Estate standardization 20260607

.devcontainer/README.adoc

@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 = Dev Container Usage
 :author: Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 

.github/CODE_OF_CONDUCT.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Code of Conduct
 
 <!-- 

.github/CONTRIBUTING.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Clone the repository
 git clone https://github.com/hyperpolymath/standards.git
 # Note: A2ML is located in standards/a2ml-validate-action.git
@@ -33,7 +37,7 @@ a2ml-validate-action/
 ├── .machine_readable/   # ALL machine-readable content (Perimeter 1)
 │   ├── *.a2ml           # State files (STATE, META, ECOSYSTEM, etc.)
 │   ├── bot_directives/  # Bot configs
-│   └── contractiles/    # Policy contracts (k9, dust, lust, must, trust)
+│   └── contractiles/    # Policy contracts (k9, dust, intend, must, trust)
 ├── .well-known/         # Protocol files (Perimeter 1-3)
 ├── .github/             # GitHub config (Perimeter 1)
 │   ├── ISSUE_TEMPLATE/

.github/DIRECTORY.adoc

@@ -1 +1,3 @@
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 = .github Pillar

.github/GOVERNANCE.md

@@ -1,5 +1,7 @@
-<!-- SPDX-License-Identifier: MPL-2.0 -->
-
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Project Governance
 
 This document describes the governance model for **a2ml-validate-action**.

.github/SECURITY.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Security Policy
 
 <!-- 

.github/copilot-instructions.md

@@ -1,4 +1,7 @@
-<!-- SPDX-License-Identifier: MPL-2.0 -->
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 <!-- Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk> -->
 <!-- Authoritative source: docs/AI-CONVENTIONS.md -->
 

.github/pull_request_template.md

@@ -1,4 +1,7 @@
-<!-- SPDX-License-Identifier: MPL-2.0 -->
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ## Summary
 
 <!-- Briefly describe what this PR does and why. Link to related issues with "Closes #N". -->

.github/workflows/boj-build.yml

@@ -7,6 +7,7 @@ on:
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

.github/workflows/casket-pages.yml

@@ -18,6 +18,7 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
@@ -109,6 +110,7 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: build
     steps:
       - name: Deploy to GitHub Pages

.github/workflows/codeql.yml

@@ -23,6 +23,7 @@ permissions:
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
       security-events: write

.github/workflows/dogfood-gate.yml

@@ -22,6 +22,7 @@ jobs:
   a2ml-validate:
     name: Validate A2ML manifests
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -66,6 +67,7 @@ jobs:
   k9-validate:
     name: Validate K9 contracts
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -115,6 +117,7 @@ jobs:
   empty-lint:
     name: Empty-linter (invisible characters)
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -179,6 +182,7 @@ jobs:
   groove-check:
     name: Groove manifest check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -237,6 +241,7 @@ jobs:
   eclexiaiser-validate:
     name: Validate eclexiaiser manifest
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -300,6 +305,7 @@ print(f'Valid: {project[\"name\"]} ({len(functions)} function(s))')
   dogfood-summary:
     name: Dogfooding compliance summary
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: [a2ml-validate, k9-validate, empty-lint, groove-check, eclexiaiser-validate]
     if: always()
 

.github/workflows/governance.yml

@@ -31,4 +31,5 @@ permissions:
 
 jobs:
   governance:
-    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
+    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@861b5e911d9e5dcfb3c0ab3dd2a9a3c8fd0a1613
+    timeout-minutes: 10

.github/workflows/hypatia-scan.yml

@@ -43,6 +43,7 @@ jobs:
   scan:
     name: Hypatia Neurosymbolic Analysis
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository

.github/workflows/instant-sync.yml

@@ -14,6 +14,7 @@ permissions:
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Trigger Propagation
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3

