hyperpolymath · hyperpolymath · Jun 11, 2026 · May 26, 2026 · May 31, 2026 · Jun 4, 2026
diff --git a/.devcontainer/README.adoc b/.devcontainer/README.adoc
@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 = Dev Container Usage
 :author: {{AUTHOR}} <{{AUTHOR_EMAIL}}>
 

diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Code of Conduct
 
 <!-- 

diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Clone the repository
 git clone https://{{FORGE}}/{{OWNER}}/{{REPO}}.git
 cd {{REPO}}

diff --git a/.github/DIRECTORY.adoc b/.github/DIRECTORY.adoc
@@ -1 +1,3 @@
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 = .github Pillar
diff --git a/.github/GOVERNANCE.md b/.github/GOVERNANCE.md
@@ -1,5 +1,7 @@
-<!-- SPDX-License-Identifier: MPL-2.0 -->
-
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Project Governance
 
 This document describes the governance model for **{{PROJECT_NAME}}**.

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Bug report
 about: Create a report to help us improve

diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md
@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Custom issue template
 about: Describe this issue template's purpose here.

diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Feature request
 about: Suggest an idea for this project

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Security Policy
 
 <!-- 

diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -1,4 +1,7 @@
-<!-- SPDX-License-Identifier: MPL-2.0 -->
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 <!-- Copyright (c) {{CURRENT_YEAR}} {{AUTHOR}} ({{OWNER}}) <{{AUTHOR_EMAIL}}> -->
 <!-- Authoritative source: docs/AI-CONVENTIONS.md -->
 

diff --git a/.github/copilot/coding-agent.yml b/.github/copilot/coding-agent.yml
@@ -0,0 +1,6 @@
+mcp_servers:
+  boj-server:
+    command: npx
+    args: ["-y", "@hyperpolymath/boj-server@latest"]
+    env:
+      BOJ_URL: http://localhost:7700
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,4 +1,7 @@
-<!-- SPDX-License-Identifier: MPL-2.0 -->
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ## Summary
 
 <!-- Briefly describe what this PR does and why. Link to related issues with "Closes #N". -->

diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
@@ -1,3 +1,4 @@
+# // Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 # SPDX-License-Identifier: MPL-2.0
 #
 # OPTIONAL: BoJ Server Build Trigger
@@ -6,18 +7,16 @@
 # To enable: set BOJ_SERVER_URL as a repository secret or variable.
 # To disable: delete this file or leave BOJ_SERVER_URL unset.
 name: BoJ Server Build Trigger
-
 on:
   push:
     branches: [main, master]
   workflow_dispatch:
-
 permissions:
   contents: read
-
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: ${{ vars.BOJ_SERVER_URL != '' || secrets.BOJ_SERVER_URL != '' }}
     steps:
       - name: Checkout

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,28 +1,26 @@
-# SPDX-License-Identifier: PMPL-1.0
+# // Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+# SPDX-License-Identifier: MPL-2.0
 name: CodeQL Security Analysis
-
 on:
   push:
     branches: [main, master]
   pull_request:
     branches: [main, master]
   schedule:
     - cron: '0 6 * * 1'
-
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
 # Actions concurrency pool. Applied only to read-only check workflows
 # (no publish/mutation), so cancelling a superseded run is always safe.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 permissions:
   contents: read
-
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
       security-events: write
@@ -32,7 +30,6 @@ jobs:
         include:
           - language: javascript-typescript
             build-mode: none
-
     steps:
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -42,7 +39,6 @@ jobs:
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
-
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3
         with:

diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
@@ -1,3 +1,4 @@
+# // Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 # SPDX-License-Identifier: MPL-2.0
 #
 # dependabot-automerge.yml — enable GitHub's native auto-merge on
@@ -35,29 +36,25 @@
 # bumps for dependabot/fetch-metadata flow through the same path.
 
 name: Dependabot Auto-Merge
-
 on:
   pull_request:
     types: [opened, reopened, synchronize]
-
 permissions:
-  contents: write        # needed to enable auto-merge
-  pull-requests: write   # needed to approve
+  contents: write # needed to enable auto-merge
+  pull-requests: write # needed to approve
   # NB: keep narrow — do NOT add secrets: read or id-token: write here.
-
 jobs:
   automerge:
     # Only run for PRs actually authored by Dependabot.
     if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
     runs-on: ubuntu-latest
-
+    timeout-minutes: 15
     steps:
       - name: Fetch Dependabot metadata
         id: meta
         uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-
       # --- Policy gate -------------------------------------------------------
       # Outputs from fetch-metadata we care about:
       #   update-type      → version-update:semver-{patch,minor,major}
@@ -106,7 +103,6 @@ jobs:
           echo "security=$is_security" >> "$GITHUB_OUTPUT"
           echo "update_type=$UPDATE_TYPE" >> "$GITHUB_OUTPUT"
           echo "ghsa=$GHSA_ID" >> "$GITHUB_OUTPUT"
-
       - name: Approve PR (if policy allows)
         if: steps.policy.outputs.action == 'automerge'
         env:
@@ -115,15 +111,13 @@ jobs:
         run: |
           gh pr review --approve "$PR_URL" \
             --body "Auto-approving Dependabot security update (${{ steps.policy.outputs.ghsa }}, ${{ steps.policy.outputs.update_type }}). Policy: low/moderate security patches/minors only."
-
       - name: Enable auto-merge (if policy allows)
         if: steps.policy.outputs.action == 'automerge'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}
         run: |
           gh pr merge --auto --squash "$PR_URL"
-
       - name: Write decision to step summary
         env:
           ACTION: ${{ steps.policy.outputs.action }}

