Review SCM files and security updates (#3)

- Fix security.txt expiry date (was placeholder {{EXPIRY_DATE}})
- Add flake.nix for Nix fallback (RSR requirement)
- Update RSR_COMPLIANCE.adoc with current compliance status
- Update STATE.scm roadmap and completion (25% → 35%)
- Add CHANGELOG.md following Keep a Changelog format

Co-authored-by: Claude <noreply@anthropic.com>

Author: hyperpolymath

.well-known/security.txt

@@ -2,7 +2,7 @@
 # https://securitytxt.org/
 
 Contact: security@hyperpolymath.org
-Expires: {{EXPIRY_DATE}}
+Expires: 2026-12-17T00:00:00.000Z
 Encryption: https://hyperpolymath.org/gpg/security.asc
 Preferred-Languages: en, nl
 Canonical: https://github.com/hyperpolymath/checky-monkey/.well-known/security.txt

CHANGELOG.md

@@ -0,0 +1,61 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- `flake.nix` - Nix fallback package management (RSR requirement)
+- `CHANGELOG.md` - Project changelog following Keep a Changelog format
+
+### Fixed
+- `security.txt` - RFC 9116 compliance with valid expiry date (was placeholder)
+- `RSR_COMPLIANCE.adoc` - Updated compliance status to reflect current state
+
+### Changed
+- `STATE.scm` - Updated roadmap and completion status (25% → 35%)
+
+## [0.1.0] - 2025-12-15
+
+### Added
+- Initial project structure with RSR compliance
+- `guix.scm` - Primary package management (Guix)
+- `.guix-channel` - Guix channel configuration
+- `META.scm` - Architecture Decision Records
+- `ECOSYSTEM.scm` - Project relationships
+- `STATE.scm` - Session state persistence
+- GitHub Actions workflows:
+  - `security-policy.yml` - Security checks (weak crypto, HTTP, secrets)
+  - `quality.yml` - Code quality (TruffleHog, EditorConfig)
+  - `workflow-linter.yml` - RSR workflow validation
+  - `guix-nix-policy.yml` - Package manager enforcement
+  - `npm-bun-blocker.yml` - Forbidden package manager blocking
+  - `wellknown-enforcement.yml` - RFC 9116 validation
+  - `scorecard.yml` - OSSF Scorecard security analysis
+  - `mirror.yml` - Multi-platform mirroring
+  - `codeql.yml` - Static analysis (placeholder)
+- `.well-known/` directory:
+  - `security.txt` - RFC 9116 security contact
+  - `ai.txt` - Consent-aware AI policy
+  - `humans.txt` - Human-readable credits
+  - `consent-required.txt` - HTTP 430 consent framework
+  - `provenance.json` - Source provenance
+- Community files:
+  - `SECURITY.md` - Security policy
+  - `CONTRIBUTING.md` - Contribution guidelines
+  - `CODE_OF_CONDUCT.md` - Contributor Covenant v2.1
+  - `CITATION.cff` - Citation metadata
+  - `codemeta.json` - CodeMeta metadata
+- Configuration files:
+  - `.editorconfig` - Editor configuration
+  - `.gitignore` - Git ignore patterns
+  - `.gitattributes` - Git attributes
+  - `justfile` - Task runner (TODO recipes)
+  - `.gitlab-ci.yml` - GitLab CI/CD pipeline
+  - `dependabot.yml` - Dependency automation
+
+[Unreleased]: https://github.com/hyperpolymath/checky-monkey/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/hyperpolymath/checky-monkey/releases/tag/v0.1.0

RSR_COMPLIANCE.adoc

@@ -13,10 +13,10 @@ This document describes the Rhodium Standard Repository (RSR) compliance status
 |Attribute |Value
 
 |Project |checky-monkey
-|Primary Language |unknown
-|RSR Tier |N/A
-|Compliance Status |Review Needed
-|Last Updated |2025-12-10
+|Primary Language |Guile Scheme
+|RSR Tier |Tier 2
+|Compliance Status |Gold Target
+|Last Updated |2025-12-17
 |===
 
 == Language Tier Classification
@@ -46,14 +46,14 @@ This document describes the Rhodium Standard Repository (RSR) compliance status
 |===
 |Requirement |Status |Notes
 
-|Primary language is Tier 1/2 |✓ |unknown
+|Primary language is Tier 1/2 |✓ |Guile Scheme (Tier 2)
 |No restricted languages outside exemptions |✓ |
 |.editorconfig present |✓ |
 |.well-known/ directory |✓ |
-|justfile present |✗ |
-|LICENSE.txt (AGPL + Palimpsest) |✗ |
+|justfile present |✓ |
+|LICENSE.txt (AGPL + Palimpsest) |✓ |
 |Containerfile present |✗ |
-|flake.nix present |✗ |
+|flake.nix present |✓ |
 |===
 
