diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a0a6ea9..1a43f0c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,41 +1,22 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +# CodeQL Advanced Analysis name: "CodeQL Advanced" on: push: - branches: [ "claude/vae-decoded-images-012e7jgjUF6nEpdaXK8Ja4ya" ] + branches: [main, master] pull_request: - branches: [ "claude/vae-decoded-images-012e7jgjUF6nEpdaXK8Ja4ya" ] + branches: [main, master] schedule: - cron: '18 5 * * 3' jobs: analyze: name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: - # required for all workflows security-events: write - - # required to fetch internal or private CodeQL packs packages: read - - # only required for workflows in private repositories actions: read contents: read @@ -45,43 +26,17 @@ jobs: include: - language: rust build-mode: none - # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 - - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@45c373516f557556c15d420e3f5e0aa3d64366bc # v3.31.9 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - name: Run manual build steps if: matrix.build-mode == 'manual' shell: bash @@ -94,6 +49,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@45c373516f557556c15d420e3f5e0aa3d64366bc # v3.31.9 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index a776006..cb08f2e 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -1,22 +1,23 @@ +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later name: Guix/Nix Package Policy on: [push, pull_request] jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Enforce Guix primary / Nix fallback run: | # Check for package manager files HAS_GUIX=$(find . -name "*.scm" -o -name ".guix-channel" -o -name "guix.scm" 2>/dev/null | head -1) HAS_NIX=$(find . -name "*.nix" 2>/dev/null | head -1) - + # Block new package-lock.json, yarn.lock, Gemfile.lock, etc. NEW_LOCKS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E 'package-lock\.json|yarn\.lock|Gemfile\.lock|Pipfile\.lock|poetry\.lock|cargo\.lock' || true) if [ -n "$NEW_LOCKS" ]; then echo "⚠ī¸ Lock files detected. Prefer Guix manifests for reproducibility." fi - + # Prefer Guix, fallback to Nix if [ -n "$HAS_GUIX" ]; then echo "✅ Guix package management detected (primary)" @@ -25,5 +26,5 @@ jobs: else echo "ℹī¸ Consider adding guix.scm or flake.nix for reproducible builds" fi - + echo "✅ Package policy check passed" diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml index e31d81c..20e22b9 100644 --- a/.github/workflows/jekyll-gh-pages.yml +++ b/.github/workflows/jekyll-gh-pages.yml @@ -1,44 +1,37 @@ -# Sample workflow for building and deploying a Jekyll site to GitHub Pages +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +# Deploy Jekyll site to GitHub Pages name: Deploy Jekyll with GitHub Pages dependencies preinstalled on: - # Runs on pushes targeting the default branch push: branches: ["main"] - - # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read pages: write id-token: write -# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. -# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. concurrency: group: "pages" cancel-in-progress: false jobs: - # Build job build: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Build with Jekyll - uses: actions/jekyll-build-pages@v1 + uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697 # v1.0.13 with: source: ./ destination: ./_site - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 - # Deployment job deploy: environment: name: github-pages @@ -48,4 +41,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 2e6e8b6..82a91ee 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later name: Mirror to GitLab and Bitbucket on: @@ -19,12 +19,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Setup SSH - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0 + uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1 with: ssh-private-key: ${{ secrets.GITLAB_SSH_KEY }} @@ -49,12 +49,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Setup SSH - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0 + uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1 with: ssh-private-key: ${{ secrets.BITBUCKET_SSH_KEY }} diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index e19c080..cd58f3e 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -1,10 +1,11 @@ +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later name: NPM/Bun Blocker on: [push, pull_request] jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Block npm/bun run: | if [ -f "package-lock.json" ] || [ -f "bun.lockb" ] || [ -f ".npmrc" ]; then diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index eb78d2c..5c5f848 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later name: Code Quality on: [push, pull_request] @@ -5,44 +6,44 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - name: Check file permissions run: | find . -type f -perm /111 -name "*.sh" | head -10 || true - + - name: Check for secrets - uses: trufflesecurity/trufflehog@main + uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3.92.3 with: path: ./ base: ${{ github.event.pull_request.base.sha || github.event.before }} head: ${{ github.sha }} continue-on-error: true - + - name: Check TODO/FIXME run: | echo "=== TODOs ===" grep -rn "TODO\|FIXME\|HACK\|XXX" --include="*.rs" --include="*.res" --include="*.py" --include="*.ex" . | head -20 || echo "None found" - + - name: Check for large files run: | find . -type f -size +1M -not -path "./.git/*" | head -10 || echo "No large files" - + - name: EditorConfig check - uses: editorconfig-checker/action-editorconfig-checker@main + uses: editorconfig-checker/action-editorconfig-checker@4b6cd6190d435e7e084fb35e36a096e98506f7b9 # v2.1.0 continue-on-error: true docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check documentation run: | MISSING="" [ ! -f "README.md" ] && [ ! -f "README.adoc" ] && MISSING="$MISSING README" [ ! -f "LICENSE" ] && [ ! -f "LICENSE.txt" ] && [ ! -f "LICENSE.md" ] && MISSING="$MISSING LICENSE" [ ! -f "CONTRIBUTING.md" ] && [ ! -f "CONTRIBUTING.adoc" ] && MISSING="$MISSING CONTRIBUTING" - + if [ -n "$MISSING" ]; then echo "::warning::Missing docs:$MISSING" else diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml index ac08939..9d06bd6 100644 --- a/.github/workflows/rsr-antipattern.yml +++ b/.github/workflows/rsr-antipattern.yml @@ -1,5 +1,5 @@ # RSR Anti-Pattern CI Check -# SPDX-License-Identifier: AGPL-3.0-or-later +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later # # Enforces: No TypeScript, No Go, No Python (except SaltStack), No npm # Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme @@ -16,7 +16,7 @@ jobs: antipattern-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check for TypeScript run: | diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 2c0841a..baf90e0 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later name: Rust CI on: [push, pull_request] env: @@ -8,29 +9,32 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master with: + toolchain: stable components: rustfmt, clippy - - uses: Swatinem/rust-cache@v2 - + - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 + - name: Check formatting run: cargo fmt --all -- --check - + - name: Clippy lints run: cargo clippy --all-targets --all-features -- -D warnings - + - name: Run tests run: cargo test --all-features - + - name: Build release run: cargo build --release security: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master + with: + toolchain: stable - name: Install cargo-audit run: cargo install cargo-audit - name: Security audit @@ -41,12 +45,14 @@ jobs: coverage: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # master + with: + toolchain: stable - name: Install tarpaulin run: cargo install cargo-tarpaulin - name: Generate coverage run: cargo tarpaulin --out Xml - - uses: codecov/codecov-action@v3 + - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: files: cobertura.xml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a073b17..922fdf2 