docs(migrations): PMPL→MPL-2.0 sweep runbook + de-brittle SECURITY timeline check #440
Merged
Durable home for the delegation runbook produced during the licence cleanup: a complete, classified inventory of stray PMPL SPDX headers across the org (248+ matches, 9 repos), the per-file execution procedure, and the capabilities/access spec for a delegated agent.

Net actionable surface = 22 files across 4 repos (developer-ecosystem, email-octad-experiment, nextgen-databases → MPL-2.0/CC-BY-SA-4.0; idaptik → AGPL-3.0-or-later as a son-shared repo). The bulk of PMPL headers are legitimate (palimpsest carve-outs), must-not-touch (007 ARR), or vendored forks.

Phase-2 covers the 236 template-propagated body-text declarations; flags panll's CLAUDE.md/PMPL governance conflict for owner decision.

FLAG-AND-PLAN only — no licence change is performed by this doc; every edit it describes stays per-file and owner-approval-gated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn

Category-2's SECURITY.md check required the exact literal substring
"24 hours", failing repos that document the same SLA differently
("Response Timeline" heading, "48 hours", "business day", etc.).
Broaden to a basic-grep alternation covering the common phrasings,
mirroring #390's format/case de-brittling. Licence-content checks
untouched.
standards' own SECURITY.md (Response Timeline / 48 hours) now passes
where it previously failed — one of the 3 residual fails #390 flagged.
Regenerate REGISTRY.a2ml: rhodium-standard-repositories/ is a registered
spec home, so editing rsr-audit.sh changes its content-addressed hash.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn



Two related licence-/RSR-housekeeping changes, both owner-requested.
1. docs/migrations/pmpl-to-mpl-sweep-runbook.adoc (new)

A durable home for the estate-wide PMPL → MPL-2.0 sweep runbook — the delegation brief produced during this licence-cleanup pass, so a future (desktop / scope-expanded) agent can execute the actual flips correctly. Contents:

- SPDX-License-Identifier: PMPL-1.0[-or-later] headers across the org (248+ matches, 9 repos, deduplicated), mapped onto the estate's 5-way licence policy.
- developer-ecosystem, email-octad-experiment, nextgen-databases → MPL-2.0 (code) / CC-BY-SA-4.0 (prose); idaptik → AGPL-3.0-or-later (son-shared — explicitly not MPL).
- palimpsest-* carve-outs, 5 in 007 (ARR), ~60 in vendored rescript/ forks, plus licence-exhibit text.
- nextgen-databases resolved (its rescript/ dirs are estate-authored VeriSimDB/Lithoglyph clients, not the vendored compiler → in scope).
- License: PMPL declarations (fix at the scaffold source, not 236× by hand) + 25 banned MPL-2.0-or-later.
- panll's governance conflict (body-text PMPL + a CLAUDE.md that still mandates PMPL) for owner decision.

This doc is FLAG-AND-PLAN only — it performs no licence change. CC-BY-SA-4.0 from birth (prose), per the estate code/prose split.

2. rsr-audit.sh — de-brittle the SECURITY response-timeline check

Category-2's check required the exact literal substring "24 hours" in SECURITY.md, failing repos that document the same SLA differently (a "Response Timeline" heading, "48 hours", "business day", …). Broadened to a basic-grep alternation covering the common phrasings, mirroring the format/case de-brittling #390 already did elsewhere. Licence-content checks untouched.

standards' own SECURITY.md (Response Timeline / 48 hours) now passes where it previously failed — one of the 3 residual fails #390 flagged.

Registry regenerated (rhodium-standard-repositories/ is a registered spec home, so editing rsr-audit.sh changes its content-addressed source_hash).

Note: as on #430–#433, the pre-existing governance / Validate Hypatia Baseline red is repo-wide and token-degraded — not introduced by this diff.

🤖 Generated with Claude Code
https://claude.ai/code/session_019awZjBD1qx61tvmEuEKNpn
Generated by Claude Code
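
The SECURITY.md response-timeline check from item 2, sketched as an added example that is not the project's rsr-audit.sh: the literal "24 hours" test beside a broadened basic-grep alternation, run over constructed sample files. The function names, the pattern and the samples are assumptions; the phrasings are the ones the description lists.

```shell
#!/bin/sh
# Added example; not the project's rsr-audit.sh. Names and pattern are assumptions.

# Check as the PR describes it before the change: exact literal substring.
timeline_literal() {
    grep -qF '24 hours' "$1"
}

# Broadened check: case-insensitive basic-regex (BRE) alternation.
# '\|' in BRE is a GNU grep extension; 'grep -E' with '|' or repeated -e
# options is the portable spelling.
TIMELINE_BRE='response timeline\|[0-9][0-9]*[ -]*hour\|business day'
timeline_broad() {
    grep -qi -e "$TIMELINE_BRE" "$1"
}

# Constructed SECURITY.md samples, written to a scratch directory.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'We acknowledge reports within 24 hours.' > "$d/literal.md"
    printf '%s\n' '## Response Timeline' 'Initial response: 48 hours' > "$d/heading.md"
    printf '%s\n' 'Expect a reply within one business day.' > "$d/bizday.md"
    printf '%s\n' 'Report issues to security@example.invalid.' > "$d/none.md"
    # A phrase match is not an SLA: this negated statement still passes.
    printf '%s\n' 'We offer no guaranteed response timeline.' > "$d/negated.md"
    printf '%s\n' "$d"
}

# Print one row per sample: file, literal result, broadened result.
report() {
    for f in "$1"/*.md; do
        timeline_literal "$f" && old=PASS || old=FAIL
        timeline_broad "$f" && new=PASS || new=FAIL
        printf '%-12s literal=%s broad=%s\n' "${f##*/}" "$old" "$new"
    done
}

samples=$(make_samples)
report "$samples"
rm -rf "$samples"
```

The negated.md row shows the limit of any keyword check: it confirms that a timeline is mentioned, not that one is committed to.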