.github/workflows/mirror.yml

@@ -13,6 +13,7 @@ permissions:
 jobs:
   mirror-gitlab:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: vars.GITLAB_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -31,6 +32,7 @@ jobs:
 
   mirror-bitbucket:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: vars.BITBUCKET_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -49,6 +51,7 @@ jobs:
 
   mirror-codeberg:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: vars.CODEBERG_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -67,6 +70,7 @@ jobs:
 
   mirror-sourcehut:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: vars.SOURCEHUT_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -85,6 +89,7 @@ jobs:
 
   mirror-disroot:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: vars.DISROOT_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -103,6 +108,7 @@ jobs:
 
   mirror-gitea:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: vars.GITEA_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -121,6 +127,7 @@ jobs:
 
   mirror-radicle:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: vars.RADICLE_MIRROR_ENABLED == 'true'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/release.yml

@@ -18,6 +18,7 @@ jobs:
   build:
     name: Build Artifacts
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
     steps:
@@ -34,14 +35,15 @@ jobs:
           #   mix release
 
       # TODO: Upload build artifacts if needed
-      # - uses: actions/upload-artifact@v4
+      # - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       #   with:
       #     name: release-artifacts
       #     path: target/release/
 
   changelog:
     name: Generate Changelog
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
     outputs:
@@ -88,13 +90,14 @@ jobs:
     name: Create GitHub Release
     needs: [build, changelog]
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # TODO: Download build artifacts if uploading to the release
-      # - uses: actions/download-artifact@v4
+      # - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       #   with:
       #     name: release-artifacts
       #     path: artifacts/

.github/workflows/rhodibot.yml

@@ -27,6 +27,7 @@ permissions:
 jobs:
   rhodibot:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

.github/workflows/scorecard-enforcer.yml

@@ -23,6 +23,7 @@ permissions:
 jobs:
   scorecard:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       security-events: write
       id-token: write  # For OIDC
@@ -61,6 +62,7 @@ jobs:
   # Check specific high-priority items
   check-critical:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 

.github/workflows/scorecard.yml

@@ -21,6 +21,7 @@ permissions:
 jobs:
   analysis:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       security-events: write
       id-token: write

.github/workflows/secret-scanner.yml

@@ -21,6 +21,7 @@ permissions:
 jobs:
   trufflehog:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
@@ -35,6 +36,7 @@ jobs:
 
   gitleaks:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
@@ -48,6 +50,7 @@ jobs:
   # Rust-specific: Check for hardcoded crypto values
   rust-secrets:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
 

.github/workflows/static-analysis-gate.yml

@@ -19,6 +19,7 @@ jobs:
   panic-attack-assail:
     name: panic-attack assail
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -123,6 +124,7 @@ jobs:
   hypatia-scan:
     name: Hypatia neurosymbolic scan
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -235,6 +237,7 @@ jobs:
   deposit-findings:
     name: Deposit findings for gitbot-fleet
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: [panic-attack-assail, hypatia-scan]
     if: always()
 

.machine_readable/6a2/0-AI-MANIFEST.a2ml

@@ -0,0 +1,31 @@
+# AI Manifest for 6a2 Directory
+
+## Purpose
+
+This manifest declares the AI-assistant context for the 6a2 machine-readable metadata directory.
+
+## Canonical Locations
+
+The 6 core A2ML files MUST exist in this directory:
+1. AGENTIC.a2ml
+2. ECOSYSTEM.a2ml
+3. META.a2ml
+4. NEUROSYM.a2ml
+5. PLAYBOOK.a2ml
+6. STATE.a2ml
+
+## Invariants
+
+- No duplicate files in root directory
+- Single source of truth: this directory is authoritative
+- No stale metadata
+
+## Protocol
+
+When multiple agents may write to A2ML files concurrently:
+1. Read file and record git-sha-at-read in [provenance] section
+2. Lock by creating .lock-<FILENAME>
+3. Write updated file with new [provenance] metadata
+4. Release by removing lock file
+5. On conflict: re-read and retry if git-sha-at-read does not match HEAD
+