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later name: OSSF Scorecard on: push: @@ -14,17 +15,17 @@ jobs: security-events: write id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false - + - name: Run Scorecard - uses: ossf/scorecard-action@v2.3.1 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif - + - name: Upload results - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@45c373516f557556c15d420e3f5e0aa3d64366bc # v3.31.9 with: sarif_file: results.sarif diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index c20bbc7..1317847 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -1,37 +1,38 @@ +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later name: Security Policy on: [push, pull_request] jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Security checks run: | FAILED=false - + # Block MD5/SHA1 for security (allow for checksums/caching) WEAK_CRYPTO=$(grep -rE 'md5\(|sha1\(' --include="*.py" --include="*.rb" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" . 2>/dev/null | grep -v 'checksum\|cache\|test\|spec' | head -5 || true) if [ -n "$WEAK_CRYPTO" ]; then echo "⚠ī¸ Weak crypto (MD5/SHA1) detected. Use SHA256+ for security:" echo "$WEAK_CRYPTO" fi - + # Block HTTP URLs (except localhost) HTTP_URLS=$(grep -rE 'http://[^l][^o][^c]' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.yaml" --include="*.yml" . 2>/dev/null | grep -v 'localhost\|127.0.0.1\|example\|test\|spec' | head -5 || true) if [ -n "$HTTP_URLS" ]; then echo "⚠ī¸ HTTP URLs found. Use HTTPS:" echo "$HTTP_URLS" fi - + # Block hardcoded secrets patterns SECRETS=$(grep -rEi '(api_key|apikey|secret_key|password)\s*[=:]\s*["\x27][A-Za-z0-9+/=]{20,}' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.env" . 2>/dev/null | grep -v 'example\|sample\|test\|mock\|placeholder' | head -3 || true) if [ -n "$SECRETS" ]; then echo "❌ Potential hardcoded secrets detected!" FAILED=true fi - + if [ "$FAILED" = true ]; then exit 1 fi - + echo "✅ Security policy check passed" diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml index 809d209..08784a4 100644 --- a/.github/workflows/wellknown-enforcement.yml +++ b/.github/workflows/wellknown-enforcement.yml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later name: Well-Known Standards (RFC 9116 + RSR) on: push: @@ -17,28 +18,28 @@ jobs: validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - name: RFC 9116 security.txt validation run: | SECTXT="" [ -f ".well-known/security.txt" ] && SECTXT=".well-known/security.txt" [ -f "security.txt" ] && SECTXT="security.txt" - + if [ -z "$SECTXT" ]; then echo "::warning::No security.txt found. See https://github.com/hyperpolymath/well-known-ecosystem" exit 0 fi - + # Required: Contact grep -q "^Contact:" "$SECTXT" || { echo "::error::Missing Contact field"; exit 1; } - + # Required: Expires if ! grep -q "^Expires:" "$SECTXT"; then echo "::error::Missing Expires field" exit 1 fi - + # Check expiry EXPIRES=$(grep "^Expires:" "$SECTXT" | cut -d: -f2- | tr -d ' ' | head -1) if date -d "$EXPIRES" > /dev/null 2>&1; then @@ -59,7 +60,7 @@ jobs: [ ! -f ".well-known/security.txt" ] && [ ! -f "security.txt" ] && MISSING="$MISSING security.txt" [ ! -f ".well-known/ai.txt" ] && MISSING="$MISSING ai.txt" [ ! -f ".well-known/humans.txt" ] && MISSING="$MISSING humans.txt" - + if [ -n "$MISSING" ]; then echo "::warning::Missing RSR recommended files:$MISSING" echo "Reference: https://github.com/hyperpolymath/well-known-ecosystem/.well-known/" diff --git a/ECOSYSTEM.scm b/ECOSYSTEM.scm index 1067904..98791d0 100644 --- a/ECOSYSTEM.scm +++ b/ECOSYSTEM.scm @@ -1,20 +1,33 @@ -;; SPDX-License-Identifier: AGPL-3.0-or-later -;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell -;; ECOSYSTEM.scm — zerostep +;; SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +;; SPDX-FileCopyrightText: 2024-2025 hyperpolymath +;; ECOSYSTEM.scm — zerostep (VAE Dataset Normalizer) (ecosystem (version "1.0.0") (name "zerostep") (type "project") - (purpose "// SPDX-FileCopyrightText: 2024 Joshua Jewell") + (purpose "Normalize VAE-decoded image datasets with cryptographic integrity +and formal verification for AI image detection model training.") (position-in-ecosystem - "Part of hyperpolymath ecosystem. Follows RSR guidelines.") + "Part of hyperpolymath ecosystem. Follows RSR guidelines for reproducible, +secure, and well-documented software.") (related-projects (project (name "rhodium-standard-repositories") (url "https://github.com/hyperpolymath/rhodium-standard-repositories") - (relationship "standard"))) + (relationship "standard")) + (project (name "VAEDecodedImages-SDXL") + (url "https://huggingface.co/datasets/joshuajewell/VAEDecodedImages-SDXL") + (relationship "dataset"))) - (what-this-is "// SPDX-FileCopyrightText: 2024 Joshua Jewell") - (what-this-is-not "- NOT exempt from RSR compliance")) + (what-this-is "A Rust CLI tool for processing VAE-decoded image datasets: +- SHAKE256 checksums for cryptographic integrity +- Train/test/val/cal splits (random + stratified) +- CUE metadata with Dublin Core +- Isabelle/HOL formal verification proofs +- Julia/Flux training utilities") + + (what-this-is-not "- NOT a VAE model implementation +- NOT a training framework +- NOT exempt from RSR compliance")) diff --git a/META.scm b/META.scm index 0195063..6fa37b5 100644 --- a/META.scm +++ b/META.scm @@ -1,5 +1,5 @@ -;; SPDX-License-Identifier: AGPL-3.0-or-later -;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell +;; SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +;; SPDX-FileCopyrightText: 2024-2025 hyperpolymath ;;; META.scm — zerostep (define-module (zerostep meta) @@ -10,15 +10,42 @@ (title . "RSR Compliance") (status . "accepted") (date . "2025-12-15") - (context . "// SPDX-FileCopyrightText: 2024 Joshua Jewell") + (context . "Project needs consistent, secure, reproducible infrastructure") (decision . "Follow Rhodium Standard Repository guidelines") - (consequences . ("RSR Gold target" "SHA-pinned actions" "SPDX headers" "Multi-platform CI"))))) + (consequences . ("RSR Gold target" "SHA-pinned actions" "SPDX headers" "Multi-platform CI"))) + (adr-002 + (title . "Cryptographic Integrity") + (status . "accepted") + (date . "2025-12-15") + (context . "Dataset integrity verification needed for ML training") + (decision . "Use SHAKE256 (FIPS 202) for all file checksums") + (consequences . ("FIPS compliant" "Extensible output" "No custom crypto"))) + (adr-003 + (title . "Formal Verification") + (status . "accepted") + (date . "2025-12-15") + (context . "Split algorithms must guarantee disjoint, complete partitions") + (decision . "Isabelle/HOL proofs for critical algorithms") + (consequences . ("Mathematically verified" "Increased confidence" "Documentation overhead"))))) (define development-practices - '((code-style (languages . ("Dockerfile" "Isabelle" "Julia" "Just" "Nickel" "Nix" "Rust" "Scheme" "Shell")) (formatter . "auto-detect") (linter . "auto-detect")) - (security (sast . "CodeQL") (credentials . "env vars only")) - (testing (coverage-minimum . 70)) - (versioning (scheme . "SemVer 2.0.0")))) + '((code-style + (languages . ("Rust" "Julia" "Isabelle" "Nix" "Scheme" "Shell")) + (formatter . "rustfmt") + (linter . "clippy")) + (security + (sast . "CodeQL") + (credentials . "env vars only") + (crypto . "SHAKE256 (SHA3 family)") + (containers . "Chainguard Wolfi base")) + (testing + (coverage-minimum . 70) + (framework . "cargo test")) + (versioning + (scheme . "SemVer 2.0.0")))) (define design-rationale - '((why-rsr "RSR ensures consistency, security, and maintainability."))) + '((why-rsr "RSR ensures consistency, security, and maintainability across the hyperpolymath ecosystem.") + (why-rust "Memory safety without GC, excellent performance for data processing, strong type system.") + (why-shake256 "FIPS 202 compliant, extensible output length, part of SHA-3 family.") + (why-isabelle "Industry-proven theorem prover with excellent Isar proof language."))) diff --git a/ROADMAP.md b/ROADMAP.md index 5c32ba9..75f4df8 