Fix/licence drift

.github/workflows/codeql.yml

@@ -1,6 +1,5 @@
 # SPDX-License-Identifier: MPL-2.0
 name: CodeQL Security Analysis
-
 on:
   push:
     branches: [main, master]
@@ -16,10 +15,8 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 permissions:
   contents: read
-
 jobs:
   analyze:
     runs-on: ubuntu-latest
@@ -33,7 +30,6 @@ jobs:
         include:
           - language: actions
             build-mode: none
-
     steps:
       - name: Checkout
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
@@ -43,7 +39,6 @@ jobs:
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
-
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3
         with:

.github/workflows/governance.yml

@@ -16,20 +16,12 @@ on:
   push:
     branches: [main, master]
   pull_request:
+    branches: [main, master]
   workflow_dispatch:
 
-# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
-# updates do not pile up queued runs against the shared account-wide
-# Actions concurrency pool. Applied only to read-only check workflows
-# (no publish/mutation), so cancelling a superseded run is always safe.
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 permissions:
   contents: read
 
 jobs:
   governance:
-    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@861b5e911d9e5dcfb3c0ab3dd2a9a3c8fd0a1613
-    timeout-minutes: 10
+    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@5a93d9d57cc04de4002d6d0ecd336fc7a8698910

.github/workflows/hypatia-scan.yml

@@ -1,43 +1,18 @@
-# SPDX-License-Identifier: MPL-2.0
-# Hypatia Neurosymbolic CI/CD Security Scan
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: Hypatia Security Scan
 
 on:
   push:
-    branches: [ main, master, develop ]
+    branches: [main, master, develop]
   pull_request:
-    branches: [ main, master ]
+    branches: [main, master]
   schedule:
-    - cron: '0 0 * * 0'  # Weekly on Sunday
+    - cron: '0 0 * * 0'
   workflow_dispatch:
-# Estate guardrail: cancel superseded runs so re-pushes don't pile up
-# queued runs across the estate. Safe here because this workflow only
-# performs read-only checks/lint/test/scan with no publish or mutation.
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
 
 permissions:
   contents: read
-  # security-events: write serves two purposes (write implies read):
-  #   1. read — lets the built-in GITHUB_TOKEN query this repo's own
-  #      Dependabot alerts via the Hypatia DependabotAlerts rule
-  #      (DA001-DA004). Without read, `scan_from_path` gets HTTP 403
-  #      and the rule silently returns no findings.
-  #      See 007-lang/audits/audit-dependabot-automation-gap-2026-04-17.md.
-  #   2. write — lets the "Upload SARIF to code scanning" step publish
-  #      Hypatia findings to the Security → Code scanning page so they
-  #      are triaged/deduplicated like CodeQL alerts instead of living
-  #      only in a build artifact nobody is required to look at.
-  #      See hyperpolymath/burble#35 (SARIF integration).
-  # This is a single-job workflow, so job-level scoping would not
-  # narrow the grant further; it stays workflow-level and documented.
-  security-events: write
-  # pull-requests: write lets the advisory "Comment on PR with findings"
-  # step post its summary. Without it the built-in GITHUB_TOKEN gets
-  # "Resource not accessible by integration" and (absent continue-on-error)
-  # hard-fails the scan — exactly what the gate-decoupling design forbids.
-  pull-requests: write
+  security-events: read
 
 jobs:
   scan:

