From 477b4794242a227263400fb2a3ff383a7c1c3cff Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 22:09:40 +0100
Subject: [PATCH 1/2] Canonicalize licensing constitution (deliberate policy
 change)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Owner decision 2026-05-18 (option A), taken with the prior lawyer-backed
position in view: supersede 'PMPL-declared + MPL-2.0 invisible fallback'
with 'MPL-2.0 declared default; PMPL = future overlay only'.

- LICENCE-POLICY.adoc rewritten as the constitution; old model recorded
  as explicitly superseded (history kept, not erased).
- Son exception generalised to 'son owns/admins -> AGPL-3.0-or-later'
  with IDApTIK + ASS as named instances (reconciles broad session rule
  with the doc's specific instances).
- 007 reframed: full commercial dual-use, hazardous to declare -> out
  of scope entirely (never scan/label/sweep).
- Rules 5/6 keep third-party-never-relicense + no-automated-edits.
- .machine_readable/licensing-policy.toml: tool-readable rules (NOT a
  REUSE per-file map — that would assert a contradiction with still-
  legacy PMPL headers; encodes rules, not per-file claims).

Transparency: this file's OWN SPDX header flipped PMPL->MPL-2.0. That
is a single owner-directed hand edit of the constitution doc itself
(authoring, not an automated sweep) — the policy doc must not carry the
header it supersedes. Objectable if the owner disagrees.

Refs PR rsr-template-repo#62; LICENSING-DEBT-AND-REMEDIATION.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .machine_readable/licensing-policy.toml |  53 ++++++++
 LICENCE-POLICY.adoc                     | 155 +++++++++++++-----------
 2 files changed, 139 insertions(+), 69 deletions(-)
 create mode 100644 .machine_readable/licensing-policy.toml

diff --git a/.machine_readable/licensing-policy.toml b/.machine_readable/licensing-policy.toml
new file mode 100644
index 00000000..d0fdf824
--- /dev/null
+++ b/.machine_readable/licensing-policy.toml
@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: 2026 Jonathan Jewell (hyperpolymath)
+#
+# Machine-readable form of LICENCE-POLICY.adoc (the constitution).
+# Tools enforce from this; humans read the .adoc. Single source of
+# truth is the .adoc — keep this in sync, do not diverge.
+# NOTE: deliberately NOT a REUSE per-file dep5 map: headers are
+# mid-manual-migration, so a blanket per-file licence map would assert
+# a contradiction with still-legacy PMPL headers. This encodes the
+# RULES, not a per-file claim.
+
+schema = "hyperpolymath.licensing-policy/1"
+revised = "2026-05-18"
+supersedes = "PMPL-declared-with-MPL-fallback (pre-2026-05-18)"
+
+[default]
+spdx = "MPL-2.0"
+scope = "all hyperpolymath original code, docs, config, scripts"
+status = "declared and legally effective today"
+
+[overlay]
+name = "Palimpsest"
+spdx_ref = "LicenseRef-Palimpsest"
+rule = "future overlay ON TOP OF MPL-2.0 only; never standalone; no registered-SPDX PMPL id; no force until council + legal code exist"
+
+[exceptions.son]
+spdx = "AGPL-3.0-or-later"
+rule = "anything the owner's son owns or is repo-admin for"
+instances = ["IDApTIK", "Airborne Submarine Squadron (ASS)"]
+permanent = true
+
+[exceptions.repo_007]
+handling = "OUT-OF-SCOPE"
+reason = "full commercial dual-use; potentially dangerous to declare (export-control / hazardous-tech sensitive)"
+rule = "never touch/normalise/label/add-SPDX/scan/report; surface to owner only"
+
+[third_party]
+rule = "preserve original SPDX exactly; never relicense; flag-not-edit"
+
+[automation]
+allowed = false
+rule = "no bulk/sed/script/agent licence-SPDX changes, ever; remediation is manual, per-file, owner-only"
+exception = "an agent may author NEW files with correct SPDX from birth; a brand-new repo's own top-level LICENSE may be set"
+
+[legacy]
+identifiers = ["PMPL-1.0-or-later", "PMPL-*"]
+status = "debt; migrate manually by owner over time; tolerated meanwhile; not the intended state"
+
+[guard]
+location = "rsr-template-repo/.github/workflows/spdx-policy-guard.yml"
+edits_files = false
+tolerates = ["PMPL-*"]
+fails_on = ["contradictory multi-SPDX in one file", "foreign licences outside policy"]
diff --git a/LICENCE-POLICY.adoc b/LICENCE-POLICY.adoc
index 441be784..3bcacc64 100644
--- a/LICENCE-POLICY.adoc
+++ b/LICENCE-POLICY.adoc
@@ -1,104 +1,121 @@
-// SPDX-License-Identifier: PMPL-1.0-or-later
-= Hyperpolymath Licence Policy
+// SPDX-License-Identifier: MPL-2.0
+// SPDX-FileCopyrightText: 2026 Jonathan Jewell (hyperpolymath)
+= Hyperpolymath Licence Policy (Constitution)
 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 :toc:
 :toc-placement: preamble
+:revdate: 2026-05-18
 
