chore(license): SPDX headers PMPL-1.0-or-later → MPL-2.0 (Closes #301)

[hyperpolymath]

Summary

Closes #301. Sweeps SPDX surfaces from PMPL-1.0-or-later → MPL-2.0 across the affinescript repo while keeping the PMPL narrative intact in LICENSE. Option 3 of the three options in #301 — machine-readable side becomes SPDX-recognised everywhere (JSR, opam, SBOM tooling); human-readable preference for PMPL survives in the licence file's body.

Why this shape

Root LICENSE is explicit (and was already this way):

PMPL-1.0-or-later is the primary/preferred licence
MPL-2.0 is the fallback (legally-recognised) licence
"MPL-2.0 was chosen as the fallback because PMPL-1.0-or-later is explicitly based on and extends MPL-2.0"

So PMPL was never the only licence — it's the preferred name for a licence that legally falls back to MPL-2.0 wherever PMPL isn't recognised. SPDX/JSR/opam tooling never recognised PMPL and the fallback was already what applied at those surfaces. This change makes that fact explicit in the SPDX headers (where tools look) without altering the human-readable preference.

Scope (673 files, +1127 / −711)

• SPDX headers, 1116 sites — SPDX-License-Identifier: PMPL-1.0-or-later → MPL-2.0. Mechanical sed; touches source/.adoc/.md/.yml/.a2ml/.affine/.toml/.sh/.rs/.ml/.idr/.mjs/... uniformly.
• Excluded — vendored sister-repo subtrees road-skate/ and affinescript-vite/ (they carry their own licensing decisions).
• Code generators that emit SPDX strings in writeln!/Buffer.add_string/echo — newly scaffolded source files will now carry MPL-2.0 by default.
• Machine-readable license: / license = fields in .machine_readable/6a2/META.a2ml, .machine_readable/svc/k9/examples/project-metadata.k9.ncl, and affinescriptiser/.machine_readable/6a2/META.a2ml.
• dune-project — (license "MIT OR AGPL-3.0-or-later") (a stale OCaml-project-template leftover that didn't match anywhere) → (license "MPL-2.0"). affinescript.opam regenerated by dune accordingly.
• LICENSES/LICENSE-MPL-2.0 — added (canonical 373-line Mozilla text from https://www.mozilla.org/media/MPL/2.0/index.txt).

Deliberately preserved

• Root LICENSE body — full PMPL preferred-licence narrative + MPL-2.0 fallback explanation stay verbatim. Only the file's own SPDX header flipped.
• LICENSES/LICENSE-PMPL-1.0 — kept (PMPL is still narrated as preferred).
• Narrative references to PMPL in ALPHA-1-RELEASE-NOTES.md, BACKEND-IMPLEMENTATION.md, EXPLAINME.adoc, GAME-BUNDLING-STRATEGY.md, etc. — historical / architectural context, not machine-readable licence data.

Heads-up — dune-project symlink

Pre-existing layout had top-level dune-project as a symlink to .build/dune-project. The sed -i follow-up broke the symlink (atomic temp+rename overwrites the symlink with a regular file). Both files are now real files with identical content (license + version 0.1.1). If the symlink was load-bearing for some build-output relocation scheme, you may want to restore it as a separate small fix; build + tests pass either way.

Verification

• dune build --release clean.
• dune runtest --force → 295/295 green.
• Binary --version → 0.1.1.
• Shim deno test → 6/6 green.
• grep -rl 'SPDX-License-Identifier: PMPL-1.0-or-later' (excl. vendored subtrees) → empty.
• grep '^license' affinescript.opam → license: "MPL-2.0".

Test plan

• Build + tests green locally
• CI: governance / Hypatia / etc. should remain green — the SPDX flip is uniform; no policy bans MPL-2.0.

Closes #301.

🤖 Generated with Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 42 issues detected

Severity	Count
🔴 Critical	13
🟠 High	17
🟡 Medium	12

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only",
    "type": "banned",
    "file": "AI.a2ml",
    "action": "delete",
    "rule_module": "root_hygiene",
    "severity": "high"
  },
  {
    "reason": "Superseded by 0-AI-MANIFEST.a2ml",
    "type": "banned",
    "file": "AI.djot",
    "action": "delete",
    "rule_module": "root_hygiene",
    "severity": "high"
  },
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action actions/checkout@v4 needs attention",
    "type": "unpinned_action",
    "file": "publish-jsr.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action denoland/setup-deno@v2 needs attention",
    "type": "unpinned_action",
    "file": "publish-jsr.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/example/smoke_driver.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/cli.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence