From 7ac56bf962218289289ec9d4411cc52669780eb4 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 27 Jun 2026 04:45:14 +0000 Subject: [PATCH 1/2] fix(rsr-audit): LICENSE checks expect MPL-2.0 per estate sole-owner policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The RSR audit's Category-2 (documentation) and Category-7 (licensing) checks required every audited repo's LICENSE to contain "MIT" and "Palimpsest" with `SPDX-License-Identifier: MIT AND Palimpsest`. That contradicts the estate licence policy: sole-owner repos are MPL-2.0, and the Palimpsest carve-out is reserved for exactly three repos (palimpsest-license, palimpsest-plasma, consent-aware-http). Under the old checks every correctly-MPL-2.0 repo failed two licensing criteria. Change both audited-repo checks to expect MPL-2.0 ("Mozilla Public License" + `SPDX-License-Identifier: MPL-2.0`) and to accept either `LICENSE` or `LICENSE.txt`. The framework's own dual-licensed header (`MPL-2.0 AND Palimpsest-0.8`, line 2) is unchanged — that is the RSR toolkit's intentional licensing, not an audited target. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
---
 rhodium-standard-repositories/rsr-audit.sh | 28 ++++++++++++----------
 1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/rhodium-standard-repositories/rsr-audit.sh b/rhodium-standard-repositories/rsr-audit.sh
index 91e124be..ac231041 100755
--- a/rhodium-standard-repositories/rsr-audit.sh
+++ b/rhodium-standard-repositories/rsr-audit.sh
@@ -226,11 +226,14 @@ audit_category_2_documentation() {
 check_file_exists "MAINTAINERS.md" "MAINTAINERS.md present"
 check_file_exists "CHANGELOG.md" "CHANGELOG.md present"
- # LICENSE.txt validation
- if [[ -f "$REPO_PATH/LICENSE.txt" ]]; then
- check_file_contains "LICENSE.txt" "SPDX-License-Identifier" "LICENSE.txt has SPDX identifier"
- check_file_contains "LICENSE.txt" "MIT" "LICENSE.txt includes MIT license"
- check_file_contains "LICENSE.txt" "Palimpsest" "LICENSE.txt includes Palimpsest license"
+ # LICENSE validation — estate policy: sole-owner repos are MPL-2.0
+ # (accept `LICENSE` or `LICENSE.txt`).
+ local _license=""
+ [[ -f "$REPO_PATH/LICENSE.txt" ]] && _license="LICENSE.txt"
+ [[ -z "$_license" && -f "$REPO_PATH/LICENSE" ]] && _license="LICENSE"
+ if [[ -n "$_license" ]]; then
+ check_file_contains "$_license" "SPDX-License-Identifier" "LICENSE has SPDX identifier"
+ check_file_contains "$_license" "Mozilla Public License" "LICENSE is MPL-2.0 (estate sole-owner policy)"
 fi
 # README validation
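Review bot: The LICENSE.txt-then-LICENSE lookup added here in audit_category_2_documentation is repeated verbatim in audit_category_7_licensing (second hunk), so the two categories can drift apart the next time the licence policy changes; a single helper, sketched below, would give the audit one definition of which file is inspected. When both `LICENSE.txt` and `LICENSE` exist only `LICENSE.txt` is read, so a second licence file with different terms passes unexamined, which deserves at least a comment next to the lookup. The Category-2 SPDX check still matches the bare tag `SPDX-License-Identifier` and therefore passes for any licence value; presumably the value is left to Category 7, but the result message does not say so. Both function bodies continue outside the hunks.

```shell
# Print the audited repo's licence file name: LICENSE.txt if present,
# else LICENSE; prints nothing when neither exists.
find_license_file() {
    local candidate
    for candidate in "LICENSE.txt" "LICENSE"; do
        if [[ -f "$REPO_PATH/$candidate" ]]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

    # … in audit_category_2_documentation and audit_category_7_licensing …
    local _license
    _license="$(find_license_file)"
    # … unchanged: if [[ -n "$_license" ]] block with the check_file_contains calls …
```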
@@ -458,14 +461,13 @@ audit_category_7_licensing() {
 # License clarity
 check_file_exists "LICENSE.txt" "LICENSE.txt present (plain text, not LICENSE.md)"
- if [[ -f "$REPO_PATH/LICENSE.txt" ]]; then
- check_file_contains "LICENSE.txt" "MIT" "MIT license included"
- check_file_contains "LICENSE.txt" "Palimpsest" "Palimpsest license included (ethical AI)"
- fi
-
- # SPDX identifier in LICENSE.txt
- if [[ -f "$REPO_PATH/LICENSE.txt" ]]; then
- check_file_contains "LICENSE.txt" "SPDX-License-Identifier: MIT AND Palimpsest" "Correct SPDX identifier in LICENSE.txt"
+ # estate policy: sole-owner repos are MPL-2.0 (accept LICENSE or LICENSE.txt)
+ local _license=""
+ [[ -f "$REPO_PATH/LICENSE.txt" ]] && _license="LICENSE.txt"
+ [[ -z "$_license" && -f "$REPO_PATH/LICENSE" ]] && _license="LICENSE"
+ if [[ -n "$_license" ]]; then
+ check_file_contains "$_license" "Mozilla Public License" "LICENSE is MPL-2.0"
+ check_file_contains "$_license" "SPDX-License-Identifier: MPL-2.0" "Correct SPDX identifier in LICENSE (MPL-2.0)"
 fi
 # FUNDING.yml for funding transparency
From f93322407e822c02393d943950358ce6dba320f8 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 27 Jun 2026 04:49:15 +0000 Subject: [PATCH 2/2] chore(registry): regenerate after rsr-audit.sh change MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `rhodium-standard-repositories/` is a registered spec home, so editing `rsr-audit.sh` changes its `git ls-files -s` blob SHA and therefore the registry's content-addressed `source_hash`. Regenerate REGISTRY.a2ml via `scripts/build-registry.sh` so the `registry-check` gate passes. Offline, deterministic, generator-produced — not hand-edited. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
---
 .machine_readable/REGISTRY.a2ml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
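Review bot: The context line `check_file_exists "LICENSE.txt" "LICENSE.txt present (plain text, not LICENSE.md)"` stays in place above the new lookup in audit_category_7_licensing, so a repo that ships only `LICENSE` still fails that criterion even though the content checks below it now accept the file. Moving the existence check after the lookup and pointing it at the resolved name would match the stated intent, for example `check_file_exists "${_license:-LICENSE.txt}" "LICENSE or LICENSE.txt present (plain text)"`. Assuming check_file_contains does a substring or grep match (its body is not in this diff), the pattern `SPDX-License-Identifier: MPL-2.0` also passes for longer expressions such as `MPL-2.0 AND Palimpsest-0.8`, so this gate does not by itself enforce the three-repo carve-out described in the commit message; matching the identifier up to the end of the line would. The function body continues outside the hunk.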
diff --git a/.machine_readable/REGISTRY.a2ml b/.machine_readable/REGISTRY.a2ml index 68e3c9fa..b9f84045 100644 --- a/.machine_readable/REGISTRY.a2ml +++ b/.machine_readable/REGISTRY.a2ml @@ -216,7 +216,7 @@ name = "RSR — Rhodium Standard Repositories" stream = "governance" home = "rhodium-standard-repositories/" canonical_doc = "rhodium-standard-repositories/README.adoc" -source_hash = "sha256:830dca99ac78da5834a0f796da50bc4e3a1874782206347141530f6db49e3b97" +source_hash = "sha256:2d4e465bee215808306f28053a84d2f146a7fb7f6e6e3780e5d6f4c1d18c7404" route = "the repository-compliance standard every repo is graded against" [[spec]]