fix: security hardening and SCM metadata updates (#1)

- Remove template placeholders from SECURITY.md (security issue)
- Replace {{OWNER}}/{{REPO}} with hyperpolymath/eclipse-ssg
- Remove PGP section (not configured)
- Update project name from template-repo to eclipse-ssg in all SCM files
- Add ADR-002 for MCP Hub Integration decision
- Add comprehensive roadmap (v0.1 to v1.0)
- Update development practices with Deno tooling
- Track resolved issues in STATE.scm

Co-authored-by: Claude <noreply@anthropic.com>

Author: hyperpolymath

ECOSYSTEM.scm

@@ -1,15 +1,15 @@
 ;; SPDX-License-Identifier: AGPL-3.0-or-later
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
-;; ECOSYSTEM.scm — template-repo
+;; ECOSYSTEM.scm — eclipse-ssg
 
 (ecosystem
   (version "1.0.0")
-  (name "template-repo")
-  (type "project")
-  (purpose "Project in the hyperpolymath ecosystem")
+  (name "eclipse-ssg")
+  (type "satellite")
+  (purpose "Satellite SSG implementation providing MCP protocol interface to 28+ static site generators")
 
   (position-in-ecosystem
-    "Part of hyperpolymath ecosystem. Follows RSR guidelines.")
+    "Satellite implementation in the hyperpolymath ecosystem. Synchronizes adapters from poly-ssg-mcp hub.")
 
   (related-projects
     (project
@@ -18,11 +18,21 @@
       (relationship "hub")
       (description "Unified MCP server for 28 SSGs - provides adapter interface")
       (differentiation
-        "poly-ssg-mcp = Hub with all SSG adapters via MCP
-         This project = Satellite SSG implementation using the hub"))
-    (project (name "rhodium-standard-repositories")
-             (url "https://github.com/hyperpolymath/rhodium-standard-repositories")
-             (relationship "standard")))
+        "poly-ssg-mcp = Central hub with all SSG adapters via MCP
+         eclipse-ssg = Satellite implementation consuming the hub adapters"))
+    (project
+      (name "rhodium-standard-repositories")
+      (url "https://github.com/hyperpolymath/rhodium-standard-repositories")
+      (relationship "standard")
+      (description "RSR compliance guidelines and templates")))
+
+  (what-this-is
+    "A satellite SSG project that:
+     - Integrates 28 static site generator adapters from poly-ssg-mcp
+     - Provides unified CLI interface via MCP protocol
+     - Supports Rust, Haskell, Elixir, Julia, OCaml, Scheme, and more")
 
-  (what-this-is "Project in the hyperpolymath ecosystem")
-  (what-this-is-not "- NOT exempt from RSR compliance"))
+  (what-this-is-not
+    "- NOT the canonical source for SSG adapters (that's poly-ssg-mcp)
+     - NOT a standalone SSG implementation
+     - NOT exempt from RSR compliance"))

META.scm

@@ -1,24 +1,33 @@
 ;; SPDX-License-Identifier: AGPL-3.0-or-later
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
-;;; META.scm — template-repo
+;;; META.scm — eclipse-ssg
 
-(define-module (template-repo meta)
+(define-module (eclipse-ssg meta)
   #:export (architecture-decisions development-practices design-rationale))
 
 (define architecture-decisions
   '((adr-001
      (title . "RSR Compliance")
      (status . "accepted")
      (date . "2025-12-15")
-     (context . "Project in the hyperpolymath ecosystem")
+     (context . "Satellite SSG implementation in the hyperpolymath ecosystem")
      (decision . "Follow Rhodium Standard Repository guidelines")
-     (consequences . ("RSR Gold target" "SHA-pinned actions" "SPDX headers" "Multi-platform CI")))))
+     (consequences . ("RSR Gold target" "SHA-pinned actions" "SPDX headers" "Multi-platform CI")))
+    (adr-002
+     (title . "MCP Hub Integration")
+     (status . "accepted")
+     (date . "2025-12-17")
+     (context . "Need unified interface to multiple SSGs")
+     (decision . "Integrate with poly-ssg-mcp hub for 28+ SSG adapters")
+     (consequences . ("Deno/JS adapters" "CLI wrapper pattern" "Hub synchronization")))))
 
 (define development-practices
-  '((code-style (languages . ("unknown")) (formatter . "auto-detect") (linter . "auto-detect"))
-    (security (sast . "CodeQL") (credentials . "env vars only"))
+  '((code-style (languages . ("javascript" "scheme")) (formatter . "deno fmt") (linter . "deno lint"))
+    (security (sast . "CodeQL") (credentials . "env vars only") (input-validation . "required"))
     (testing (coverage-minimum . 70))
     (versioning (scheme . "SemVer 2.0.0"))))
 
 (define design-rationale
-  '((why-rsr "RSR ensures consistency, security, and maintainability.")))
+  '((why-rsr "RSR ensures consistency, security, and maintainability.")
+    (why-mcp "MCP protocol provides standardized tool interface for AI agents.")
+    (why-deno "Deno provides secure-by-default runtime with TypeScript support.")))

