
docs(governance): fill required-file placeholders #33

Merged
hyperpolymath merged 3 commits into main from claude/practical-newton-9eFe2
Jun 14, 2026

Conversation

@hyperpolymath

Owner

Summary

The openssf-compliance gate was RED on krl because several governance
required-files still contained unfilled {{PLACEHOLDER}} tokens. This PR
removes those tokens from the gate's required-file set so the gate goes
green, without touching any legitimate template files (k9 *.ncl,
contractiles, container//.well-known/ stubs, tests/e2e/*template*,
settings.yml, methodology.a2ml, etc.).

The gate's placeholder check (.github/workflows/openssf-compliance.yml)
scans this required set: SECURITY.md, .github/SECURITY.md, LICENSE,
CONTRIBUTING.md, README.adoc, .machine_readable/{STATE,META,ECOSYSTEM}.a2ml,
CHANGELOG.md. Only two of those had placeholder hits.

Files changed

  • .machine_readable/ECOSYSTEM.a2ml — filled {{REPO_DESCRIPTION}}
    with the canonical KRL one-liner from README.adoc: "Knot Resolution
    Language — a compositional language for constructing, transforming,
    resolving, and retrieving topological objects: tangles, knots, and links".
  • .github/SECURITY.md — deleted the rsr-template TEMPLATE INSTRUCTIONS
    comment block; removed the optional PGP subsection. {{PGP_KEY_URL}} and
    {{PGP_FINGERPRINT}} had no fill value (no PGP key for this project) and
    the template explicitly marks the PGP section as optional, so it was removed
    rather than guessed. Project name/repo slug/email/year were already filled
    correctly (krl, hyperpolymath/krl, 2026).
  • .github/CODE_OF_CONDUCT.md — deleted the TEMPLATE INSTRUCTIONS block
    (its only {{...}} token); the body was already instantiated for krl.
  • .machine_readable/6a2/STATE.a2ml — dropped the META-TEMPLATE comment
    scaffolding that referenced {{PLACEHOLDER}}; the body was already
    instantiated for krl. (Not in the gate's scanned set, but cleaned as part
    of the standard governance docs.)

Same pattern as quandledb PRs #50/#51.

Verification

git grep -nE '\{\{[A-Z_]+\}\}' over the target files returns nothing, and a
local simulation of the gate's exact placeholder-check loop over the required
set reports PASS. The openssf-compliance gate's placeholder step should now
pass; all other required-file existence checks (SECURITY/LICENSE/CONTRIBUTING/
README/CHANGELOG/.machine_readable) were already satisfied.

Not touched (legitimate templates, must keep {{…}})

k9 *.ncl, contractile files (Justfile/Adjustfile.a2ml/Dustfile.a2ml),
container/*, .well-known/security.txt, tests/e2e/*template*,
.github/settings.yml, methodology.a2ml, ANCHOR.a2ml, the
QUICKSTART-*.adoc template guides.

https://claude.ai/code/session_017TXizM5c1Yd9HWf7Y15YH2


Generated by Claude Code
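The gate's placeholder-check loop described above, reconstructed as a runnable local stand-in (an added example, not the repo's actual openssf-compliance workflow step). The required-file set and the `{{...}}` regex come from the PR text; the function names, the fixture layout and the file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not the repo's workflow: a local stand-in for the
# openssf-compliance gate's placeholder check described in the PR. From the
# PR text: the required-file set and the regex; everything else is constructed.

# Required governance files the gate scans, one per line.
REQUIRED_FILES='SECURITY.md
.github/SECURITY.md
LICENSE
CONTRIBUTING.md
README.adoc
.machine_readable/STATE.a2ml
.machine_readable/META.a2ml
.machine_readable/ECOSYSTEM.a2ml
CHANGELOG.md'

# check_placeholders ROOT: print each unfilled {{TOKEN}} in the required
# set as "file:line:text"; return 0 when clean, 1 when any token remains.
# Files outside the set (k9 *.ncl, container stubs, ...) are never read,
# which is how legitimate templates keep their {{...}} markers.
check_placeholders() {
  root="$1"; rc=0
  for f in $REQUIRED_FILES; do
    [ -f "$root/$f" ] || continue   # existence is a separate gate step
    hits=$(grep -nE '\{\{[A-Z_]+\}\}' "$root/$f" || true)
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits" | sed "s|^|$f:|"
      rc=1
    fi
  done
  return "$rc"
}

# make_fixture ROOT CLEAN: build a constructed mini-repo under ROOT (file
# contents are illustrative, not real a2ml). CLEAN=no leaves
# {{REPO_DESCRIPTION}} in ECOSYSTEM.a2ml (the RED state); CLEAN=yes writes a
# filled value. A k9 template keeps its token either way and must not trip it.
make_fixture() {
  root="$1"; clean="$2"
  mkdir -p "$root/.github" "$root/.machine_readable" "$root/k9"
  printf 'MIT\n' > "$root/LICENSE"
  printf '# Security Policy\nContact: security@example.invalid\n' > "$root/.github/SECURITY.md"
  printf 'name = "{{NCL_NAME}}"\n' > "$root/k9/pkg.ncl"
  if [ "$clean" = yes ]; then
    printf 'description = "Knot Resolution Language"\n' > "$root/.machine_readable/ECOSYSTEM.a2ml"
  else
    printf 'description = "{{REPO_DESCRIPTION}}"\n' > "$root/.machine_readable/ECOSYSTEM.a2ml"
  fi
}
```

Run `make_fixture /tmp/krl-check no && check_placeholders /tmp/krl-check` to see the single ECOSYSTEM.a2ml hit the gate would report; the k9 template's token is never listed.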

claude added 3 commits June 14, 2026 12:37
codeql.yml declared `javascript-typescript`, but the repo has no JS/TS source,
so the analyze job recorded zero results / failed "no source files" every run.
CodeQL's `actions` language scans the workflow files (present in every repo),
giving real SAST signal. Per the repo's Hypatia workflow_audit finding.

https://claude.ai/code/session_017TXizM5c1Yd9HWf7Y15YH2

Remove unfilled {{PLACEHOLDER}} tokens from the openssf-compliance gate's
required-file set so the gate passes, without touching legitimate template
files (k9 *.ncl, contractiles, container/well-known stubs, e2e templates).

- .machine_readable/ECOSYSTEM.a2ml: fill {{REPO_DESCRIPTION}} with the KRL
  one-line description from README.adoc.
- .github/SECURITY.md: delete the rsr-template TEMPLATE INSTRUCTIONS block;
  remove the optional PGP section (no PGP key — {{PGP_KEY_URL}}/
  {{PGP_FINGERPRINT}} had no fill value, and the template marks PGP optional).
- .github/CODE_OF_CONDUCT.md: delete the TEMPLATE INSTRUCTIONS block (body
  already instantiated for krl).
- .machine_readable/6a2/STATE.a2ml: drop META-TEMPLATE comment scaffolding
  referencing {{PLACEHOLDER}}; body already instantiated for krl.

https://claude.ai/code/session_017TXizM5c1Yd9HWf7Y15YH2
@github-actions


🔍 Hypatia Security Scan

Findings: 38 issues detected

Severity Count
🔴 Critical 4
🟠 High 10
🟡 Medium 24

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in scorecard.yml",
    "type": "scorecard_wrapper_missing_job_permissions",
    "file": "scorecard.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/krl/krl/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 24,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/krl/krl/.envrc",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Nominal-only SAST in krl: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/krl/krl",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in krl",
    "type": "DependencyPinning",
    "file": "/home/runner/work/krl/krl",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
    "scorecard_check": "Pinned-Dependencies"
  },
  {
    "reason": "Repository has 3 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 2 day(s) old",
    "type": "CSA001",
    "file": "spec/grammar-overview.md",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 2 day(s) old",
    "type": "CSA001",
    "file": "docs/practice/AI-CONVENTIONS.adoc",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review June 14, 2026 14:39
@hyperpolymath hyperpolymath merged commit 7e3947f into main Jun 14, 2026
14 checks passed
@hyperpolymath hyperpolymath deleted the claude/practical-newton-9eFe2 branch June 14, 2026 14:39