fix: remove 12 orphaned gitlinks, fix 4 failing CI workflows

Orphaned gitlinks (submodule entries in index with no .gitmodules URL)
caused checkout's auth cleanup to crash with "No url found for
submodule path" — breaking Scorecard, Secret Scanner, and others.

Gitlink fixes:
- Remove gitlinks for 9 small directories, track as regular files:
  deno-ecosystem, devkit-risc-v, idris2-ecosystem, opm-canonicalizer,
  packages, riscv-guix-buildsys, synapse, well-known-ecosystem,
  zig-ecosystem
- Remove gitlinks for 3 large directories, add to .gitignore:
  julia-ecosystem (273MB), opam-repository (79MB),
  package-publishers (2GB)

Workflow fixes:
- mirror.yml: mkdir -p ~/.radicle/keys before writing key file
- workflow-linter.yml: grep ^\s*uses: to skip comments (was matching
  its own comment lines as "unpinned actions")
- workflow-linter.yml: fix SPDX suggestion from AGPL to PMPL
- All 4 workflows: fix SPDX from MPL-2.0-or-later to PMPL-1.0-or-later
- .gitignore: fix SPDX from AGPL to PMPL

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/mirror.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: PMPL-1.0-or-later
 # SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
 name: Mirror to Git Forges
 
@@ -139,6 +139,7 @@ jobs:
 
       - name: Mirror to Radicle
         run: |
+          mkdir -p ~/.radicle/keys
           echo "${{ secrets.RADICLE_KEY }}" > ~/.radicle/keys/radicle
           chmod 600 ~/.radicle/keys/radicle
           rad sync --announce || echo "Radicle sync attempted"

.github/workflows/scorecard.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: OSSF Scorecard
 on:
   push:

.github/workflows/secret-scanner.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: PMPL-1.0-or-later
 # Prevention workflow - scans for hardcoded secrets before they reach main
 name: Secret Scanner
 

.github/workflows/workflow-linter.yml

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0-or-later
+# SPDX-License-Identifier: PMPL-1.0-or-later
 # workflow-linter.yml - Validates GitHub workflows against RSR security standards
 # This workflow can be copied to other repos for consistent enforcement
 name: Workflow Security Linter
@@ -36,7 +36,7 @@ jobs:
             fi
           done
           if [ $failed -eq 1 ]; then
-            echo "Add '# SPDX-License-Identifier: AGPL-3.0-or-later' as first line"
+            echo "Add '# SPDX-License-Identifier: PMPL-1.0-or-later' as first line"
             exit 1
           fi
           echo "All workflows have SPDX headers"
@@ -63,9 +63,9 @@ jobs:
           echo "=== Checking Action Pinning ==="
           # Find any uses: lines that don't have @SHA format
           # Pattern: uses: owner/repo@<40-char-hex>
-          unpinned=$(grep -rn "uses:" .github/workflows/ | \
+          unpinned=$(grep -rn "^\s*uses:" .github/workflows/ | \
             grep -v "@[a-f0-9]\{40\}" | \
-            grep -v "uses: \./\|uses: docker://\|uses: actions/github-script" || true)
+            grep -v "uses: \./\|uses: docker://" || true)
 
           if [ -n "$unpinned" ]; then
             echo "ERROR: Found unpinned actions:"

.gitignore

@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: PMPL-1.0-or-later
 # RSR-compliant .gitignore
 
 # OS & Editor
@@ -80,3 +80,8 @@ htmlcov/
 
 # Crash recovery artifacts
 ai-cli-crash-capture/
+
+# Large directories (no standalone repos, too big to track)
+/julia-ecosystem/
+/opam-repository/
+/package-publishers/

deno-ecosystem

@@ -0,0 +1,9 @@
+;; SPDX-License-Identifier: PMPL-1.0-or-later
+;; .bot_directives — per-bot rules and constraints
+;; Media-Type: application/vnd.bot-directives+scm
+
+(bot-directives
+  (version "1.0")
+  (notes
+    "Repo-specific bot constraints."
+    "Bots must follow these directives in addition to global policies."))

deno-ecosystem/.bot_directives/README.scm

@@ -0,0 +1,7 @@
+;; SPDX-License-Identifier: PMPL-1.0-or-later
+(bot-directive
+  (bot "echidnabot")
+  (scope "formal verification and fuzzing")
+  (allow ("analysis" "fuzzing" "proof checks"))
+  (deny ("write to core modules" "write to bindings"))
+  (notes "May open findings; code changes require explicit approval"))

deno-ecosystem/.bot_directives/echidnabot.scm

@@ -0,0 +1,7 @@
+;; SPDX-License-Identifier: PMPL-1.0-or-later
+(bot-directive
+  (bot "finishbot")
+  (scope "release readiness")
+  (allow ("release checklists" "docs updates" "metadata fixes"))
+  (deny ("code changes without approval"))
+  (notes "Focus on polish, licensing, and packaging"))

deno-ecosystem/.bot_directives/finishbot.scm

@@ -0,0 +1,7 @@
+;; SPDX-License-Identifier: PMPL-1.0-or-later
+(bot-directive
+  (bot "glambot")
+  (scope "presentation + accessibility")
+  (allow ("docs" "readme badges" "ui/accessibility suggestions"))
+  (deny ("logic changes"))
+  (notes "Edits limited to presentation layers"))