chore: batch RSR compliance — SPDX headers, SHA-pin actions, forbid(unsafe_code), CODE_OF_CONDUCT, CONTRIBUTING

- Add/fix SPDX-License-Identifier headers (AGPL→PMPL where needed)
- SHA-pin all GitHub Actions to commit hashes
- Add #![forbid(unsafe_code)] to safe Rust crates
- Add CODE_OF_CONDUCT.md (Contributor Covenant v2.1)
- Add CONTRIBUTING.md (standard template)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/ci.yaml

@@ -24,7 +24,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Install Rust
-        uses: dtolnay/rust-action@stable
+        uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7 # stable
         with:
           toolchain: ${{ env.RUST_VERSION }}
           components: clippy, rustfmt
@@ -51,7 +51,7 @@ jobs:
       - name: Test
         run: cargo test --all-features
       - name: Upload artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: rust-optimizer
           path: src/rust-routing/target/release/veds-optimizer
@@ -78,7 +78,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup Elixir
-        uses: erlef/setup-beam@v1
+        uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1
         with:
           elixir-version: ${{ env.ELIXIR_VERSION }}
           otp-version: ${{ env.OTP_VERSION }}
@@ -112,7 +112,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: 'temurin'
           java-version: '21'
@@ -141,7 +141,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup Julia
-        uses: julia-actions/setup-julia@v2
+        uses: julia-actions/setup-julia@4c0cb0fce8556fdb04a90347310e5db8b1f98fb9 # v2
         with:
           version: ${{ env.JULIA_VERSION }}
       - name: Cache Julia packages
@@ -187,7 +187,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '3.12'
       - name: Install test dependencies
@@ -205,7 +205,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '3.12'
       - name: Install test dependencies
@@ -221,7 +221,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -257,16 +257,16 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/veds-${{ matrix.service.name }}
           tags: |
@@ -275,7 +275,7 @@ jobs:
             type=semver,pattern={{version}}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
       - name: Build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: ${{ matrix.service.context }}
           push: true

.github/workflows/release.yaml

@@ -16,9 +16,9 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -28,31 +28,31 @@ jobs:
         run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
       # Build and push all service images with version tag
       - name: Build rust-optimizer
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: src/rust-routing
           push: true
           tags: |
             ${{ env.REGISTRY }}/${{ github.repository_owner }}/veds-rust-optimizer:${{ steps.version.outputs.VERSION }}
             ${{ env.REGISTRY }}/${{ github.repository_owner }}/veds-rust-optimizer:latest
       - name: Build elixir-api
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: src/elixir-api
           push: true
           tags: |
             ${{ env.REGISTRY }}/${{ github.repository_owner }}/veds-elixir-api:${{ steps.version.outputs.VERSION }}
             ${{ env.REGISTRY }}/${{ github.repository_owner }}/veds-elixir-api:latest
       - name: Build clojure-constraints
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: src/clojure-constraints
           push: true
           tags: |
             ${{ env.REGISTRY }}/${{ github.repository_owner }}/veds-clojure-constraints:${{ steps.version.outputs.VERSION }}
             ${{ env.REGISTRY }}/${{ github.repository_owner }}/veds-clojure-constraints:latest
       - name: Build julia-viz
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: src/julia-viz
           push: true

.github/workflows/scorecard.yml

@@ -27,6 +27,6 @@ jobs:
           results_format: sarif
 
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@v4.31.10
+        uses: github/codeql-action/upload-sarif@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3.31.10
         with:
           sarif_file: results.sarif

src/deno-api/src/Constraint.res

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: MIT OR AGPL-3.0
+// SPDX-License-Identifier: PMPL-1.0-or-later
 // VEDS Constraint DSL - Declarative constraint definitions
 
 open Types

src/deno-api/src/Handlers.res

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: MIT OR AGPL-3.0
+// SPDX-License-Identifier: PMPL-1.0-or-later
 // VEDS API Handlers - Request handling logic
 
 open Types

src/deno-api/src/Router.res

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: MIT OR AGPL-3.0
+// SPDX-License-Identifier: PMPL-1.0-or-later
 // VEDS API Router - Route handling and dispatch
 
 // HTTP Method type

src/deno-api/src/Types.res

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: MIT OR AGPL-3.0
+// SPDX-License-Identifier: PMPL-1.0-or-later
 // VEDS API Types - Domain Model
 
 // Transport modes