chore(eddy): modernization sweep — CI, attestations, governance, BibTeX

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+
+updates:
+  # Keep GitHub Actions (including SHA-pinned third-party actions) current.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    groups:
+      actions-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "ci"
+      - "dependencies"

.github/workflows/build-pdf.yml

@@ -6,30 +6,49 @@ on:
     paths:
       - 'paper/**'
       - '.github/workflows/build-pdf.yml'
+  pull_request:
+    paths:
+      - 'paper/**'
+      - '.github/workflows/build-pdf.yml'
   workflow_dispatch:
 
+# Workflow-level default is read-only; jobs/steps opt-in to writes explicitly.
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   build:
+    name: Compile and (on main push) publish PDF
     runs-on: ubuntu-latest
+    permissions:
+      contents: write           # required only for the auto-commit step below
+      attestations: write       # required for SLSA build provenance
+      id-token: write           # required for attestation OIDC signing
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Compile LaTeX
-        uses: xu-cheng/latex-action@v3
+        uses: xu-cheng/latex-action@6549dc21effb2730855a1281407ecfcececc6c1b  # v4.1.0
         with:
           root_file: main.tex
           working_directory: paper
 
       - name: Upload PDF artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: eddy-paper
           path: paper/main.pdf
+          if-no-files-found: error
+
+      - name: Attest build provenance (SLSA)
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
+        with:
+          subject-path: paper/main.pdf
 
       - name: Commit PDF
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"

.github/workflows/gitleaks.yml

@@ -0,0 +1,29 @@
+name: Secret scan (gitleaks)
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    # Sunday 04:17 UTC weekly sweep — catches secrets that slipped past push-time scanning.
+    - cron: "17 4 * * 0"
+
+permissions:
+  contents: read
+
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0  # full history required for full-repo scan
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7  # v2.3.9
+        env:
+          # GITLEAKS_LICENSE not required for public repositories.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.zenodo.json

@@ -0,0 +1,36 @@
+{
+  "title": "eddy --- ADHD as Competitive Advantage in AI-Augmented Multi-Project Orchestration",
+  "description": "Position paper proposing that ADHD's rapid stimulus-locking confers a re-engagement speed advantage in AI-augmented multi-session knowledge work, when persistent AI context eliminates the context-reconstruction bottleneck. Includes four falsifiable hypotheses (TTFA / TTFCA / compound productivity / foraging-mediation), boundary conditions, and a 2x2 pilot study design. No experimental results reported; theoretical reframing and testable research agenda.",
+  "creators": [
+    {
+      "name": "Yoon, Jiyeon",
+      "affiliation": "Independent Researcher"
+    }
+  ],
+  "upload_type": "publication",
+  "publication_type": "workingpaper",
+  "access_right": "open",
+  "license": "cc-by-4.0",
+  "keywords": [
+    "ADHD",
+    "neurodivergence",
+    "human-AI interaction",
+    "AI-augmented work",
+    "multi-session orchestration",
+    "task switching",
+    "resumption lag",
+    "cognitive offloading",
+    "ASSETS 2026"
+  ],
+  "communities": [
+    {"identifier": "hci"}
+  ],
+  "related_identifiers": [
+    {
+      "identifier": "https://github.com/heznpc/eddy",
+      "relation": "isSupplementTo",
+      "resource_type": "software"
+    }
+  ],
+  "notes": "Manuscript source of truth: paper/main.tex. PDF auto-built by GitHub Actions and committed to main (see .github/workflows/build-pdf.yml). Venue target: ASSETS 2026 (deadline 2026-06-24)."
+}