.github/workflows/mirror.yml

@@ -1,15 +1,12 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 # SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell
 name: Mirror to Git Forges
-
 on:
   push:
     branches: [main]
   workflow_dispatch:
-
 permissions:
   contents: read
-
 jobs:
   mirror-gitlab:
     runs-on: ubuntu-latest
@@ -24,13 +21,11 @@ jobs:
         if: ${{ secrets.GITLAB_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.GITLAB_SSH_KEY }}
-
       - name: Mirror to GitLab
         run: |
           ssh-keyscan -t ed25519 gitlab.com >> ~/.ssh/known_hosts
           git remote add gitlab git@gitlab.com:${{ vars.GITLAB_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true
           git push --force gitlab main
-
   mirror-bitbucket:
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -44,13 +39,11 @@ jobs:
         if: ${{ secrets.BITBUCKET_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.BITBUCKET_SSH_KEY }}
-
       - name: Mirror to Bitbucket
         run: |
           ssh-keyscan -t ed25519 bitbucket.org >> ~/.ssh/known_hosts
           git remote add bitbucket git@bitbucket.org:${{ vars.BITBUCKET_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true
           git push --force bitbucket main
-
   mirror-codeberg:
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -64,13 +57,11 @@ jobs:
         if: ${{ secrets.CODEBERG_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.CODEBERG_SSH_KEY }}
-
       - name: Mirror to Codeberg
         run: |
           ssh-keyscan -t ed25519 codeberg.org >> ~/.ssh/known_hosts
           git remote add codeberg git@codeberg.org:${{ vars.CODEBERG_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true
           git push --force codeberg main
-
   mirror-sourcehut:
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -84,13 +75,11 @@ jobs:
         if: ${{ secrets.SOURCEHUT_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.SOURCEHUT_SSH_KEY }}
-
       - name: Mirror to SourceHut
         run: |
           ssh-keyscan -t ed25519 git.sr.ht >> ~/.ssh/known_hosts
           git remote add sourcehut git@git.sr.ht:~${{ vars.SOURCEHUT_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }} || true
           git push --force sourcehut main
-
   mirror-disroot:
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -104,13 +93,11 @@ jobs:
         if: ${{ secrets.DISROOT_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.DISROOT_SSH_KEY }}
-
       - name: Mirror to Disroot
         run: |
           ssh-keyscan -t ed25519 git.disroot.org >> ~/.ssh/known_hosts
           git remote add disroot git@git.disroot.org:${{ vars.DISROOT_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true
           git push --force disroot main
-
   mirror-gitea:
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -124,13 +111,11 @@ jobs:
         if: ${{ secrets.GITEA_SSH_KEY != '' }}
         with:
           ssh-private-key: ${{ secrets.GITEA_SSH_KEY }}
-
       - name: Mirror to Gitea
         run: |
           ssh-keyscan -t ed25519 ${{ vars.GITEA_HOST }} >> ~/.ssh/known_hosts
           git remote add gitea git@${{ vars.GITEA_HOST }}:${{ vars.GITEA_ORG || vars.MIRROR_ORG || github.repository_owner }}/${{ github.event.repository.name }}.git || true
           git push --force gitea main
-
   mirror-radicle:
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -139,18 +124,15 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0
-
       - name: Setup Rust
         uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # stable
         with:
           toolchain: stable
-
       - name: Install Radicle
         run: |
           # Install via cargo (safer than curl|sh)
           cargo install radicle-cli --locked
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
-
       - name: Mirror to Radicle
         run: |
           echo "${{ secrets.RADICLE_KEY }}" > ~/.radicle/keys/radicle

.github/workflows/scorecard.yml

@@ -1,20 +1,13 @@
-# SPDX-License-Identifier: PMPL-1.0
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: OSSF Scorecard
+
 on:
   push:
     branches: [main, master]
   schedule:
     - cron: '0 4 * * *'
   workflow_dispatch:
 
-# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
-# updates do not pile up queued runs against the shared account-wide
-# Actions concurrency pool. Applied only to read-only check workflows
-# (no publish/mutation), so cancelling a superseded run is always safe.
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 permissions:
   contents: read
 

.github/workflows/secret-scanner.yml

@@ -1,32 +1,27 @@
 # SPDX-License-Identifier: PMPL-1.0
 # Prevention workflow - scans for hardcoded secrets before they reach main
 name: Secret Scanner
-
 on:
   pull_request:
   push:
     branches: [main]
-
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
 # Actions concurrency pool. Applied only to read-only check workflows
 # (no publish/mutation), so cancelling a superseded run is always safe.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 permissions:
   contents: read
-
 jobs:
   trufflehog:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4
         with:
-          fetch-depth: 0  # Full history for scanning
-
+          fetch-depth: 0 # Full history for scanning
       - name: TruffleHog Secret Scan
         uses: trufflesecurity/trufflehog@30d5bb91af1a771378349dbbb0c82129392acf70 # v3
         with: