hyperpolymath · hyperpolymath · Mar 3, 2026 · Mar 3, 2026 · chatgpt-codex-connector · Mar 3, 2026
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# All files in the repository
+* @hyperpolymath
diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
@@ -11,33 +11,28 @@ on:
   workflow_dispatch:
 
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
-# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
-concurrency:
-  group: "pages"
-  cancel-in-progress: false
+permissions: read-all
 
 jobs:
   # Build job
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
       - name: Build with Jekyll
-        uses: actions/jekyll-build-pages@v1
+        uses: actions/jekyll-build-pages@483d13b77a3ddc98f58a1b3910aacc19a7f337c3 # v1.0.13
         with:
           source: ./
           destination: ./_site
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dee4629d657e # v3.0.1
 
   # Deployment job
   deploy:
@@ -46,7 +41,11 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      pages: write
+      id-token: write
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6dbca28e605e47460e141952724c5747a3e723e # v4.0.5
+
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -9,11 +9,11 @@ on:
     - cron: '0 0 * * 0'  # Weekly on Sunday at midnight
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   scan:
-    uses: hyperpolymath/panic-attacker/.github/workflows/scan-and-report.yml@main
+    uses: hyperpolymath/panic-attacker/.github/workflows/scan-and-report.yml@20321d0d4c61dd410c29c3e66202c10392294692
+
     secrets:
       VERISIMDB_PAT: ${{ secrets.VERISIMDB_PAT }}
diff --git a/CII-BEST-PRACTICES.md b/CII-BEST-PRACTICES.md
@@ -0,0 +1,29 @@
+# OpenSSF Best Practices (CII) Adherence
+
+This document tracks the project's adherence to the [OpenSSF Best Practices Badge](https://best-practices.coreinfrastructure.org/) criteria.
+
+## Summary
+The ambientops project is committed to following open-source security and quality best practices.
+
+## Change Control
+- **Public Repository**: All source code is hosted on GitHub and is public.
+- **Version Control**: We use Git for version control.
+- **Unique Versioning**: All releases use unique version identifiers (SemVer).
+
+## Reporting
+- **Bug Reporting Process**: Documented in `CONTRIBUTING.md`.
+- **Vulnerability Reporting**: A clear `SECURITY.md` file defines the private reporting process.
+
+## Quality
+- **Automated Builds**: We use GitHub Actions for automated builds and CI.
+- **Testing**: Automated test suites are integrated into the CI pipeline.
+- **New Features**: New functionality is required to have associated tests.
+
+## Security
+- **Secure Development**: We use automated security scanners (CodeQL, Trufflehog).
+- **Dependency Pinning**: GitHub Actions and critical dependencies are pinned to specific versions/SHAs.
+- **No Hardcoded Secrets**: Scanned via `trufflehog` and `gitleaks`.
+
+## Best Practices
+- **SPDX Headers**: We use SPDX license identifiers in all source files.
+- **Code Review**: All changes require a pull request and code review before merging to `main`.
diff --git a/SECURITY-ACKNOWLEDGMENTS.md b/SECURITY-ACKNOWLEDGMENTS.md
@@ -0,0 +1,9 @@
+# Security Acknowledgments
+
+We would like to thank the following researchers for their contributions to keeping ambientops safe.
+
+## 2026
+- Currently no entries.
+
+## 2025
+- Currently no entries.
diff --git a/clinician/Cargo.toml b/clinician/Cargo.toml
@@ -40,7 +40,10 @@ directories = "5"
 # Utilities
 chrono = { version = "0.4", features = ["serde"] }
 ring = "0.17.13"
+lru = "0.16.3"
 uuid = { version = "1", features = ["v4"] }
+
+
 toml = "0.8"
 
 futures = "0.3"

diff --git a/czech-file-knife/.tool-versions b/czech-file-knife/.tool-versions
@@ -2,5 +2,5 @@
 # asdf/mise tool versions
 # See: https://asdf-vm.com/
 
-rust 1.83.0
+rust nightly
 just 1.36.0