-Canonical licence policy for all hyperpolymath repositories and code.
-All contributors and AI agents must follow this document.
+Canonical, authoritative licence policy for all hyperpolymath
+repositories and code. All contributors and AI agents must follow this
+document. It is the single source of truth; other repos link here, they
+do not copy it.
 
-== Three Rules
+[IMPORTANT]
+====
+*2026-05-18 — deliberate policy change (supersedes the prior model).*
+The previous policy declared `PMPL-1.0-or-later` in every header with
+MPL-2.0 as an invisible legal fallback. That split is *superseded*. The
+operative, *declared* licence is now MPL-2.0; PMPL is repositioned as a
+future overlay only. This was an informed owner decision taken with the
+prior lawyer-backed position in view. The history is recorded here, not
+erased.
+====
 
-=== Rule 1 — PMPL-1.0-or-later Is the Stated Licence
+== The constitution
 
-All hyperpolymath original code carries:
+=== 1 — MPL-2.0 is the declared default
 
-```
-SPDX-License-Identifier: PMPL-1.0-or-later
-```
+All hyperpolymath original code, docs, config and scripts carry:
 
-This applies everywhere — source files, docs, config, scripts — unless
-Rule 2 or Rule 3 applies.
+----
+SPDX-License-Identifier: MPL-2.0
+----
 
-=== Rule 2 — MPL-2.0 Is the Automatic Legal Fallback
+Legally effective today, no qualification. What the header *says* and
+what is *enforceable* are no longer split.
 
-PMPL does not yet have formal legal standing as a standalone licence.
-A lawyer has confirmed: until PMPL is formally recognised, *MPL-2.0 is the
-automatically operative legal fallback* for all code marked
-`PMPL-1.0-or-later`. No additional declaration is needed.
+=== 2 — PMPL is a future overlay only, never standalone
 
-This means:
+The Palimpsest licence (PMPL) is the intended post-quantum,
+age-of-humans-and-things direction, applied as an *overlay on top of*
+MPL-2.0 — never a replacement, never a present standalone claim. Until
+the governing council and an established legal code exist, a bare PMPL
+assertion has no legal force and falls immediately. Express any future
+overlay as `MPL-2.0` plus a `LicenseRef-Palimpsest` notice — never a
+registered-SPDX PMPL identifier. See
+link:https://github.com/hyperpolymath/palimpsest-license[palimpsest-license].
 
-* SPDX headers say `PMPL-1.0-or-later` — this is correct and intentional
-* Legally, the enforceable text today is MPL-2.0
-* When PMPL achieves legal recognition, existing headers take full effect
-  without any re-labelling
+=== 3 — AGPL-3.0-or-later for the son's work
 
-*Platform registries* (crates.io, Hackage, npm) that require OSI-approved
-licences need an explicit MPL-2.0 declaration:
+Anything Jonathan's son owns, or is repo-admin for, carries
+`SPDX-License-Identifier: AGPL-3.0-or-later`. This is the general rule.
+Known concrete instances (co-developed with the son): *IDApTIK*
+(adaptive tutoring game) and *Airborne Submarine Squadron (ASS)*
+(aerial combat game). Permanent exception; never normalised to MPL-2.0.
 
