
fix(rsr-audit): LICENSE checks expect MPL-2.0 (owner-approved follow-up to #390)#433

Merged
hyperpolymath merged 2 commits into
mainfrom
claude/hopeful-babbage-pn0l4o
Jun 27, 2026

Conversation

@hyperpolymath

Owner

Summary

Discharges the licence-guardrail flag that #390 raised and explicitly
left for the owner:

🔒 Flagged for owner (NOT changed — licence guardrail): rsr-audit.sh
hardcodes MIT AND Palimpsest as the required LICENSE content, which
contradicts the estate's MPL-2.0-for-sole-owner policy. Updating what
licence the standard mandates is an owner decision — left as-is.

The owner has now approved the change (MPL-2.0 for code, CC-BY-SA-4.0 for
prose docs, per estate policy). This PR makes only that one owner-gated
edit.

Change

rsr-audit.sh Category-2 (documentation) and Category-7 (licensing)
checks previously required every audited repo's LICENSE to contain
MIT + Palimpsest with SPDX-License-Identifier: MIT AND Palimpsest.
Under the estate's five-way licence policy, sole-owner repos are
MPL-2.0 and the Palimpsest carve-out is reserved for exactly three
repos (palimpsest-license, palimpsest-plasma, consent-aware-http).
So every correctly-MPL-2.0 repo was failing two licensing criteria.

Both checks now:

Not touched (deliberate)

  • The RSR toolkit's own header # SPDX-License-Identifier: MPL-2.0 AND Palimpsest-0.8 (line 2) is the framework's intentional dual-licence —
    it is the auditing tool's licence, not an audited target. Unchanged.
  • No SPDX header was swept anywhere; this is a single logic edit to the
    audit script's expectations, per the per-file / no-bulk-sweep mandate.

Effect

Removes two false-negative licensing failures from the self-audit of every
correctly-MPL-2.0 estate repo, nudging Bronze scores upward across the
board without changing any audited repo's actual licence.

🤖 Generated with Claude Code

https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn


claude added 2 commits June 27, 2026 04:45
…olicy

The RSR audit's Category-2 (documentation) and Category-7 (licensing)
checks required every audited repo's LICENSE to contain "MIT" and
"Palimpsest" with `SPDX-License-Identifier: MIT AND Palimpsest`. That
contradicts the estate licence policy: sole-owner repos are MPL-2.0,
and the Palimpsest carve-out is reserved for exactly three repos
(palimpsest-license, palimpsest-plasma, consent-aware-http). Under the
old checks every correctly-MPL-2.0 repo failed two licensing criteria.

Change both audited-repo checks to expect MPL-2.0 ("Mozilla Public
License" + `SPDX-License-Identifier: MPL-2.0`) and to accept either
`LICENSE` or `LICENSE.txt`. The framework's own dual-licensed header
(`MPL-2.0 AND Palimpsest-0.8`, line 2) is unchanged — that is the RSR
toolkit's intentional licensing, not an audited target.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
`rhodium-standard-repositories/` is a registered spec home, so editing
`rsr-audit.sh` changes its `git ls-files -s` blob SHA and therefore the
registry's content-addressed `source_hash`. Regenerate REGISTRY.a2ml via
`scripts/build-registry.sh` so the `registry-check` gate passes. Offline,
deterministic, generator-produced — not hand-edited.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
@hyperpolymath hyperpolymath marked this pull request as ready for review June 27, 2026 09:21
@hyperpolymath hyperpolymath merged commit 583a934 into main Jun 27, 2026
18 of 19 checks passed
@hyperpolymath hyperpolymath deleted the claude/hopeful-babbage-pn0l4o branch June 27, 2026 09:21

hyperpolymath added a commit that referenced this pull request Jun 27, 2026
…meline check (#440)

Two related licence-/RSR-housekeeping changes, both owner-requested.

## 1. `docs/migrations/pmpl-to-mpl-sweep-runbook.adoc` (new)

A durable home for the estate-wide **PMPL → MPL-2.0 sweep runbook** —
the delegation brief produced during this licence-cleanup pass, so a
future (desktop / scope-expanded) agent can execute the actual flips
correctly. Contents:

- **Complete classified inventory** of stray `SPDX-License-Identifier:
PMPL-1.0[-or-later]` headers across the org (248+ matches, 9 repos,
deduplicated), mapped onto the estate's 5-way licence policy.
- **Net actionable surface = 22 files / 4 repos:**
`developer-ecosystem`, `email-octad-experiment`, `nextgen-databases` →
MPL-2.0 (code) / CC-BY-SA-4.0 (prose); **`idaptik` → AGPL-3.0-or-later**
(son-shared — explicitly *not* MPL).
- **Bulk is legitimate or must-not-touch:** 200 files in the
`palimpsest-*` carve-outs, 5 in `007` (ARR), ~60 in vendored `rescript/`
forks, plus licence-exhibit text.
- **`nextgen-databases` resolved** (its `rescript/` dirs are
estate-authored VeriSimDB/Lithoglyph *clients*, not the vendored
compiler → in scope).
- **Phase-2 inventory:** 236 template-propagated body-text `License:
PMPL` declarations (fix at the scaffold source, not 236× by hand) + 25
banned `MPL-2.0-or-later`.
- **Flags `panll`'s governance conflict** (body-text PMPL + a
`CLAUDE.md` that still mandates PMPL) for owner decision.
- **Per-file discipline + capabilities/access spec** for the delegated
agent.

This doc is **FLAG-AND-PLAN only** — it performs no licence change.
CC-BY-SA-4.0 from birth (prose), per the estate code/prose split.

## 2. `rsr-audit.sh` — de-brittle the SECURITY response-timeline check

Category-2's check required the exact literal substring **"24 hours"**
in `SECURITY.md`, failing repos that document the same SLA differently
(a "Response Timeline" heading, "48 hours", "business day", …).
Broadened to a basic-grep alternation covering the common phrasings,
mirroring the format/case de-brittling #390 already did elsewhere.
**Licence-content checks untouched.**

`standards`' own `SECURITY.md` (Response Timeline / 48 hours) now passes
where it previously failed — one of the 3 residual fails #390 flagged.

Registry regenerated (`rhodium-standard-repositories/` is a registered
spec home, so editing `rsr-audit.sh` changes its content-addressed
`source_hash`).

---

Note: as on #430#433, the pre-existing `governance / Validate Hypatia
Baseline` red is repo-wide and token-degraded — not introduced by this
diff.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn

---
_Generated by [Claude
Code](https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn)_

---------

Co-authored-by: Claude <noreply@anthropic.com>
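The two audit-check changes described on this page (the LICENSE expectation moved from `MIT AND Palimpsest` to MPL-2.0 with `LICENSE` or `LICENSE.txt` accepted, and the SECURITY.md "24 hours" literal broadened to an alternation) are shown below as an added shell illustration. This is not the RSR toolkit's `rsr-audit.sh`; the function names, the exact regexes, and the fixture repos are assumptions written for this example. One detail worth carrying into a real check: #440's runbook lists `MPL-2.0-or-later` as banned, so the SPDX line is anchored to end of line rather than substring-matched, which a plain `grep MPL-2.0` would not do.

```shell
#!/bin/sh
# Added example, not the RSR toolkit's code. Function names, regexes and
# fixture contents are assumptions made for this illustration.

# Pass (exit 0) when the repo at $1 carries an MPL-2.0 LICENSE or LICENSE.txt:
# the licence title "Mozilla Public License" must be present, and the SPDX line
# must be exactly MPL-2.0. The end-of-line anchor rejects "MPL-2.0-or-later",
# which a substring match for MPL-2.0 would silently accept.
rsr_check_license_mpl2() {
  repo=$1
  f=
  for cand in "$repo/LICENSE" "$repo/LICENSE.txt"; do
    if [ -f "$cand" ]; then f=$cand; break; fi
  done
  [ -n "$f" ] || return 1
  grep -q 'Mozilla Public License' "$f" || return 1
  grep -Eq '^(# *)?SPDX-License-Identifier: MPL-2\.0[[:space:]]*$' "$f" || return 1
  return 0
}

# Pass when SECURITY.md documents a response timeline in any common phrasing
# (heading, "N hours", "business day"), instead of requiring the literal
# "24 hours". Case-insensitive so "Response Timeline" and "response timeline"
# both count.
rsr_check_security_timeline() {
  f="$1/SECURITY.md"
  [ -f "$f" ] || return 1
  grep -Eiq 'response timeline|[0-9]+ hours|business day' "$f"
}

# Constructed fixture repo (sample data, not any real estate repo).
# $1 = dir, $2 = LICENSE filename, $3 = SPDX expression, $4 = SECURITY.md body.
make_fixture() {
  mkdir -p "$1"
  {
    printf 'SPDX-License-Identifier: %s\n' "$3"
    case $3 in
      MPL-2.0*) printf 'Mozilla Public License Version 2.0\n' ;;
      *)        printf 'MIT License\n' ;;
    esac
  } > "$1/$2"
  printf '%s\n' "$4" > "$1/SECURITY.md"
}

# Demo run over four constructed repos: two correct MPL-2.0 repos (one using
# LICENSE.txt), one with the banned -or-later suffix, one still on the old
# MIT AND Palimpsest expectation.
tmp=$(mktemp -d)
make_fixture "$tmp/good"    LICENSE     'MPL-2.0'            'We acknowledge reports within 48 hours.'
make_fixture "$tmp/txt"     LICENSE.txt 'MPL-2.0'            'Response Timeline: one business day.'
make_fixture "$tmp/orlater" LICENSE     'MPL-2.0-or-later'   'No timeline given.'
make_fixture "$tmp/mit"     LICENSE     'MIT AND Palimpsest' 'We respond within 24 hours.'
for r in good txt orlater mit; do
  if rsr_check_license_mpl2 "$tmp/$r"; then l=PASS; else l=FAIL; fi
  if rsr_check_security_timeline "$tmp/$r"; then s=PASS; else s=FAIL; fi
  printf '%-8s licence=%s timeline=%s\n' "$r" "$l" "$s"
done
rm -rf "$tmp"
```

Run it directly to see the four verdicts; `good` and `txt` pass both checks, `orlater` fails the licence check on the SPDX line alone, and `mit` fails the licence check but passes the broadened timeline check.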