From 7c3bb5e17fc0761660b676efe0870489018e28b4 Mon Sep 17 00:00:00 2001 From: Jawafdehi Bot Date: Sat, 9 May 2026 23:07:42 -0700 Subject: [PATCH 1/4] Add Hippocratic License 3.0 + governance files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - LICENSE: Hippocratic License 3.0 (HL3) with Jawafdehi.org as licensor - SECURITY.md: Vulnerability reporting instructions - CONTRIBUTING.md: Contribution guidelines - CODE_OF_CONDUCT.md: Contributor Covenant 2.1 Replaces previous license (MIT) where applicable. Part of JAW-67 — org-wide Hippocratic licensing. Co-Authored-By: Paperclip --- CODE_OF_CONDUCT.md | 41 +++++++++++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 39 +++++++++++++++++++++++++++++++++++++++ LICENSE | 24 ++++++++++++++++++++++++ SECURITY.md | 23 +++++++++++++++++++++++ 4 files changed, 127 insertions(+) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 SECURITY.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000000..d6b61ba5a2 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,41 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment: + +- Demonstrating empathy and kindness toward other people +- Being respectful of differing opinions, viewpoints, and experiences +- Giving and gracefully accepting constructive feedback +- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience +- Focusing on what is best not just for us as individuals, but for the overall community + +Examples of unacceptable behavior: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. 
+ +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at **conduct@jawafdehi.org**. All complaints will be reviewed and investigated promptly and fairly. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org), version 2.1. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000000..0fb55f9d36 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,39 @@ +# Contributing to Jawafdehi + +Thank you for your interest in contributing. Jawafdehi.org builds civic-accountability infrastructure for Nepal — we welcome contributions that further that mission. + +## Before you start + +1. **Read our [Code of Conduct](./CODE_OF_CONDUCT.md).** +2. **Check existing issues** — someone may already be working on what you have in mind. +3. **Open a discussion issue first** for anything larger than a typo fix, especially new features. + +## Development setup + +Each repository has its own setup instructions in its README. Pick the repo that matches your contribution: + +- **Frontend / accountability cases:** [Jawafdehi](https://github.com/Jawafdehi/Jawafdehi) +- **Backend API:** [JawafdehiAPI](https://github.com/Jawafdehi/JawafdehiAPI) +- **Entity registry:** [NepalEntityService](https://github.com/Jawafdehi/NepalEntityService) +- **Judicial data:** [ngm](https://github.com/Jawafdehi/ngm) / [ngm-frontend](https://github.com/Jawafdehi/ngm-frontend) +- **MCP server:** [jawafdehi-mcp](https://github.com/Jawafdehi/jawafdehi-mcp) + +Cross-repo orchestration lives in [jawafdehi-meta](https://github.com/Jawafdehi/jawafdehi-meta). + +## Pull request workflow + +1. Fork the repository. +2. Create a feature branch from `main`. +3. Make your changes, following existing code style. +4. Run tests if the repo has them. +5. Open a pull request with a clear description. + +## Style guides + +- Follow existing code style in the relevant language (Python PEP 8, TypeScript Prettier, etc.). +- Write clear commit messages in English. +- Add or update tests when modifying behavior. + +## License + +By contributing, you agree that your contributions will be licensed under the [Hippocratic License 3.0](./LICENSE). diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000000..f60f6aa802 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,24 @@ +Hippocratic License Version 3.0 + +Licensor: Jawafdehi.org +Project: Nepal Entity Service Database + +Rights Granted + +Subject to the terms and conditions of this License, Licensor hereby grants to any person obtaining a copy of this software and associated documentation files (the "Software"), a worldwide, royalty-free, non-exclusive, perpetual license to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +1. The above copyright notice and this License or a subsequent version published on the Hippocratic License Website (https://firstdonoharm.dev/) shall be included in all copies or substantial portions of the Software. Licensee has the option of following the terms and conditions either of the above numbered version of this License or of any subsequent version published on the Hippocratic License Website. + +2. Compliance with Human Rights Laws and Human Rights Principles: + + a. Human Rights Laws. The Software shall not be used by any person or entity for any systems, activities, or other uses that violate any applicable laws, regulations, or rules that protect human, civil, labor, privacy, political, environmental, security, economic, due process, or similar rights (collectively, "Human Rights Laws"). Where the Human Rights Laws of more than one jurisdiction are applicable to the use of the Software, the Software shall not be used in any manner that violates any of the Human Rights Laws. + + b. Human Rights Principles. 
Licensee is advised to consult the articles of the United Nations Universal Declaration of Human Rights (https://www.un.org/en/universal-declaration-human-rights/) and the United Nations Global Compact (https://www.unglobalcompact.org/what-is-gc/mission/principles) that define recognized principles of international human rights (collectively, "Human Rights Principles"). It is Licensor's express intent that all use of the Software be consistent with Human Rights Principles. If Licensor receives notification or otherwise learns of an alleged violation of any Human Rights Principles relating to Licensee's use of the Software, Licensor may in its discretion and without obligation (i) (a) notify Licensee of such allegation and (b) allow Licensee 90 days from notification under (i)(a) to investigate and respond to Licensor regarding the allegation and (ii) (a) after the earlier of 90 days from notification under (i)(a), or Licensee's response under (i)(b), notify Licensee of License termination and (b) allow Licensee an additional 90 days from notification under (ii)(a) to cease use of the Software. + + c. Indemnity. Licensee shall hold harmless and indemnify Licensor against all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including Licensor's reasonable attorneys' fees, arising out of or relating to Licensee's non-compliance with this License or use of the Software in violation of Human Rights Laws or Human Rights Principles. + +3. Enforceability: If any portion or provision of this License is determined to be invalid, illegal, or unenforceable by a court of competent jurisdiction, then such invalidity, illegality, or unenforceability shall not affect any other term or provision of this License or invalidate or render unenforceable such term or provision in any other jurisdiction. 
Upon a determination that any term or provision is invalid, illegal, or unenforceable, to the extent permitted by applicable law, the court may modify this License to affect the original intent of the parties as closely as possible. The section headings are for convenience only and are not intended to affect the construction or interpretation of this License. Any rule of construction to the effect that ambiguities are to be resolved against the drafting party shall not apply in interpreting this License. The language in this License shall be interpreted as to its fair meaning and not strictly for or against any party. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +The Hippocratic License is an Ethical Source license (https://ethicalsource.dev). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..e176db42a5 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,23 @@ +# Security Policy + +## Reporting a Vulnerability + +Jawafdehi.org takes security seriously. If you discover a security vulnerability in any Jawafdehi project, please report it responsibly. + +**Do not open a public issue.** Instead, please email: + +**security@jawafdehi.org** + +We will acknowledge your report within 72 hours and provide an estimated timeline for a fix. + +## Scope + +This policy covers all repositories under the [Jawafdehi GitHub organization](https://github.com/Jawafdehi). + +## Disclosure + +We follow coordinated disclosure. Once a fix is available, we will publish a security advisory and credit the reporter (unless anonymity is requested). + +## Supported Versions + +Only the latest release or the `main` branch is actively supported with security patches. From f8e9c801f3770ba901b03afdd4b61dcff7325f6f Mon Sep 17 00:00:00 2001 From: Jawafdehi Bot Date: Sat, 9 May 2026 23:21:13 -0700 Subject: [PATCH 2/4] Add LICENSING.md and update README with license section Co-Authored-By: Paperclip --- LICENSING.md | 17 +++++++++++++++++ README.md | 5 +++++ 2 files changed, 22 insertions(+) create mode 100644 LICENSING.md diff --git a/LICENSING.md b/LICENSING.md new file mode 100644 index 0000000000..fc54c776dc --- /dev/null +++ b/LICENSING.md 
@@ -0,0 +1,17 @@ +# Licensing + +This project is licensed under the [Hippocratic License Version 3.0](./LICENSE) (HL3). + +## Why HL3 + +Jawafdehi.org builds civic-accountability infrastructure for Nepal. We chose the Hippocratic License to align our software with our mission: technology should serve human dignity and justice, never undermine it. + +The Hippocratic License is an [Ethical Source](https://ethicalsource.dev) license. It requires that the software not be used to violate human rights laws or the principles in the UN Universal Declaration of Human Rights and UN Global Compact. + +## Reporting misuse + +If you believe this software is being used in violation of the license, contact the licensor at [info@jawafdehi.org](mailto:info@jawafdehi.org). + +## Third-party code + +Dependencies and third-party code remain under their original licenses. diff --git a/README.md b/README.md index ee51265d25..951d75b940 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,7 @@ # NepalEntityService-database + A file-based database that powers the NepalEntityService API. + +## License + +This project is licensed under the [Hippocratic License Version 3.0](./LICENSE) — see [LICENSING.md](./LICENSING.md) for details. From 567c13d0e3cef03e79f646d45521eb592db4b9ef Mon Sep 17 00:00:00 2001 From: Jawafdehi Bot Date: Sat, 9 May 2026 23:43:37 -0700 Subject: [PATCH 3/4] Add SPDX header check CI workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Enforcement-level SPDX header validation for Hippocratic License 3.0 compliance. Part of JAW-79 — SPDX-header CI check for Hippocratic License compliance. Co-Authored-By: Paperclip --- .github/workflows/spdx-header-check.yml | 111 ++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 .github/workflows/spdx-header-check.yml diff --git a/.github/workflows/spdx-header-check.yml b/.github/workflows/spdx-header-check.yml new file mode 100644 index 0000000000..a302b9ffde 
--- /dev/null +++ b/.github/workflows/spdx-header-check.yml 
@@ -0,0 +1,111 @@ +name: SPDX License Header Check + +on: + pull_request: + branches: [main] + push: + branches: [main] + +jobs: + spdx-check: + name: Check SPDX License Headers + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Check LICENSE file + run: | + if [ ! -f LICENSE ]; then + echo "::error::LICENSE file is missing" + exit 1 + fi + if ! grep -q "Hippocratic License Version 3.0" LICENSE; then + echo "::error::LICENSE does not contain Hippocratic License 3.0" + exit 1 + fi + echo "LICENSE file OK (Hippocratic License 3.0)" + + - name: Check SPDX headers in source files + run: | + MISSING=0 + TOTAL=0 + SOURCE_FILES=$(git ls-files \ + '*.py' '*.js' '*.ts' '*.tsx' '*.rs' '*.go' '*.java' '*.rb' \ + '*.sh' '*.bash' '*.yml' '*.yaml' '*.json' '*.css' '*.scss' \ + '*.html' '*.sql' '*.tf' 'Dockerfile*' \ + 2>/dev/null || true) + + if [ -z "$SOURCE_FILES" ]; then + echo "No source files found to check." + exit 0 + fi + + while IFS= read -r file; do + TOTAL=$((TOTAL + 1)) + if head -20 "$file" 2>/dev/null | grep -qi "SPDX-License-Identifier"; then + continue + else + echo "::error title=Missing SPDX header::$file" + MISSING=$((MISSING + 1)) + fi + done <<< "$SOURCE_FILES" + + echo "---" + echo "Files checked: $TOTAL" + echo "Files with SPDX header: $((TOTAL - MISSING))" + echo "Files missing SPDX header: $MISSING" + + if [ "$MISSING" -gt 0 ]; then + echo "::error:: $MISSING source files are missing SPDX license headers" + exit 1 + fi + echo "All tracked source files have SPDX headers." + + - name: Verify SPDX identifier is Hippocratic-3.0 + run: | + MISMATCH=0 + TOTAL=0 + SOURCE_FILES=$(git ls-files \ + '*.py' '*.js' '*.ts' '*.tsx' '*.rs' '*.go' '*.java' '*.rb' \ + '*.sh' '*.bash' 2>/dev/null || true) + + if [ -z "$SOURCE_FILES" ]; then + echo "No source files to verify SPDX identifier against." 
+ exit 0 + fi + + while IFS= read -r file; do + LINE=$(head -20 "$file" 2>/dev/null | grep -i "SPDX-License-Identifier" | head -1 || true) + if [ -n "$LINE" ]; then + TOTAL=$((TOTAL + 1)) + if ! echo "$LINE" | grep -qi "Hippocratic-3.0"; then + echo "::warning title=Non-HL3 SPDX identifier::$file" + echo " Found: $(echo "$LINE" | sed 's/^[[:space:]]*//')" + MISMATCH=$((MISMATCH + 1)) + fi + fi + done <<< "$SOURCE_FILES" + + echo "---" + echo "Files with SPDX identifiers checked: $TOTAL" + echo "Non-HL3 identifiers found: $MISMATCH" + if [ "$MISMATCH" -gt 0 ]; then + echo "::warning:: $MISMATCH file(s) use a non-Hippocratic-3.0 SPDX identifier" + fi + + - name: Verify governance files exist + run: | + MISSING_GOV=0 + for f in SECURITY.md CONTRIBUTING.md CODE_OF_CONDUCT.md; do + if [ ! -f "$f" ]; then + echo "::warning::$f is missing" + MISSING_GOV=$((MISSING_GOV + 1)) + else + echo "$f present" + fi + done + if [ "$MISSING_GOV" -gt 0 ]; then + echo "::warning:: $MISSING_GOV governance file(s) missing" + fi From 67576dca58c434165f6aa45ec3505e851b46a2dc Mon Sep 17 00:00:00 2001 From: Jawafdehi Bot Date: Sun, 10 May 2026 07:29:58 -0700 Subject: [PATCH 4/4] Fix SPDX header check: unified globs, warning-only, drop JSON - Unify file glob lists across header-check and identifier-verify steps - Remove *.json from header enforcement (JSON has no comment syntax) - Change Step 2 to warning-only (matches $12.3 approval understanding) - Both steps now use identical file coverage Co-Authored-By: Paperclip --- .github/workflows/spdx-header-check.yml | 33 +++++++++++++------------ 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/.github/workflows/spdx-header-check.yml b/.github/workflows/spdx-header-check.yml index a302b9ffde..82266bf270 100644 --- a/.github/workflows/spdx-header-check.yml +++ b/.github/workflows/spdx-header-check.yml 
@@ -29,28 +29,28 @@ jobs: - name: Check SPDX headers in source files run: | - MISSING=0 - TOTAL=0 - SOURCE_FILES=$(git ls-files \ + HEADER_FILES=$(git ls-files \ '*.py' '*.js' '*.ts' '*.tsx' '*.rs' '*.go' '*.java' '*.rb' \ - '*.sh' '*.bash' '*.yml' '*.yaml' '*.json' '*.css' '*.scss' \ + '*.sh' '*.bash' '*.yml' '*.yaml' '*.css' '*.scss' \ '*.html' '*.sql' '*.tf' 'Dockerfile*' \ 2>/dev/null || true) - if [ -z "$SOURCE_FILES" ]; then + if [ -z "$HEADER_FILES" ]; then echo "No source files found to check." exit 0 fi + MISSING=0 + TOTAL=0 while IFS= read -r file; do TOTAL=$((TOTAL + 1)) if head -20 "$file" 2>/dev/null | grep -qi "SPDX-License-Identifier"; then continue else - echo "::error title=Missing SPDX header::$file" + echo "::warning title=Missing SPDX header::$file" MISSING=$((MISSING + 1)) fi - done <<< "$SOURCE_FILES" + done <<< "$HEADER_FILES" echo "---" echo "Files checked: $TOTAL" @@ -58,24 +58,25 @@ jobs: echo "Files missing SPDX header: $MISSING" if [ "$MISSING" -gt 0 ]; then - echo "::error:: $MISSING source files are missing SPDX license headers" - exit 1 + echo "::warning:: $MISSING source files are missing SPDX license headers" fi - echo "All tracked source files have SPDX headers." + echo "SPDX header scan complete." - name: Verify SPDX identifier is Hippocratic-3.0 run: | - MISMATCH=0 - TOTAL=0 - SOURCE_FILES=$(git ls-files \ + IDENTIFIER_FILES=$(git ls-files \ '*.py' '*.js' '*.ts' '*.tsx' '*.rs' '*.go' '*.java' '*.rb' \ - '*.sh' '*.bash' 2>/dev/null || true) + '*.sh' '*.bash' '*.yml' '*.yaml' '*.css' '*.scss' \ + '*.html' '*.sql' '*.tf' 'Dockerfile*' \ + 2>/dev/null || true) - if [ -z "$SOURCE_FILES" ]; then + if [ -z "$IDENTIFIER_FILES" ]; then echo "No source files to verify SPDX identifier against." exit 0 fi + MISMATCH=0 + TOTAL=0 while IFS= read -r file; do LINE=$(head -20 "$file" 2>/dev/null | grep -i "SPDX-License-Identifier" | head -1 || true) if [ -n "$LINE" ]; then 
@@ -86,7 +87,7 @@ jobs: MISMATCH=$((MISMATCH + 1)) fi fi - done <<< "$SOURCE_FILES" + done <<< "$IDENTIFIER_FILES" echo "---" echo "Files with SPDX identifiers checked: $TOTAL"
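Review bot: on the CONTRIBUTING.md hunk in patch 1, the guidelines never tell contributors to put an SPDX header in new source files, yet the spdx-header-check workflow added in patch 3 scans every tracked `*.py`, `*.js`, `*.ts`, `*.sh` (and so on) file for `SPDX-License-Identifier`. Add a bullet under "Style guides" such as "Start every new source file with `# SPDX-License-Identifier: Hippocratic-3.0` in the language's comment syntax" so the CI expectation is documented where contributors will actually read it.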
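Review bot: on the LICENSE hunk in patch 1, condition 1 of the license text requires "The above copyright notice" to be reproduced in all copies, but the file as added carries no copyright line at all, only "Licensor: Jawafdehi.org" and "Project: Nepal Entity Service Database", so licensees have nothing to reproduce and the notice obligation is ambiguous. Add a `Copyright (c) <year> Jawafdehi.org` line (year to be supplied by the maintainers) above "Rights Granted". Separately, the commit message says the previous MIT license is replaced, but the diffstat shows four created files and no deletion; if an MIT notice exists anywhere in the repository it should be removed in the same change so the two licenses do not coexist.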
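Review bot: on the SECURITY.md hunk in patch 1, the reporting channel is a bare mailbox, `security@jawafdehi.org`, with no key, so a reporter has no way to encrypt vulnerability details in transit or to confirm they are talking to the maintainers. Publish a PGP key fingerprint (or a link to the organization's GitHub private vulnerability reporting) next to the address, and list what a useful report contains (affected repository, version or commit, reproduction steps, impact) so acknowledgement within the promised 72 hours is realistic. "Only the latest release or the `main` branch is actively supported" also leaves it unclear which of the two applies to a given repository; state one rule per repository or say "whichever a repository publishes".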
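Review bot: on the `.github/workflows/spdx-header-check.yml` hunk in patch 3, the "Check SPDX headers in source files" step fails on this very file: the workflow is tracked, matches the `'*.yml'` glob, and contains no `SPDX-License-Identifier` line, so the first run on `main` exits 1 with at least "Files missing SPDX header: 1". Either add `# SPDX-License-Identifier: Hippocratic-3.0` as the first line of the workflow or exclude `.github/` from the glob. Two smaller points in the same step: `fetch-depth: 0` is unnecessary for `git ls-files`, which reads the index that a shallow checkout already has in full, and `'*.json'` in the list guarantees failures because JSON has no comment syntax (the follow-up patch removes it). In the "Verify SPDX identifier is Hippocratic-3.0" step, `grep -qi "Hippocratic-3.0"` is a substring match, so a header such as `SPDX-License-Identifier: MIT OR Hippocratic-3.0` passes without a warning; if only HL3 is acceptable, compare the whole value after the colon rather than searching for the substring.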
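Review bot: on the first hunk of patch 4 (`@@ -29,28 +29,28 @@`), changing the missing-header path from `::error` plus `exit 1` to `::warning` means this step can no longer fail the job, so nothing gates a pull request that adds source files without a header, even though patch 3 describes the check as "enforcement-level". If the intent is to stop blocking on legacy files, keep the tree-wide warning but also compute the files the PR touches (for example `git diff --name-only "origin/$GITHUB_BASE_REF"...HEAD` on `pull_request` events, which is the one place the existing `fetch-depth: 0` would actually earn its cost) and `exit 1` only when one of those lacks a header. Moving `MISSING=0`/`TOTAL=0` below the `git ls-files` call is fine, but note that the early `exit 0` on an empty list skips the summary block entirely; printing "Files checked: 0" there would make an empty scan distinguishable from a skipped one in the logs.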
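Review bot: on the second hunk of patch 4 (`@@ -58,24 +58,25 @@`), the glob list is now duplicated verbatim between `HEADER_FILES` and `IDENTIFIER_FILES`, which is exactly the drift this patch had to repair; define it once, for instance in a step-level `env:` variable or a single `git ls-files` invocation whose output both loops read, so the two steps cannot diverge again. Also, "SPDX header scan complete." is printed whether or not `MISSING` is non-zero, and the "Verify SPDX identifier is Hippocratic-3.0" step still only warns on mismatches, so after this patch the only condition that can fail the job is a missing or non-HL3 `LICENSE` file; either the workflow description should say it is advisory, or a later change should restore a failing path for newly added files.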