (if present) to understand the repository structure. +2. **Environment:** Use `nix develop` or `direnv allow` to set up your tools. +3. **Task Runner:** Use `just` to see available commands (`just --list`). + +## Development Workflow + +### Branch Naming + +``` +docs/short-description # Documentation +test/what-added # Test additions +feat/short-description # New features +fix/issue-number-description # Bug fixes +refactor/what-changed # Code improvements +security/what-fixed # Security fixes +``` + +### Commit Messages + +We follow [Conventional Commits](https://www.conventionalcommits.org/): + +``` +(): + +[optional body] + +[optional footer] +``` + +Types: `feat`, `fix`, `docs`, `test`, `refactor`, `ci`, `chore`, `security` + +## Reporting Bugs + +Before reporting: +1. Search existing issues +2. Check if it's already fixed in `main` + +When reporting, include: +- Clear, descriptive title +- Environment details (OS, versions, toolchain) +- Steps to reproduce +- Expected vs actual behaviour + +## Code of Conduct + +All contributors are expected to adhere to our [Code of Conduct](CODE_OF_CONDUCT.md). + +## License + +By contributing, you agree that your contributions will be licensed under the same license as the project (see [LICENSE](LICENSE)). diff --git a/justfile b/justfile index 9606e17..969caba 100644 --- a/justfile +++ b/justfile @@ -70,3 +70,7 @@ validate: test rsr-check verify-scanning build-riscv: @echo "Building for RISC-V..." cross build --target riscv64gc-unknown-linux-gnu + +# Run panic-attacker pre-commit scan +assail: + @command -v panic-attack >/dev/null 2>&1 && panic-attack assail . || echo "panic-attack not found — install from https://github.com/hyperpolymath/panic-attacker" diff --git a/tests/fuzz/placeholder.txt b/tests/fuzz/placeholder.txt new file mode 100644 index 0000000..8621280 --- /dev/null +++ b/tests/fuzz/placeholder.txt @@ -0,0 +1 @@ +Scorecard requirement placeholder