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -1,5 +1,5 @@ - - + + # Roadmap @@ -14,12 +14,15 @@ high-quality paired datasets with formal guarantees. ✅ **Complete**: - Core normalization functionality -- SHAKE256 checksums +- SHAKE256 checksums (FIPS 202 compliant) - Train/test/val/cal splits (random + stratified) - CUE metadata with Dublin Core - Isabelle/HOL formal proofs - Julia/Flux training utilities -- RSR compliance +- RSR compliance (Gold target) +- SHA-pinned GitHub Actions (supply chain security) +- CodeQL security scanning +- OSSF Scorecard integration ## Short-Term (v1.1.0) diff --git a/STATE.scm b/STATE.scm index 868d4ad..018480f 100644 --- a/STATE.scm +++ b/STATE.scm @@ -1,22 +1,41 @@ ;;; STATE.scm — zerostep -;; SPDX-License-Identifier: AGPL-3.0-or-later -;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell +;; SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +;; SPDX-FileCopyrightText: 2024-2025 hyperpolymath (define metadata - '((version . "0.1.0") (updated . "2025-12-15") (project . "zerostep"))) + '((version . "1.0.0") (updated . "2025-12-17") (project . "zerostep"))) (define current-position - '((phase . "v0.1 - Initial Setup") - (overall-completion . 25) - (components ((rsr-compliance ((status . "complete") (completion . 100))))))) + '((phase . "v1.0 - Production Ready") + (overall-completion . 80) + (components + ((core-normalization ((status . "complete") (completion . 100))) + (shake256-checksums ((status . "complete") (completion . 100))) + (dataset-splits ((status . "complete") (completion . 100))) + (cue-metadata ((status . "complete") (completion . 100))) + (formal-proofs ((status . "complete") (completion . 100))) + (julia-utilities ((status . "complete") (completion . 100))) + (rsr-compliance ((status . "complete") (completion . 100))) + (multi-vae-support ((status . "planned") (completion . 0))) + (parallel-processing ((status . "planned") (completion . 0))))))) (define blockers-and-issues '((critical ()) (high-priority ()))) (define critical-next-actions - '((immediate (("Verify CI/CD" . high))) (this-week (("Expand tests" . medium))))) + '((immediate + (("Multi-VAE support" . medium) + ("Parallel processing" . medium))) + (this-week + (("Export formats" . low) + ("Memory-mapped I/O" . low))))) (define session-history - '((snapshots ((date . "2025-12-15") (session . "initial") (notes . "SCM files added"))))) + '((snapshots + ((date . "2025-12-15") (session . "initial") (notes . "SCM files added")) + ((date . "2025-12-17") (session . "security-review") (notes . "SHA-pinned GHA, fixed SCM files"))))) (define state-summary - '((project . "zerostep") (completion . 25) (blockers . 0) (updated . "2025-12-15"))) + '((project . "zerostep") + (completion . 80) + (blockers . 0) + (updated . "2025-12-17"))) diff --git a/guix.scm b/guix.scm index b4d6015..ebf979b 100644 --- a/guix.scm +++ b/guix.scm @@ -1,3 +1,5 @@ +;; SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +;; SPDX-FileCopyrightText: 2024-2025 hyperpolymath ;; ZeroStep - Guix Package Definition ;; Run: guix shell -D -f guix.scm @@ -10,16 +12,19 @@ (define-public zerostep (package - (name "ZeroStep") - (version "0.1.0") - (source (local-file "." "ZeroStep-checkout" + (name "vae-normalizer") + (version "1.0.0") + (source (local-file "." "zerostep-checkout" #:recursive? #t #:select? (git-predicate "."))) (build-system cargo-build-system) - (synopsis "Rust application") - (description "Rust application - part of the RSR ecosystem.") - (home-page "https://github.com/hyperpolymath/ZeroStep") - (license license:agpl3+))) + (synopsis "VAE dataset normalizer with formal verification") + (description "Normalize VAE-decoded image datasets with cryptographic +integrity verification and formal proofs. Supports train/test/val/cal splits, +SHAKE256 checksums, and CUE metadata with Dublin Core.") + (home-page "https://github.com/hyperpolymath/zerostep") + ;; Dual licensed: MIT OR AGPL-3.0-or-later + (license (list license:expat license:agpl3+)))) ;; Return package for guix shell zerostep