diff --git a/.github/workflows/license-integrity.yml b/.github/workflows/license-integrity.yml
new file mode 100644
index 0000000..563e278
--- /dev/null
+++ b/.github/workflows/license-integrity.yml
@@ -0,0 +1,59 @@
+# NOTE: Out-of-network repos that removed fork relationship are not detectable via GitHub API.
+name: License Integrity Monitor
+
+on:
+ schedule:
+ - cron: "0 9 * * 1"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ issues: write
+
+jobs:
+ check-forks:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Compute LICENSE hash
+ id: ref-hash
+ run: |
+ HASH=$(sha256sum LICENSE | awk '{print $1}')
+ echo "hash=${HASH}" >> "$GITHUB_OUTPUT"
+
+ - name: Check fork LICENSE integrity
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REF_HASH: ${{ steps.ref-hash.outputs.hash }}
+ run: |
+ VIOLATIONS=""
+ PAGE=1
+ while true; do
+ FORKS=$(gh api "/repos/dakera-ai/dakera-js/forks?per_page=100&page=${PAGE}" --jq '.[].full_name')
+ if [ -z "$FORKS" ]; then
+ break
+ fi
+ while IFS= read -r FORK; do
+ CONTENT=$(gh api "/repos/${FORK}/contents/LICENSE" --jq '.content' 2>/dev/null || true)
+ if [ -z "$CONTENT" ]; then
+ VIOLATIONS="${VIOLATIONS}\n- ${FORK}: LICENSE file missing or inaccessible"
+ else
+ FORK_HASH=$(echo "$CONTENT" | base64 -d 2>/dev/null | sha256sum | awk '{print $1}')
+ if [ "$FORK_HASH" != "$REF_HASH" ]; then
+ VIOLATIONS="${VIOLATIONS}\n- ${FORK}: LICENSE hash mismatch (expected ${REF_HASH}, got ${FORK_HASH})"
+ fi
+ fi
+ sleep 0.5
+ done <<< "$FORKS"
+ PAGE=$((PAGE + 1))
+ done
+
+ if [ -n "$VIOLATIONS" ]; then
+ BODY="The following forks have a LICENSE integrity violation:\n${VIOLATIONS}\n\nRef hash: ${REF_HASH}"
+ gh issue create \
+ --repo dakera-ai/dakera-js \
+ --title "License integrity violation detected" \
+ --body "$(printf '%b' "$BODY")"
+ fi
diff --git a/LICENSE b/LICENSE
index 9070557..6d8944a 100644
--- a/LICENSE
+++ b/LICENSE
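Review bot: The per-fork fetch `CONTENT=$(gh api "/repos/${FORK}/contents/LICENSE" --jq '.content' 2>/dev/null || true)` collapses every failure — a 404, a rate-limit or secondary-rate-limit rejection, a network error, a fork that has gone private — into "LICENSE file missing or inaccessible", so a transient API problem mid-run is published in a public issue as an integrity violation against a named fork. Only a 404 means the file is absent; other errors should be logged with a warning annotation and left out of VIOLATIONS so the issue reports what was actually verified. Two smaller points in the same hunk: `gh issue create` runs every scheduled Monday without checking for an already-open issue, so a persisting mismatch opens a duplicate each week (a `gh issue list --state open --search "License integrity violation detected in:title"` check before creating is enough to skip it), and `actions/checkout@v4` is a mutable tag, so pinning it to a full commit SHA is the usual supply-chain hardening for a workflow that holds `issues: write`.
```yaml
      - name: Check fork LICENSE integrity
        # … unchanged: env block, pagination loop …
            while IFS= read -r FORK; do
              if CONTENT=$(gh api "/repos/${FORK}/contents/LICENSE" --jq '.content' 2>/tmp/gh-err); then
                FORK_HASH=$(echo "$CONTENT" | base64 -d 2>/dev/null | sha256sum | awk '{print $1}')
                # … unchanged: hash comparison appending to VIOLATIONS …
              elif grep -q 'HTTP 404' /tmp/gh-err; then
                VIOLATIONS="${VIOLATIONS}\n- ${FORK}: LICENSE file missing"
              else
                # API/network failure: surface it in the run log, do not publish it as a violation
                echo "::warning::${FORK}: LICENSE fetch failed ($(head -n 1 /tmp/gh-err)); skipped"
              fi
              sleep 0.5
            done <<< "$FORKS"
```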
@@ -1,6 +1,9 @@
+SPDX-License-Identifier: MIT
+
 MIT License
 
 Copyright (c) 2025 Dakera AI
+Author: Mohamed Amine Ferhi (https://orcid.org/0009-0007-2641-7727)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..0d3f265
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+## Supported Versions
+
+We actively maintain the latest stable release of this project.
+
+| Version | Supported |
+|---------|-----------|
+| latest | YES |
+| older | NO |
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities responsibly. Do **not** open public GitHub issues for security bugs.
+
+**Preferred channels:**
+
+- **GitHub Security Advisories**: Open a private advisory at https://github.com/dakera-ai/dakera-js/security/advisories/new
+- **Telegram**: Contact the maintainer directly for urgent issues
+
+We aim to acknowledge reports within 48 hours and provide an initial assessment within 7 days.
+Critical vulnerabilities will be patched within 7 days; high-severity within 30 days.
+
+## IP Attribution
+
+This project is authored and maintained by **Mohamed Amine Ferhi**.
+
+ORCID: [https://orcid.org/0009-0007-2641-7727](https://orcid.org/0009-0007-2641-7727)
+
+The ORCID identifier provides a persistent digital identifier for the author, enabling verifiable
+IP attribution and professional record-keeping.