hyperpolymath · hyperpolymath · Jun 12, 2026 · Jun 1, 2026 · Jun 3, 2026 · Jun 4, 2026
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: MPL-2.0
+# CODEOWNERS - Define code review assignments for GitHub
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default: sole maintainer for all files
+* @hyperpolymath
+
+# Security-sensitive files require explicit ownership
+SECURITY.md @hyperpolymath
+.github/workflows/ @hyperpolymath
+.machine_readable/ @hyperpolymath
+contractiles/ @hyperpolymath
+
+# License files
+LICENSE @hyperpolymath
+LICENSES/ @hyperpolymath
+
+# Configuration
+.gitignore @hyperpolymath
+.github/ @hyperpolymath
+
+# Documentation
+README* @hyperpolymath
+CONTRIBUTING* @hyperpolymath
+CODE_OF_CONDUCT* @hyperpolymath
+GOVERNANCE* @hyperpolymath
+MAINTAINERS* @hyperpolymath
+CHANGELOG* @hyperpolymath
+ROADMAP* @hyperpolymath
+
+# Build and CI
+Justfile @hyperpolymath
+Makefile @hyperpolymath
+*.sh @hyperpolymath
@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Bug report
 about: Create a report to help us improve

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Custom issue template
 about: Describe this issue template's purpose here.

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Documentation
 about: Report unclear, missing, or incorrect documentation

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Feature request
 about: Suggest an idea for this project

@@ -1,3 +1,7 @@
+<!--
+SPDX-License-Identifier: MPL-2.0
+Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+-->
 ---
 name: Question
 about: Ask a question about usage or behaviour

@@ -0,0 +1,6 @@
+mcp_servers:
+  boj-server:
+    command: npx
+    args: ["-y", "@hyperpolymath/boj-server@latest"]
+    env:
+      BOJ_URL: http://localhost:7700
@@ -7,6 +7,7 @@ on:
 jobs:
   trigger-boj:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

@@ -20,6 +20,7 @@ permissions: read-all
 jobs:
   audit:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
 
@@ -35,6 +36,7 @@ jobs:
   # Optional: Create issues for vulnerabilities
   create-issue:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: audit
     if: failure()
     permissions:

@@ -18,6 +18,7 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
@@ -109,6 +110,7 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: build
     steps:
       - name: Deploy to GitHub Pages

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0
+# SPDX-License-Identifier: MPL-2.0
 name: CodeQL Security Analysis
 
 on:
@@ -7,7 +7,7 @@ on:
   pull_request:
     branches: [main, master]
   schedule:
-    - cron: '0 6 * * 1'
+    - cron: '0 6 1 * *'   # monthly 1st 06:00 UTC
 
 # Estate guardrail: cancel superseded runs so re-pushes / rebased PR
 # updates do not pile up queued runs against the shared account-wide
@@ -23,14 +23,20 @@ permissions:
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
       security-events: write
     strategy:
       fail-fast: false
       matrix:
         include:
-          - language: javascript-typescript
+          # januskey has no JavaScript/TypeScript source — the
+          # javascript-typescript extractor errors with "no source code seen"
+          # (exit 32, configuration error). CodeQL's GitHub Actions analysis
+          # scans the workflow YAML that does exist here, keeping this a
+          # meaningful security check (same fix as oblibeny + maa-framework).
+          - language: actions
             build-mode: none
 
     steps:

@@ -50,6 +50,7 @@ jobs:
     # Only run for PRs actually authored by Dependabot.
     if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Fetch Dependabot metadata

@@ -22,6 +22,7 @@ jobs:
   a2ml-validate:
     name: Validate A2ML manifests
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -66,6 +67,7 @@ jobs:
   k9-validate:
     name: Validate K9 contracts
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -115,6 +117,7 @@ jobs:
   empty-lint:
     name: Empty-linter (invisible characters)
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -179,6 +182,7 @@ jobs:
   groove-check:
     name: Groove manifest check
     runs-on: ubuntu-latest
+    timeout-minutes: 15
 
     steps:
       - name: Checkout repository
@@ -237,6 +241,7 @@ jobs:
   dogfood-summary:
     name: Dogfooding compliance summary
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: [a2ml-validate, k9-validate, empty-lint, groove-check]
     if: always()
 

@@ -14,6 +14,7 @@ jobs:
   rust-build-test:
     name: Rust Build + Unit Tests
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
@@ -30,6 +31,7 @@ jobs:
   benchmarks:
     name: Criterion Benchmarks
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
@@ -40,6 +42,7 @@ jobs:
   e2e-lifecycle:
     name: E2E Lifecycle Test
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
@@ -52,6 +55,7 @@ jobs:
   aspect-tests:
     name: Aspect Tests (Cross-Cutting)
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Run aspect tests
@@ -60,6 +64,7 @@ jobs:
   zig-ffi:
     name: Zig FFI Build + Test
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Install Zig
@@ -75,6 +80,7 @@ jobs:
   panic-attack:
     name: Panic Attack Security Scan
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     if: github.event_name == 'push'
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

@@ -31,4 +31,5 @@ permissions:
 
 jobs:
   governance:
-    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
+    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@861b5e911d9e5dcfb3c0ab3dd2a9a3c8fd0a1613
+    timeout-minutes: 10
@@ -25,5 +25,6 @@ permissions:
 
 jobs:
   hypatia:
-    uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@915139d73560e65a8240b8fc7768698658502c89
+    uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@6cd3772824e59c8c9affeab66061e25383544242
+    timeout-minutes: 10
     secrets: inherit
@@ -14,6 +14,7 @@ permissions:
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Trigger Propagation
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3

@@ -12,4 +12,5 @@ permissions:
 jobs:
   mirror:
     uses: hyperpolymath/standards/.github/workflows/mirror-reusable.yml@e6b2884722350515934d443daf23442f2195796f
+    timeout-minutes: 10
     secrets: inherit
@@ -23,6 +23,7 @@ permissions:
 jobs:
   scorecard:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       security-events: write
       id-token: write  # For OIDC
@@ -61,6 +62,7 @@ jobs:
   # Check specific high-priority items
   check-critical:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 

@@ -16,4 +16,5 @@ jobs:
       security-events: write
       id-token: write
     uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef
+    timeout-minutes: 10
     secrets: inherit
@@ -16,4 +16,5 @@ permissions:
 jobs:
   scan:
     uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@3e4bd4c93911750727e2e4c66dff859e00079da0
+    timeout-minutes: 10
     secrets: inherit
@@ -16,6 +16,7 @@ permissions:
 jobs:
   semgrep:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       security-events: write
       contents: read

@@ -15,6 +15,7 @@ permissions: read-all
 jobs:
   lint-workflows:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
 

@@ -0,0 +1,31 @@
+# AI Manifest for 6a2 Directory
+
+## Purpose
+
+This manifest declares the AI-assistant context for the 6a2 machine-readable metadata directory.
+
+## Canonical Locations
+
+The 6 core A2ML files MUST exist in this directory:
+1. AGENTIC.a2ml
+2. ECOSYSTEM.a2ml
+3. META.a2ml
+4. NEUROSYM.a2ml
+5. PLAYBOOK.a2ml
+6. STATE.a2ml
+
+## Invariants
+
+- No duplicate files in root directory
+- Single source of truth: this directory is authoritative
+- No stale metadata
+
+## Protocol
+
+When multiple agents may write to A2ML files concurrently:
+1. Read file and record git-sha-at-read in [provenance] section
+2. Lock by creating .lock-<FILENAME>
+3. Write updated file with new [provenance] metadata
+4. Release by removing lock file
+5. On conflict: re-read and retry if git-sha-at-read does not match HEAD
+
@@ -7,3 +7,4 @@ project = "januskey"
 author = "Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"
 license = "MPL-2.0"
 standard = "RSR 2026"
+last-updated = "2026-06-12"
@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: MPL-2.0
+// Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+# A2ML 6a2 Directory
+
+This directory contains the 6 core A2ML machine-readable metadata files for this repository.
+
+## Files
+
+- `AGENTIC.a2ml` - AI agent operational gating, safety controls
+- `ECOSYSTEM.a2ml` - Project ecosystem position, relationships, explicit boundaries
+- `META.a2ml` - Architecture decisions (ADRs), development practices, design rationale
+- `NEUROSYM.a2ml` - Symbolic semantics, composition algebra
+- `PLAYBOOK.a2ml` - Executable plans, operational runbooks
+- `STATE.a2ml` - Project state, phase, milestones, session history
+
+## Standards Compliance
+
+These files follow the A2ML Format Family specification from:
+https://github.com/hyperpolymath/standards/tree/main/a2ml
+
+## Generation
+
+These files may be generated from .scm source files using transpilation tools.
+Source .scm files should be removed after successful transpilation.
+
+## See Also
+
+- [A2ML Repository Template](https://github.com/hyperpolymath/standards/blob/main/A2ML-REPO-TEMPLATE.adoc)
+- [6A2 Format Family](https://github.com/hyperpolymath/standards#a2ml-format-family-7-formats)
+