rosett-ai 1.3.3

data/doc/REFERENCES.md

@@ -0,0 +1,324 @@
+# Rosett-AI Project References & Bibliography
+
+Comprehensive reference list for the Rosett-AI project.
+All resources collected during design, research, and implementation phases.
+
+Last updated: 2026-03-04
+
+---
+
+## Table of Contents
+
+1. [Licensing & Legal](#1-licensing--legal)
+2. [AI Ecosystem (AAIF, MCP, AGENTS.md)](#2-ai-ecosystem-aaif-mcp-agentsmd)
+3. [D-Bus & Desktop IPC](#3-d-bus--desktop-ipc)
+4. [GNOME / GTK4 Development](#4-gnome--gtk4-development)
+5. [KDE / Qt6 Development](#5-kde--qt6-development)
+6. [Accessibility Standards & Tools](#6-accessibility-standards--tools)
+7. [GUI Testing](#7-gui-testing)
+8. [Compositor & Window Manager Integration](#8-compositor--window-manager-integration)
+9. [Ruby Gems & Libraries](#9-ruby-gems--libraries)
+10. [Build, Packaging & Distribution](#10-build-packaging--distribution)
+11. [Code Quality & Development Tools](#11-code-quality--development-tools)
+12. [Standards & Specifications](#12-standards--specifications)
+13. [Project Infrastructure](#13-project-infrastructure)
+
+---
+
+## 1. Licensing & Legal
+
+### 1.1 GPL & Open Source Licenses
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| GPL-3.0 Full Text (HTML) | https://www.gnu.org/licenses/gpl-3.0.en.html | `LICENSE.md`, licensing decision | Project license |
+| GPL-3.0 Full Text (TXT) | https://www.gnu.org/licenses/gpl-3.0.txt | `LICENSE.md` | Machine-readable |
+| AGPL-3.0 Full Text (HTML) | https://www.gnu.org/licenses/agpl-3.0.en.html | Licensing research | Considered, not chosen |
+| AGPL-3.0 Full Text (TXT) | https://www.gnu.org/licenses/agpl-3.0.txt | Licensing research | |
+| GNU Licenses Overview | https://www.gnu.org/licenses/ | `LICENSE.md` | |
+| Why Not LGPL | https://www.gnu.org/licenses/why-not-lgpl.html | `LICENSE.md` | |
+| FSF GPL FAQ: Relicensing | https://www.gnu.org/licenses/gpl-faq.en.html#CanDeveloperThirdParty | AAIF licensing analysis | Third-party relicensing |
+| Apache-2.0 / GPL-3.0 Compatibility | https://www.apache.org/licenses/GPL-compatibility.html | AAIF licensing analysis | Goose (Apache-2.0) + rosett-ai (GPL-3.0) |
+| Free Software Foundation | https://fsf.org/ | `LICENSE.md` | |
+| SPDX License List | https://spdx.org/licenses/ | Licensing research | License identifiers |
+| SPDX Specification v3.0.1 | https://spdx.github.io/spdx-spec/v3.0.1/annexes/spdx-license-expressions/ | Licensing research | Expression syntax |
+
+### 1.2 Anthropic Legal & Terms
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| Anthropic Consumer Terms of Service | https://www.anthropic.com/legal/consumer-terms | Licensing research | AI output ownership |
+| Anthropic Commercial Terms of Service | https://www.anthropic.com/legal/commercial-terms | Licensing research | Commercial use rights |
+| Anthropic Acceptable Use Policy | https://www.anthropic.com/legal/aup | Licensing research | |
+| Claude Code Legal & Compliance | https://code.claude.com/docs/en/legal-and-compliance | Licensing research | |
+| Expanded Legal Protections Announcement | https://www.anthropic.com/news/expanded-legal-protections-api-improvements | Licensing research | IP indemnity |
+
+### 1.3 US Copyright Law & AI
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| US Copyright Office AI Hub | https://www.copyright.gov/ai/ | Licensing research | Central AI copyright resource |
+| Part 2: Copyrightability Report (PDF) | https://www.copyright.gov/ai/Copyright-and-Artificial-Intelligence-Part-2-Copyrightability-Report.pdf | Licensing research | |
+| Part 3: Generative AI Training Report (PDF) | https://www.copyright.gov/ai/Copyright-and-Artificial-Intelligence-Part-3-Generative-AI-Training-Report-Pre-Publication-Version.pdf | Licensing research | |
+| Federal Register March 2023 Registration Guidance | https://www.federalregister.gov/documents/2023/03/16/2023-05321/copyright-registration-guidance-works-containing-material-generated-by-artificial-intelligence | Licensing research | Works containing AI material |
+| Zarya of the Dawn Official Letter (PDF) | https://www.copyright.gov/docs/zarya-of-the-dawn.pdf | Licensing research | Landmark ruling |
+| Thaler v. Perlmutter D.C. Circuit Opinion (PDF) | https://media.cadc.uscourts.gov/opinions/docs/2025/03/23-5233.pdf | Licensing research | Human authorship required |
+| Thaler v. Perlmutter SCOTUS Petition (PDF) | https://cdn.patentlyo.com/media/2025/10/Thaler-v-Perlmutter-Petition.pdf | Licensing research | |
+| CRS Report: Generative AI and Copyright Law | https://www.congress.gov/crs-product/LSB10922 | Licensing research | Congressional Research Service |
+
+### 1.4 EU AI Act & Copyright
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| EU AI Act Full Text (EUR-Lex PDF) | https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689 | Licensing research | Official Journal |
+| EU AI Act Article 53 (GPAI Obligations) | https://artificialintelligenceact.eu/article/53/ | Licensing research | |