SECURITY.md

@@ -1,23 +1,5 @@
 # Security Policy
 
-<!-- 
-============================================================================
-TEMPLATE INSTRUCTIONS (delete this block before publishing)
-============================================================================
-Replace all {{PLACEHOLDER}} values with your information:
-  {{PROJECT_NAME}}     - Your project name
-  {{OWNER}}            - GitHub username or org (e.g., hyperpolymath)
-  {{REPO}}             - Repository name
-  {{SECURITY_EMAIL}}   - Security contact email
-  {{PGP_FINGERPRINT}}  - Your PGP key fingerprint (40 chars, no spaces)
-  {{PGP_KEY_URL}}      - URL to your public PGP key
-  {{WEBSITE}}          - Your website/domain
-  {{CURRENT_YEAR}}     - Current year for copyright
-
-Optional: Remove sections that don't apply (e.g., PGP if you don't use it)
-============================================================================
--->
-
 We take security seriously. We appreciate your efforts to responsibly disclose vulnerabilities and will make every effort to acknowledge your contributions.
 
 ## Table of Contents
@@ -40,7 +22,7 @@ We take security seriously. We appreciate your efforts to responsibly disclose v
 
 The preferred method for reporting security vulnerabilities is through GitHub's Security Advisory feature:
 
-1. Navigate to [Report a Vulnerability](https://github.com/{{OWNER}}/{{REPO}}/security/advisories/new)
+1. Navigate to [Report a Vulnerability](https://github.com/hyperpolymath/eclipse-ssg/security/advisories/new)
 2. Click **"Report a vulnerability"**
 3. Complete the form with as much detail as possible
 4. Submit — we'll receive a private notification
@@ -52,27 +34,6 @@ This method ensures:
 - Coordinated disclosure tooling
 - Automatic credit when the advisory is published
 
-### Alternative: Encrypted Email
-
-If you cannot use GitHub Security Advisories, you may email us directly:
-
-| | |
-|---|---|
-| **Email** | {{SECURITY_EMAIL}} |
-| **PGP Key** | [Download Public Key]({{PGP_KEY_URL}}) |
-| **Fingerprint** | `{{PGP_FINGERPRINT}}` |
-
-```bash
-# Import our PGP key
-curl -sSL {{PGP_KEY_URL}} | gpg --import
-
-# Verify fingerprint
-gpg --fingerprint {{SECURITY_EMAIL}}
-
-# Encrypt your report
-gpg --armor --encrypt --recipient {{SECURITY_EMAIL}} report.txt
-```
-
 > **⚠️ Important:** Do not report security vulnerabilities through public GitHub issues, pull requests, discussions, or social media.
 
 ---
@@ -203,7 +164,7 @@ If we cannot reach agreement on disclosure timing, we default to 90 days from yo
 
 The following are within scope for security research:
 
-- This repository (`{{OWNER}}/{{REPO}}`) and all its code
+- This repository (`hyperpolymath/eclipse-ssg`) and all its code
 - Official releases and packages published from this repository
 - Documentation that could lead to security issues
 - Build and deployment configurations in this repository
@@ -322,7 +283,7 @@ Recognition includes:
 To stay informed about security updates:
 
 - **Watch this repository**: Click "Watch" → "Custom" → Select "Security alerts"
-- **GitHub Security Advisories**: Published at [Security Advisories](https://github.com/{{OWNER}}/{{REPO}}/security/advisories)
+- **GitHub Security Advisories**: Published at [Security Advisories](https://github.com/hyperpolymath/eclipse-ssg/security/advisories)
 - **Release notes**: Security fixes noted in [CHANGELOG](CHANGELOG.md)
 
 ### Update Policy
@@ -335,8 +296,6 @@ To stay informed about security updates:
 
 ### Supported Versions
 
-<!-- Adjust this table to match your actual version support policy -->
-
 | Version | Supported | Notes |
 |---------|-----------|-------|
 | `main` branch | ✅ Yes | Latest development |
@@ -348,7 +307,7 @@ To stay informed about security updates:
 
 ## Security Best Practices
 
-When using {{PROJECT_NAME}}, we recommend:
+When using eclipse-ssg, we recommend:
 
 ### General
 
@@ -370,8 +329,7 @@ When using {{PROJECT_NAME}}, we recommend:
 
