fix(security): complete security policy and update SCM files (#1)

hyperpolymath · claude · web-flow · commit 7d7160d68812 · 2025-12-18T00:12:27.000Z
- Remove template placeholders from SECURITY.md
- Update repository URLs to hyperpolymath/labnote-ssg
- Simplify PGP section (not currently using encrypted email)
- Update META.scm with correct project name (labnote-ssg)
- Update ECOSYSTEM.scm with accurate project description
- Update STATE.scm to reflect v0.2 completion (50%)
- Add comprehensive README.adoc with project documentation

Security improvements:
- All adapter security reviewed (safe Deno.Command usage)
- No shell injection vulnerabilities found
- CodeQL and Dependabot properly configured

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/ECOSYSTEM.scm b/ECOSYSTEM.scm
@@ -1,12 +1,12 @@
 ;; SPDX-License-Identifier: AGPL-3.0-or-later
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
-;; ECOSYSTEM.scm — template-repo
+;; ECOSYSTEM.scm — labnote-ssg
 
 (ecosystem
   (version "1.0.0")
-  (name "template-repo")
-  (type "project")
-  (purpose "Project in the hyperpolymath ecosystem")
+  (name "labnote-ssg")
+  (type "satellite")
+  (purpose "MCP adapter hub for 28 static site generators")
 
   (position-in-ecosystem
     "Part of hyperpolymath ecosystem. Follows RSR guidelines.")
@@ -24,5 +24,5 @@
              (url "https://github.com/hyperpolymath/rhodium-standard-repositories")
              (relationship "standard")))
 
-  (what-this-is "Project in the hyperpolymath ecosystem")
-  (what-this-is-not "- NOT exempt from RSR compliance"))
+  (what-this-is "Satellite SSG adapter hub providing MCP adapters for 28 static site generators")
+  (what-this-is-not "- NOT the poly-ssg-mcp hub itself\n- NOT exempt from RSR compliance"))
diff --git a/META.scm b/META.scm
@@ -1,8 +1,8 @@
 ;; SPDX-License-Identifier: AGPL-3.0-or-later
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
-;;; META.scm — template-repo
+;;; META.scm — labnote-ssg
 
-(define-module (template-repo meta)
+(define-module (labnote-ssg meta)
   #:export (architecture-decisions development-practices design-rationale))
 
 (define architecture-decisions
diff --git a/README.adoc b/README.adoc
@@ -1 +1,114 @@
+// SPDX-License-Identifier: MIT OR AGPL-3.0-or-later
+// SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
+= labnote-ssg
+:toc: macro
+:toclevels: 2
+:source-highlighter: rouge
 
+image:https://img.shields.io/badge/RSR-Gold-gold[RSR Gold]
+image:https://img.shields.io/badge/license-MIT%20OR%20AGPL--3.0--or--later-blue[License]
+image:https://img.shields.io/badge/MCP-compatible-green[MCP Compatible]
+
+MCP adapter hub for 28 static site generators — part of the https://github.com/hyperpolymath[hyperpolymath] ecosystem.
+
+toc::[]
+
+== Overview
+
+labnote-ssg provides Model Context Protocol (MCP) adapters for 28 different static site generators (SSGs). As a satellite project in the hyperpolymath ecosystem, it integrates with https://github.com/hyperpolymath/poly-ssg-mcp[poly-ssg-mcp] hub to provide a unified interface for working with diverse SSG tooling.
+
+=== Features
+
+* **28 SSG Adapters** — Support for major static site generators across multiple languages
+* **MCP Protocol** — Standard interface for AI-assisted development workflows
+* **Security-First** — Safe command execution with no shell injection vulnerabilities
+* **RSR Compliant** — Follows Rhodium Standard Repository guidelines
+
+== Supported SSGs
+
+[cols="1,1,2"]
+|===
+|Language |SSG |Description
+
+|Rust |Zola |Fast SSG with Sass compilation and syntax highlighting
+|Rust |mdBook |Documentation/book generator for Rust projects
+|Rust |Cobalt |Simple, extensible static site generator
+|Elixir |Serum |Simple static website generator
+|Elixir |NimblePublisher |Markdown-based publishing engine
+|Elixir |Tableau |Static site generator using LiveView
+|Haskell |Hakyll |Flexible static site library
+|Haskell |Ema |Hot-reloading static site generator
+|Clojure |Cryogen |Static site generator written in Clojure
+|Clojure |Perun |Composable static site generator
+|Clojure |Babashka |Fast native Clojure scripting
+|Common Lisp |Coleslaw |Flexible static blog generator
+|Racket |Frog |Static blog generator
+|Racket |Pollen |Book-publishing system
+|Julia |Franklin |Flexible static site generator
+|Julia |Publish |Documentation publishing system
+|Julia |Documenter |Documentation generator for packages
+|Scala |Laika |Text markup transformer and site generator
+|Scala |Orchid |Documentation and static site engine
+|Scala |ScalaTex |Typesetting with Scala
+|F# |Fornax |Scriptable static site generator
+|OCaml |YOCaml |Static site generator in OCaml
+|Nim |Nimrod |Static site builder
+|D |Reggae |Build system for D language
+|D |Marmot |Static site generator
+|Ada |StaticWebPages |Web page generator
+|Erlang |Zotonic |Web framework and CMS
+|Erlang |Wub |Web utilities
+|===
+
+== Architecture
+
+labnote-ssg serves as a satellite implementation in the poly-ssg-mcp ecosystem:
+
+....
+                    ┌─────────────────────┐
+                    │   poly-ssg-mcp      │
+                    │   (Central Hub)     │
+                    └──────────┬──────────┘
+                               │ MCP Protocol
+            ┌──────────────────┼──────────────────┐
+            │                  │                  │
+    ┌───────┴───────┐  ┌───────┴───────┐  ┌───────┴───────┐
+    │  labnote-ssg  │  │   Other SSG   │  │   Other SSG   │
+    │  (Satellite)  │  │   Satellites  │  │   Satellites  │
+    └───────────────┘  └───────────────┘  └───────────────┘
+....
+
+== Security
+
+* All adapters use safe command execution (`Deno.Command` with array arguments)
+* No shell string construction or `eval` usage
+* CodeQL SAST scanning enabled
+* Dependabot security updates configured
+* Full security policy available in link:SECURITY.md[SECURITY.md]
+
+== Development
+
+=== Prerequisites
+
+* https://deno.land[Deno] runtime (for adapter execution)
+* Individual SSG binaries as needed
+
+=== Running Adapters
+
+Adapters are designed to be loaded by the poly-ssg-mcp hub. Each adapter exports:
+
+* `name` — SSG name
+* `language` — Implementation language
+* `description` — Brief description
+* `connect()` — Initialize connection
+* `disconnect()` — Clean up
+* `isConnected()` — Connection status
+* `tools` — Array of MCP-compatible tool definitions
+
+== Contributing
+
+See link:CONTRIBUTING.md[CONTRIBUTING.md] for development guidelines.
+
+== License
+
+Dual licensed under MIT OR AGPL-3.0-or-later. See link:LICENSE.txt[LICENSE.txt] for details.
diff --git a/SECURITY.md b/SECURITY.md
@@ -1,23 +1,5 @@
 # Security Policy
 