-```
-SPDX-License-Identifier: MPL-2.0
-// (PMPL-1.0-or-later preferred; MPL-2.0 required for [platform])
-```
+=== 4 — 007 is out of scope entirely
 
-This is distinct from the automatic fallback — it is a platform-compliance
-declaration, not a signal of preference.
+`007` is a full commercial, dual-use licence where *dual-use means
+potentially dangerous to declare* (export-control / hazardous-tech
+sensitive). Labelling or asserting its licence is itself a sensitive
+act. Never touch, normalise, label, add SPDX to, scan, or include 007
+in any report or sweep. Surface to the owner only.
 
-=== Rule 3 — AGPL-3.0 for Co-Developed Projects
+=== 5 — Third-party code is never relicensed
 
-Two projects are co-developed with Jonathan's son and use AGPL-3.0:
+Preserve the original SPDX header of any third-party / vendored /
+component file *exactly*. Flag, never edit. Prior automated attempts
+falsified third-party licence authorship — this is a legal-integrity
+boundary (see Rule 6).
 
-* **IDApTIK** — adaptive tutoring game
-* **Airborne Submarine Squadron (ASS)** — aerial combat game
+=== 6 — Licence edits are manual, owner-only, never automated
 
-These use `SPDX-License-Identifier: AGPL-3.0-or-later`. This exception is
-permanent. All other hyperpolymath original code follows Rule 1 + Rule 2.
+No automated or bulk SPDX/licence change (sed sweep, script, agent
+pass) on any estate repo, ever. Remediation of the standing legacy is
+*manual, per-file, by the owner, over time*. New files an agent itself
+authors may carry the correct SPDX from birth; a brand-new repo's own
+top-level LICENSE may be set to the owner's chosen licence. That is
+authoring, not relicensing.
 
-== SPDX Header Quick Reference
+== SPDX header quick reference
 
-[cols="2,3,2"]
+[cols="2,2,3"]
 |===
 | Situation | Header | Notes
 
-| Standard hyperpolymath code
-| `PMPL-1.0-or-later`
-| MPL-2.0 is automatic legal fallback
-
-| crates.io / Hackage / npm package
-| `MPL-2.0` + comment
-| Add: `(PMPL-1.0-or-later preferred; MPL-2.0 required for [platform])`
-
-| IDApTIK or Airborne Submarine Squadron
-| `AGPL-3.0-or-later`
-| Permanent exception — co-developed with son
-
-| Third-party code
-| Original SPDX (e.g. `MIT`, `Apache-2.0`)
-| Never relicense; preserve original header exactly
+| Standard hyperpolymath code | `MPL-2.0` | Declared and enforceable today
+| Future Palimpsest overlay | `MPL-2.0` + `LicenseRef-Palimpsest` notice | Never standalone PMPL
+| Son's work (IDApTIK, ASS, or any repo he owns/admins) | `AGPL-3.0-or-later` | Permanent exception
+| 007 | — | Never scanned/labelled/declared; out of scope
+| Third-party code | Original SPDX, unchanged | Never relicense; preserve exactly
+| Legacy `PMPL-*` (not yet migrated) | leave as-is | Owner migrates manually; tolerated meanwhile
 |===
 
-== What PMPL Adds Over MPL-2.0
-
-Once PMPL has legal standing, it adds:
+== Standing legacy & the drift-guard
 
-* *Emotional Lineage* — preserve narrative intent and cultural context
-* *Provenance Integrity* — retain attribution and lineage metadata
-* *Ethical Use Constraints* — explicit consent for non-interpretive AI training
-* *Quantum-Safe Provenance (optional)* — post-quantum signature support
+Most repos still carry legacy `PMPL-1.0-or-later` (and variant `PMPL-*`)
+headers from the old policy and from `rsr-template-repo`. Under this
+constitution those are *debt to be migrated manually by the owner* —
+not drift to be auto-fixed, and no longer the intended state.
 