diff --git a/.github/workflows/dogfood-gate.yml b/.github/workflows/dogfood-gate.yml
@@ -5,24 +5,21 @@
 # Validates that the repo uses hyperpolymath's own formats and tools.
 # Companion to static-analysis-gate.yml (security) — this is for format compliance.
 name: Dogfood Gate
-
 on:
   pull_request:
     branches: ['**']
   push:
     branches: [main, master]
-
 permissions:
   contents: read
-
 jobs:
   # ---------------------------------------------------------------------------
   # Job 1: A2ML manifest validation
   # ---------------------------------------------------------------------------
   a2ml-validate:
     name: Validate A2ML manifests
     runs-on: ubuntu-latest
-
+    timeout-minutes: 15
     steps:
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -35,14 +32,12 @@ jobs:
           if [ "$COUNT" -eq 0 ]; then
             echo "::warning::No .a2ml manifest files found. Every RSR repo should have 0-AI-MANIFEST.a2ml"
           fi
-
       - name: Validate A2ML manifests
         if: steps.detect.outputs.count > 0
         uses: hyperpolymath/a2ml-validate-action@6bff6ec134fc977e86d25166a5c522ddea5c1e78 # main
         with:
           path: '.'
           strict: 'false'
-
       - name: Write summary
         run: |
           A2ML_COUNT="${{ steps.detect.outputs.count }}"
@@ -59,14 +54,13 @@ jobs:
             echo "" >> "$GITHUB_STEP_SUMMARY"
             echo "Scanned **${A2ML_COUNT}** .a2ml file(s). See step output for details." >> "$GITHUB_STEP_SUMMARY"
           fi
-
   # ---------------------------------------------------------------------------
   # Job 2: K9 contract validation
   # ---------------------------------------------------------------------------
   k9-validate:
     name: Validate K9 contracts
     runs-on: ubuntu-latest
-
+    timeout-minutes: 15
     steps:
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -83,14 +77,12 @@ jobs:
           if [ "$COUNT" -eq 0 ] && [ "$CONFIG_COUNT" -gt 0 ]; then
             echo "::warning::Found $CONFIG_COUNT config files but no K9 contracts. Run k9iser to generate contracts."
           fi
-
       - name: Validate K9 contracts
         if: steps.detect.outputs.k9_count > 0
         uses: hyperpolymath/k9-validate-action@2d96f43c538964b097d159ed3a56ba5b5ceca227 # main
         with:
           path: '.'
           strict: 'false'
-
       - name: Write summary
         run: |
           K9_COUNT="${{ steps.detect.outputs.k9_count }}"
@@ -108,14 +100,13 @@ jobs:
             echo "" >> "$GITHUB_STEP_SUMMARY"
             echo "Validated **${K9_COUNT}** K9 contract(s) against **${CFG_COUNT}** config file(s)." >> "$GITHUB_STEP_SUMMARY"
           fi
-
   # ---------------------------------------------------------------------------
   # Job 3: Empty-linter — invisible character detection
   # ---------------------------------------------------------------------------
   empty-lint:
     name: Empty-linter (invisible characters)
     runs-on: ubuntu-latest
-
+    timeout-minutes: 15
     steps:
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -153,7 +144,6 @@ jobs:
             REL_PATH="${filepath#$GITHUB_WORKSPACE/}"
             echo "::warning file=${REL_PATH}::Invisible Unicode characters detected (zero-width space, BOM, NBSP, etc.)"
           done < /tmp/empty-lint-results.txt
-
       - name: Write summary
         run: |
           if [ "${{ steps.lint.outputs.ready }}" = "true" ]; then
@@ -172,14 +162,13 @@ jobs:
             echo "" >> "$GITHUB_STEP_SUMMARY"
             echo "Skipped: empty-linter not available." >> "$GITHUB_STEP_SUMMARY"
           fi
-
   # ---------------------------------------------------------------------------
   # Job 4: Groove manifest check (for repos that should expose services)
   # ---------------------------------------------------------------------------
   groove-check:
     name: Groove manifest check
     runs-on: ubuntu-latest
-
+    timeout-minutes: 15
     steps:
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -220,7 +209,6 @@ jobs:
           if [ "$HAS_SERVER" = "true" ] && [ "$HAS_MANIFEST" = "false" ] && [ "$HAS_GROOVE_CODE" = "false" ]; then
             echo "::warning::This repo has server code but no Groove endpoint. Add .well-known/groove/manifest.json for service discovery."
           fi
-
       - name: Write summary
         run: |
           echo "## Groove Protocol Check" >> "$GITHUB_STEP_SUMMARY"
@@ -230,16 +218,15 @@ jobs:
           echo "| Static manifest (.well-known/groove/manifest.json) | ${{ steps.groove.outputs.has_manifest }} |" >> "$GITHUB_STEP_SUMMARY"
           echo "| Groove endpoint in code | ${{ steps.groove.outputs.has_groove_code }} |" >> "$GITHUB_STEP_SUMMARY"
           echo "| Has HTTP server code | ${{ steps.groove.outputs.has_server }} |" >> "$GITHUB_STEP_SUMMARY"
-
   # ---------------------------------------------------------------------------
   # Job 5: Dogfooding summary
   # ---------------------------------------------------------------------------
   dogfood-summary:
     name: Dogfooding compliance summary
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: [a2ml-validate, k9-validate, empty-lint, groove-check]
     if: always()
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -306,4 +293,3 @@ jobs:
           *Generated by the [Dogfood Gate](https://github.com/hyperpolymath/natsci-studio) workflow.*
           *Dogfooding is guinea pig fooding — we test our tools on ourselves.*
           EOF
-