-<!-- 
-============================================================================
-TEMPLATE INSTRUCTIONS (delete this block before publishing)
-============================================================================
-Replace all {{PLACEHOLDER}} values with your information:
-  {{PROJECT_NAME}}     - Your project name
-  {{OWNER}}            - GitHub username or org (e.g., hyperpolymath)
-  {{REPO}}             - Repository name
-  {{SECURITY_EMAIL}}   - Security contact email
-  {{PGP_FINGERPRINT}}  - Your PGP key fingerprint (40 chars, no spaces)
-  {{PGP_KEY_URL}}      - URL to your public PGP key
-  {{WEBSITE}}          - Your website/domain
-  {{CURRENT_YEAR}}     - Current year for copyright
-
-Optional: Remove sections that don't apply (e.g., PGP if you don't use it)
-============================================================================
--->
-
 We take security seriously. We appreciate your efforts to responsibly disclose vulnerabilities and will make every effort to acknowledge your contributions.
 
 ## Table of Contents
@@ -40,7 +22,7 @@ We take security seriously. We appreciate your efforts to responsibly disclose v
 
 The preferred method for reporting security vulnerabilities is through GitHub's Security Advisory feature:
 
-1. Navigate to [Report a Vulnerability](https://github.com/{{OWNER}}/{{REPO}}/security/advisories/new)
+1. Navigate to [Report a Vulnerability](https://github.com/hyperpolymath/labnote-ssg/security/advisories/new)
 2. Click **"Report a vulnerability"**
 3. Complete the form with as much detail as possible
 4. Submit — we'll receive a private notification
@@ -52,26 +34,9 @@ This method ensures:
 - Coordinated disclosure tooling
 - Automatic credit when the advisory is published
 
-### Alternative: Encrypted Email
-
-If you cannot use GitHub Security Advisories, you may email us directly:
-
-| | |
-|---|---|
-| **Email** | {{SECURITY_EMAIL}} |
-| **PGP Key** | [Download Public Key]({{PGP_KEY_URL}}) |
-| **Fingerprint** | `{{PGP_FINGERPRINT}}` |
+### Alternative: GitHub Issues (Private)
 
-```bash
-# Import our PGP key
-curl -sSL {{PGP_KEY_URL}} | gpg --import
-
-# Verify fingerprint
-gpg --fingerprint {{SECURITY_EMAIL}}
-
-# Encrypt your report
-gpg --armor --encrypt --recipient {{SECURITY_EMAIL}} report.txt
-```
+If you cannot use GitHub Security Advisories, you may open a private security issue or contact the maintainers through the repository.
 
 > **⚠️ Important:** Do not report security vulnerabilities through public GitHub issues, pull requests, discussions, or social media.
 
