security: standardize secret scanning on TruffleHog

.devcontainer/README.adoc

@@ -1,4 +1,5 @@
 // SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 = Dev Container Usage
 :author: {{AUTHOR}} <{{AUTHOR_EMAIL}}>
 

.github/CODE_OF_CONDUCT.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Code of Conduct
 
 <!-- 

.github/CONTRIBUTING.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Clone the repository
 git clone https://github.com/hyperpolymath/snif.git
 cd snif

.github/DIRECTORY.adoc

@@ -1 +1,3 @@
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 = .github Pillar

.github/GOVERNANCE.md

@@ -1,5 +1,7 @@
-<!-- SPDX-License-Identifier: MPL-2.0 -->
-
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Project Governance
 
 This document describes the governance model for **{{PROJECT_NAME}}**.

.github/SECURITY.md

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 # Security Policy
 
 <!-- 

.github/copilot-instructions.md

@@ -1,4 +1,7 @@
-<!-- SPDX-License-Identifier: MPL-2.0 -->
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 <!-- Copyright (c) {{CURRENT_YEAR}} {{AUTHOR}} (hyperpolymath) <{{AUTHOR_EMAIL}}> -->
 <!-- Authoritative source: docs/AI-CONVENTIONS.md -->
 

.github/copilot/coding-agent.yml

@@ -0,0 +1,6 @@
+mcp_servers:
+  boj-server:
+    command: npx
+    args: ["-y", "@hyperpolymath/boj-server@latest"]
+    env:
+      BOJ_URL: http://localhost:7700

.github/pull_request_template.md

@@ -1,4 +1,7 @@
-<!-- SPDX-License-Identifier: MPL-2.0 -->
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ## Summary
 
 <!-- Briefly describe what this PR does and why. Link to related issues with "Closes #N". -->

.github/workflows/boj-build.yml

@@ -6,23 +6,20 @@
 # To enable: set BOJ_SERVER_URL as a repository secret or variable.
 # To disable: delete this file or leave BOJ_SERVER_URL unset.
 name: BoJ Server Build Trigger
-
 on:
   push:
     branches: [main, master]
   workflow_dispatch:
-
 permissions:
   contents: read
-
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: ${{ vars.BOJ_SERVER_URL != '' || secrets.BOJ_SERVER_URL != '' }}
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
       - name: Trigger BoJ Server (Casket/ssg-mcp)
         env:
           BOJ_URL: ${{ secrets.BOJ_SERVER_URL || vars.BOJ_SERVER_URL }}

.github/workflows/codeql.yml

@@ -1,28 +1,25 @@
 # SPDX-License-Identifier: MPL-2.0
 name: CodeQL Security Analysis
-
 on:
   push:
     branches: [main, master]
   pull_request:
     branches: [main, master]
   schedule:
     - cron: '0 6 * * 1'
-
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
 # Actions concurrency pool. Applied only to read-only check workflows
 # (no publish/mutation), so cancelling a superseded run is always safe.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 permissions:
   contents: read
-
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
       security-events: write
@@ -32,17 +29,14 @@ jobs:
         include:
           - language: javascript-typescript
             build-mode: none
-
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
       - name: Initialize CodeQL
         uses: github/codeql-action/init@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
-
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v3
         with:

.github/workflows/dogfood-gate.yml

@@ -22,6 +22,7 @@ jobs:
   a2ml-validate:
     name: Validate A2ML manifests
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -66,6 +67,7 @@ jobs:
   k9-validate:
     name: Validate K9 contracts
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -115,6 +117,7 @@ jobs:
   empty-lint:
     name: Empty-linter (invisible characters)
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -179,6 +182,7 @@ jobs:
   groove-check:
     name: Groove manifest check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -237,6 +241,7 @@ jobs:
   eclexiaiser-validate:
     name: Validate eclexiaiser manifest
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -300,6 +305,7 @@ print(f'Valid: {project[\"name\"]} ({len(functions)} function(s))')
   dogfood-summary:
     name: Dogfooding compliance summary
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: [a2ml-validate, k9-validate, empty-lint, groove-check, eclexiaiser-validate]
     if: always()
 

.github/workflows/e2e.yml

@@ -10,7 +10,6 @@
 # affected build.
 
 name: E2E + Aspect + Bench
-
 on:
   push:
     branches: [main, master, develop]
@@ -29,13 +28,10 @@ on:
       - 'Justfile'
       - '.github/workflows/e2e.yml'
   workflow_dispatch:
-
 permissions: read-all
-
 concurrency:
   group: e2e-${{ github.ref }}
   cancel-in-progress: true
-
 jobs:
   # ─── Build-mode invariant gate ─────────────────────────────────────
   # Builds the wasm guest fresh from source (defeating any stale committed
@@ -146,37 +142,37 @@ jobs:
   #     - run: cabal build all
   #     - run: bash tests/integration-test.sh
 
