diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index e9b7b17..166615e 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later name: BoJ Server Build Trigger on: push: @@ -8,10 +9,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Trigger BoJ Server (Casket/ssg-mcp) run: | # Send a secure trigger to boj-server to build this repository curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} continue-on-error: true -permissions: read-all +permissions: + contents: read diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a90076e..982a028 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,7 +9,8 @@ on: schedule: - cron: '0 6 * * 1' -permissions: read-all +permissions: + contents: read jobs: analyze: diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index 3e1103a..a8e8f4e 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -2,7 +2,8 @@ name: Guix/Nix Package Policy on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml index 23adfcd..8c9d807 100644 --- a/.github/workflows/hypatia-scan.yml +++ b/.github/workflows/hypatia-scan.yml @@ -11,7 +11,8 @@ on: - cron: '0 0 * * 0' # Weekly on Sunday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scan: diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index f914ba3..1bb153e 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -7,7 +7,8 @@ on: branches: [main] workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: mirror-gitlab: diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index 2d2783b..c6b6726 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -2,7 +2,8 @@ name: NPM/Bun Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 6bf5e48..284758d 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -3,7 +3,8 @@ name: Code Quality on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: lint: diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml index a001dcd..e81eafa 100644 --- a/.github/workflows/rsr-antipattern.yml +++ b/.github/workflows/rsr-antipattern.yml @@ -14,7 +14,8 @@ on: branches: [main, master, develop] -permissions: read-all +permissions: + contents: read jobs: antipattern-check: diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index 971951f..0e89dff 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -9,7 +9,8 @@ on: - cron: '0 6 * * 1' # Weekly on Monday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scorecard: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5521169..b68bcca 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -7,7 +7,8 @@ on: - cron: '0 4 * * *' workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: analysis: diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index a68f9ac..e1c1da8 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -7,7 +7,8 @@ on: push: branches: [main] -permissions: read-all +permissions: + contents: read jobs: trufflehog: diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index d4e9701..06d030c 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -2,7 +2,8 @@ name: Security Policy on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index 5c34a58..6a09ba2 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml @@ -2,7 +2,8 @@ name: TypeScript/JavaScript Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml index 125b20c..351b0da 100644 --- a/.github/workflows/wellknown-enforcement.yml +++ b/.github/workflows/wellknown-enforcement.yml @@ -15,7 +15,8 @@ on: workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: validate: diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index 9bb4d39..62506ed 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -12,7 +12,8 @@ on: - '.github/workflows/**' workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: lint-workflows: @@ -53,7 +54,8 @@ jobs: fi done if [ $failed -eq 1 ]; then - echo "Add 'permissions: read-all' at workflow level" + echo "Add 'permissions: + contents: read' at workflow level" exit 1 fi echo "All workflows have permissions declared" diff --git a/.machine_readable/contractiles/dust/Dustfile.a2ml b/.machine_readable/contractiles/dust/Dustfile.a2ml new file mode 100644 index 0000000..d7dfc19 --- /dev/null +++ b/.machine_readable/contractiles/dust/Dustfile.a2ml @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Dustfile — Cleanup and Hygiene Contract + +[dustfile] +version = "1.0.0" +format = "a2ml" + +[cleanup] +stale-branch-policy = "delete-after-merge" +artifact-retention = "90-days" +cache-policy = "clear-on-release" + +[hygiene] +linting = "required" +formatting = "required" +dead-code-removal = "encouraged" +todo-tracking = "tracked-in-issues" + +[reversibility] +backup-before-destructive = true +rollback-mechanism = "git-revert" +data-retention-policy = "preserve-30-days" diff --git a/.machine_readable/contractiles/trust/Trustfile.a2ml b/.machine_readable/contractiles/trust/Trustfile.a2ml new file mode 100644 index 0000000..6f2c39c --- /dev/null +++ b/.machine_readable/contractiles/trust/Trustfile.a2ml @@ -0,0 +1,22 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Trustfile — Integrity and Provenance Contract + +[trustfile] +version = "1.0.0" +format = "a2ml" + +[provenance] +source-control = "git" +forge = "github" +ci-verified = true +signing-policy = "commit-signing-preferred" + +[integrity] +spdx-compliant = true +license-audit = "required" +dependency-pinning = "sha-pinned" + +[verification] +reproducible-builds = "goal" +sbom-generation = "required" +attestation = "sigstore-preferred" diff --git a/.machine_readable/integrations/feedback-o-tron.a2ml b/.machine_readable/integrations/feedback-o-tron.a2ml new file mode 100644 index 0000000..1c473ae --- /dev/null +++ b/.machine_readable/integrations/feedback-o-tron.a2ml @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Feedback-o-Tron Integration — Autonomous Bug Reporting + +[integration] +name = "feedback-o-tron" +type = "bug-reporter" +repository = "https://github.com/hyperpolymath/feedback-o-tron" + +[reporting-config] +platforms = ["github", "gitlab", "bugzilla"] +deduplication = true +audit-logging = true +auto-file-upstream = "on-external-dependency-failure" diff --git a/.machine_readable/integrations/proven.a2ml b/.machine_readable/integrations/proven.a2ml new file mode 100644 index 0000000..6b3e805 --- /dev/null +++ b/.machine_readable/integrations/proven.a2ml @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Proven Integration — Formally Verified Safety Library + +[integration] +name = "proven" +type = "safety-library" +repository = "https://github.com/hyperpolymath/proven" +version = "1.2.0" + +[binding-policy] +approach = "thin-ffi-wrapper" +unsafe-patterns = "replace-with-proven-equivalent" +modules-available = ["SafeMath", "SafeString", "SafeJSON", "SafeURL", "SafeRegex", "SafeSQL", "SafeFile", "SafeTemplate", "SafeCrypto"] + +[adoption-guidance] +priority = "high" +scope = "all-string-json-url-crypto-operations" +migration = "incremental — replace unsafe patterns as encountered" diff --git a/.machine_readable/integrations/verisimdb.a2ml b/.machine_readable/integrations/verisimdb.a2ml new file mode 100644 index 0000000..2c8f8f5 --- /dev/null +++ b/.machine_readable/integrations/verisimdb.a2ml @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# VeriSimDB Feed — Cross-Repo Analytics Data Store + +[integration] +name = "verisimdb" +type = "data-feed" +repository = "https://github.com/hyperpolymath/nextgen-databases" +data-store = "verisimdb-data" + +[feed-config] +emit-scan-results = true +emit-build-metrics = true +emit-dependency-graph = true +format = "hexad" +destination = "verisimdb-data/feeds/" diff --git a/.machine_readable/integrations/vexometer.a2ml b/.machine_readable/integrations/vexometer.a2ml new file mode 100644 index 0000000..bb7fc43 --- /dev/null +++ b/.machine_readable/integrations/vexometer.a2ml @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# Vexometer Integration — Irritation Surface Analysis + +[integration] +name = "vexometer" +type = "friction-measurement" +repository = "https://github.com/hyperpolymath/vexometer" + +[measurement-config] +dimensions = 10 +emit-isa-reports = true +lazy-eliminator = true +satellite-interventions = true + +[hooks] +cli-tools = "measure-on-error" +ui-panels = "measure-on-interaction" +build-failures = "measure-on-failure" diff --git a/tests/fuzz/placeholder.txt b/tests/fuzz/placeholder.txt new file mode 100644 index 0000000..8621280 --- /dev/null +++ b/tests/fuzz/placeholder.txt @@ -0,0 +1 @@ +Scorecard requirement placeholder