-MPL-2.0 provides the legal foundation: file-level copyleft, patent grants,
-compatibility with other licences, clear modern language.
+`rsr-template-repo` now defaults new clones to `MPL-2.0` (faucet fixed,
+PR #62) and ships `spdx-policy-guard.yml`: a transition-safe guard that
+*never edits files*, tolerates the whole `PMPL-*` legacy family during
+manual migration, and fails only on (a) contradictory multi-SPDX files
+and (b) foreign licences — stopping new drift without forcing the mop
+or breaking in-flight relicensing.
 
 == Enforcement
 
-* CI: `hypatia-scan.yml` checks SPDX headers on all files
-* Pre-commit: `panic-attack assail` catches missing or wrong SPDX identifiers
-* New repos: rsr-template-repo defaults to `PMPL-1.0-or-later`
+* `rsr-template-repo/.github/workflows/spdx-policy-guard.yml` — drift-guard (report-only, never edits)
+* `hypatia-scan.yml` — SPDX header presence
+* Pre-commit: `panic-attack assail`
+* Machine-readable rules: `.machine_readable/licensing-policy.toml` (this repo)
 
-== See Also
+== See also
 
 * `PALIMPSEST.adoc` (this directory) — full narrative
-* `rhodium-standard-repositories/PALIMPSEST.adoc` — RSR integration
-* link:https://github.com/hyperpolymath/palimpsest-license[palimpsest-license] — PMPL licence text
-* link:https://www.mozilla.org/en-US/MPL/2.0/[MPL-2.0] — legal fallback text
+* link:https://github.com/hyperpolymath/palimpsest-license[palimpsest-license] — PMPL text + overlay
+* link:https://www.mozilla.org/en-US/MPL/2.0/[MPL-2.0] — operative licence text
+* `LICENSES/MPL-2.0.txt`, `LICENSES/PMPL-1.0-or-later.txt` — REUSE texts

From 12570cfa9390e83f568894d138210f9fec02d291 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 22:48:51 +0100
Subject: [PATCH 2/2] Reduce to additive-only: restore original policy +
 clarifying addendum
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Corrects this branch's earlier (mistaken) supersession. A read-only
estate audit confirmed the original three Rules are correct:
PMPL-1.0-or-later is the disciplined estate standard, and PMPL =
Palimpsest-MPL v1.0 (incorporates MPL-2.0 by reference with the Rule 2
MPL-2.0 fallback). The prior policy was internally coherent.

Net diff vs main is now purely ADDITIVE — Rules 1-3 verbatim, plus:
- Addendum A1: 007 out of scope (full commercial dual-use, hazardous
  to declare)
- A2: no automated licence edits (manual, owner-only)
- A3: variant normalisation (PMPL-1.0 / -or-later-or-later ->
  PMPL-1.0-or-later) is the only debt, manual
- A4: son AGPL vs PAGPL-1.0-or-later flagged as OPEN owner question
  (not asserted)
- Enforcement: reference the (reframed) spdx-policy-guard
- .machine_readable/licensing-policy.toml rewritten to the TRUE policy

Pairs with rsr-template-repo#63 (revert of the mistaken default flip).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .machine_readable/licensing-policy.toml |  54 +++----
 LICENCE-POLICY.adoc                     | 199 ++++++++++++++----------
 2 files changed, 141 insertions(+), 112 deletions(-)

diff --git a/.machine_readable/licensing-policy.toml b/.machine_readable/licensing-policy.toml
index d0fdf824..5e2b1659 100644
--- a/.machine_readable/licensing-policy.toml
+++ b/.machine_readable/licensing-policy.toml
@@ -1,35 +1,37 @@
-# SPDX-License-Identifier: MPL-2.0
+# SPDX-License-Identifier: PMPL-1.0-or-later
 # SPDX-FileCopyrightText: 2026 Jonathan Jewell (hyperpolymath)
 #
-# Machine-readable form of LICENCE-POLICY.adoc (the constitution).
-# Tools enforce from this; humans read the .adoc. Single source of
-# truth is the .adoc — keep this in sync, do not diverge.
-# NOTE: deliberately NOT a REUSE per-file dep5 map: headers are
-# mid-manual-migration, so a blanket per-file licence map would assert
-# a contradiction with still-legacy PMPL headers. This encodes the
-# RULES, not a per-file claim.
+# Machine-readable form of LICENCE-POLICY.adoc. Tools enforce from this;
+# humans read the .adoc (the .adoc is the source of truth — keep in
+# sync, do not diverge). NOT a REUSE per-file dep5 map: this encodes
+# the RULES, not per-file claims.
 