-  # ─── Aspect Tests ──────────────────────────────────────────────────
-  # Cross-cutting concerns: thread safety, ABI contracts, SPDX, dangerous patterns
-  # Uncomment and customise:
-
-  # aspect-tests:
-  #   name: Aspect — Architectural Invariants
-  #   runs-on: ubuntu-latest
-  #   timeout-minutes: 10
-  #   steps:
-  #     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
-  #     - run: bash tests/aspect_tests.sh
-
-  # ─── Benchmarks ────────────────────────────────────────────────────
-  # Performance regression detection. Uncomment matching stack:
-
-  ## === RUST BENCH ===
-  # benchmarks:
-  #   name: Bench — Performance Regression
-  #   runs-on: ubuntu-latest
-  #   timeout-minutes: 15
-  #   steps:
-  #     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
-  #     - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7  # stable
-  #     - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5  # v2
-  #     - run: cargo bench 2>&1 | tee /tmp/bench-results.txt
-  #     - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
-  #       if: always()
-  #       with:
-  #         name: benchmark-results
-  #         path: /tmp/bench-results.txt
-  #         retention-days: 30
+# ─── Aspect Tests ──────────────────────────────────────────────────
+# Cross-cutting concerns: thread safety, ABI contracts, SPDX, dangerous patterns
+# Uncomment and customise:
+
+# aspect-tests:
+#   name: Aspect — Architectural Invariants
+#   runs-on: ubuntu-latest
+#   timeout-minutes: 10
+#   steps:
+#     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+#     - run: bash tests/aspect_tests.sh
+
+# ─── Benchmarks ────────────────────────────────────────────────────
+# Performance regression detection. Uncomment matching stack:
+
+## === RUST BENCH ===
+# benchmarks:
+#   name: Bench — Performance Regression
+#   runs-on: ubuntu-latest
+#   timeout-minutes: 15
+#   steps:
+#     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+#     - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7  # stable
+#     - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5  # v2
+#     - run: cargo bench 2>&1 | tee /tmp/bench-results.txt
+#     - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
+#       if: always()
+#       with:
+#         name: benchmark-results
+#         path: /tmp/bench-results.txt
+#         retention-days: 30
 
   ## === ZIG BENCH ===
   # benchmarks:
@@ -190,15 +186,15 @@ jobs:
   #         version: 0.15.0
   #     - run: cd ffi/zig && zig build bench
 
-  # ─── Readiness (CRG) ──────────────────────────────────────────────
-  # Component Readiness Grade: D (runs) → C (correct) → B (edge cases)
-
-  # readiness:
-  #   name: Readiness — Grade D/C/B
-  #   runs-on: ubuntu-latest
-  #   timeout-minutes: 10
-  #   steps:
-  #     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
-  #     - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7  # stable
-  #     - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5  # v2
-  #     - run: cargo test --test readiness -- --nocapture
+# ─── Readiness (CRG) ──────────────────────────────────────────────
+# Component Readiness Grade: D (runs) → C (correct) → B (edge cases)
+
+# readiness:
+#   name: Readiness — Grade D/C/B
+#   runs-on: ubuntu-latest
+#   timeout-minutes: 10
+#   steps:
+#     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+#     - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7  # stable
+#     - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5  # v2
+#     - run: cargo test --test readiness -- --nocapture

.github/workflows/governance.yml

@@ -11,24 +11,21 @@
 # (rust-ci, codeql, dependabot, release, scan/mirror/pages plumbing).
 
 name: Governance
-
 on:
   push:
     branches: [main, master]
   pull_request:
   workflow_dispatch:
-
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
 # Actions concurrency pool. Applied only to read-only check workflows
 # (no publish/mutation), so cancelling a superseded run is always safe.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 permissions:
   contents: read
-
 jobs:
   governance:
-    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
+    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@861b5e911d9e5dcfb3c0ab3dd2a9a3c8fd0a1613
+    timeout-minutes: 10

.github/workflows/hypatia-scan.yml

@@ -3,7 +3,6 @@
 # See standards#191 for the reusable's purpose and design.
 
 name: Hypatia Security Scan
-
 on:
   push:
     branches: [main, master, develop]
@@ -17,12 +16,10 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 permissions:
   contents: read
   security-events: write
   pull-requests: write
-
 jobs:
   hypatia:
     uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@915139d73560e65a8240b8fc7768698658502c89

.github/workflows/instant-sync.yml

@@ -1,19 +1,17 @@
 # SPDX-License-Identifier: MPL-2.0
 # Instant Forge Sync - Triggers propagation to all forges on push/release
 name: Instant Sync
-
 on:
   push:
     branches: [main, master]
   release:
     types: [published]
-
 permissions:
   contents: read
-
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Trigger Propagation
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3
@@ -28,7 +26,6 @@ jobs:
               "sha": "${{ github.sha }}",
               "forges": ""
             }
-
       - name: Confirm
         env:
           REPO_NAME: ${{ github.event.repository.name }}