Review SCM files and security updates

RSR_COMPLIANCE.adoc

@@ -1,22 +1,22 @@
-= RSR Compliance: RSR-template-repo
+= RSR Compliance: poly-queue-mcp
 :toc:
 :sectnums:
 
 == Overview
 
-This document describes the Rhodium Standard Repository (RSR) compliance status for *RSR-template-repo*.
+This document describes the Rhodium Standard Repository (RSR) compliance status for *poly-queue-mcp*.
 
 == Classification
 
 [cols="1,2"]
 |===
 |Attribute |Value
 
-|Project |RSR-template-repo
-|Primary Language |unknown
-|RSR Tier |N/A
-|Compliance Status |Review Needed
-|Last Updated |2025-12-10
+|Project |poly-queue-mcp
+|Primary Language |ReScript
+|RSR Tier |Tier 1
+|Compliance Status |Compliant
+|Last Updated |2025-12-17
 |===
 
 == Language Tier Classification
@@ -27,12 +27,12 @@ This document describes the Rhodium Standard Repository (RSR) compliance status
 * Zig
 * Ada
 * Haskell
-* ReScript
+* ReScript ✓ (primary language for this project)
 
 === Tier 2 Languages (Acceptable)
 * Nickel (configuration)
 * Racket (scripting)
-* Guile Scheme (state management)
+* Guile Scheme (state management) ✓ (STATE.scm)
 * Nix (derivations)
 
 === Restricted Languages
@@ -46,14 +46,30 @@ This document describes the Rhodium Standard Repository (RSR) compliance status
 |===
 |Requirement |Status |Notes
 
-|Primary language is Tier 1/2 |✓ |unknown
-|No restricted languages outside exemptions |✓ |
-|.editorconfig present |✓ |
-|.well-known/ directory |✓ |
-|justfile present |✗ |
-|LICENSE.txt (AGPL + Palimpsest) |✓ |
-|Containerfile present |✗ |
-|flake.nix present |✗ |
+|Primary language is Tier 1/2 |✓ |ReScript (Tier 1)
+|No restricted languages outside exemptions |✓ |JavaScript is compiled output only
+|.editorconfig present |✓ |Multi-language rules configured
+|.well-known/ directory |✓ |aibdp.json, provenance.json, security.txt
+|justfile present |✓ |Full RSR template with matrix recipes
+|LICENSE.txt (AGPL + Palimpsest) |✓ |MIT OR AGPL-3.0-or-later
+|Containerfile present |✓ |Chainguard Wolfi base
+|guix.scm present |✓ |Primary package manager
+|flake.nix present |✗ |Optional (Guix is primary)
+|===
+
+== Security Compliance
+
+[cols="1,1,2"]
+|===
+|Requirement |Status |Notes
+
+|SHA-pinned GitHub Actions |✓ |All workflows use commit SHAs
+|No MD5/SHA1 for security |✓ |CI enforces SHA256+
+|HTTPS only |✓ |CI blocks HTTP URLs
+|No hardcoded secrets |✓ |CI scans for patterns
+|SPDX license headers |✓ |All source files tagged
+|Minimal container privileges |✓ |Non-root user (uid 1000)
+|Security scanning |✓ |CodeQL, Trivy, Gitleaks, Semgrep
 |===
 
 == Exemptions
@@ -62,12 +78,12 @@ None
 
 == Action Items
 
-* Add justfile
-* Add Containerfile
-* Add flake.nix
+* [ ] Add flake.nix (optional fallback)
+* [ ] Complete adapter implementations (Kafka, ZeroMQ, SQS, Pub/Sub, Azure)
+* [ ] Add comprehensive test suite
 
 == References
 
-* link:https://github.com/hyperpolymath/RSR-template-repo[RSR Template Repository]
-* link:../CONTRIBUTING.adoc[Contributing Guidelines]
-* link:../CODE_OF_CONDUCT.adoc[Code of Conduct]
+* link:https://github.com/hyperpolymath/poly-queue-mcp[Repository]
+* link:SECURITY.md[Security Policy]
+* link:CODE_OF_CONDUCT.md[Code of Conduct]