CITATION.cff

@@ -0,0 +1,40 @@
+cff-version: 1.2.0
+message: "If you reference this work, please cite it as below."
+type: software
+title: "eddy --- ADHD as Competitive Advantage in AI-Augmented Multi-Project Orchestration"
+abstract: >-
+  Position paper proposing that ADHD's rapid stimulus-locking confers a
+  re-engagement speed advantage in AI-augmented multi-session knowledge work,
+  when persistent AI context eliminates the context-reconstruction bottleneck.
+  Four falsifiable hypotheses (TTFA / TTFCA / compound productivity /
+  foraging-mediation), boundary conditions, and a 2x2 pilot study design.
+authors:
+  - family-names: "Yoon"
+    given-names: "Jiyeon"
+    affiliation: "Independent Researcher"
+license: CC-BY-4.0
+repository-code: "https://github.com/heznpc/eddy"
+url: "https://doi.org/10.5281/zenodo.19074337"
+keywords:
+  - ADHD
+  - neurodivergence
+  - human-AI interaction
+  - AI-augmented work
+  - multi-session orchestration
+  - task switching
+  - resumption lag
+  - cognitive offloading
+identifiers:
+  - type: doi
+    value: "10.5281/zenodo.19074337"
+    description: "Zenodo concept DOI (resolves to the latest version)"
+preferred-citation:
+  type: article
+  title: "Position: Eddy --- ADHD as Competitive Advantage in AI-Augmented Multi-Project Orchestration"
+  authors:
+    - family-names: "Yoon"
+      given-names: "Jiyeon"
+      affiliation: "Independent Researcher"
+  year: 2026
+  doi: "10.5281/zenodo.19074337"
+  url: "https://doi.org/10.5281/zenodo.19074337"

README.md

@@ -6,6 +6,7 @@ Relationship to other work: Companion to ploidy (Program 2 anchor)
 
 [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.19074337.svg)](https://doi.org/10.5281/zenodo.19074337)
 [![License: CC BY 4.0](https://img.shields.io/badge/License-CC_BY_4.0-lightgrey.svg)](https://creativecommons.org/licenses/by/4.0/)
+[![Build PDF](https://github.com/heznpc/eddy/actions/workflows/build-pdf.yml/badge.svg?branch=main)](https://github.com/heznpc/eddy/actions/workflows/build-pdf.yml)
 
 **Position: ADHD as Competitive Advantage in AI-Augmented Multi-Project Orchestration**
 

SECURITY.md

@@ -0,0 +1,48 @@
+# Security Policy
+
+## Scope
+
+This repository contains the LaTeX source of a position paper (Zenodo DOI
+[10.5281/zenodo.19074337](https://doi.org/10.5281/zenodo.19074337)) and a
+GitHub Actions workflow that builds the PDF.
+
+There is no runtime service, no user-data pipeline, and no third-party
+package manifest. The relevant trust surfaces are therefore narrow:
+
+- The build workflow (`.github/workflows/build-pdf.yml`) — pinned to
+  third-party action commit SHAs and constrained to least-privilege scopes.
+- The secret-scan workflow (`.github/workflows/gitleaks.yml`) — runs on push,
+  PR, and weekly cron as a defense-in-depth layer over GitHub-native push
+  protection.
+- The published PDF artifact — signed with SLSA build provenance via
+  `actions/attest-build-provenance` on every push to `main`.
+
+## Reporting a vulnerability
+
+Please report security issues by emailing **heznpc@gmail.com** with the
+subject line `[security] eddy <short title>`.
+
+You can expect:
+
+- Acknowledgement within 7 days.
+- A disposition (fix planned / no-fix with rationale / out of scope) within
+  30 days for verifiable supply-chain or workflow issues.
+
+For issues that are about the **research content** of the paper rather than
+the repository (e.g., factual errors in the manuscript, citation problems,
+methodological concerns), please open a public GitHub Issue or email the
+address above with the subject line `[research] eddy <short title>`. Those
+are tracked alongside the manuscript revisions, not under this security
+policy.
+
+## Out of scope
+
+- General LaTeX rendering quirks that do not affect the published PDF on
+  Zenodo.
+- Reproducibility of an as-yet-unrun pilot study — see `planning/TODO.md` for
+  the experimental roadmap.
+
+## Disclosure preference
+
+Coordinated disclosure preferred. Public disclosure after a fix is published
+or after the 30-day window above, whichever comes first.