fix(security): complete security configuration and RSR compliance

Security fixes:
- SECURITY.md: Replace template with actual vulnerability policy
- security.txt: Fix {{EXPIRY_DATE}} placeholder with valid RFC 9116 date
- justfile: Replace docker-compose with nerdctl/podman (RSR compliance)

New files:
- flake.nix: Add Nix fallback package management per RSR guidelines
- ROADMAP.adoc: Add comprehensive development roadmap

Updates:
- RSR_COMPLIANCE.adoc: Update status to reflect completed items
- STATE.scm: Update project state with current progress (35%)
- README.adoc: Update roadmap section with current status

Author: claude

.well-known/security.txt

@@ -1,8 +1,9 @@
 # Security Policy for Voyage-Enterprise-Decision-System
 # https://securitytxt.org/
+# RFC 9116 compliant
 
-Contact: security@hyperpolymath.org
-Expires: {{EXPIRY_DATE}}
+Contact: mailto:security@hyperpolymath.org
+Expires: 2026-12-17T23:59:59.000Z
 Encryption: https://hyperpolymath.org/gpg/security.asc
 Preferred-Languages: en, nl
 Canonical: https://github.com/hyperpolymath/Voyage-Enterprise-Decision-System/.well-known/security.txt

README.adoc

@@ -162,24 +162,35 @@ See [LICENSE](LICENSE) for details.
 
 == Roadmap
 
-=== Phase 1: MVP (Current)
-- [x] Design documentation
-- [ ] Database schemas
-- [ ] Basic routing engine
-- [ ] API skeleton
-- [ ] Constraint DSL
-
-=== Phase 2: Core Features
-- [ ] Formal verification integration
-- [ ] Real-time tracking
-- [ ] Julia dashboards
+See link:ROADMAP.adoc[ROADMAP.adoc] for the complete development roadmap.
+
+=== Phase 1: Foundation [CURRENT - 35%]
+- [x] RSR compliance & security configuration
+- [x] CI/CD workflows (13 workflows)
+- [x] Service scaffolds (all 5 services)
+- [x] Container specifications (Containerfiles)
+- [x] Package management (guix.scm + flake.nix)
+- [ ] Database schema finalization
+- [ ] Core routing algorithms
+- [ ] API skeleton completion
+
+=== Phase 2: Core Engine
+- [ ] Rust multi-modal routing optimizer
+- [ ] Clojure constraints engine (XTDB)
+- [ ] Elixir Phoenix API gateway
+- [ ] Property-based testing suite
+
+=== Phase 3: Formal Verification
+- [ ] Ada/SPARK constraint proofs
+- [ ] Z3/CVC5 solver integration
+- [ ] Verification CI pipeline
+
+=== Phase 4: Production
+- [ ] Julia visualization dashboards
 - [ ] VoID/SPARQL endpoint
-
-=== Phase 3: Production
 - [ ] Transport API integrations
-- [ ] Carbon accounting
-- [ ] Labor compliance reporting
-- [ ] Kubernetes deployment
+- [ ] Kubernetes deployment (RKE2/K3s)
+- [ ] Observability stack (OpenTelemetry/Grafana)
 
