fix(ci): add SPDX-License-Identifier header to LICENSE

[hyperpolymath]

Fixes the pre-existing Governance → "Licence consistency" failure on main.

standards' check-licence-consistency.sh scans the caller repo's LICENSE for an SPDX-License-Identifier: header on its first lines and exits 1 if absent. echo-types' LICENSE is the verbatim MPL-2.0 text with no SPDX line, so the gate fails.

This prepends the matching identifier + copyright:

SPDX-License-Identifier: MPL-2.0
SPDX-FileCopyrightText: 2024-2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>

No relicensing — the file is already MPL-2.0; this adds the machine-readable identifier the gate requires. Sole-owner repo → MPL-2.0 per estate policy.

🤖 Generated with Claude Code

https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn

---

Generated by Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 7 issues detected

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Medium	4

View findings

[
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/echo-types/echo-types",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "Issue in push-email-notify.yml",
    "type": "missing_timeout_minutes",
    "file": "push-email-notify.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Repository has 8 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/workflow_audit/missing_timeout_minutes -- Hypatia workflow_audit: missing_timeout_minutes -- 2 day(s) old",
    "type": "CSA001",
    "file": "push-email-notify.yml",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 25 day(s) old [STALE]",
    "type": "CSA001",
    "file": ".github/workflows/scorecard.yml",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code-scanning alert TokenPermissionsID (high) at .github/workflows/scorecard.yml is 25 days old (threshold: 7 days) -- overdue for remediation",
    "type": "CSA003",
    "file": ".github/workflows/scorecard.yml",
    "action": "escalate",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code-scanning alert hypatia/code_safety/agda_postulate dismissed as 'false positive' -- ensure dismissal is documented and justified",
    "type": "CSA004",
    "file": "proofs/agda/EchoImageFactorizationPropPostulated.agda",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence