licence: normalise to MPL-2.0 (code) + CC-BY-SA-4.0 (docs); reconcile policy; fix scaffold leaks (#373)

Owner-directed licence normalisation + policy reconciliation +
contractile fill (2026-06-04 session). 3 commits.

## Final model
- **code / config / scripts → `MPL-2.0`** (2,934 files)
- **prose docs (`*.adoc`, `*.md`) → `CC-BY-SA-4.0`** (share-alike, the
standard CC licence everywhere) (761 files)
- **PMPL** = narrow carve-out, 3 repos only (`palimpsest-license`,
`palimpsest-plasma`, `consent-aware-http`)
- **AGPL** = son's co-developed repos only; **007** out of scope;
**MIT/foreign** third-party preserved

## What's in the PR
1. **Header normalisation** (entire tree, header-only, first SPDX line ≤
L8 — in-body examples / Exhibit-A text untouched). Protected & skipped:
`consent-aware-http/` (incl. rhodium satellite), all `palimpsest*`,
`LICENSES/`+`licenses/`, MIT/foreign, `PLMP-/PMLP-` sentinels.
2. **License texts**: added `LICENSES/CC-BY-SA-4.0.txt` (canonical
SPDX); removed the interim CC-BY-4.0.txt.
3. **Policy reconciliation** — killed the stale `default = PMPL`
contradiction: `LICENCE-POLICY.adoc` (Rule 1 = code MPL-2.0 / docs
CC-BY-SA-4.0; Rule 2 = PMPL is the 3-repo carve-out) and
`.machine_readable/licensing-policy.toml` now agree. Fixed
header-**emitting** generators (`build-registry.sh`, `setup.sh`,
`*.rs`/`.py`/`.jl` emitters) + the `validate-spdx.sh` hint so they stop
re-introducing AGPL.
4. **`PALIMPSEST.adoc`** (root + rhodium) header → `CC-BY-SA-4.0` *(was
flag #1)*.
5. **Scaffold leaks fixed** *(was flag #2)* — `Mustfile.a2ml` /
`Adjustfile.a2ml` / `Dustfile.a2ml` in `.machine_readable/contractiles/`
were templated for a different project; rewritten for `standards` with
real probes (file presence, SPDX policy canaries, SHA-pin/timeout,
registry, drift tolerances, cleanup hygiene).
6. **Contractile fill** — `MUST.contractile` project-specific invariants
(licensing + CI hardening + registry) + a `(cross-repo)` block tracing
the hypatia detector musts to #370.
7. **Deep-mention normalisation** *(was flag #4)* — 76 files:
header-form example SPDX strings (RSR_OUTLINE templates, README licence
blocks, `.scm`/spec examples) → current policy ids. Prose sentences &
`sed` conversion rules untouched.

## Validation
- `scripts/check-licence-consistency.sh` passes
- `shellcheck`/`py_compile` clean on edited scripts; `MUST.contractile`
parens balanced; `licensing-policy.toml` valid TOML
- Verified: no SPDX rewrite deeper than L8 in the header pass; 0 stray
CC-BY-4.0 doc headers; no protected path touched; no foreign-project
name left in the trident

## Residual / standing notes
- Flag #3 resolved by policy: **CC-BY-SA-4.0** is now *the* CC licence
everywhere unless a file states otherwise.
- The 2 pre-existing `CC-BY-SA-4.0` docs were already on-policy.
- Header-emitting SPDX strings embedded **in code** inside mirror repos
(e.g. `push_str("# SPDX...")`) are intentionally left for their source
repos (policy A6).
- **New standing rule honoured:** wrong-project scaffold leaks are now
fixed on sight, not just flagged.

https://claude.ai/code/session_01AmPXB2dA2wCcabo8BXwS28

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: hyperpolymath

.editorconfig

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # https://editorconfig.org
 
 root = true

.gitattributes

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # RSR-compliant .gitattributes
 
 * text=auto eol=lf

.github/FUNDING.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # Funding platforms for hyperpolymath projects
 # See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
 

.github/workflows/doc-format.yml

@@ -34,6 +34,15 @@ jobs:
           # Check for docs that exist in both .md and .adoc (except GitHub-required)
           for doc in README ARCHITECTURE ROADMAP PHILOSOPHY INSTALL CHANGELOG; do
             if [ -f "${doc}.md" ] && [ -f "${doc}.adoc" ]; then
+              # Glama carve-out: the Glama MCP-server directory (glama.ai) requires a
+              # README.md to index a server and will NOT render README.adoc. When a
+              # glama.json is present, README.md is permitted alongside the canonical
+              # README.adoc. README.adoc remains the source of truth. This is a Glama
+              # limitation, not an owner-policy change. See contractiles/CANONICAL-TEMPLATES.adoc.
+              if [ "${doc}" = "README" ] && [ -f "glama.json" ]; then
+                echo "::notice::README.md kept alongside README.adoc (Glama carve-out: glama.json present; .adoc remains canonical)."
+                continue
+              fi
               echo "::error::Duplicate documentation: ${doc}.md and ${doc}.adoc both exist. Keep only .adoc"
               DUPLICATES=$((DUPLICATES + 1))
             fi

.gitignore

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # RSR-compliant .gitignore
 
 # OS & Editor

.machine_readable/6a2/AGENTIC.a2ml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
 #
 # AGENTIC.a2ml — AI agent constraints and capabilities

.machine_readable/6a2/ECOSYSTEM.a2ml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
 #
 # ECOSYSTEM.a2ml — Standards ecosystem position

.machine_readable/6a2/META.a2ml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
 #
 # META.a2ml — Standards meta-level information

.machine_readable/6a2/NEUROSYM.a2ml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
 #
 # NEUROSYM.a2ml — Neurosymbolic integration metadata

.machine_readable/6a2/PLAYBOOK.a2ml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
 #
 # PLAYBOOK.a2ml — Operational playbook
@@ -25,6 +25,16 @@ last-updated = "2026-04-11"
 # 1. Update version in STATE.a2ml, META.a2ml
 # 2. Run `just release-preflight` (validate + quality + security + maint-hard-pass)
 # 3. Tag and push
+# 4. If glama.json is present (repo listed on the Glama MCP directory),
+#    regenerate README.md from the canonical README.adoc before tagging so the
+#    Glama listing stays current. README.adoc is the source of truth; README.md
+#    exists solely for Glama (which will not render .adoc). Carve-out enforced by
+#    doc-format.yml + Mustfile readme-md-glama-carveout + Dustfile preserve:glama-readme.
+
+[docs-format]
+# Estate docs are .adoc-canonical, no duplicate formats. Sole exception: the
+# Glama README.md carve-out (gated on glama.json). See
+# contractiles/CANONICAL-TEMPLATES.adoc "Documentation carve-out — Glama README.md".
 
 [maintenance-operations]
 # Baseline audit: just maint-audit