chore: embed founder ORCID in LICENSE + SECURITY.md + license-integrity workflow

.github/workflows/license-integrity.yml

@@ -0,0 +1,59 @@
+# NOTE: Out-of-network repos that removed fork relationship are not detectable via GitHub API.
+name: License Integrity Monitor
+
+on:
+  schedule:
+    - cron: "0 9 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  check-forks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Compute LICENSE hash
+        id: ref-hash
+        run: |
+          HASH=$(sha256sum LICENSE | awk '{print $1}')
+          echo "hash=${HASH}" >> "$GITHUB_OUTPUT"
+
+      - name: Check fork LICENSE integrity
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REF_HASH: ${{ steps.ref-hash.outputs.hash }}
+        run: |
+          VIOLATIONS=""
+          PAGE=1
+          while true; do
+            FORKS=$(gh api "/repos/dakera-ai/dakera-js/forks?per_page=100&page=${PAGE}" --jq '.[].full_name')
+            if [ -z "$FORKS" ]; then
+              break
+            fi
+            while IFS= read -r FORK; do
+              CONTENT=$(gh api "/repos/${FORK}/contents/LICENSE" --jq '.content' 2>/dev/null || true)
+              if [ -z "$CONTENT" ]; then
+                VIOLATIONS="${VIOLATIONS}\n- ${FORK}: LICENSE file missing or inaccessible"
+              else
+                FORK_HASH=$(echo "$CONTENT" | base64 -d 2>/dev/null | sha256sum | awk '{print $1}')
+                if [ "$FORK_HASH" != "$REF_HASH" ]; then
+                  VIOLATIONS="${VIOLATIONS}\n- ${FORK}: LICENSE hash mismatch (expected ${REF_HASH}, got ${FORK_HASH})"
+                fi
+              fi
+              sleep 0.5
+            done <<< "$FORKS"
+            PAGE=$((PAGE + 1))
+          done
+
+          if [ -n "$VIOLATIONS" ]; then
+            BODY="The following forks have a LICENSE integrity violation:\n${VIOLATIONS}\n\nRef hash: ${REF_HASH}"
+            gh issue create \
+              --repo dakera-ai/dakera-js \
+              --title "License integrity violation detected" \
+              --body "$(printf '%b' "$BODY")"
+          fi

LICENSE

@@ -1,6 +1,9 @@
+SPDX-License-Identifier: MIT
+
 MIT License
 
 Copyright (c) 2025 Dakera AI
+Author: Mohamed Amine Ferhi (https://orcid.org/0009-0007-2641-7727)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

SECURITY.md

@@ -0,0 +1,31 @@
+# Security Policy
+
+## Supported Versions
+
+We actively maintain the latest stable release of this project.
+
+| Version | Supported |
+|---------|-----------|
+| latest  | YES       |
+| older   | NO        |
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities responsibly. Do **not** open public GitHub issues for security bugs.
+
+**Preferred channels:**
+
+- **GitHub Security Advisories**: Open a private advisory at https://github.com/dakera-ai/dakera-js/security/advisories/new
+- **Telegram**: Contact the maintainer directly for urgent issues
+
+We aim to acknowledge reports within 48 hours and provide an initial assessment within 7 days.
+Critical vulnerabilities will be patched within 7 days; high-severity within 30 days.
+
+## IP Attribution
+
+This project is authored and maintained by **Mohamed Amine Ferhi**.
+
+ORCID: [https://orcid.org/0009-0007-2641-7727](https://orcid.org/0009-0007-2641-7727)
+
+The ORCID identifier provides a persistent digital identifier for the author, enabling verifiable
+IP attribution and professional record-keeping.