docs(migrations): PMPL→MPL-2.0 sweep runbook + de-brittle SECURITY timeline check #440

Merged
hyperpolymath merged 2 commits into main from claude/hopeful-babbage-pn0l4o
Jun 27, 2026

@hyperpolymath

Owner

Two related licence-/RSR-housekeeping changes, both owner-requested.

1. docs/migrations/pmpl-to-mpl-sweep-runbook.adoc (new)

A durable home for the estate-wide PMPL → MPL-2.0 sweep runbook — the delegation brief produced during this licence-cleanup pass, so a future (desktop / scope-expanded) agent can execute the actual flips correctly. Contents:

  • Complete classified inventory of stray SPDX-License-Identifier: PMPL-1.0[-or-later] headers across the org (248+ matches, 9 repos, deduplicated), mapped onto the estate's 5-way licence policy.
  • Net actionable surface = 22 files / 4 repos: developer-ecosystem, email-octad-experiment, nextgen-databases → MPL-2.0 (code) / CC-BY-SA-4.0 (prose); idaptik → AGPL-3.0-or-later (son-shared — explicitly not MPL).
  • Bulk is legitimate or must-not-touch: 200 files in the palimpsest-* carve-outs, 5 in 007 (ARR), ~60 in vendored rescript/ forks, plus licence-exhibit text.
  • nextgen-databases resolved (its rescript/ dirs are estate-authored VeriSimDB/Lithoglyph clients, not the vendored compiler → in scope).
  • Phase-2 inventory: 236 template-propagated body-text License: PMPL declarations (fix at the scaffold source, not 236× by hand) + 25 banned MPL-2.0-or-later.
  • Flags panll's governance conflict (body-text PMPL + a CLAUDE.md that still mandates PMPL) for owner decision.
  • Per-file discipline + capabilities/access spec for the delegated agent.

This doc is FLAG-AND-PLAN only — it performs no licence change. CC-BY-SA-4.0 from birth (prose), per the estate code/prose split.

2. rsr-audit.sh — de-brittle the SECURITY response-timeline check

Category-2's check required the exact literal substring "24 hours" in SECURITY.md, failing repos that document the same SLA differently (a "Response Timeline" heading, "48 hours", "business day", …). Broadened to a basic-grep alternation covering the common phrasings, mirroring the format/case de-brittling #390 already did elsewhere. Licence-content checks untouched.

standards' own SECURITY.md (Response Timeline / 48 hours) now passes where it previously failed — one of the 3 residual fails #390 flagged.

Registry regenerated (rhodium-standard-repositories/ is a registered spec home, so editing rsr-audit.sh changes its content-addressed source_hash).


Note: as on #430, #433, the pre-existing governance / Validate Hypatia Baseline red is repo-wide and token-degraded — not introduced by this diff.

🤖 Generated with Claude Code

https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn


Generated by Claude Code

claude added 2 commits June 27, 2026 18:23
Durable home for the delegation runbook produced during the licence
cleanup: a complete, classified inventory of stray PMPL SPDX headers
across the org (248+ matches, 9 repos), the per-file execution
procedure, and the capabilities/access spec for a delegated agent.

Net actionable surface = 22 files across 4 repos (developer-ecosystem,
email-octad-experiment, nextgen-databases → MPL-2.0/CC-BY-SA-4.0;
idaptik → AGPL-3.0-or-later as a son-shared repo). The bulk of PMPL
headers are legitimate (palimpsest carve-outs), must-not-touch (007
ARR), or vendored forks. Phase-2 covers the 236 template-propagated
body-text declarations; flags panll's CLAUDE.md/PMPL governance
conflict for owner decision.

FLAG-AND-PLAN only — no licence change is performed by this doc; every
edit it describes stays per-file and owner-approval-gated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn

Category-2's SECURITY.md check required the exact literal substring
"24 hours", failing repos that document the same SLA differently
("Response Timeline" heading, "48 hours", "business day", etc.).
Broaden to a basic-grep alternation covering the common phrasings,
mirroring #390's format/case de-brittling. Licence-content checks
untouched.

standards' own SECURITY.md (Response Timeline / 48 hours) now passes
where it previously failed — one of the 3 residual fails #390 flagged.

Regenerate REGISTRY.a2ml: rhodium-standard-repositories/ is a registered
spec home, so editing rsr-audit.sh changes its content-addressed hash.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
@hyperpolymath hyperpolymath marked this pull request as ready for review June 27, 2026 18:27
@hyperpolymath hyperpolymath merged commit bf32531 into main Jun 27, 2026
18 of 19 checks passed
@hyperpolymath hyperpolymath deleted the claude/hopeful-babbage-pn0l4o branch June 27, 2026 18:27
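
The de-brittling described in item 2 of the PR description, as an added example that is not the project's rsr-audit.sh. The function names, the phrase list, the case-insensitive flag and the sample SECURITY.md files are assumptions constructed here; multiple `-e` patterns are used as the portable equivalent of a basic-grep alternation.

```shell
#!/bin/sh
# Added example (not rsr-audit.sh): literal vs. broadened SECURITY.md
# response-timeline check, run over constructed sample files.

# Brittle form the PR describes: pass only on the literal "24 hours".
check_timeline_literal() {
    grep -q '24 hours' "$1"
}

# Broadened form: accept the phrasings the PR names. The -i flag and
# the exact phrase list are assumptions for this example.
check_timeline_broad() {
    grep -qi \
        -e 'response timeline' \
        -e '24 hours' \
        -e '48 hours' \
        -e 'business day' \
        "$1"
}

# Print how many *.md files in a directory fail the given check.
count_failures() {   # $1 = check function name, $2 = directory
    fails=0
    for f in "$2"/*.md; do
        "$1" "$f" || fails=$((fails + 1))
    done
    echo "$fails"
}

# Constructed SECURITY.md samples: three document an SLA in different
# words, the fourth documents none and must keep failing.
make_samples() {     # $1 = directory
    printf '# Security\nWe acknowledge reports within 24 hours.\n' > "$1/a.md"
    printf '# Security\n## Response Timeline\nFirst reply: 48 hours.\n' > "$1/b.md"
    printf '# Security\nExpect a reply within one business day.\n' > "$1/c.md"
    printf '# Security\nEmail security@example.invalid.\n' > "$1/d.md"
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
echo "literal check failures: $(count_failures check_timeline_literal "$SAMPLES")"
echo "broad check failures:   $(count_failures check_timeline_broad "$SAMPLES")"
```

The broadened check confirms only that timeline wording is present, not that the stated SLA is adequate, so a file with no timeline at all (`d.md`) still fails.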