Skip to content

chore(licence): set repo primary licence to MPL-2.0 (core tech); keep AGPL game-content tier#656

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/practical-mendel-liz1c3
Jun 21, 2026
Merged

chore(licence): set repo primary licence to MPL-2.0 (core tech); keep AGPL game-content tier#656
hyperpolymath merged 1 commit into
mainfrom
claude/practical-mendel-liz1c3

Conversation

@hyperpolymath

@hyperpolymath hyperpolymath commented Jun 21, 2026

Copy link
Copy Markdown
Owner

Resolves the flagged licence inconsistency: the root LICENSE was AGPL-3.0-or-later while the guix files and CLAUDE.md treat the repo as MPL-2.0. Per owner decision, the repository's primary licence is now MPL-2.0 (with CC-BY-SA-4.0 for prose), matching the estate standard and the dual-SPDX pattern used in oikosbot.

Crucially, this is not a blanket relicence — docs/governance/LICENSING-GUIDE.md documents a deliberate three-tier structure, which I've preserved:

Tier Licence This PR
Core Technology (compiler, runtime, stdlib, tooling, editors) MPL-2.0 set to MPL-2.0 (was mislabeled AGPL in places)
Game Content (proposals/idaptik/**, game examples/**) AGPL-3.0-or-later untouched
Foundational (Gossamer, Burble) PMPL-1.0 / MPL-2.0 unchanged

Changed (Core Technology → MPL-2.0)

  • LICENSE: AGPL-3.0-or-later text → MPL-2.0 with dual SPDX header (MPL-2.0 + CC-BY-SA-4.0).
  • Distribution metadata: runtime/Cargo.toml, packages/{affinescript-cli,affine-js,affine-vscode}, affinescript-tea, editors/{vscode,tree-sitter-affinescript,tree-sitter-rescript} licence fields/headers AGPL → MPL-2.0.
  • Repo infra: .gitattributes, .gitignore SPDX → MPL-2.0.
  • README.adoc licence section → three-tier framing (MPL-2.0 core / AGPL game / PMPL foundational).

Deliberately NOT changed

  • proposals/idaptik/** (146 files) — the IDApTIK AGPL game; TRUST.contractile explicitly forbids modifying IDApTIK without explicit instruction, and relicensing AGPL-derived game code would be improper.
  • game examples/** — documented AGPL "Game Content" per the licensing guide.
  • LICENSES/LICENSE-AGPL-3.0 — retained (the AGPL tier still exists).

Follow-ups (flagged, not done here)

  • A handful of clearly-core-tech source SPDX headers (e.g. lib/version.ml, bin/dune, js/dune, tests/**) are still AGPL-labeled; reconciling those to MPL-2.0 is a tidy-up that needs per-file care against the three-tier guide.
  • docs/governance/LICENSING-GUIDE.md still frames the primary licence as PMPL/AGPL; it should be reworded to MPL-2.0-primary.

🤖 Generated with Claude Code

https://claude.ai/code/session_015wqBHniW8sHDCqCoEvBe9n

Generated by Claude Code

@claude
chore(licence): set repo primary licence to MPL-2.0 (core technology)
1a08b65 
Per owner decision, the repository's primary licence is MPL-2.0 (with
CC-BY-SA-4.0 for prose), matching the estate standard. Resolves the flagged
inconsistency where the root LICENSE was AGPL-3.0-or-later while the guix files
and CLAUDE.md treated the repo as MPL-2.0.

- LICENSE: AGPL-3.0-or-later text -> MPL-2.0 with the dual SPDX header
  (MPL-2.0 + CC-BY-SA-4.0), identical to the estate-canonical file.
- Core-technology metadata/headers AGPL-3.0-or-later -> MPL-2.0: runtime
  (runtime/Cargo.toml), distribution packages (affinescript-cli, affine-js,
  affine-vscode, affinescript-tea), editor integrations (vscode + tree-sitter-*),
  and repo infra (.gitattributes, .gitignore). These were mislabeled AGPL but are
  "Core Technology" per docs/governance/LICENSING-GUIDE.md.
- README licence section updated to the three-tier framing.

DELIBERATELY UNCHANGED (documented AGPL "Game Content" tier per LICENSING-GUIDE.md
+ TRUST.contractile): proposals/idaptik/** (the IDApTIK AGPL game; the contractile
forbids modifying it) and game-specific examples/**, plus LICENSES/LICENSE-AGPL-3.0.
The repo stays multi-licensed; MPL-2.0 is the primary/headline licence.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015wqBHniW8sHDCqCoEvBe9n
@github-actions

github-actions Bot commented Jun 21, 2026

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 41 issues detected

Severity Count
🔴 Critical 2
🟠 High 23
🟡 Medium 16

⚠️ Action Required: Critical security issues found!

View findings 
[
  {
    "reason": "Action denoland/setup-deno@v2 needs attention",
    "type": "unpinned_action",
    "file": "publish-jsr.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "expect() in hot path (32 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (29 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (3 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/affinescript/affinescript/runtime/src/ffi.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review June 21, 2026 23:41
@hyperpolymath hyperpolymath merged commit 1f0d4eb into main Jun 21, 2026
17 checks passed
@hyperpolymath hyperpolymath deleted the claude/practical-mendel-liz1c3 branch June 21, 2026 23:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hyperpolymath @claude