 schema = "hyperpolymath.licensing-policy/1"
 revised = "2026-05-18"
-supersedes = "PMPL-declared-with-MPL-fallback (pre-2026-05-18)"
+note = "Rules 1-3 are the standing lawyer-backed policy; addendum is additive (007, no-automation, variant cleanup)."
 
-[default]
-spdx = "MPL-2.0"
+[default]                                # Rule 1
+spdx = "PMPL-1.0-or-later"
+meaning = "Palimpsest-MPL v1.0 — incorporates MPL-2.0 by reference"
 scope = "all hyperpolymath original code, docs, config, scripts"
-status = "declared and legally effective today"
+status = "the disciplined estate standard (audit-confirmed ~75% of files)"
+
+[fallback]                               # Rule 2
+spdx = "MPL-2.0"
+rule = "automatic operative legal fallback for PMPL-1.0-or-later; no separate declaration needed (lawyer-confirmed)"
 
-[overlay]
-name = "Palimpsest"
-spdx_ref = "LicenseRef-Palimpsest"
-rule = "future overlay ON TOP OF MPL-2.0 only; never standalone; no registered-SPDX PMPL id; no force until council + legal code exist"
+[platform_exception]                     # Rule 2, registries
+spdx = "MPL-2.0"
+applies = "crates.io / Hackage / npm and other OSI-only registries"
+note = "explicit MPL-2.0 + comment '(PMPL-1.0-or-later preferred; MPL-2.0 required for [platform])'; compliance, not preference"
 
-[exceptions.son]
+[exceptions.son]                         # Rule 3
 spdx = "AGPL-3.0-or-later"
-rule = "anything the owner's son owns or is repo-admin for"
 instances = ["IDApTIK", "Airborne Submarine Squadron (ASS)"]
 permanent = true
+open_question = "possible move to PAGPL-1.0-or-later (Palimpsest-AGPL) — owner ruling pending, not asserted"
 
-[exceptions.repo_007]
+[exceptions.repo_007]                    # Addendum A1 (overrides Rules 1-3 for 007)
 handling = "OUT-OF-SCOPE"
 reason = "full commercial dual-use; potentially dangerous to declare (export-control / hazardous-tech sensitive)"
 rule = "never touch/normalise/label/add-SPDX/scan/report; surface to owner only"
@@ -37,17 +39,17 @@ rule = "never touch/normalise/label/add-SPDX/scan/report; surface to owner only"
 [third_party]
 rule = "preserve original SPDX exactly; never relicense; flag-not-edit"
 
-[automation]
+[automation]                             # Addendum A2
 allowed = false
-rule = "no bulk/sed/script/agent licence-SPDX changes, ever; remediation is manual, per-file, owner-only"
-exception = "an agent may author NEW files with correct SPDX from birth; a brand-new repo's own top-level LICENSE may be set"
+rule = "no bulk/sed/script/agent licence-SPDX changes ever; remediation is manual, per-file, owner-only"
+exception = "an agent may author NEW files with correct SPDX; a brand-new repo's own top-level LICENSE may be set"
 
-[legacy]
-identifiers = ["PMPL-1.0-or-later", "PMPL-*"]
-status = "debt; migrate manually by owner over time; tolerated meanwhile; not the intended state"
+[debt]                                   # Addendum A3 — the ONLY licence debt
+type = "variant normalisation (manual, owner-driven)"
+fix = "PMPL-1.0 and PMPL-1.0-or-later-or-later -> PMPL-1.0-or-later"
 