SECURITY.md

@@ -2,20 +2,54 @@
 
 ## Supported Versions
 
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
-
 | Version | Supported          |
 | ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+| 1.x.x   | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Security Features
+
+This project implements the following security measures:
+
+### Container Security
+- **Base Image**: Chainguard Wolfi (minimal attack surface)
+- **Non-root User**: Runs as `mcp` (uid 1000)
+- **Minimal Permissions**: Only required Deno permissions enabled
+
+### CI/CD Security
+- **SHA-pinned Actions**: All GitHub Actions use commit hashes
+- **CodeQL Analysis**: Automated SAST scanning
+- **Secret Scanning**: Gitleaks, TruffleHog
+- **Dependency Scanning**: Trivy, Semgrep
+- **OSSF Scorecard**: Weekly security posture assessment
+
+### Code Security
+- **SPDX License Headers**: All source files tagged
+- **No Weak Crypto**: MD5/SHA1 blocked for security use
+- **HTTPS Enforced**: HTTP URLs blocked in CI
+- **No Hardcoded Secrets**: Pattern detection in CI
 
 ## Reporting a Vulnerability
 
-Use this section to tell people how to report a vulnerability.
+### Contact
+- **Email**: security@hyperpolymath.org
+- **GPG Key**: https://hyperpolymath.org/gpg/security.asc
+
+### Process
+1. **Report** via email with details of the vulnerability
+2. **Response** within 72 hours acknowledging receipt
+3. **Assessment** within 7 days with severity classification
+4. **Fix Timeline**:
+   - Critical: 24-48 hours
+   - High: 7 days
+   - Medium: 30 days
+   - Low: Next release
+
+### Disclosure
+- Coordinated disclosure after fix is released
+- Credit given to reporter (unless anonymity requested)
+- CVE assigned for confirmed vulnerabilities
+
+## Security.txt
 
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+See `.well-known/security.txt` for machine-readable security contact information (RFC 9116).

STATE.scm

@@ -3,22 +3,135 @@
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
 
 (define metadata
-  '((version . "0.1.0") (updated . "2025-12-15") (project . "poly-queue-mcp")))
+  '((version . "1.0.0")
+    (updated . "2025-12-17")
+    (project . "poly-queue-mcp")
+    (description . "Unified MCP server for message queues")))
 
 (define current-position
-  '((phase . "v0.1 - Initial Setup")
-    (overall-completion . 25)
-    (components ((rsr-compliance ((status . "complete") (completion . 100)))))))
+  '((phase . "v1.0 - Core Implementation")
+    (overall-completion . 45)
+    (components
+     ((rsr-compliance ((status . "complete") (completion . 100)))
+      (core-adapters ((status . "in-progress") (completion . 40)))
+      (security ((status . "complete") (completion . 100)))
+      (ci-cd ((status . "complete") (completion . 100)))
+      (documentation ((status . "in-progress") (completion . 60)))))))
 
-(define blockers-and-issues '((critical ()) (high-priority ())))
+(define blockers-and-issues
+  '((critical ())
+    (high-priority ())
+    (medium (("flake.nix" . "Optional Nix fallback not yet added")))))
 
 (define critical-next-actions
-  '((immediate (("Verify CI/CD" . high))) (this-week (("Expand tests" . medium)))))
+  '((immediate
+     (("Complete Redis adapter tests" . high)
+      ("Add RabbitMQ integration tests" . high)))
+    (this-week
+     (("Implement Kafka adapter" . medium)
+      ("Add ZeroMQ adapter" . medium)))
+    (this-month
+     (("AWS SQS adapter" . medium)
+      ("Google Pub/Sub adapter" . medium)
+      ("Azure Service Bus adapter" . low)))))
 