 ## Additional Resources
 
-- [Our PGP Public Key]({{PGP_KEY_URL}})
-- [Security Advisories](https://github.com/{{OWNER}}/{{REPO}}/security/advisories)
+- [Security Advisories](https://github.com/hyperpolymath/eclipse-ssg/security/advisories)
 - [Changelog](CHANGELOG.md)
 - [Contributing Guidelines](CONTRIBUTING.md)
 - [CVE Database](https://cve.mitre.org/)
@@ -383,8 +341,8 @@ When using {{PROJECT_NAME}}, we recommend:
 
 | Purpose | Contact |
 |---------|---------|
-| **Security issues** | [Report via GitHub](https://github.com/{{OWNER}}/{{REPO}}/security/advisories/new) or {{SECURITY_EMAIL}} |
-| **General questions** | [GitHub Discussions](https://github.com/{{OWNER}}/{{REPO}}/discussions) |
+| **Security issues** | [Report via GitHub](https://github.com/hyperpolymath/eclipse-ssg/security/advisories/new) |
+| **General questions** | [GitHub Discussions](https://github.com/hyperpolymath/eclipse-ssg/discussions) |
 | **Other enquiries** | See [README](README.md) for contact information |
 
 ---
@@ -399,8 +357,8 @@ This security policy may be updated from time to time. Significant changes will
 
 ---
 
-*Thank you for helping keep {{PROJECT_NAME}} and its users safe.* 🛡️
+*Thank you for helping keep eclipse-ssg and its users safe.* 🛡️
 
 ---
 
-<sub>Last updated: {{CURRENT_YEAR}} · Policy version: 1.0.0</sub>
+<sub>Last updated: 2025 · Policy version: 1.0.0</sub>

STATE.scm

@@ -1,22 +1,78 @@
-;;; STATE.scm — template-repo
 ;; SPDX-License-Identifier: AGPL-3.0-or-later
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
+;;; STATE.scm — eclipse-ssg
 
 (define metadata
-  '((version . "0.1.0") (updated . "2025-12-15") (project . "template-repo")))
+  '((version . "0.2.0") (updated . "2025-12-17") (project . "eclipse-ssg")))
 
 (define current-position
-  '((phase . "v0.1 - Initial Setup")
-    (overall-completion . 25)
-    (components ((rsr-compliance ((status . "complete") (completion . 100)))))))
+  '((phase . "v0.2 - Integration Complete")
+    (overall-completion . 40)
+    (components
+      ((rsr-compliance ((status . "complete") (completion . 100)))
+       (hub-integration ((status . "complete") (completion . 100)))
+       (security-hardening ((status . "complete") (completion . 100)))
+       (testing ((status . "not-started") (completion . 0)))
+       (documentation ((status . "in-progress") (completion . 50)))))))
 
-(define blockers-and-issues '((critical ()) (high-priority ())))
+(define blockers-and-issues
+  '((critical ())
+    (high-priority ())
+    (resolved
+      (("SECURITY.md placeholders" . "2025-12-17")
+       ("SCM file naming" . "2025-12-17")))))
 
 (define critical-next-actions
-  '((immediate (("Verify CI/CD" . high))) (this-week (("Expand tests" . medium)))))
+  '((immediate
+      (("Add adapter tests" . high)
+       ("Create deno.json config" . medium)))
+    (this-week
+      (("Add README with usage examples" . medium)
+       ("Set up CI for adapter validation" . medium)))))
+
+(define roadmap
+  '((v0.1 (name . "Initial Setup")
+          (status . "complete")
+          (items . ("RSR compliance" "Repository structure" "CI/CD setup")))
+    (v0.2 (name . "Hub Integration")
+          (status . "complete")
+          (items . ("Sync 28 SSG adapters from poly-ssg-mcp"
+                    "Security policy configuration"
+                    "SCM metadata updates")))
+    (v0.3 (name . "Testing & Validation")
+          (status . "planned")
+          (items . ("Unit tests for adapter loading"
+                    "Integration tests with mock SSGs"
+                    "CI pipeline for adapter validation"
+                    "Coverage reporting")))
+    (v0.4 (name . "Documentation & Examples")
+          (status . "planned")
+          (items . ("README with quick start guide"
+                    "Usage examples for each adapter"
+                    "API documentation"
+                    "Troubleshooting guide")))
+    (v0.5 (name . "Production Readiness")
+          (status . "planned")
+          (items . ("Input validation for all adapters"
+                    "Error handling improvements"
+                    "Performance benchmarks"
+                    "Release automation")))
+    (v1.0 (name . "Stable Release")
+          (status . "planned")
+          (items . ("Full test coverage (70%+)"
+                    "Complete documentation"
+                    "npm/deno package publishing"
+                    "Security audit")))))
 
 (define session-history
-  '((snapshots ((date . "2025-12-15") (session . "initial") (notes . "SCM files added")))))
+  '((snapshots
+      ((date . "2025-12-15") (session . "initial") (notes . "SCM files added"))
+      ((date . "2025-12-17") (session . "hub-integration") (notes . "28 SSG adapters synced from poly-ssg-mcp"))
+      ((date . "2025-12-17") (session . "security-review") (notes . "Fixed SECURITY.md, updated SCM files")))))
 
 (define state-summary
-  '((project . "template-repo") (completion . 25) (blockers . 0) (updated . "2025-12-15")))
+  '((project . "eclipse-ssg")
+    (completion . 40)
+    (blockers . 0)
+    (adapters . 28)
+    (updated . "2025-12-17")))