 [guard]
 location = "rsr-template-repo/.github/workflows/spdx-policy-guard.yml"
 edits_files = false
 tolerates = ["PMPL-*"]
-fails_on = ["contradictory multi-SPDX in one file", "foreign licences outside policy"]
+fails_on = ["contradictory multi-SPDX in one file", "foreign licences outside the estate family"]
diff --git a/LICENCE-POLICY.adoc b/LICENCE-POLICY.adoc
index 3bcacc64..7cc41d0d 100644
--- a/LICENCE-POLICY.adoc
+++ b/LICENCE-POLICY.adoc
@@ -1,121 +1,148 @@
-// SPDX-License-Identifier: MPL-2.0
-// SPDX-FileCopyrightText: 2026 Jonathan Jewell (hyperpolymath)
-= Hyperpolymath Licence Policy (Constitution)
+// SPDX-License-Identifier: PMPL-1.0-or-later
+= Hyperpolymath Licence Policy
 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 :toc:
 :toc-placement: preamble
-:revdate: 2026-05-18
 
-Canonical, authoritative licence policy for all hyperpolymath
-repositories and code. All contributors and AI agents must follow this
-document. It is the single source of truth; other repos link here, they
-do not copy it.
+Canonical licence policy for all hyperpolymath repositories and code.
+All contributors and AI agents must follow this document.
 
-[IMPORTANT]
-====
-*2026-05-18 — deliberate policy change (supersedes the prior model).*
-The previous policy declared `PMPL-1.0-or-later` in every header with
-MPL-2.0 as an invisible legal fallback. That split is *superseded*. The
-operative, *declared* licence is now MPL-2.0; PMPL is repositioned as a
-future overlay only. This was an informed owner decision taken with the
-prior lawyer-backed position in view. The history is recorded here, not
-erased.
-====
+== Three Rules
 
-== The constitution
+=== Rule 1 — PMPL-1.0-or-later Is the Stated Licence
 
-=== 1 — MPL-2.0 is the declared default
+All hyperpolymath original code carries:
 
-All hyperpolymath original code, docs, config and scripts carry:
+```
+SPDX-License-Identifier: PMPL-1.0-or-later
+```
 
-----
-SPDX-License-Identifier: MPL-2.0
-----
+This applies everywhere — source files, docs, config, scripts — unless
+Rule 2 or Rule 3 applies.
 
-Legally effective today, no qualification. What the header *says* and
-what is *enforceable* are no longer split.
+=== Rule 2 — MPL-2.0 Is the Automatic Legal Fallback
 
-=== 2 — PMPL is a future overlay only, never standalone
+PMPL does not yet have formal legal standing as a standalone licence.
+A lawyer has confirmed: until PMPL is formally recognised, *MPL-2.0 is the
+automatically operative legal fallback* for all code marked
+`PMPL-1.0-or-later`. No additional declaration is needed.
 
-The Palimpsest licence (PMPL) is the intended post-quantum,
-age-of-humans-and-things direction, applied as an *overlay on top of*
-MPL-2.0 — never a replacement, never a present standalone claim. Until
-the governing council and an established legal code exist, a bare PMPL
-assertion has no legal force and falls immediately. Express any future
-overlay as `MPL-2.0` plus a `LicenseRef-Palimpsest` notice — never a
-registered-SPDX PMPL identifier. See
-link:https://github.com/hyperpolymath/palimpsest-license[palimpsest-license].
+This means:
 
-=== 3 — AGPL-3.0-or-later for the son's work
+* SPDX headers say `PMPL-1.0-or-later` — this is correct and intentional
+* Legally, the enforceable text today is MPL-2.0
+* When PMPL achieves legal recognition, existing headers take full effect
+  without any re-labelling
 
-Anything Jonathan's son owns, or is repo-admin for, carries
-`SPDX-License-Identifier: AGPL-3.0-or-later`. This is the general rule.
-Known concrete instances (co-developed with the son): *IDApTIK*
-(adaptive tutoring game) and *Airborne Submarine Squadron (ASS)*
-(aerial combat game). Permanent exception; never normalised to MPL-2.0.
+*Platform registries* (crates.io, Hackage, npm) that require OSI-approved
+licences need an explicit MPL-2.0 declaration:
 
