Review SCM files and security updates

.github/dependabot.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later
 version: 2
 updates:
   - package-ecosystem: "github-actions"

.github/workflows/codeql.yml

@@ -1,13 +1,8 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
+# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later
+# CodeQL Advanced Analysis
 #
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
+# This workflow runs CodeQL security analysis on the repository.
+# For documentation templates/standards repos, we analyze GitHub Actions.
 #
 name: "CodeQL Advanced"
 
@@ -22,76 +17,34 @@ on:
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
-    # Runner size impacts CodeQL analysis time. To learn more, please see:
-    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
-    #   - https://gh.io/supported-runners-and-hardware-resources
-    #   - https://gh.io/using-larger-runners (GitHub.com only)
-    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    runs-on: ubuntu-latest
     permissions:
-      # required for all workflows
       security-events: write
-
-      # required to fetch internal or private CodeQL packs
       packages: read
-
-      # only required for workflows in private repositories
       actions: read
       contents: read
 
     strategy:
       fail-fast: false
       matrix:
         include:
-        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
-        # Use `c-cpp` to analyze code written in C, C++ or both
-        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
-        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
-        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
-        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
-        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+          - language: actions
+            build-mode: none
+
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      # SHA pinned for security (RSR Gold compliance)
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
-    # Add any setup steps before running the `github/codeql-action/init` action.
-    # This includes steps like installing compilers or runtimes (`actions/setup-node`
-    # or others). This is typically only required for manual builds.
-    # - name: Setup runtime (example)
-    #   uses: actions/setup-example@v1
-
-    # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      # SHA pinned for security (RSR Gold compliance)
+      uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-    # If the analyze step fails for one of the languages you are analyzing with
-    # "We were unable to automatically build your code", modify the matrix above
-    # to set the build mode to "manual" for that language. Then modify this step
-    # to build your code.
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-    - name: Run manual build steps
-      if: matrix.build-mode == 'manual'
-      shell: bash
-      run: |
-        echo 'If you are using a "manual" build mode for one or more of the' \
-          'languages you are analyzing, replace this with the commands to build' \
-          'your code, for example:'
-        echo '  make bootstrap'
-        echo '  make release'
-        exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      # SHA pinned for security (RSR Gold compliance)
+      uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
       with:
         category: "/language:${{matrix.language}}"

ECOSYSTEM.scm

@@ -1,4 +1,4 @@
-;; SPDX-License-Identifier: AGPL-3.0-or-later
+;; SPDX-License-Identifier: MIT OR AGPL-3.0-or-later
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
 ;; ECOSYSTEM.scm — standards
 

META.scm

@@ -1,4 +1,4 @@
-;; SPDX-License-Identifier: AGPL-3.0-or-later
+;; SPDX-License-Identifier: MIT OR AGPL-3.0-or-later
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
 ;;; META.scm — standards
 

SECURITY.md

@@ -1,23 +1,5 @@
 # Security Policy
 
-<!-- 
-============================================================================
-TEMPLATE INSTRUCTIONS (delete this block before publishing)
-============================================================================
-Replace all {{PLACEHOLDER}} values with your information:
-  {{PROJECT_NAME}}     - Your project name
-  {{OWNER}}            - GitHub username or org (e.g., hyperpolymath)
-  {{REPO}}             - Repository name
-  {{SECURITY_EMAIL}}   - Security contact email
-  {{PGP_FINGERPRINT}}  - Your PGP key fingerprint (40 chars, no spaces)
-  {{PGP_KEY_URL}}      - URL to your public PGP key
-  {{WEBSITE}}          - Your website/domain
-  {{CURRENT_YEAR}}     - Current year for copyright
-
-Optional: Remove sections that don't apply (e.g., PGP if you don't use it)
-============================================================================
--->
-
 We take security seriously. We appreciate your efforts to responsibly disclose vulnerabilities and will make every effort to acknowledge your contributions.
 