 (define session-history
-  '((snapshots ((date . "2025-12-15") (session . "initial") (notes . "SCM files added"))
-               ((date . "2025-12-15") (session . "security-fixes")
-                (notes . "OpenSSF Scorecard: SHA-pinned all actions, added SPDX headers, permissions, fixed CodeQL matrix, deleted empty security.yml")))))
+  '((snapshots
+     ((date . "2025-12-17")
+      (session . "scm-security-review")
+      (notes . "Fixed SCM files, removed npx, updated guix.scm, security docs, roadmap"))
+     ((date . "2025-12-15")
+      (session . "initial")
+      (notes . "SCM files added"))
+     ((date . "2025-12-15")
+      (session . "security-fixes")
+      (notes . "OpenSSF Scorecard: SHA-pinned actions, SPDX headers, permissions, CodeQL")))))
+
+;;; ═══════════════════════════════════════════════════════════════════════════
+;;; ROADMAP
+;;; ═══════════════════════════════════════════════════════════════════════════
+
+(define roadmap
+  '((v1.0
+     ((name . "Core Foundation")
+      (status . "in-progress")
+      (milestones
+       ((m1 ((name . "RSR Compliance")
+             (status . "complete")
+             (items
+              (("SPDX headers" . complete)
+               ("Containerfile" . complete)
+               ("guix.scm" . complete)
+               ("justfile" . complete)
+               ("CI/CD security" . complete)))))
+        (m2 ((name . "Core Adapters")
+             (status . "in-progress")
+             (items
+              (("Redis Streams" . complete)
+               ("RabbitMQ" . complete)
+               ("NATS" . complete)
+               ("Kafka" . pending)
+               ("ZeroMQ" . pending)))))
+        (m3 ((name . "Testing")
+             (status . "pending")
+             (items
+              (("Unit tests" . pending)
+               ("Integration tests" . pending)
+               ("E2E tests" . pending)))))))))
+
+    (v1.1
+     ((name . "Cloud Providers")
+      (status . "planned")
+      (milestones
+       ((m1 ((name . "AWS Integration")
+             (status . "pending")
+             (items
+              (("SQS adapter" . pending)
+               ("SNS adapter" . pending)
+               ("EventBridge" . pending)))))
+        (m2 ((name . "GCP Integration")
+             (status . "pending")
+             (items
+              (("Pub/Sub adapter" . pending)
+               ("Cloud Tasks" . pending)))))
+        (m3 ((name . "Azure Integration")
+             (status . "pending")
+             (items
+              (("Service Bus" . pending)
+               ("Event Hubs" . pending)))))))))
+
+    (v1.2
+     ((name . "Advanced Features")
+      (status . "planned")
+      (milestones
+       ((m1 ((name . "Observability")
+             (status . "pending")
+             (items
+              (("Metrics export" . pending)
+               ("Tracing support" . pending)
+               ("Health checks" . pending)))))
+        (m2 ((name . "Performance")
+             (status . "pending")
+             (items
+              (("Connection pooling" . pending)
+               ("Batch operations" . pending)
+               ("Caching layer" . pending)))))))))))
+
+(define ecosystem
+  '((position . "MCP server for message queue abstraction")
+    (dependencies . ("@modelcontextprotocol/sdk" "@rescript/runtime"))
+    (consumers . ("AI agents" "automation pipelines" "dev tools"))
+    (integrations
+     ((redis . "Redis Streams for lightweight queuing")
+      (rabbitmq . "AMQP for enterprise messaging")
+      (nats . "Cloud-native messaging")
+      (kafka . "Event streaming at scale")
+      (zeromq . "High-performance async messaging")))))
 
 (define state-summary
-  '((project . "poly-queue-mcp") (completion . 25) (blockers . 0) (updated . "2025-12-15")))
+  '((project . "poly-queue-mcp")
+    (version . "1.0.0")
+    (completion . 45)
+    (blockers . 0)
+    (next-milestone . "Complete Kafka and ZeroMQ adapters")
+    (updated . "2025-12-17")))

deno.json

@@ -6,8 +6,8 @@
   "tasks": {
     "start": "deno run --allow-net --allow-read --allow-write --allow-env --allow-run main.js",
     "dev": "deno run --watch --allow-net --allow-read --allow-write --allow-env --allow-run main.js",
-    "build": "npx rescript build",
-    "clean": "npx rescript clean"
+    "build": "deno run -A npm:rescript build",
+    "clean": "deno run -A npm:rescript clean"
   },
   "imports": {
     "@rescript/runtime": "npm:@rescript/runtime@12.0.1",

guix.scm

@@ -8,18 +8,18 @@
              ((guix licenses) #:prefix license:)
              (gnu packages base))
 
-(define-public rsr_template_repo
+(define-public poly-queue-mcp
   (package
-    (name "RSR-template-repo")
-    (version "0.1.0")
-    (source (local-file "." "RSR-template-repo-checkout"
+    (name "poly-queue-mcp")
+    (version "1.0.0")
+    (source (local-file "." "poly-queue-mcp-checkout"
                         #:recursive? #t
                         #:select? (git-predicate ".")))
     (build-system gnu-build-system)
-    (synopsis "Guix channel/infrastructure")
-    (description "Guix channel/infrastructure - part of the RSR ecosystem.")
-    (home-page "https://github.com/hyperpolymath/RSR-template-repo")
+    (synopsis "Unified MCP server for message queues")
+    (description "Polyglot Queue MCP - unified Model Context Protocol server for RabbitMQ, Kafka, NATS, ZeroMQ, Redis Streams, SQS, Pub/Sub, Azure Service Bus.")
+    (home-page "https://github.com/hyperpolymath/poly-queue-mcp")
     (license license:agpl3+)))
 
 ;; Return package for guix shell
-rsr_template_repo
+poly-queue-mcp