License normalisation: docs → CC-BY-SA-4.0; remove residual PMPL#234
Merged
🏁 path-claims bench
Commit | Numbers
Host-dependent — compare deltas across commits, not absolute values.
Hypatia found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
🔍 Hypatia Security Scan
Findings: 214 issues detected
[
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "missing_timeout_minutes",
"file": "scorecard-enforcer.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in codeql.yml",
"type": "codeql_missing_actions_language",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Code stays MPL-2.0; prose documentation becomes CC-BY-SA-4.0.

- 598 estate-authored docs relicensed via a per-file SPDX-header change (518 .adoc + 80 .md, including AI-agent instruction files). Only the SPDX-License-Identifier header line is changed.
- Delete stale GEMINI.md (Hypatia root_hygiene flag).

Excluded / unchanged: all source code; the third-party Contributor-Covenant CODE_OF_CONDUCT.md (x2); the LICENSES/ texts; the pmpl-mcp cartridge. Code-describing SPDX *examples* inside docs (zig/nickel snippets, the "every source file" convention, the OSI-approved cartridge requirement, the RSR project-license section) were kept as MPL-2.0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XrPAh7eBSUcVKauTVdXH9Y
boj-server is MPL-2.0 (code) / CC-BY-SA-4.0 (docs). Removes Palimpsest-MPL residue that still declared or enforced PMPL on this repository.

Deleted: LICENSES/PMPL-1.0-or-later.txt, LICENSES/EXHIBIT-A-ETHICAL-USE.txt, LICENSES/EXHIBIT-B-QUANTUM-SAFE.txt, coord-tui/LICENSE-PMPL-1.0-or-later.txt.

Edited (the last four were residue found beyond the original flag — surfaced here for review):

- NOTICE: drop the "voluntarily adopts PMPL" paragraph; state the two-licence scheme.
- docs/index.html: PMPL-2.0-or-later SPDX header / badge / footer -> MPL-2.0 + CC-BY-SA-4.0.
- .well-known/humans.txt + ai.txt: drop "(Palimpsest MPL)" / "per PMPL Section 3".
- Mustfile: invariants + the LICENSE grep-check no longer require "Palimpsest-MPL 1.0" (that check was already failing against the MPL-2.0 LICENSE).
- Intentfile: AI-agent invariant now references MPL-2.0.
- docs/RSR_OUTLINE.adoc: PMPL badges -> MPL-2.0 badge; drop deleted EXHIBIT entries from the tree.
- docs/outreach/show-hn-post.md: "PMPL-licensed (MPL-2.0 fallback)" -> "MPL-2.0-licensed".

Kept (legitimate, not a licence declaration): the pmpl-mcp cartridge (a product *about* the licence), catalog.json data, README catalogue entry, topical federation/provenance references, and the consent-aware-http prospective-PMPL note (correct per estate policy).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XrPAh7eBSUcVKauTVdXH9Y
e2bfd68 to 92b60ff
hyperpolymath added a commit that referenced this pull request Jun 24, 2026

Follow-up to #234, per your refined scope ("revert agent-meta + scrub philosophical mentions"). Docs-only, surgical. Draft for review.

## 1. Agent-instruction files back to MPL-2.0

#234 relicensed these to CC-BY-SA-4.0; you've since decided agent-instruction files should **not** count as relicensable docs. Reverted (SPDX header only):

- `.claude/CLAUDE.md`, `.claude/PROJECT.md`, `.github/copilot-instructions.md`

## 2. Scrub residual PMPL-as-licence-philosophy

- **`docs/FEDERATION.adoc`** — removed the sentence *"The PMPL license encodes this same principle legally…"*; reworded the provenance bullet (`PMPL provenance` → `Cryptographic provenance`).
- **`docs/architecture/README.adoc`** — reworded the provenance bullet to drop the *"the license's … requirements ARE the attestation"* framing.
- **`docs/status/ROADMAP.adoc`** & **`docs/outreach/show-hn-draft.md`** — clarified these reference the **`pmpl-mcp` cartridge** (a real product feature), not boj-server adopting PMPL.

## Kept on purpose (not residue)

- The `consent-aware-http` *"PMPL applies prospectively"* note in `docs/planning/…` — **correct estate policy** (it's one of the three genuine PMPL repos).
- The `pmpl-mcp` cartridge, `catalog.json`, README catalogue entry, and machine-readable provenance format/protocol fields (subject matter about the product).

## Left untouched (flagging for your call)

- A conceptual PMPL comment in **`src/abi/Boj/Federation.idr`** — that's **code**, out of scope for this docs pass. Say the word for a separate code-comment sweep.
- The k9 example fixture `setup-repo.k9.ncl` ("Add PMPL-1.0 license" sample step) — a framework example, not a boj-server declaration.

No code files and no `flake.lock` touched (verified); 7 doc/meta files changed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

_Generated by [Claude Code](https://claude.ai/code/session_01XrPAh7eBSUcVKauTVdXH9Y)_

Co-authored-by: Claude <noreply@anthropic.com>
hyperpolymath added a commit that referenced this pull request Jun 24, 2026

…reen) (#237)

Fixes the pre-existing Idris2 failure surfaced on #234/#236 (not caused by either — they just triggered the path-gated Idris2 job by touching a `.idr`).

## Root cause

`allTake` was defined **twice** in `src/abi/Boj/SafetyLemmas.idr`:

- lines ~122–130 — `{p} -> {n} -> {xs} -> allRec p xs = True -> allRec p (take n xs) = True`
- lines ~213–221 — same lemma, implicit args in a different order (`{p} -> {xs} -> {n}`)

→ `Error: Boj.SafetyLemmas.allTake is already defined` → the **core ABI package `boj.ipkg` failed** type-check (`PASS=104 FAIL=1`). It was masked normally because the Idris2 job is path-gated and skips unless a `.idr` changes.

## Fix

Kept the **first** definition — a complete, **total** proof (no `postulate`, no `believe_me`) — and removed the redundant second copy. No proof is weakened or stubbed. Both callers use inferred implicits, so the removed copy's argument order didn't matter to them:

- `Boj/SafePromptInjection.idr:168` — `MkDelimiterCharsafe (take n cs) {prf = allTake prf}`
- `Boj/SafeHTTP.idr:139` — `MkHeaderCharsafe (take n cs) {prf = allTake prf}`

## Verification

Expected: `scripts/typecheck-proofs.sh` → **PASS=105 FAIL=0**. Idris2 isn't available in the authoring environment, so the **Idris2 type-check CI job is the proof verification** here — it should go from failing to green on this PR (and this is the first PR that *should* pass it cleanly when the job runs).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

_Generated by [Claude Code](https://claude.ai/code/session_01XrPAh7eBSUcVKauTVdXH9Y)_

Co-authored-by: Claude <noreply@anthropic.com>
Owner-directed licensing normalisation (two steps you approved: "sweep 1, then do 2"). Surgical, per-file, no code or third-party text touched. Draft for your review.

## 1. Relicense documentation MPL-2.0 → CC-BY-SA-4.0 (64cd25d)

Code stays MPL-2.0; prose documentation becomes CC-BY-SA-4.0.

- `.adoc` + 80 `.md`), including AI-agent files (CLAUDE.md, PROJECT.md, copilot-instructions) per your choice. Only the `SPDX-License-Identifier` header line changed.
- `root_hygiene` flag).
- `CODE_OF_CONDUCT.md` (×2); the `LICENSES/` texts; the `pmpl-mcp` cartridge.

## 2. Remove residual PMPL artifacts (e2bfd68)

boj-server is MPL-2.0 / CC-BY-SA-4.0 — removed Palimpsest-MPL residue that still declared/enforced PMPL here.

- `LICENSES/PMPL-1.0-or-later.txt`, `LICENSES/EXHIBIT-A-ETHICAL-USE.txt`, `LICENSES/EXHIBIT-B-QUANTUM-SAFE.txt`, `coord-tui/LICENSE-PMPL-1.0-or-later.txt`.
- `NOTICE` (dropped the "voluntarily adopts PMPL" paragraph), `docs/index.html` (PMPL header/badge/footer → MPL-2.0 + CC-BY-SA-4.0), `.well-known/humans.txt` + `ai.txt` (dropped PMPL drift).

I found these still asserting PMPL and fixed them; revert any you disagree with:

- `Mustfile` — invariants + the LICENSE grep-check no longer require `"Palimpsest-MPL 1.0"`. Note this check (`grep -q "Palimpsest-MPL 1.0" LICENSE`) was already failing against the MPL-2.0 LICENSE; now it checks `"Mozilla Public License"`.
- `Intentfile` — AI-agent invariant now references MPL-2.0.
- `docs/RSR_OUTLINE.adoc` — PMPL badges → MPL-2.0 badge; removed deleted-EXHIBIT entries from the file tree.
- `docs/outreach/show-hn-post.md` — "PMPL-licensed (MPL-2.0 fallback)" → "MPL-2.0-licensed".

## Kept (legitimate — subject matter, not a licence declaration)

- `pmpl-mcp` cartridge, `catalog.json`, README catalogue entry, topical federation/provenance references, and the `consent-aware-http` "PMPL applies prospectively" note (correct per estate policy — it's one of the three PMPL carve-out repos).

## One borderline item left untouched (your call)

- `.machine_readable/svc/self-validating/examples/setup-repo.k9.ncl` has an example k9 step "Add PMPL-1.0 license" (fetches from the `pmpl` repo). It's a framework example fixture, not boj-server's own licence — I left it. Say the word if you want it changed.

Verified: zero PMPL SPDX headers remain; zero broken references to deleted files; `LICENSES/` reduces cleanly to `MPL-2.0.txt` + `CC-BY-SA-4.0.txt` + `README.adoc`.

🤖 Generated with Claude Code

Generated by Claude Code
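
The "zero PMPL SPDX headers remain" verification above can be made repeatable with a header audit. The script below is an added example, not the project's own tooling: the function names (`spdx_header`, `audit_spdx`, `make_fixture`), the five-line header window and the fixture tree are assumptions, and the scope rules are the ones stated in this PR as of the relicensing commit.

```shell
#!/bin/sh
# Added example. Policy assumed from the PR text: .adoc/.md carry
# CC-BY-SA-4.0; no file carries a PMPL header; CODE_OF_CONDUCT.md,
# LICENSES/ and the pmpl-mcp cartridge are out of scope.

# Print the SPDX id declared in the first 5 lines of a file (empty if none),
# so SPDX examples quoted further down a doc are not read as its header.
spdx_header() {
  head -n 5 "$1" |
    sed -n 's/.*SPDX-License-Identifier:[[:space:]]*\([A-Za-z0-9.+-]*\).*/\1/p' |
    head -n 1
}

# Print one finding per line for the tree at $1; nothing when it is clean.
audit_spdx() {
  find "$1" -type f ! -path '*/.git/*' ! -path '*/LICENSES/*' \
       ! -path '*/pmpl-mcp/*' ! -name 'CODE_OF_CONDUCT.md' | sort |
  while IFS= read -r f; do
    id=$(spdx_header "$f")
    case "$id" in
      PMPL*) echo "PMPL-HEADER $f"; continue ;;
    esac
    case "$f" in
      *.adoc|*.md)
        [ "$id" = "CC-BY-SA-4.0" ] || echo "DOC-NOT-CC-BY-SA(${id:-none}) $f" ;;
    esac
  done
}

# Constructed fixture tree (not the real repository); prints its path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/docs" "$d/src" "$d/cartridges/pmpl-mcp" "$d/LICENSES"
  printf '// SPDX-License-Identifier: CC-BY-SA-4.0\n= Guide\n\n[source,zig]\n----\n// SPDX-License-Identifier: MPL-2.0\n----\n' > "$d/docs/guide.adoc"
  printf '<!-- SPDX-License-Identifier: MPL-2.0 -->\n# Stale\n' > "$d/docs/stale.md"
  printf '# No header\n' > "$d/docs/bare.md"
  printf '// SPDX-License-Identifier: PMPL-1.0-or-later\n' > "$d/src/old.zig"
  printf '// SPDX-License-Identifier: MPL-2.0\n' > "$d/src/main.zig"
  printf '<!-- SPDX-License-Identifier: PMPL-1.0-or-later -->\n' > "$d/cartridges/pmpl-mcp/README.md"
  printf '# Contributor Covenant\n' > "$d/CODE_OF_CONDUCT.md"
  printf 'Mozilla Public License Version 2.0\n' > "$d/LICENSES/MPL-2.0.txt"
  echo "$d"
}

# Usage: sh audit.sh /path/to/checkout   (exit status 1 if anything is found)
if [ -n "${1:-}" ]; then
  out=$(audit_spdx "$1"); [ -z "$out" ] || { printf '%s\n' "$out"; exit 1; }
fi
```

Run as a CI step, a non-empty report fails the job, which gives the same guarantee as the one-off verification without relying on a manual grep.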