feat(governance): add recipe-fix-pmpl-drift + script + update SPDX exclude_repos #423
Merged
…clude_repos

Adds category-aware PMPL drift detection + auto-fix per 2026-06-02 owner directive:

- New recipe recipe-fix-pmpl-drift.json — detects PMPL-1.0-or-later SPDX stamps that drift from the per-repo category target (MPL-2.0 for sole-owner, AGPL-3.0-or-later for son-shared). Skips palimpsest carve-outs (palimpsest-license, palimpsest-plasma) + 007 + third-party content.
- New fix-pmpl-drift.sh — classifies via LICENSE file, sweeps PMPL→target, respects submodules + sub-path exclusions (rescript-tea, rescript-vite, affinescript-vite, idaptik-rescript13-staging, consent-aware-http).
- Update recipe-fix-spdx-license.json exclude_repos to add the now-confirmed AGPL category-3 repos (burble, standards, rattlescript, vcl-ut) + carve-outs (palimpsest-license, palimpsest-plasma, paint-type) + 007 (ARR).

References the 26-repo initial sweep (neurophone#102, dev-ecosystem#103-106, ngdb#29-30, standards#344-345, stapeln#86-87, reposystem#90, ephapax#285, + 21 single-PR sweeps). See memory feedback_estate_license_policy_umbrella.md for canonical policy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…026-06-02 policy

Adds confirmed AGPL category-3 repos (burble, standards, rattlescript, vcl-ut) + palimpsest carve-outs + 007 to exclude_repos so this AGPL-3.0→MPL-2.0 flip recipe stops trying to re-flip correctly-AGPL repos.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan
Findings: 146 issues detected
[
{
"reason": "Action urin 21 JRE\n uses: actions/setup-java@be666c2fcd27 needs attention",
"type": "unpinned_action",
"file": "verify-proofs.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in ci.yml",
"type": "missing_timeout_minutes",
"file": "ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in clusterfuzzlite.yml",
"type": "missing_timeout_minutes",
"file": "clusterfuzzlite.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
🔍 Hypatia Security Scan
Findings: 166 issues detected
Adds category-aware PMPL drift detection + auto-fix to the hypatia recipe system, per the 2026-06-02 owner directive (canonical: estate-license-policy-umbrella memory).
Changes

- New recipe data/verisim/recipes/recipe-fix-pmpl-drift.json — detects PMPL-1.0-or-later SPDX stamps that drift from the per-repo category target. Includes full category classification (sole-owner → MPL-2.0, son-shared → AGPL-3.0-or-later, 007 → ARR, palimpsest carve-out → keep PMPL, third-party/forks → leave alone). Lists the 26 initial sweep PRs as reference.
- New script scripts/fix-scripts/fix-pmpl-drift.sh — auto-classifies a repo via its LICENSE file, sweeps PMPL→target safely with sub-path exclusions (rescript-tea, rescript-vite, affinescript-vite, idaptik-rescript13-staging, consent-aware-http subdir) and submodule exclusion.
- Update data/verisim/recipes/recipe-fix-spdx-license.json — adds the now-confirmed AGPL category-3 repos (burble, standards, rattlescript, vcl-ut) + palimpsest carve-outs + 007 to exclude_repos so this older recipe stops trying to AGPL→MPL flip them.

Why this matters
Before this PR, the existing SPDX recipe could flip AGPL→MPL on repos that are correctly AGPL (would break the categorization). After this PR, both recipes are aligned with the 2026-06-02 policy and the gitbot can auto-PR PMPL drift fixes without manual per-repo triage going forward.
Test plan
🤖 Generated with Claude Code