@@ -203,7 +168,7 @@ If we cannot reach agreement on disclosure timing, we default to 90 days from yo
 
 The following are within scope for security research:
 
-- This repository (`{{OWNER}}/{{REPO}}`) and all its code
+- This repository (`hyperpolymath/labnote-ssg`) and all its code
 - Official releases and packages published from this repository
 - Documentation that could lead to security issues
 - Build and deployment configurations in this repository
@@ -322,7 +287,7 @@ Recognition includes:
 To stay informed about security updates:
 
 - **Watch this repository**: Click "Watch" → "Custom" → Select "Security alerts"
-- **GitHub Security Advisories**: Published at [Security Advisories](https://github.com/{{OWNER}}/{{REPO}}/security/advisories)
+- **GitHub Security Advisories**: Published at [Security Advisories](https://github.com/hyperpolymath/labnote-ssg/security/advisories)
 - **Release notes**: Security fixes noted in [CHANGELOG](CHANGELOG.md)
 
 ### Update Policy
@@ -348,7 +313,7 @@ To stay informed about security updates:
 
 ## Security Best Practices
 
-When using {{PROJECT_NAME}}, we recommend:
+When using labnote-ssg, we recommend:
 
 ### General
 
@@ -370,8 +335,7 @@ When using {{PROJECT_NAME}}, we recommend:
 
 ## Additional Resources
 
-- [Our PGP Public Key]({{PGP_KEY_URL}})
-- [Security Advisories](https://github.com/{{OWNER}}/{{REPO}}/security/advisories)
+- [Security Advisories](https://github.com/hyperpolymath/labnote-ssg/security/advisories)
 - [Changelog](CHANGELOG.md)
 - [Contributing Guidelines](CONTRIBUTING.md)
 - [CVE Database](https://cve.mitre.org/)
@@ -383,8 +347,8 @@ When using {{PROJECT_NAME}}, we recommend:
 
 | Purpose | Contact |
 |---------|---------|
-| **Security issues** | [Report via GitHub](https://github.com/{{OWNER}}/{{REPO}}/security/advisories/new) or {{SECURITY_EMAIL}} |
-| **General questions** | [GitHub Discussions](https://github.com/{{OWNER}}/{{REPO}}/discussions) |
+| **Security issues** | [Report via GitHub](https://github.com/hyperpolymath/labnote-ssg/security/advisories/new) |
+| **General questions** | [GitHub Discussions](https://github.com/hyperpolymath/labnote-ssg/discussions) |
 | **Other enquiries** | See [README](README.md) for contact information |
 
 ---
@@ -399,8 +363,8 @@ This security policy may be updated from time to time. Significant changes will
 
 ---
 
-*Thank you for helping keep {{PROJECT_NAME}} and its users safe.* 🛡️
+*Thank you for helping keep labnote-ssg and its users safe.*
 
 ---
 
-<sub>Last updated: {{CURRENT_YEAR}} · Policy version: 1.0.0</sub>
+<sub>Last updated: 2025 · Policy version: 1.0.0</sub>
diff --git a/STATE.scm b/STATE.scm
@@ -1,22 +1,39 @@
-;;; STATE.scm — template-repo
+;;; STATE.scm — labnote-ssg
 ;; SPDX-License-Identifier: AGPL-3.0-or-later
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
 
 (define metadata
-  '((version . "0.1.0") (updated . "2025-12-15") (project . "template-repo")))
+  '((version . "0.2.0") (updated . "2025-12-17") (project . "labnote-ssg")))
 
 (define current-position
-  '((phase . "v0.1 - Initial Setup")
-    (overall-completion . 25)
-    (components ((rsr-compliance ((status . "complete") (completion . 100)))))))
+  '((phase . "v0.2 - Security Hardening Complete")
+    (overall-completion . 50)
+    (components
+     ((rsr-compliance ((status . "complete") (completion . 100)))
+      (security-policy ((status . "complete") (completion . 100)))
+      (adapter-implementation ((status . "complete") (completion . 100)))
+      (documentation ((status . "in-progress") (completion . 30)))
+      (testing ((status . "pending") (completion . 0)))
+      (ci-cd-verification ((status . "pending") (completion . 0)))))))
 
 (define blockers-and-issues '((critical ()) (high-priority ())))
 
 (define critical-next-actions
-  '((immediate (("Verify CI/CD" . high))) (this-week (("Expand tests" . medium)))))
+  '((immediate
+     (("Verify CI/CD pipelines work" . high)
+      ("Add comprehensive tests" . high)))
+    (this-week
+     (("Create CHANGELOG.md" . medium)
+      ("Expand README documentation" . medium)))))
 
 (define session-history
-  '((snapshots ((date . "2025-12-15") (session . "initial") (notes . "SCM files added")))))
+  '((snapshots
+     ((date . "2025-12-15") (session . "initial") (notes . "SCM files added"))
+     ((date . "2025-12-16") (session . "adapters") (notes . "28 SSG adapters integrated"))
+     ((date . "2025-12-17") (session . "security") (notes . "Security policy completed, SCM files updated")))))
 
 (define state-summary
-  '((project . "template-repo") (completion . 25) (blockers . 0) (updated . "2025-12-15")))
+  '((project . "labnote-ssg")
+    (completion . 50)
+    (blockers . 0)
+    (updated . "2025-12-17")))
