diff --git a/LICENCE-POLICY.adoc b/LICENCE-POLICY.adoc index 1b543aa..da0d012 100644 --- a/LICENCE-POLICY.adoc +++ b/LICENCE-POLICY.adoc 
@@ -156,45 +156,32 @@ sentinel with `REPLACE-WITH-*`); `spdx-policy-guard.yml` hard-fails it as a real SPDX value (and surfaces A3 variants as non-failing warnings). Evidence: `LICENCE-DEBT-LEDGER-2026-05-18`. -=== A6 — Named hard-exclusions (enforced, not docs-only) - -Two repos are permanently excluded from the SPDX policy guard -(owner-ruled 2026-05-19). This is *enforced* in -`rsr-template-repo/.github/workflows/spdx-policy-guard.yml` (a -repo-name early-exit), not merely documented here: - -* **`palimpsest-license`** — it *defines* the PMPL / PLMP / PMLP - identifiers; its spec and legal text legitimately contain many SPDX - strings, so scanning it produces guaranteed false positives and - could corrupt the licence specification. -* **`repos-monorepo`** — a 297-submodule aggregate superproject that - only mirrors the standalone source repos (and harbours `007`, see - A1). Every hit duplicates a source repo; licence fixes belong in the - source repos only, never here. - -=== A7 — Known multi-SPDX false positives (ignore-list) - -A small, named set of files legitimately carry more than one SPDX -*string* without being a licence contradiction — the extra strings are -documentation-fenced examples, UI string-literals, or codegen-emitted -headers. These are owner-ruled false positives (2026-05-19, ledger §A + -§C C1–C3) and the guard reports them as a non-failing `::notice`: - -[cols="2,2,3"] -|=== -| File (repo-relative) | Repo | Why it is not a contradiction - -| `PALIMPSEST.adoc` | standards | SPDX ids appear inside doc example blocks -| `README.adoc` | llm-grace | PMPL references are explanatory prose, not a header -| `…/App.res` | ephapax | the second id (EUPL-1.2) is a UI string-literal -| `…/state-utils.scm`| wp-resurrect | the second id (AGPL) is a codegen-emitted header -| `CONTRIBUTING.md` | flatracoon | extra SPDX ids are fenced documentation examples -|=== - -These remain *visible* (`::notice`, not silenced) so the list can be -audited and tightened. 
Genuine contradiction §C-C4 (zotero-voyant-export -`ECHIDNA_ARCHITECTURE_UPDATE_3LANG.md`) is **not** on this list — it is -a real defect tracked for an owner-directed single-file fix. +=== A8 — Explicit owner-sanctioned scoped carve-outs (2026-05-19) + +A2 forbids *automated/bulk* SPDX change as a standing default. The +owner has issued the following **explicit, scoped, per-file-verified +carve-outs** to discharge known licence debt. These are owner-directed +remediation (A2's "manual, per-file, by the owner" — executed under +explicit owner ruling, enumerated and verified, never a blind sweep), +NOT a relaxation of A2's default: + +. *Suffix normalisation* — `PMPL-1.0` → `PMPL-1.0-or-later`. This is + *not a relicence* (identical licence; only the SPDX expression's + `-or-later` suffix is corrected — exactly the A3 debt). Authorised + estate-wide, per-repo PRs, owner-merged, diff = SPDX-value-only. +. *Repo licence correction* — `idaptik` is wholly the owner's son's + work → `AGPL-3.0-or-later` (Rule 3); ledger ruling #1, ring-fenced by + `idaptik/SON-WORK.boundary`. +. *Archive relicence* — `hyperpolymath-archive` files bearing `MPL-2.0` + that are verified 100% the owner's own authored content (no + third-party, no vendored, no licence-text) → `PMPL-1.0-or-later`. + Verified by read-only fan-out 2026-05-19. Genuine third-party / + vendored / licence-text files are never rewritten. + +Every carve-out PR is per-file enumerated, SPDX-only, draft for owner +merge, and references `LICENCE-DEBT-LEDGER-2026-05-18`. Scaffold +placeholder/variant leaks (A5) remain fixed by *regeneration*, not by +these carve-outs. == See Also
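Review bot: Item 1 of the new A8 authorises the `PMPL-1.0` → `PMPL-1.0-or-later` normalisation "estate-wide", but the same hunk deletes A6, the only visible text that keeps `palimpsest-license` and `repos-monorepo` out of scope. A6 warned that touching `palimpsest-license` "could corrupt the licence specification" and that fixes must never land in `repos-monorepo`, so item 1 should name both repos as excluded, or A6 should stay. The deletion also leaves the section numbering jumping from A5 to A8. If A6 and A7 have moved elsewhere in the file, a cross-reference from A8 would make that clear. If they are gone, the policy no longer documents the repo-name early-exit that A6 said is enforced in `spdx-policy-guard.yml`, or the `::notice` ignore-list from A7, and it loses the statement that §C-C4 is a real defect that is not on the ignore-list. Separately, "diff = SPDX-value-only" in item 1 and "Verified by read-only fan-out 2026-05-19" in item 3 are asserted without naming a check or an artifact. Pointing each at the ledger entry or file list that records it would let a later reader audit the carve-outs rather than take them on trust.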