 ## Table of Contents
@@ -40,7 +22,7 @@ We take security seriously. We appreciate your efforts to responsibly disclose v
 
 The preferred method for reporting security vulnerabilities is through GitHub's Security Advisory feature:
 
-1. Navigate to [Report a Vulnerability](https://github.com/{{OWNER}}/{{REPO}}/security/advisories/new)
+1. Navigate to [Report a Vulnerability](https://github.com/hyperpolymath/standards/security/advisories/new)
 2. Click **"Report a vulnerability"**
 3. Complete the form with as much detail as possible
 4. Submit — we'll receive a private notification
@@ -52,27 +34,6 @@ This method ensures:
 - Coordinated disclosure tooling
 - Automatic credit when the advisory is published
 
-### Alternative: Encrypted Email
-
-If you cannot use GitHub Security Advisories, you may email us directly:
-
-| | |
-|---|---|
-| **Email** | {{SECURITY_EMAIL}} |
-| **PGP Key** | [Download Public Key]({{PGP_KEY_URL}}) |
-| **Fingerprint** | `{{PGP_FINGERPRINT}}` |
-
-```bash
-# Import our PGP key
-curl -sSL {{PGP_KEY_URL}} | gpg --import
-
-# Verify fingerprint
-gpg --fingerprint {{SECURITY_EMAIL}}
-
-# Encrypt your report
-gpg --armor --encrypt --recipient {{SECURITY_EMAIL}} report.txt
-```
-
 > **⚠️ Important:** Do not report security vulnerabilities through public GitHub issues, pull requests, discussions, or social media.
 
 ---
@@ -203,7 +164,7 @@ If we cannot reach agreement on disclosure timing, we default to 90 days from yo
 
 The following are within scope for security research:
 
-- This repository (`{{OWNER}}/{{REPO}}`) and all its code
+- This repository (`hyperpolymath/standards`) and all its code
 - Official releases and packages published from this repository
 - Documentation that could lead to security issues
 - Build and deployment configurations in this repository
@@ -322,7 +283,7 @@ Recognition includes:
 To stay informed about security updates:
 
 - **Watch this repository**: Click "Watch" → "Custom" → Select "Security alerts"
-- **GitHub Security Advisories**: Published at [Security Advisories](https://github.com/{{OWNER}}/{{REPO}}/security/advisories)
+- **GitHub Security Advisories**: Published at [Security Advisories](https://github.com/hyperpolymath/standards/security/advisories)
 - **Release notes**: Security fixes noted in [CHANGELOG](CHANGELOG.md)
 
 ### Update Policy
@@ -348,7 +309,7 @@ To stay informed about security updates:
 
 ## Security Best Practices
 
-When using {{PROJECT_NAME}}, we recommend:
+When using this project, we recommend:
 
 ### General
 
@@ -370,8 +331,7 @@ When using {{PROJECT_NAME}}, we recommend:
 
 ## Additional Resources
 
-- [Our PGP Public Key]({{PGP_KEY_URL}})
-- [Security Advisories](https://github.com/{{OWNER}}/{{REPO}}/security/advisories)
+- [Security Advisories](https://github.com/hyperpolymath/standards/security/advisories)
 - [Changelog](CHANGELOG.md)
 - [Contributing Guidelines](CONTRIBUTING.md)
 - [CVE Database](https://cve.mitre.org/)
@@ -383,9 +343,9 @@ When using {{PROJECT_NAME}}, we recommend:
 
 | Purpose | Contact |
 |---------|---------|
-| **Security issues** | [Report via GitHub](https://github.com/{{OWNER}}/{{REPO}}/security/advisories/new) or {{SECURITY_EMAIL}} |
-| **General questions** | [GitHub Discussions](https://github.com/{{OWNER}}/{{REPO}}/discussions) |
-| **Other enquiries** | See [README](README.md) for contact information |
+| **Security issues** | [Report via GitHub](https://github.com/hyperpolymath/standards/security/advisories/new) |
+| **General questions** | [GitHub Discussions](https://github.com/hyperpolymath/standards/discussions) |
+| **Other enquiries** | See [README](README.adoc) for contact information |
 
 ---
 
@@ -399,8 +359,8 @@ This security policy may be updated from time to time. Significant changes will
 
 ---
 
-*Thank you for helping keep {{PROJECT_NAME}} and its users safe.* 🛡️
+*Thank you for helping keep this project and its users safe.*
 
 ---
 
-<sub>Last updated: {{CURRENT_YEAR}} · Policy version: 1.0.0</sub>
+<sub>Last updated: 2025 · Policy version: 1.0.0</sub>

STATE.scm

@@ -1,37 +1,85 @@
-;; SPDX-License-Identifier: AGPL-3.0-or-later
+;; SPDX-License-Identifier: MIT OR AGPL-3.0-or-later
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
 ;;; STATE.scm — standards
 
 (define-module (standards state)
-  #:export (metadata project-context current-position critical-next-actions))
+  #:export (metadata project-context current-position critical-next-actions roadmap))
 
 (define metadata
-  '((version . "1.0.0")
+  '((version . "1.1.0")
     (schema-version . "1.0")
     (created . "2025-12-15")
-    (updated . "2025-12-15")
+    (updated . "2025-12-17")
     (project . "standards")
     (repo . "hyperpolymath/standards")))
 
 (define project-context
   '((name . "standards")
     (tagline . "Hyperpolymath ecosystem standards and templates")
-    (tech-stack . ("Documentation" "Templates"))))
+    (tech-stack . ("Documentation" "Templates" "GitHub Actions"))))
 
 (define current-position
   '((phase . "stable")
-    (overall-completion . 100)
+    (overall-completion . 90)
     (components
      ((name . "Community files") (status . "complete"))
      ((name . "License") (status . "complete"))
-     ((name . "Security policy") (status . "complete")))
+     ((name . "Security policy") (status . "complete"))
+     ((name . "SCM metadata") (status . "complete"))
+     ((name . "CI/CD workflows") (status . "complete"))
+     ((name . "README documentation") (status . "pending")))
     (working-features
      ("CODE_OF_CONDUCT.md"
       "CONTRIBUTING.md"
       "SECURITY.md"
-      "LICENSE.txt"))))
+      "LICENSE.txt"
+      "META.scm"
+      "ECOSYSTEM.scm"
+      "STATE.scm"
+      ".github/workflows/codeql.yml"
+      ".github/dependabot.yml"))))
 
 (define critical-next-actions
-  '((immediate . ())
-    (this-week . ())
-    (this-month . ())))
+  '((immediate
+     ("Add README.adoc content with project overview"))
+    (this-week
+     ("Add CHANGELOG.md for version tracking"
+      "Add issue templates for bug reports and features"))
+    (this-month
+     ("Create template validation CI workflow"
+      "Add security acknowledgments file"))))
+
+(define roadmap
+  '((phase-1
+     (name . "Foundation Complete")
+     (status . "done")
+     (items
+      ("Community standards files"
+       "Dual MIT/AGPL licensing"
+       "Security policy"
+       "SCM metadata files"
+       "SHA-pinned GitHub Actions")))
+
+    (phase-2
+     (name . "Documentation Enhancement")
+     (status . "in-progress")
+     (items
+      ("README.adoc with full project documentation"
+       "CHANGELOG.md for release tracking"
+       "Template usage guide")))
+
+    (phase-3
+     (name . "Automation")
+     (status . "planned")
+     (items
+      ("Template validation workflow"
+       "Automatic version bumping"
+       "Release automation")))
+
+    (phase-4
+     (name . "Ecosystem Integration")
+     (status . "planned")
+     (items
+      ("Cross-repository template synchronization"
+       "RSR compliance checker integration"
+       "Automated security scanning reports")))))