-=== 4 — 007 is out of scope entirely
+```
+SPDX-License-Identifier: MPL-2.0
+// (PMPL-1.0-or-later preferred; MPL-2.0 required for [platform])
+```
 
-`007` is a full commercial, dual-use licence where *dual-use means
-potentially dangerous to declare* (export-control / hazardous-tech
-sensitive). Labelling or asserting its licence is itself a sensitive
-act. Never touch, normalise, label, add SPDX to, scan, or include 007
-in any report or sweep. Surface to the owner only.
+This is distinct from the automatic fallback — it is a platform-compliance
+declaration, not a signal of preference.
 
-=== 5 — Third-party code is never relicensed
+=== Rule 3 — AGPL-3.0 for Co-Developed Projects
 
-Preserve the original SPDX header of any third-party / vendored /
-component file *exactly*. Flag, never edit. Prior automated attempts
-falsified third-party licence authorship — this is a legal-integrity
-boundary (see Rule 6).
+Two projects are co-developed with Jonathan's son and use AGPL-3.0:
 
-=== 6 — Licence edits are manual, owner-only, never automated
+* **IDApTIK** — adaptive tutoring game
+* **Airborne Submarine Squadron (ASS)** — aerial combat game
 
-No automated or bulk SPDX/licence change (sed sweep, script, agent
-pass) on any estate repo, ever. Remediation of the standing legacy is
-*manual, per-file, by the owner, over time*. New files an agent itself
-authors may carry the correct SPDX from birth; a brand-new repo's own
-top-level LICENSE may be set to the owner's chosen licence. That is
-authoring, not relicensing.
+These use `SPDX-License-Identifier: AGPL-3.0-or-later`. This exception is
+permanent. All other hyperpolymath original code follows Rule 1 + Rule 2.
 
-== SPDX header quick reference
+== SPDX Header Quick Reference
 
-[cols="2,2,3"]
+[cols="2,3,2"]
 |===
 | Situation | Header | Notes
 
-| Standard hyperpolymath code | `MPL-2.0` | Declared and enforceable today
-| Future Palimpsest overlay | `MPL-2.0` + `LicenseRef-Palimpsest` notice | Never standalone PMPL
-| Son's work (IDApTIK, ASS, or any repo he owns/admins) | `AGPL-3.0-or-later` | Permanent exception
-| 007 | — | Never scanned/labelled/declared; out of scope
-| Third-party code | Original SPDX, unchanged | Never relicense; preserve exactly
-| Legacy `PMPL-*` (not yet migrated) | leave as-is | Owner migrates manually; tolerated meanwhile
+| Standard hyperpolymath code
+| `PMPL-1.0-or-later`
+| MPL-2.0 is automatic legal fallback
+
+| crates.io / Hackage / npm package
+| `MPL-2.0` + comment
+| Add: `(PMPL-1.0-or-later preferred; MPL-2.0 required for [platform])`
+
+| IDApTIK or Airborne Submarine Squadron
+| `AGPL-3.0-or-later`
+| Permanent exception — co-developed with son
+
+| Third-party code
+| Original SPDX (e.g. `MIT`, `Apache-2.0`)
+| Never relicense; preserve original header exactly
 |===
 
-== Standing legacy & the drift-guard
+== What PMPL Adds Over MPL-2.0
 
-Most repos still carry legacy `PMPL-1.0-or-later` (and variant `PMPL-*`)
-headers from the old policy and from `rsr-template-repo`. Under this
-constitution those are *debt to be migrated manually by the owner* —
-not drift to be auto-fixed, and no longer the intended state.
+Once PMPL has legal standing, it adds:
 
-`rsr-template-repo` now defaults new clones to `MPL-2.0` (faucet fixed,
-PR #62) and ships `spdx-policy-guard.yml`: a transition-safe guard that
-*never edits files*, tolerates the whole `PMPL-*` legacy family during
-manual migration, and fails only on (a) contradictory multi-SPDX files
-and (b) foreign licences — stopping new drift without forcing the mop
-or breaking in-flight relicensing.
+* *Emotional Lineage* — preserve narrative intent and cultural context
+* *Provenance Integrity* — retain attribution and lineage metadata
+* *Ethical Use Constraints* — explicit consent for non-interpretive AI training
+* *Quantum-Safe Provenance (optional)* — post-quantum signature support
+
+MPL-2.0 provides the legal foundation: file-level copyleft, patent grants,
+compatibility with other licences, clear modern language.
 
