# RSR Compliance Checklist

**Version**: 1.0.0
**Last Updated**: 2025-11-22
**Purpose**: Validate Rhodium Standard Repository (RSR) compliance

This checklist provides **pass/fail criteria** for all 11 RSR compliance categories. Use this for self-assessment, audits, and CI/CD automation.

---

## How to Use This Checklist

1. **Self-Assessment**: Review each section manually
2. **Automation**: Run `just validate` to execute automated checks
3. **Audit**: Use for third-party compliance verification
4. **CI/CD Integration**: Embed checks in `.gitlab-ci.yml`

**Scoring**:
- ✅ **Pass**: Requirement met
- ⚠️ **Partial**: Partially implemented, needs work
- ❌ **Fail**: Requirement not met
- N/A: Not applicable to this project

---

## Category 1: Foundational Infrastructure

### 1.1 Reproducibility & Configuration

- [ ] **Nix flakes**: `flake.nix` and `flake.lock` present and functional
- [ ] **Nickel configs**: Infrastructure-as-code in Nickel format (or CUE if complex)
- [ ] **Justfile**: Task runner with comprehensive recipes (`just --list` shows 15+ tasks)
- [ ] **Podman**: Container configuration uses Podman (never Docker)
- [ ] **Chainguard Wolfi**: Base images use `cgr.dev/chainguard/wolfi-base`

**Automation**: `nix flake check`, `just validate`

---

### 1.2 Version Control & Automation

- [ ] **GitLab**: Repository hosted on GitLab (not GitHub)
- [ ] **Git hooks**: Pre-commit and pre-push hooks configured
- [ ] **RVC (Robot Vacuum Cleaner)**: Automated tidying via hooks
- [ ] **SaltRover**: Offline repository management configured (if applicable)
- [ ] **Salt states**: Configuration management in place (temporary, migrating to Nickel)

**Automation**: Check `.git/hooks/`, verify GitLab remote

---

## Category 2: Documentation Standards

### 2.1 Required Files (Exact Naming)

Core documentation must exist with exact filenames:

- [ ] `README.md` or `README.adoc`
- [ ] `LICENSE.txt` (plain text, not `.md`)
- [ ] `SECURITY.md` (not `.txt` or `.adoc`)
- [ ] `CODE_OF_CONDUCT.md` or `CODE_OF_CONDUCT.adoc`
- [ ] `CONTRIBUTING.md` or `CONTRIBUTING.adoc`
- [ ] `FUNDING.yml` (not `.yaml`)
- [ ] `GOVERNANCE.adoc`
- [ ] `MAINTAINERS.md`
- [ ] `.gitignore` (not `gitignore`)
- [ ] `.gitattributes`

**Automation**: `test -f README.md || test -f README.adoc`

---

### 2.2 Well-Known Directory

- [ ] `.well-known/security.txt` (RFC 9116 compliant)
- [ ] `.well-known/ai.txt` (AI crawling policies)
- [ ] `.well-known/consent-required.txt` (HTTP 430 protocol)
- [ ] `.well-known/provenance.json` (provenance chains)
- [ ] `.well-known/humans.txt` (attribution)

**Automation**: `test -d .well-known && ls .well-known/`

---

### 2.2.5 AI Context Files

Machine-readable context for AI assistants:

- [ ] `META.scm` — Architecture decisions, development practices, design rationale
- [ ] `ECOSYSTEM.scm` — Project ecosystem position, relationships, boundaries
- [ ] `STATE.scm` — Current project state, progress, blockers, session history
- [ ] SPDX headers present in all three files
- [ ] Guile Scheme syntax valid (parseable)

**Purpose**: These files enable AI assistants to maintain context across sessions, understand architectural decisions, and track project state. They work alongside `.claude/CLAUDE.md` or similar instruction files.
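The exact-naming rules in 2.1, the `.well-known` set in 2.2 and the three AI context files above lend themselves to a single automated check. The POSIX shell script below is an added example, not the checklist's own `just validate` recipe: the function names and the constructed sample repository are mine, the filenames are the ones listed above, and the five-line window in which the SPDX header is expected at the top of each `.scm` file is an assumption. Near-miss names that the checklist explicitly rejects (`LICENSE.md`, `FUNDING.yaml`, `gitignore` without the dot) are reported as failures rather than silently ignored.

```shell
#!/bin/sh
# Added example (not part of the RSR checklist's tooling): automates the
# exact-naming checks of 2.1, the .well-known files of 2.2 and the AI context
# files of 2.2.5. Filenames come from the checklist; everything else is assumed.

# Required files from 2.1 and 2.2; acceptable alternatives separated by '|'.
RSR_REQUIRED_FILES='README.md|README.adoc
LICENSE.txt
SECURITY.md
CODE_OF_CONDUCT.md|CODE_OF_CONDUCT.adoc
CONTRIBUTING.md|CONTRIBUTING.adoc
FUNDING.yml
GOVERNANCE.adoc
MAINTAINERS.md
.gitignore
.gitattributes
.well-known/security.txt
.well-known/ai.txt
.well-known/consent-required.txt
.well-known/provenance.json
.well-known/humans.txt'

# Near-miss names the checklist rejects ("not .md", "not .txt/.adoc", "not .yaml", "not gitignore").
RSR_WRONG_NAMES='LICENSE.md
SECURITY.txt
SECURITY.adoc
FUNDING.yaml
gitignore'

# AI context files from 2.2.5; each must carry an SPDX header.
RSR_AI_CONTEXT_FILES='META.scm
ECOSYSTEM.scm
STATE.scm'

# rsr_check_files REPO_DIR: prints PASS/FAIL per requirement, returns the number of failures.
rsr_check_files() {
  repo=$1; fails=0
  while IFS= read -r alts; do
    found=""
    for name in $(printf '%s' "$alts" | tr '|' ' '); do   # paths without spaces assumed
      [ -f "$repo/$name" ] && found=$name
    done
    if [ -n "$found" ]; then echo "PASS $alts ($found)"
    else echo "FAIL $alts missing"; fails=$((fails+1)); fi
  done <<EOF
$RSR_REQUIRED_FILES
EOF
  while IFS= read -r bad; do
    if [ -e "$repo/$bad" ]; then echo "FAIL $bad present (wrong name, see 2.1)"; fails=$((fails+1)); fi
  done <<EOF
$RSR_WRONG_NAMES
EOF
  while IFS= read -r f; do
    if [ ! -f "$repo/$f" ]; then echo "FAIL $f missing"; fails=$((fails+1))
    elif ! head -n 5 "$repo/$f" | grep -q 'SPDX-License-Identifier:'; then   # 5-line window is an assumption
      echo "FAIL $f lacks SPDX header"; fails=$((fails+1))
    else echo "PASS $f"; fi
  done <<EOF
$RSR_AI_CONTEXT_FILES
EOF
  return $fails
}

# rsr_demo_repo: builds a constructed sample repository in a temp dir and prints its path.
# It carries three deliberate defects: LICENSE.md instead of LICENSE.txt, and STATE.scm without SPDX.
rsr_demo_repo() {
  d=$(mktemp -d)
  mkdir -p "$d/.well-known"
  for f in README.md SECURITY.md CODE_OF_CONDUCT.md CONTRIBUTING.adoc FUNDING.yml \
           GOVERNANCE.adoc MAINTAINERS.md .gitignore .gitattributes \
           .well-known/security.txt .well-known/ai.txt .well-known/consent-required.txt \
           .well-known/provenance.json .well-known/humans.txt; do
    : > "$d/$f"
  done
  : > "$d/LICENSE.md"                                        # wrong name (counts twice: missing + wrong)
  printf ';; SPDX-License-Identifier: MIT\n' > "$d/META.scm"
  printf ';; SPDX-License-Identifier: MIT\n' > "$d/ECOSYSTEM.scm"
  printf '(state)\n' > "$d/STATE.scm"                        # present but no SPDX header
  printf '%s' "$d"
}

repo=$(rsr_demo_repo)
rsr_check_files "$repo"
echo "failures: $?"   # 3 for the constructed repo
```

The return value doubles as the failure count, so a `just validate` recipe or a CI job can use it directly as an exit status; a compliant tree returns 0.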
**Specification Repositories**:

- [META.scm](https://github.com/hyperpolymath/META.scm)
- [ECOSYSTEM.scm](https://github.com/hyperpolymath/ECOSYSTEM.scm)
- [STATE.scm](https://github.com/hyperpolymath/state.scm)

**Automation**: `test -f META.scm && test -f ECOSYSTEM.scm && test -f STATE.scm`

---

### 2.3 Structural Requirements

README must contain:
- [ ] Project overview (1-2 paragraphs)
- [ ] Installation instructions
- [ ] Usage examples
- [ ] License reference

SECURITY must define:
- [ ] Vulnerability reporting channel
- [ ] Response SLA (e.g., "24-hour acknowledgement")
- [ ] Supported versions table

LICENSE must be:
- [ ] SPDX-identified (e.g., `MIT`, `Apache-2.0`, `Palimpsest-0.8`)
- [ ] Plain text format (`.txt`)
- [ ] Single file (or dual: `LICENSE-MIT` + `LICENSE-PALIMPSEST`)

**Automation**: `rg "SPDX-License-Identifier" LICENSE.txt`

---

### 2.4 Link Integrity

- [ ] All outbound links validated (no 404s)
- [ ] All internal anchors resolve
- [ ] All images have alt text
- [ ] Cross-references consistent (e.g., `README → FUNDING.yml`)

**Automation**: `lychee --verbose docs/ *.md *.adoc`

---

### 2.5 DocGementer Compliance

- [ ] Canonical heading synonyms normalized
- [ ] Metadata extracted and validated
- [ ] Anchor resolution automated
- [ ] Lychee link validation in CI/CD
- [ ] Codespell/vale for prose quality

**Automation**: `just check-links`

---

## Category 3: Security Architecture (10+ Dimensions)

### 3.1 Type Safety

- [ ] Primary language provides compile-time type safety (Ada/Chapel/Elixir/Haskell/Julia/ReScript/Rust)
- [ ] No TypeScript (unsound gradual typing)
- [ ] No Python (except SaltStack, temporary)
- [ ] No JavaScript (being actively eliminated)

**Automation**: Check `Cargo.toml`, `mix.exs`, `*.gpr`, `package.json` absence

---

### 3.2 Memory Safety

- [ ] Rust ownership model **or** Ada SPARK proofs **or** GC-based (Elixir/Haskell)
- [ ] No manual memory management in C/C++ without verification
- [ ] WASM compilation targets available (if applicable)

**Automation**: `cargo audit`, `gnatcheck` (for Ada)

---

### 3.3 Data Security

- [ ] CRDTs used for distributed state (no distributed locking)
- [ ] No cache invalidation complexity (offline-first design)
- [ ] Deno KV or equivalent for persistent CRDT storage (if applicable)

**Automation**: `rg "CRDT|LWW|AWSet|ORSet" src/`

---

### 3.4 Process Security

- [ ] Deno permissions model: explicit `--allow-*` flags (if using Deno)
- [ ] Podman rootless containers (no privileged daemon)
- [ ] Software-Defined Perimeter (SDP) for network access
- [ ] Zero Trust architecture (no default internal trust)

**Automation**: Check Containerfile for `USER` directive, no `--privileged`

---

### 3.5 Platform Security

- [ ] Chainguard Wolfi base images (minimal attack surface)
- [ ] RISC-V consideration documented (if hardware-specific)
- [ ] Supply chain auditing: SPDX headers on every source file
- [ ] `just audit-licence` command available

**Automation**: `just audit-licence`

---

### 3.6 Network Security

- [ ] IPv6 native support (no IPv4-only)
- [ ] QUIC protocol (HTTP/3) preferred over HTTP/2
- [ ] DoQ (DNS over QUIC) or oDNS (Oblivious DNS)
- [ ] DNSSEC validation mandatory
- [ ] Security headers configured (CSP, HSTS, X-Frame-Options, COOP, COEP, CORP)
- [ ] HTTP header minimization (Maximum Principal Reduction)

**Automation**: `rg "Content-Security-Policy|Strict-Transport-Security"` in configs

---

### 3.7 Privacy & Data Minimization

- [ ] Necessary processing only (Ada philosophy: if it exists, it has a reason)
- [ ] Cookie minimization or none at all
- [ ] No tracking scripts
- [ ] Privacy-respecting analytics (or none)
- [ ] GDPR/CCPA compliance by design
- [ ] Data retention policies documented

**Automation**: `rg -i "cookie|analytics|tracking" src/` (should find none)

---

### 3.8 Fault Tolerance

- [ ] Elixir supervision trees **or** equivalent fault isolation
- [ ] OTP patterns (let it crash, restart cleanly)
- [ ] Circuit breakers for external dependencies
- [ ] Graceful degradation (offline mode, partial functionality)

**Automation**: `rg "GenServer|Supervisor|supervisor" src/` (for Elixir)

---

### 3.9 Self-Healing

- [ ] CRDT conflict resolution (automatic, deterministic)
- [ ] Supervision tree restarts (automatic process recovery)
- [ ] Health checks and automatic remediation
- [ ] RVC automated cleanup (preventive maintenance)

**Automation**: Check for health check endpoints

---

### 3.10 Kernel Security

- [ ] Podman (no Docker daemon)
- [ ] cgroups v2 resource limits
- [ ] SELinux/AppArmor mandatory access control
- [ ] Seccomp syscall filtering

**Automation**: `podman info | rg "cgroupVersion: 2"`

---

### 3.11 Supply Chain Security

- [ ] SPDX audit on every source file
- [ ] Dependency vendoring for critical components
- [ ] Pinned versions (no floating ranges: `~`, `^`)
- [ ] SBOM (Software Bill of Materials) generation

**Automation**: `just audit-licence`, `just sbom-generate`

---

## Category 4: Architecture Principles

### 4.1 Distributed-First Design

- [ ] CRDTs for state (no coordination needed)
- [ ] Event sourcing where appropriate
- [ ] Blockchain consideration for audit trails (if applicable)
- [ ] Peer-to-peer capabilities (not always client-server)
**Automation**: `rg "EventSourcing|CRDT" docs/architecture/`

---

### 4.2 Offline-First

- [ ] SaltRover offline repository management **or** equivalent
- [ ] Local-first software principles
- [ ] Intermittent connectivity never blocks work
- [ ] Sync when online (not required for operation)

**Automation**: Test that `git clone` + `just build` works without network

---

### 4.3 Reversibility

- [ ] Every operation can be undone
- [ ] No destructive defaults
- [ ] Confirmation for risky operations
- [ ] Git history + RVC tidying = safe experimentation
- [ ] `REVERSIBILITY.md` document present

**Automation**: `test -f REVERSIBILITY.md`

---

### 4.4 Reflexivity

- [ ] Systems that can reason about themselves
- [ ] Meta-programming where beneficial (Elixir macros, Nickel contracts)
- [ ] Homoiconicity (code-as-data, Lisp-style where appropriate)

**Automation**: N/A (architectural review)

---

### 4.5 Interoperability (iSOS: Integrated Stack of Stacks)

- [ ] FFI layers documented (e.g., Rust ↔ Ada)
- [ ] WASM targets available
- [ ] Standard protocols: HTTP/3, QUIC, WebRTC
- [ ] Semantic web integration (Schema.org, RDF, JSON-LD)

**Automation**: Check for FFI bindings, WASM build targets

---

## Category 5: Web Standards & Protocols

### 5.1 DNS Configuration (if web-facing)

- [ ] DNSSEC validation
- [ ] CAA records (Certificate Authority Authorization)
- [ ] SPF/DKIM/DMARC for email domains
- [ ] DANE (DNS-based Authentication of Named Entities)
- [ ] SVCB/HTTPS records (service binding)

**Automation**: `dig +dnssec example.com`

---

### 5.2 TLS/SSL Best Practices (if web-facing)

- [ ] TLS 1.3 only (no TLS 1.2 or earlier)
- [ ] Certificate pinning where appropriate
- [ ] OCSP stapling
- [ ] HSTS preload
- [ ] Certificate transparency monitoring

**Automation**: `testssl.sh example.com`

---

### 5.3 HTTP Security Headers (if web-facing)

Must include:
- [ ] `Content-Security-Policy: default-src 'self'`
- [ ] `X-Frame-Options: DENY`
- [ ] `X-Content-Type-Options: nosniff`
- [ ] `Referrer-Policy: no-referrer`
- [ ] `Permissions-Policy: geolocation=(), microphone=(), camera=()`
- [ ] `Cross-Origin-Opener-Policy: same-origin`
- [ ] `Cross-Origin-Embedder-Policy: require-corp`
- [ ] `Cross-Origin-Resource-Policy: same-origin`

**Automation**: `curl -I https://example.com | rg "Content-Security-Policy"`

---

## Category 6: Semantic Web & IndieWeb

### 6.1 Vocabularies & Linked Data (if applicable)

- [ ] Schema.org markup where appropriate
- [ ] RDF for interrelated datasets
- [ ] JSON-LD for structured data
- [ ] Microformats (h-card, h-entry)

**Automation**: `rg "@context|@type|h-entry" docs/`

---

### 6.2 IndieWeb Principles (if applicable)

- [ ] Own your data (not platform-dependent)
- [ ] Webmention support for federated comments
- [ ] Micropub for publishing
- [ ] POSSE (Publish Own Site, Syndicate Elsewhere)
- [ ] RelMeAuth for identity verification

**Automation**: Check for Webmention endpoints

---

## Category 7: FOSS & Licensing

### 7.1 License Clarity

- [ ] `LICENSE.txt` present (plain text, SPDX-identified)
- [ ] SPDX headers in every source file
- [ ] `just audit-licence` passes
- [ ] Dependency license audit (no GPL contamination if incompatible)

**Automation**: `just audit-licence`

---

### 7.2 Contributor Rights

- [ ] Palimpsest License **or** clear attribution framework
- [ ] DCO (Developer Certificate of Origin) **or** CLA
- [ ] Clear attribution in `MAINTAINERS.md`

**Automation**: `test -f LICENSE-PALIMPSEST || test -f DCO`

---

### 7.3 Funding Transparency

- [ ] `FUNDING.yml` present
- [ ] OpenCollective **or** Liberapay **or** sponsor links
- [ ] Solidarity economics framework documented

**Automation**: `test -f FUNDING.yml`

---

## Category 8: Cognitive Ergonomics & Human Factors

### 8.1 Information Architecture

- [ ] Consistent directory structure across repos
- [ ] Canonical heading synonyms (no confusion)
- [ ] Progressive disclosure (simple → complex)

**Automation**: N/A (manual review)

---

### 8.2 Accessibility

- [ ] WCAG 2.1 AA compliance minimum (if web-facing)
- [ ] Semantic HTML (not div soup)
- [ ] Alt text on all images
- [ ] Keyboard navigation
- [ ] Screen reader testing

**Automation**: `pa11y-ci --sitemap https://example.com/sitemap.xml`

---

### 8.3 Internationalization

- [ ] i18n from the start (not an afterthought)
- [ ] UTF-8 everywhere
- [ ] Language tags (HTML `lang` attribute, if web)
- [ ] Right-to-left (RTL) support consideration

**Automation**: `rg "lang=\"en\"|i18n|gettext" src/`

---

## Category 9: Lifecycle Management

### 9.1 Upstream Dependencies

- [ ] Vendoring critical dependencies
- [ ] Pin specific versions (no floating ranges)
- [ ] Supply chain security (SPDX, SBOM)
- [ ] Dependency update policy documented

**Automation**: `rg "~|\\^" Cargo.toml mix.exs` (should find nothing)

---

### 9.2 Downstream Impact

- [ ] Semantic versioning (SemVer 2.0)
- [ ] Deprecation warnings (one version ahead)
- [ ] Migration guides for breaking changes
- [ ] API stability guarantees documented

**Automation**: Check `CHANGELOG.md` for SemVer compliance

---

### 9.3 End-of-Life Planning

- [ ] Sunset policy documented
- [ ] Archive strategy (not just deletion)
- [ ] Data export capabilities
- [ ] Succession planning (who maintains after you?)

**Automation**: `test -f ROADMAP.md` (should mention EOL)

---

## Category 10: Community & Governance

### 10.1 Tri-Perimeter Contribution Framework (TPCF)

- [ ] Perimeter 1 (Core): Maintainers-only access defined
- [ ] Perimeter 2 (Expert): Trusted contributor pathway defined
- [ ] Perimeter 3 (Community): Open contribution sandbox defined
- [ ] `CONTRIBUTING.adoc` documents TPCF

**Automation**: `test -f CONTRIBUTING.adoc && rg "Perimeter" CONTRIBUTING.adoc`

---

### 10.2 Code of Conduct

- [ ] Explicit CoC (Contributor Covenant or custom)
- [ ] Enforcement procedures documented
- [ ] Reporting mechanisms clear
- [ ] Conflict resolution process

**Automation**: `test -f CODE_OF_CONDUCT.md || test -f CODE_OF_CONDUCT.adoc`

---

### 10.3 Governance Model

- [ ] `GOVERNANCE.adoc` defining decision-making
- [ ] Maintainer succession process
- [ ] Voting procedures (if applicable)
- [ ] Financial transparency (if funded)

**Automation**: `test -f GOVERNANCE.adoc`

---

## Category 11: Mutually Assured Accountability (MAA)

### 11.1 Framework Integration

- [ ] MAA principles embedded in architecture
- [ ] RMR (Reputation, Merit, Rights) utilities
- [ ] RMO (Responsibility, Monitoring, Obligations) utilities
- [ ] Formal verification of accountability properties

**Automation**: `rg "RMR|RMO|MAA" docs/architecture/`

---

### 11.2 Audit Trails

- [ ] Immutable logs (blockchain where appropriate)
- [ ] Provenance chains (`.well-known/provenance.json`)
- [ ] Change attribution (Git history + SPDX)

**Automation**: `test -f .well-known/provenance.json`

---

## Summary Scoring

**Total Categories**: 11
**Total Checkpoints**: 150+

**Pass Thresholds**:
- **RSR Gold** (Full Compliance): 100% pass
- **RSR Silver** (Strong Compliance): 90-99% pass
- **RSR Bronze** (Basic Compliance): 75-89% pass
- **Non-Compliant**: < 75% pass

**Automated Validation**:
```bash
just validate  # Runs all automated checks
```

---

## Continuous Compliance

**Frequency**:
- **Pre-commit**: SPDX headers, format, lint
- **Pre-push**: Tests, security scan
- **CI/CD**: Full `just validate` on every MR
- **Weekly**: Dependency audit
- **Quarterly**: Manual compliance review
- **Annual**: Third-party audit (if applicable)

---

## Contact

- **Compliance questions**: Open issue with `compliance` label
- **Audit requests**: {compliance-email}
- **RSR specification**: See `CLAUDE.md`

---

*"Compliance is not a checklist—it's a continuous commitment to excellence."*

— The Rhodium Standard
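The `curl -I ... | rg` check in 5.3 confirms only that a header is present, not that it carries the required value. The shell function below, an added example and not the checklist's own tooling, compares a captured header set against the exact values 5.3 requires and the HSTS header from 3.6, and returns the failure count for use in `just validate`. Matching the CSP as "contains `default-src 'self'`" (so a longer policy still passes), checking HSTS only for `max-age=`, warning on `Server` and `X-Powered-By` under the 3.6 header-minimization item, and the constructed capture with its two deliberate defects are all this example's assumptions.

```shell
#!/bin/sh
# Added example (not RSR's `just validate`): checks a captured header set against
# the exact values required in 5.3, plus HSTS presence from 3.6. The CSP "contains"
# rule, the HSTS rule and the Server/X-Powered-By warnings are this example's reading.

# rsr_check_headers FILE: FILE holds raw response headers as written by `curl -I`
# (CRLF line endings tolerated). Prints PASS/FAIL per header, returns the number of failures.
rsr_check_headers() {
  hdrs=$(tr -d '\r' < "$1"); fails=0
  # name|match-mode|required value; values are the checklist's own (5.3, HSTS from 3.6).
  while IFS='|' read -r name mode want; do
    got=$(printf '%s\n' "$hdrs" | grep -i "^$name:" | head -n 1 | cut -d: -f2- | sed 's/^ *//; s/ *$//')
    if [ -z "$got" ]; then
      echo "FAIL $name: missing"; fails=$((fails+1))
    elif [ "$mode" = exact ] && [ "$got" != "$want" ]; then
      echo "FAIL $name: got '$got', want '$want'"; fails=$((fails+1))
    elif [ "$mode" = contains ] && ! printf '%s' "$got" | grep -qF -- "$want"; then
      echo "FAIL $name: '$got' lacks '$want'"; fails=$((fails+1))
    else
      echo "PASS $name"
    fi
  done <<'EOF'
Content-Security-Policy|contains|default-src 'self'
Strict-Transport-Security|contains|max-age=
X-Frame-Options|exact|DENY
X-Content-Type-Options|exact|nosniff
Referrer-Policy|exact|no-referrer
Permissions-Policy|exact|geolocation=(), microphone=(), camera=()
Cross-Origin-Opener-Policy|exact|same-origin
Cross-Origin-Embedder-Policy|exact|require-corp
Cross-Origin-Resource-Policy|exact|same-origin
EOF
  # 3.6 header minimization: these disclose server software and add nothing for clients.
  for h in Server X-Powered-By; do
    if printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
      echo "WARN $h present: remove it (3.6 header minimization)"
    fi
  done
  return $fails
}

# rsr_demo_headers: writes a constructed `curl -I` style capture with two deliberate
# defects (X-Frame-Options is SAMEORIGIN, Cross-Origin-Embedder-Policy is absent)
# and a Server header; prints the file path.
rsr_demo_headers() {
  f=$(mktemp)
  printf '%s\r\n' \
    'HTTP/2 200' \
    'server: nginx/1.25.3' \
    "content-security-policy: default-src 'self'; img-src 'self' data:" \
    'strict-transport-security: max-age=63072000; includeSubDomains; preload' \
    'x-frame-options: SAMEORIGIN' \
    'x-content-type-options: nosniff' \
    'referrer-policy: no-referrer' \
    'permissions-policy: geolocation=(), microphone=(), camera=()' \
    'cross-origin-opener-policy: same-origin' \
    'cross-origin-resource-policy: same-origin' \
    > "$f"
  printf '%s' "$f"
}

capture=$(rsr_demo_headers)
rsr_check_headers "$capture"
echo "failures: $?"   # 2 for the constructed capture
```

Against a live site, replace the fixture with `curl -sI https://example.com > headers.txt` and pass that file; header names are matched case-insensitively because HTTP/2 responses arrive lower-cased.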