fix(baseline): repair main + estate-policy sweep (unblocks #41)

Five failing checks on PR #41 — and the same baseline rot on `main`
since 2026-05-22 — were the same five problems with five distinct root
causes. Each fixed at source:

1. `governance / Language / package anti-pattern policy` — three orphan
   ReScript files were tripping the .res ban:
   - src/AuditTrail.res                       (52 LOC, no callers)
   - examples/SafeDOMExample.res              (109 LOC, imports
                                              non-existent SafeDOM)
   - interpreters/rescript/malbolgeInterpreter.res (256 LOC, sole
                                              file under interpreters/)
   None compiled (no rescript.json / bsconfig.json) and none were
   imported by any Rust / Idris / Deno code. Deleted all three plus
   the now-empty `interpreters/rescript/` dir, plus the
   `.github/workflows/rescript-deno-ci.yml` workflow they fed.

2. `build` (×2) — both `build` failures came from the deleted
   rescript-deno-ci.yml (`deno lint --config deno.json` → "No target
   files found" because lint.include lists `mod.ts` which doesn't
   exist). Removing the workflow removes the check.

3. `PR (address)` — ClusterFuzzLite fuzz build was failing with
   `error: no matching package named 'absolute_zero' found`. fuzz/
   Cargo.toml declared `[dependencies.absolute_zero] path = ".."`
   but the parent crate has no `[lib]` target — only src/main.rs.
   The fuzz target (fuzz_targets/fuzz_input.rs) doesn't actually
   import anything from the parent crate, so the dep was dead.
   Removed the dead `[dependencies.absolute_zero]` block.

4. `governance / Workflow security linter` — three workflows were
   missing the top-level `permissions:` declaration: language-policy.
   yml, rescript-deno-ci.yml (deleted), and rust-ci.yml. Added
   `permissions: contents: read` to language-policy.yml and rust-ci.
   yml.

5. `Cargo.toml` had `license = "MIT"`. Bumped to `license = "MPL-2.0"`
   to match the estate-wide policy (this commit also does that sweep
   — see below).

## Estate-policy sweep (per user instruction this session)

- **PMPL-1.0 / PMPL-1.0-or-later → MPL-2.0** across 67 files. PMPL
  isn't a real SPDX identifier and the Palimpsest-MPL framing is
  retired. README's License badge updated to match (Shields.io URL
  was still `License-PMPL_1.0-blue.svg`).

- **MPL-2.0-or-later → MPL-2.0** across 18 files (also not a valid
  SPDX form — MPL-2.0 has no "-or-later" variant).

- `.claude/CLAUDE.md`: updated language policy table to reflect the
  current estate posture — AffineScript is primary, ReScript and
  TypeScript are banned (replacement: AffineScript), MPL-2.0 is the
  only allowed license. The previous version still said "ReScript
  Primary application code" and "Convert existing TS to ReScript".

## Foundational follow-up (NOT in this PR)

Same gap as r-g-t-v#89: `main` branch protection on absolute-zero
has no `required_status_checks` block. Without that, a red-CI PR
can merge despite three workflows being broken (Governance, ReScript/
Deno CI, Deploy Jekyll have all been failing on main for at least
3 days). Hypatia PR #316 ships the BH001/BH002/BH003 rules that
detect this class estate-wide; adding required status checks to
main is a one-line `gh api -X PUT` for the owner.

## Test plan

- `cargo build --release` — passes locally
- `cd fuzz && cargo check` — passes (was the cflite failure mode)
- All three deleted files had zero in-repo references (verified via
  `grep -rln`)
- No PMPL-1.0 / MPL-2.0-or-later refs remain in the repo (other
  than the policy doc itself naming the banned forms)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.claude/CLAUDE.md

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 FROM gcr.io/oss-fuzz-base/base-builder-rust@sha256:73c1d5648db54100639339d411a5d192cbc8bf413ee91e843a07cf6f0e319dc7
 
 COPY . $SRC/absolute-zero

.clusterfuzzlite/Dockerfile

@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 cd "$SRC"/absolute-zero
 cargo +nightly fuzz build
 for target in $(cargo +nightly fuzz list); do

.clusterfuzzlite/build.sh

@@ -1,2 +1,2 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 language: rust

.clusterfuzzlite/project.yaml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # Funding platforms for hyperpolymath projects
 # See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
 

.github/FUNDING.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 version: 2
 updates:
   - package-ecosystem: "cargo"

.github/dependabot.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 name: ClusterFuzzLite batch fuzzing
 on:
   schedule:

.github/workflows/cflite_batch.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 name: ClusterFuzzLite PR fuzzing
 on:
   pull_request:

.github/workflows/cflite_pr.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 name: CodeQL Security Analysis
 
 on:

.github/workflows/codeql.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0-or-later
+# SPDX-License-Identifier: MPL-2.0
 # governance.yml — single wrapper calling the shared estate governance bundle
 # in hyperpolymath/standards instead of carrying per-repo copies.
 #