 == Enforcement
 
-* `rsr-template-repo/.github/workflows/spdx-policy-guard.yml` — drift-guard (report-only, never edits)
-* `hypatia-scan.yml` — SPDX header presence
-* Pre-commit: `panic-attack assail`
-* Machine-readable rules: `.machine_readable/licensing-policy.toml` (this repo)
+* CI: `hypatia-scan.yml` checks SPDX headers on all files
+* Pre-commit: `panic-attack assail` catches missing or wrong SPDX identifiers
+* New repos: rsr-template-repo defaults to `PMPL-1.0-or-later`
+* CI: `rsr-template-repo/.github/workflows/spdx-policy-guard.yml` —
+  report-only drift-guard (never edits); fails on foreign SPDX and
+  contradictory multi-SPDX files; tolerates the `PMPL-*` family
+
+== Addendum — 2026-05-18 clarifications (additive; Rules 1–3 unchanged)
+
+These refine, they do not supersede. The three Rules above are correct
+and remain in force (a read-only estate audit confirmed PMPL-1.0-or-later
+is the disciplined estate standard, and PMPL = Palimpsest-MPL v1.0,
+which incorporates MPL-2.0 by reference with the MPL-2.0 fallback of
+Rule 2 — i.e. the model is internally coherent).
+
+=== A1 — `007` is out of scope entirely
+
+`007` carries a full commercial, dual-use licence where *dual-use means
+potentially dangerous to declare* (export-control / hazardous-tech
+sensitive). Labelling or asserting its licence is itself a sensitive
+act. Never touch, normalise, label, add SPDX to, scan, or include 007
+in any report or sweep. Surface to the owner only. This overrides
+Rules 1–3 for 007.
+
+=== A2 — Licence edits are manual, owner-only, never automated
+
+No automated or bulk SPDX/licence change (sed sweep, script, agent
+pass) on any estate repo, ever. Prior automated attempts falsified
+third-party licence authorship — a legal-integrity hazard. Remediation
+is manual, per-file, by the owner. An agent may author *new* files with
+the correct SPDX from birth, and may set a brand-new repo's own
+top-level LICENSE — that is authoring, not relicensing.
+
+=== A3 — Variant normalisation is the only standing debt
+
+A few files carry malformed variants — `PMPL-1.0` (missing
+`-or-later`) and `PMPL-1.0-or-later-or-later` (doubled suffix). These
+should read `PMPL-1.0-or-later`. This is the *only* licence debt, and
+it is owner-driven manual cleanup (per A2) — not a drift to auto-fix.
+
+=== A4 — Open question (owner ruling pending)
+
+Rule 3 uses `AGPL-3.0-or-later` for the son's co-developed projects.
+The Palimpsest family has a canonical member `PAGPL-1.0-or-later`
+(Palimpsest-AGPL). Whether the son's work should move to
+`PAGPL-1.0-or-later` is an *open owner decision* — not yet ruled, not
+asserted here.
 
-== See also
+== See Also
 
 * `PALIMPSEST.adoc` (this directory) — full narrative
-* link:https://github.com/hyperpolymath/palimpsest-license[palimpsest-license] — PMPL text + overlay
-* link:https://www.mozilla.org/en-US/MPL/2.0/[MPL-2.0] — operative licence text
-* `LICENSES/MPL-2.0.txt`, `LICENSES/PMPL-1.0-or-later.txt` — REUSE texts
+* `rhodium-standard-repositories/PALIMPSEST.adoc` — RSR integration
+* link:https://github.com/hyperpolymath/palimpsest-license[palimpsest-license] — PMPL licence text
+* link:https://www.mozilla.org/en-US/MPL/2.0/[MPL-2.0] — legal fallback text