fix(rsr-audit): LICENSE checks expect MPL-2.0 (owner-approved follow-up to #390)#433
Merged
…olicy
The RSR audit's Category-2 (documentation) and Category-7 (licensing)
checks required every audited repo's LICENSE to contain "MIT" and
"Palimpsest" with `SPDX-License-Identifier: MIT AND Palimpsest`. That
contradicts the estate licence policy: sole-owner repos are MPL-2.0,
and the Palimpsest carve-out is reserved for exactly three repos
(palimpsest-license, palimpsest-plasma, consent-aware-http). Under the
old checks every correctly-MPL-2.0 repo failed two licensing criteria.
Change both audited-repo checks to expect MPL-2.0 ("Mozilla Public
License" + `SPDX-License-Identifier: MPL-2.0`) and to accept either
`LICENSE` or `LICENSE.txt`. The framework's own dual-licensed header
(`MPL-2.0 AND Palimpsest-0.8`, line 2) is unchanged — that is the RSR
toolkit's intentional licensing, not an audited target.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
`rhodium-standard-repositories/` is a registered spec home, so editing `rsr-audit.sh` changes its `git ls-files -s` blob SHA and therefore the registry's content-addressed `source_hash`. Regenerate REGISTRY.a2ml via `scripts/build-registry.sh` so the `registry-check` gate passes. Offline, deterministic, generator-produced — not hand-edited.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
hyperpolymath added a commit that referenced this pull request on Jun 27, 2026
…meline check (#440)

Two related licence-/RSR-housekeeping changes, both owner-requested.

## 1. `docs/migrations/pmpl-to-mpl-sweep-runbook.adoc` (new)

A durable home for the estate-wide **PMPL → MPL-2.0 sweep runbook** — the delegation brief produced during this licence-cleanup pass, so a future (desktop / scope-expanded) agent can execute the actual flips correctly. Contents:

- **Complete classified inventory** of stray `SPDX-License-Identifier: PMPL-1.0[-or-later]` headers across the org (248+ matches, 9 repos, deduplicated), mapped onto the estate's 5-way licence policy.
- **Net actionable surface = 22 files / 4 repos:** `developer-ecosystem`, `email-octad-experiment`, `nextgen-databases` → MPL-2.0 (code) / CC-BY-SA-4.0 (prose); **`idaptik` → AGPL-3.0-or-later** (son-shared — explicitly *not* MPL).
- **Bulk is legitimate or must-not-touch:** 200 files in the `palimpsest-*` carve-outs, 5 in `007` (ARR), ~60 in vendored `rescript/` forks, plus licence-exhibit text.
- **`nextgen-databases` resolved** (its `rescript/` dirs are estate-authored VeriSimDB/Lithoglyph *clients*, not the vendored compiler → in scope).
- **Phase-2 inventory:** 236 template-propagated body-text `License: PMPL` declarations (fix at the scaffold source, not 236× by hand) + 25 banned `MPL-2.0-or-later`.
- **Flags `panll`'s governance conflict** (body-text PMPL + a `CLAUDE.md` that still mandates PMPL) for owner decision.
- **Per-file discipline + capabilities/access spec** for the delegated agent.

This doc is **FLAG-AND-PLAN only** — it performs no licence change. CC-BY-SA-4.0 from birth (prose), per the estate code/prose split.

## 2. `rsr-audit.sh` — de-brittle the SECURITY response-timeline check

Category-2's check required the exact literal substring **"24 hours"** in `SECURITY.md`, failing repos that document the same SLA differently (a "Response Timeline" heading, "48 hours", "business day", …). Broadened to a basic-grep alternation covering the common phrasings, mirroring the format/case de-brittling #390 already did elsewhere. **Licence-content checks untouched.** `standards`' own `SECURITY.md` (Response Timeline / 48 hours) now passes where it previously failed — one of the 3 residual fails #390 flagged.

Registry regenerated (`rhodium-standard-repositories/` is a registered spec home, so editing `rsr-audit.sh` changes its content-addressed `source_hash`).

---

Note: as on #430–#433, the pre-existing `governance / Validate Hypatia Baseline` red is repo-wide and token-degraded — not introduced by this diff.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn

---

_Generated by [Claude Code](https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn)_

---------

Co-authored-by: Claude <noreply@anthropic.com>
## Summary

Discharges the licence-guardrail flag that #390 raised and explicitly left for the owner:

The owner has now approved the change (MPL-2.0 for code, CC-BY-SA-4.0 for prose docs, per estate policy). This PR makes only that one owner-gated edit.

## Change

`rsr-audit.sh` Category-2 (documentation) and Category-7 (licensing) checks previously required every audited repo's LICENSE to contain MIT + Palimpsest with `SPDX-License-Identifier: MIT AND Palimpsest`. Under the estate's five-way licence policy, sole-owner repos are MPL-2.0 and the Palimpsest carve-out is reserved for exactly three repos (`palimpsest-license`, `palimpsest-plasma`, `consent-aware-http`). So every correctly-MPL-2.0 repo was failing two licensing criteria.

Both checks now:

- expect `Mozilla Public License` + `SPDX-License-Identifier: MPL-2.0`;
- accept `LICENSE` or `LICENSE.txt` (matching #390's bare-`LICENSE` tolerance; #390: feat(rsr): standards RSR compliance pass — Bronze (58% → 86%)).

**Not touched (deliberate)**

- `# SPDX-License-Identifier: MPL-2.0 AND Palimpsest-0.8` (line 2) is the framework's intentional dual-licence — it is the auditing tool's licence, not an audited target. Unchanged.
- audit script's expectations, per the per-file / no-bulk-sweep mandate.

## Effect

Removes two false-negative licensing failures from the self-audit of every correctly-MPL-2.0 estate repo, nudging Bronze scores upward across the board without changing any audited repo's actual licence.
🤖 Generated with Claude Code
https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
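As an added illustration (not the estate's `rsr-audit.sh`, whose exact grep lines are not on this page), here is a stand-alone POSIX sh sketch of the two checks described above: the LICENSE check this PR changes to MPL-2.0 with `LICENSE`/`LICENSE.txt` tolerance, and the SECURITY.md response-timeline alternation from #440. The carve-out expectation (Palimpsest required for the three named repos), the timeline regex, and the fixture repo names and contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the estate's rsr-audit.sh: a stand-alone sketch of the
# LICENSE check this PR describes and the SECURITY.md timeline check from #440.
# Repo directories and file contents below are constructed fixtures.

# Carve-out repos named in the PR. Requiring "Palimpsest" in their LICENSE is
# an assumption; the PR only says the carve-out is reserved for these three.
PALIMPSEST_REPOS="palimpsest-license palimpsest-plasma consent-aware-http"

# check_license DIR REPO -> 0 if DIR/LICENSE or DIR/LICENSE.txt matches policy.
check_license() {
    dir=$1; repo=$2; f=""
    for cand in "$dir/LICENSE" "$dir/LICENSE.txt"; do
        [ -f "$cand" ] && { f=$cand; break; }
    done
    [ -n "$f" ] || return 1
    case " $PALIMPSEST_REPOS " in
        *" $repo "*) grep -q 'Palimpsest' "$f" ;;
        # Tag anchored to end of line so the banned MPL-2.0-or-later is rejected.
        *) grep -q 'Mozilla Public License' "$f" &&
           grep -qE 'SPDX-License-Identifier: MPL-2\.0[[:space:]]*$' "$f" ;;
    esac
}

# check_security_timeline FILE -> 0 if the file documents a response SLA.
# The alternation is an assumption covering the phrasings commit #440 names.
check_security_timeline() {
    [ -f "$1" ] && grep -qiE 'response timeline|[0-9]+ hours|business day' "$1"
}

# Constructed fixtures exercising both checks; removed again at the end.
WORK=$(mktemp -d)
mkdir -p "$WORK/mpl-repo" "$WORK/palimpsest-plasma" "$WORK/or-later-repo"
printf 'Mozilla Public License Version 2.0\nSPDX-License-Identifier: MPL-2.0\n' \
    > "$WORK/mpl-repo/LICENSE.txt"
printf '# SPDX-License-Identifier: MPL-2.0 AND Palimpsest-0.8\n' \
    > "$WORK/palimpsest-plasma/LICENSE"
printf 'Mozilla Public License Version 2.0\nSPDX-License-Identifier: MPL-2.0-or-later\n' \
    > "$WORK/or-later-repo/LICENSE"
printf '## Response Timeline\nReports are acknowledged within 48 hours.\n' \
    > "$WORK/mpl-repo/SECURITY.md"

for repo in mpl-repo palimpsest-plasma or-later-repo; do
    if check_license "$WORK/$repo" "$repo"; then echo "$repo: licence OK"
    else echo "$repo: licence FAIL"; fi
done
if check_security_timeline "$WORK/mpl-repo/SECURITY.md"; then echo "timeline OK"; fi
rm -rf "$WORK"
```

Running it reports `mpl-repo` and `palimpsest-plasma` as OK, rejects `or-later-repo` because of the banned `-or-later` suffix, and accepts the "Response Timeline / 48 hours" wording that the old literal "24 hours" check would have failed.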