 ---
 

ROADMAP.adoc

@@ -0,0 +1,257 @@
+= VEDS Roadmap
+:toc:
+:sectnums:
+:icons: font
+
+== Overview
+
+This roadmap outlines the development phases for the Voyage Enterprise Decision System (VEDS).
+
+*Current Status:* Phase 1 - Foundation (35% complete)
+
+---
+
+== Phase 1: Foundation [CURRENT]
+
+=== 1.1 RSR Compliance & SCM [COMPLETE]
+
+[cols="1,1,2"]
+|===
+|Task |Status |Notes
+
+|.gitignore & .gitattributes |✓ |RSR-compliant
+|.well-known directory |✓ |security.txt, ai.txt, humans.txt, consent-required.txt
+|Security policy (SECURITY.md) |✓ |RFC 9116 compliant
+|CI/CD workflows |✓ |13 workflows configured
+|Container policy enforcement |✓ |Blocks Dockerfile, enforces Containerfile
+|Package management |✓ |guix.scm + flake.nix fallback
+|Dependabot |✓ |Cargo, Mix, GitHub Actions
+|CodeQL scanning |✓ |Weekly + PR triggers
+|===
+
+=== 1.2 Service Scaffolds [IN PROGRESS]
+
+[cols="1,1,2"]
+|===
+|Service |Status |Progress
+
+|rust-routing |Scaffold |Cargo.toml, dependencies, basic structure
+|elixir-api |Scaffold |mix.exs, Phoenix setup
+|clojure-constraints |Scaffold |deps.edn, XTDB integration
+|ada-spark-verify |Scaffold |alire.toml, GPR project
+|julia-viz |Scaffold |Project.toml, Makie dependencies
+|===
+
+=== 1.3 Database Schemas [IN PROGRESS]
+
+[cols="1,1"]
+|===
+|Database |Status
+
+|SurrealDB schema |Defined (config/surrealdb-schema.surql)
+|XTDB config |Defined (config/xtdb.yaml)
+|Dragonfly cache |Pending implementation
+|PostgreSQL (Elixir) |Ecto migrations pending
+|===
+
+---
+
+== Phase 2: Core Engine Development
+
+=== 2.1 Rust Routing Optimizer
+
+* [ ] Implement graph-based route representation (petgraph)
+* [ ] Multi-modal edge cost functions
+* [ ] Pareto-optimal path finding (cost, carbon, time)
+* [ ] gRPC service endpoints
+* [ ] Integration with SurrealDB for graph storage
+* [ ] Redis/Dragonfly caching layer
+
+=== 2.2 Clojure Constraints Engine
+
+* [ ] XTDB bitemporal data model
+* [ ] Datalog constraint rules
+* [ ] ILO labor compliance rules
+* [ ] Carbon budget constraints
+* [ ] Time window constraints
+* [ ] Integration with Rust optimizer via gRPC
+
+=== 2.3 Elixir API Gateway
+
+* [ ] Phoenix REST API (v1)
+* [ ] GraphQL endpoint (Absinthe)
+* [ ] Phoenix Channels for real-time tracking
+* [ ] Authentication & authorization
+* [ ] Rate limiting
+* [ ] OpenAPI documentation
+
+=== 2.4 Testing Infrastructure
+
+* [ ] Property-based tests (Hypothesis)
+* [ ] Integration test suite
+* [ ] Load testing setup
+* [ ] Mutation testing for critical paths
+
+---
+
+== Phase 3: Formal Verification
+
+=== 3.1 Ada/SPARK Proofs
+
+* [ ] Constraint satisfaction proofs
+* [ ] Route validity proofs
+* [ ] Labor compliance formal specs
+* [ ] Z3/CVC5 integration
+* [ ] Proof coverage metrics
+
+=== 3.2 Verification Pipeline
+
+* [ ] CI integration for SPARK proofs
+* [ ] Proof failure blocking
+* [ ] Coverage reporting
+* [ ] Documentation generation from specs
+
+---
+
+== Phase 4: Visualization & Analytics
+
+=== 4.1 Julia Dashboards
+
+* [ ] Route visualization (GeoMakie)
+* [ ] Real-time tracking display
+* [ ] Cost/carbon analytics
+* [ ] Network graph visualization (GraphMakie)
+* [ ] Interactive Pluto notebooks
+
+=== 4.2 Reporting
+
+* [ ] PDF report generation
+* [ ] Carbon audit reports
+* [ ] Labor compliance reports
+* [ ] Cost breakdown analysis
+
+---
+
+== Phase 5: Integration & APIs
+
+=== 5.1 External Transport APIs
+
+* [ ] Maritime: AIS data integration
+* [ ] Rail: Network timetables
+* [ ] Road: Traffic/routing APIs
+* [ ] Air: Flight schedule integration
+
+=== 5.2 Linked Data / VoID
+
+* [ ] SPARQL endpoint
+* [ ] VoID vocabulary mapping
+* [ ] Federation capabilities
+* [ ] RDF export
+
+=== 5.3 Third-Party Integration
+
+* [ ] ERP connectors
+* [ ] TMS integration adapters
+* [ ] EDI message handling
+
+---
+
+== Phase 6: Production Deployment
+
+=== 6.1 Kubernetes Infrastructure
+
+* [ ] RKE2 manifests finalization
+* [ ] K3s lightweight option
+* [ ] ArgoCD GitOps deployment
+* [ ] Horizontal Pod Autoscaling
+* [ ] Pod Security Policies
+
+=== 6.2 Observability
+
+* [ ] OpenTelemetry instrumentation
+* [ ] Grafana dashboards
+* [ ] Prometheus metrics
+* [ ] Distributed tracing
+* [ ] Log aggregation
+
+=== 6.3 Security Hardening
+
+* [ ] mTLS between services
+* [ ] Secret management (Vault/Sealed Secrets)
+* [ ] Network policies
+* [ ] Pod security admission
+* [ ] Regular penetration testing
+
+---
+
+== Phase 7: Advanced Features
+
+=== 7.1 Machine Learning
+
+* [ ] Demand forecasting
+* [ ] Route recommendation
+* [ ] Anomaly detection
+* [ ] Carbon prediction models
+
+=== 7.2 Cooperative Economics Features
+
+* [ ] Worker-owned fleet support
+* [ ] Fair wage enforcement
+* [ ] Cooperative pricing models
+* [ ] Profit sharing calculations
+
+---
+
+== Milestone Summary
+
+[cols="1,2,1"]
+|===
+|Milestone |Description |Status
+
+|M1 |Foundation & RSR Compliance |✓ Complete
+|M2 |Service Scaffolds |In Progress (80%)
+|M3 |Database Integration |In Progress (50%)
+|M4 |Core Routing Engine |Pending
+|M5 |Constraint Engine |Pending
+|M6 |API Gateway |Pending
+|M7 |Formal Verification |Pending
+|M8 |Visualization |Pending
+|M9 |Production Deployment |Pending
+|===
+
+---
+
+== Dependencies & Risks
+
+=== Technical Dependencies
+
+* XTDB 2.0 beta stability
+* Ada/SPARK toolchain availability in CI
+* Julia package ecosystem compatibility
+* gRPC interop between Rust/Clojure/Elixir
+
+=== Risks
+
+[cols="1,1,2"]
+|===
+|Risk |Impact |Mitigation
+
+|XTDB 2.0 API changes |High |Pin version, monitor release notes
+|SPARK proof complexity |Medium |Start with critical path proofs only
+|Multi-language gRPC schema drift |Medium |Single source of truth for protobuf
+|Performance at scale |High |Early load testing, profiling
+|===
+
+---
+
+== Contributing
+
+See link:CONTRIBUTING.md[CONTRIBUTING.md] for contribution guidelines.
+
+Priority areas for contribution:
+
+1. Rust routing algorithm implementations
+2. Clojure Datalog constraint rules
+3. Ada/SPARK formal specifications
+4. Julia visualization components
+5. Integration tests