From 2ade3966d196550c62209f22cecb0b00467833f8 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 14 Jun 2026 12:37:17 +0000
Subject: [PATCH 1/2] ci: set CodeQL language matrix to actions (no JS/TS source in repo)

codeql.yml declared `javascript-typescript`, but the repo has no JS/TS source, so the analyze job recorded zero results / failed "no source files" every run. CodeQL's `actions` language scans the workflow files (present in every repo), giving real SAST signal. Per the repo's Hypatia workflow_audit finding.

https://claude.ai/code/session_017TXizM5c1Yd9HWf7Y15YH2
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 64a6a75..c21d00e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:
 fail-fast: false
 matrix:
 include:
- - language: javascript-typescript
+ - language: actions
 build-mode: none
 steps:
 - name: Checkout

From 9cfd91a31cbca35e4be7b756ca537351eff3abf1 Mon Sep 17 00:00:00 2001
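Review bot: With `javascript-typescript` gone, the matrix's only entry scans `.github/workflows/*`, so no application code is analysed at all; the commit message says the repo has no JS/TS source but not what its primary language is, and if that language is CodeQL-supported it belongs here as a second matrix entry rather than being left out. `build-mode: none` is carried over from the JS entry and looks like a no-op for `actions` — harmless, but confirm the pinned `github/codeql-action` version actually supports the `actions` language, since the `init`/`analyze` steps lie outside this hunk. The `actions` query pack typically reports unpinned third-party actions, over-broad `permissions` and `pull_request_target` misuse, so expect the first run to surface alerts rather than a clean zero. Record the rationale in the workflow so nobody re-adds the dead entry: `- language: actions  # scans .github/workflows/*; repo has no JS/TS source`.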
From: Claude
Date: Sun, 14 Jun 2026 14:37:39 +0000
Subject: [PATCH 2/2] docs(governance): fill required-file placeholders + fix project naming
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove unfilled {{PLACEHOLDER}} tokens from the openssf-compliance gate's required-file set so the gate passes, without touching legitimate template files (k9 *.ncl, contractiles, container/well-known stubs, e2e templates).

- .machine_readable/ECOSYSTEM.a2ml: fill {{REPO_DESCRIPTION}} with the KRL one-line description from README.adoc.
- .github/SECURITY.md: delete the rsr-template TEMPLATE INSTRUCTIONS block; remove the optional PGP section (no PGP key — {{PGP_KEY_URL}}/ {{PGP_FINGERPRINT}} had no fill value, and the template marks PGP optional).
- .github/CODE_OF_CONDUCT.md: delete the TEMPLATE INSTRUCTIONS block (body already instantiated for krl).
- .machine_readable/6a2/STATE.a2ml: drop META-TEMPLATE comment scaffolding referencing {{PLACEHOLDER}}; body already instantiated for krl.

https://claude.ai/code/session_017TXizM5c1Yd9HWf7Y15YH2
---
 .github/CODE_OF_CONDUCT.md | 20 -------------------
 .github/SECURITY.md | 34 +-------------------------------
 .machine_readable/6a2/STATE.a2ml | 8 ++------
 .machine_readable/ECOSYSTEM.a2ml | 2 +-
 4 files changed, 4 insertions(+), 60 deletions(-)

diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
index 2f60c54..8026a4c 100644
--- a/.github/CODE_OF_CONDUCT.md
+++ b/.github/CODE_OF_CONDUCT.md
@@ -4,26 +4,6 @@ Copyright (c) Jonathan D.A. Jewell
 -->
 # Code of Conduct
-
-
 ## Our Pledge
 We as members, contributors, and leaders pledge to make participation in KRL a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, colour, religion, or sexual identity and orientation.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index 5c3a6a9..acad5ec 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -4,24 +4,6 @@ Copyright (c) Jonathan D.A. Jewell
 -->
 # Security Policy
-
-
 We take security seriously. We appreciate your efforts to responsibly disclose vulnerabilities and will make every effort to acknowledge your contributions.
 ## Table of Contents
@@ -56,26 +38,13 @@ This method ensures:
 - Coordinated disclosure tooling
 - Automatic credit when the advisory is published
-### Alternative: Encrypted Email
+### Alternative: Email
 If you cannot use GitHub Security Advisories, you may email us directly:
 | | |
 |---|---|
 | **Email** | jonathan.jewell@open.ac.uk |
-| **PGP Key** | [Download Public Key]({{PGP_KEY_URL}}) |
-| **Fingerprint** | `{{PGP_FINGERPRINT}}` |
-
-```bash
-# Import our PGP key
-curl -sSL {{PGP_KEY_URL}} | gpg --import - # Verify fingerprint
-gpg --fingerprint jonathan.jewell@open.ac.uk - # Encrypt your report
-gpg --armor --encrypt --recipient jonathan.jewell@open.ac.uk report.txt
-```
 > **⚠️ Important:** Do not report security vulnerabilities through public GitHub issues, pull requests, discussions, or social media.
@@ -374,7 +343,6 @@ When using KRL, we recommend:
 ## Additional Resources
-- [Our PGP Public Key]({{PGP_KEY_URL}})
 - [Security Advisories](https://github.com/hyperpolymath/krl/security/advisories)
 - [Changelog](CHANGELOG.md)
 - [Contributing Guidelines](CONTRIBUTING.md)
diff --git a/.machine_readable/6a2/STATE.a2ml b/.machine_readable/6a2/STATE.a2ml
index 9079599..553f70b 100644
--- a/.machine_readable/6a2/STATE.a2ml
+++ b/.machine_readable/6a2/STATE.a2ml
@@ -1,11 +1,9 @@
 # SPDX-License-Identifier: MPL-2.0
 # Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath)
 #
-# STATE.a2ml — Project state checkpoint (META-TEMPLATE)
+# STATE.a2ml — Project state checkpoint
 #
 # This is the STATE file for krl.
-# When consumed by a new project, replace {{PLACEHOLDER}} tokens
-# and customize sections below for the target project.
 [metadata]
 project = "krl"
@@ -58,7 +56,5 @@ part-of = ["RSR Framework", "stapeln ecosystem"]
 depends-on = ["stapeln", "selur-compose", "cerro-torre", "svalinn", "vordr", "k9-svc"]
 # ---------------------------------------------------------------------------
-# NOTE FOR CONSUMERS: When using this template to create a new repo, reset
-# the fields above to your project's values and replace all {{PLACEHOLDER}}
-# tokens. The milestones above describe the TEMPLATE's evolution, not yours.
+# NOTE: The milestones above describe the krl repository's evolution.
 # ---------------------------------------------------------------------------
diff --git a/.machine_readable/ECOSYSTEM.a2ml b/.machine_readable/ECOSYSTEM.a2ml
index 3004c7a..2e22d53 100644
--- a/.machine_readable/ECOSYSTEM.a2ml
+++ b/.machine_readable/ECOSYSTEM.a2ml
@@ -4,5 +4,5 @@
 (version "1.0.0")
 (name "krl")
 (type "library")
-(purpose "{{REPO_DESCRIPTION}}")
+(purpose "Knot Resolution Language — a compositional language for constructing, transforming, resolving, and retrieving topological objects: tangles, knots, and links")
 (related-projects))
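Review bot: `(related-projects)` on the hunk's last line stays empty while the STATE.a2ml hunk earlier in this same patch records `part-of = ["RSR Framework", "stapeln ecosystem"]` and `depends-on = ["stapeln", "selur-compose", "cerro-torre", "svalinn", "vordr", "k9-svc"]`, so the two machine-readable records now disagree about KRL's place in its ecosystem. Any tooling or compliance gate that reads ECOSYSTEM.a2ml will see a described but unrelated project; either populate the list from STATE.a2ml (something like `(related-projects "stapeln" "selur-compose" "cerro-torre" "svalinn" "vordr" "k9-svc")`, assuming that is the a2ml list form) or document which of the two files is authoritative. The filled `purpose` value also introduces a non-ASCII em dash where the template value was plain ASCII; fine if the consumer reads UTF-8, but worth a quick check since nothing in the hunk shows the file's declared encoding.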