 == Exemptions
@@ -62,9 +62,7 @@ None
 
 == Action Items
 
-* Add justfile
 * Add Containerfile
-* Add flake.nix
 
 == References
 

STATE.scm

@@ -15,7 +15,7 @@
   '((version . "0.1.0")
     (schema-version . "1.0")
     (created . "2025-12-15")
-    (updated . "2025-12-15")
+    (updated . "2025-12-18")
     (project . "checky-monkey")
     (repo . "github.com/hyperpolymath/checky-monkey")))
 
@@ -41,18 +41,28 @@
 
 (define current-position
   '((phase . "v0.1 - Initial Setup and RSR Compliance")
-    (overall-completion . 25)
+    (overall-completion . 35)
 
     (components
      ((rsr-compliance
        ((status . "complete")
         (completion . 100)
         (notes . "SHA-pinned actions, SPDX headers, multi-platform CI")))
 
+      (security
+       ((status . "complete")
+        (completion . 100)
+        (notes . "RFC 9116 security.txt, wellknown-enforcement, no weak crypto")))
+
+      (package-management
+       ((status . "complete")
+        (completion . 100)
+        (notes . "guix.scm (primary), flake.nix (fallback), npm/bun blocked")))
+
       (documentation
        ((status . "foundation")
-        (completion . 30)
-        (notes . "README exists, META/ECOSYSTEM/STATE.scm added")))
+        (completion . 40)
+        (notes . "README, META/ECOSYSTEM/STATE.scm, RSR_COMPLIANCE updated")))
 
       (testing
        ((status . "minimal")
@@ -68,7 +78,11 @@
      ("RSR-compliant CI/CD pipeline"
       "Multi-platform mirroring (GitHub, GitLab, Bitbucket)"
       "SPDX license headers on all files"
-      "SHA-pinned GitHub Actions"))))
+      "SHA-pinned GitHub Actions"
+      "RFC 9116 security.txt with valid expiry"
+      "Guix primary + Nix fallback package management"
+      "npm/bun blocker workflow"
+      "Workflow security linter"))))
 
 ;;;============================================================================
 ;;; ROUTE TO MVP
@@ -151,6 +165,15 @@
 
 (define session-history
   '((snapshots
+     ((date . "2025-12-18")
+      (session . "security-review-and-scm-fixes")
+      (accomplishments
+       ("Fixed security.txt expiry date (RFC 9116 compliance)"
+        "Created flake.nix (Nix fallback for RSR)"
+        "Updated RSR_COMPLIANCE.adoc status"
+        "Updated STATE.scm with current roadmap"
+        "Verified all CI/CD workflows"))
+      (notes . "Security audit and SCM file review"))
      ((date . "2025-12-15")
       (session . "initial-state-creation")
       (accomplishments
@@ -185,10 +208,10 @@
 (define state-summary
   '((project . "checky-monkey")
     (version . "0.1.0")
-    (overall-completion . 25)
+    (overall-completion . 35)
     (next-milestone . "v0.2 - Core Functionality")
     (critical-blockers . 0)
     (high-priority-issues . 0)
-    (updated . "2025-12-15")))
+    (updated . "2025-12-18")))
 
 ;;; End of STATE.scm

flake.nix

@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
+#
+# flake.nix - Nix Flake (fallback package management)
+# Primary: guix.scm | Fallback: flake.nix
+# Run: nix develop
+{
+  description = "checky-monkey - RSR-compliant infrastructure project";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = nixpkgs.legacyPackages.${system};
+      in
+      {
+        packages.default = pkgs.stdenv.mkDerivation {
+          pname = "checky-monkey";
+          version = "0.1.0";
+          src = ./.;
+
+          meta = with pkgs.lib; {
+            description = "RSR-compliant infrastructure project";
+            homepage = "https://github.com/hyperpolymath/checky-monkey";
+            license = licenses.agpl3Plus;
+            maintainers = [ ];
+            platforms = platforms.all;
+          };
+        };
+
+        devShells.default = pkgs.mkShell {
+          buildInputs = with pkgs; [
+            # Core tools
+            git
+            gnumake
+            just
+
+            # Guile Scheme (for SCM files)
+            guile
+
+            # Security tools
+            trufflehog
+            trivy
+
+            # Linters
+            shellcheck
+            yamllint
+            editorconfig-checker
+          ];
+
+          shellHook = ''
+            echo "checky-monkey development environment"
+            echo "Primary SCM: guix.scm"
+            echo "Fallback SCM: flake.nix (this file)"
+            echo ""
+            echo "Available commands:"
+            echo "  just --list    # Show available tasks"
+            echo "  guile META.scm # Evaluate architecture decisions"
+          '';
+        };
+      }
+    );
+}