+| EU AI Act Article 50 (Transparency) | https://artificialintelligenceact.eu/article/50/ | Licensing research | |
+| EP Briefing: Copyright of AI-Generated Works (2025) | https://www.europarl.europa.eu/RegData/etudes/BRIE/2025/782585/EPRS_BRI(2025)782585_EN.pdf | Licensing research | European Parliament |
+| EP Study: Generative AI and Copyright (2025) | https://www.europarl.europa.eu/RegData/etudes/STUD/2025/774095/IUST_STU(2025)774095_EN.pdf | Licensing research | European Parliament |
+
+### 1.5 Legal Analysis (Law Firms)
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| Jones Day: Copyrightability of AI Outputs | https://www.jonesday.com/en/insights/2025/02/copyrightability-of-ai-outputs-us-copyright-office-analyzes-human-authorship-requirement | Licensing research | Feb 2025 |
+| Foley & Lardner: Clarifying Copyrightability | https://www.foley.com/insights/publications/2025/02/clarifying-copyrightability-ai-assisted-works/ | Licensing research | Feb 2025 |
+| Skadden: Appellate Court Affirms Human Authorship | https://www.skadden.com/insights/publications/2025/03/appellate-court-affirms-human-authorship | Licensing research | Mar 2025 |
+| Finnegan: DC Circuit Holds Human Authorship Required | https://www.finnegan.com/en/insights/ip-updates/dc-circuit-court-holds-that-human-authorship-is-required-as-a-matter-of-statutory-law-for-copyright-protection.html | Licensing research | |
+| BitLaw: Copyright Protection for AI-Generated Works | https://www.bitlaw.com/ai/AI-copyright.html | Licensing research | |
+
+### 1.6 AI Model Licenses
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| Mistral Open Models License | https://help.mistral.ai/en/articles/347393-under-which-license-are-mistral-s-open-models-available | Compiler targets | Apache 2.0 |
+| EleutherAI GPT-NeoX Repository | https://github.com/EleutherAI/gpt-neox | Compiler targets | Apache 2.0 |
+| Meta Llama 2 License | https://ai.meta.com/llama/license/ | Compiler targets | Custom license |
+| Meta Llama 3/3.1/3.2 License | https://www.llama.com/llama3/license/ | Compiler targets | Llama 3 Community |
+| Meta Llama 4 License | https://www.llama.com/llama4/license/ | Compiler targets | |
+
+---
+
+## 2. AI Ecosystem (AAIF, MCP, AGENTS.md)
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| AAIF Website | https://aaif.io/ | `aaif_alignment.yml`, `mcp_integration.yml` | Founded 2025-12-09 |
+| Linux Foundation Projects | https://www.linuxfoundation.org/projects | AAIF licensing analysis | Charter template |
+| Open-Core Model (Wikipedia) | https://en.wikipedia.org/wiki/Open-core_model | AAIF licensing analysis | Business model reference |
+| MCP Specification (2025-03-26) | https://modelcontextprotocol.io/specification/2025-03-26 | `mcp_integration.yml` | Current spec version |
+| MCP Server Registry | https://registry.modelcontextprotocol.io | MCP integration | Server discovery |
+| MCP Ruby SDK | https://github.com/modelcontextprotocol/ruby-sdk | MCP integration | gem: mcp v0.9.2 |
+| MCP Servers Repository | https://github.com/modelcontextprotocol/servers | MCP integration | Reference implementations |
+| MCP GitHub Organization | https://github.com/modelcontextprotocol | MCP integration | 36 repositories |
+| AGENTS.md Specification | https://agents.md/ | `aaif_alignment.yml` | Created 2025-08-19; 60k+ projects |
+| Goose by Block | https://github.com/block/goose | AAIF ecosystem | Apache-2.0; 31k+ stars |
+| Goose GOVERNANCE.md | https://github.com/block/goose/blob/main/GOVERNANCE.md | AAIF licensing analysis | |
+| Aider | https://github.com/Aider-AI/aider | Engine Phase 3 | Apache-2.0; CLI-based AI coding |
+| Cursor by Anysphere | https://cursor.com | Engine Phase 4 | IDE with AI integration |
+| GitHub Copilot | https://github.com/features/copilot | Engine Phase 4 | AI pair programmer |
+| Windsurf by Codeium | https://codeium.com/windsurf | Engine Phase 4 | AI-powered IDE |
+| Anthropic Ruby SDK | https://github.com/anthropics/anthropic-sdk-ruby | `doc/ADOPT.md`, `CONTRIBUTING.md` | gem: anthropic ~> 1.16 |
+
+---
+
+## 3. D-Bus & Desktop IPC
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| D-Bus Specification | https://dbus.freedesktop.org/doc/dbus-specification.html | `desktop_integration.yml` | Wire protocol |
+| D-Bus API Design Guidelines | https://dbus.freedesktop.org/doc/dbus-api-design.html | `desktop_integration.yml` | Interface design |
+| D-Bus Tutorial (freedesktop.org) | https://dbus.freedesktop.org/doc/dbus-tutorial.html | Desktop integration research | |
+| D-Bus (Wikipedia) | https://en.wikipedia.org/wiki/D-Bus | Desktop integration research | Overview |
+| D-Bus (ArchWiki) | https://wiki.archlinux.org/title/D-Bus | Desktop integration research | Practical guide |
+| KDE D-Bus Introduction | https://develop.kde.org/docs/features/d-bus/introduction_to_dbus/ | Desktop integration research | KDE perspective |
+| Wayland vs D-Bus for Shell IPC (KDE Blog) | https://blogs.kde.org/2020/10/11/linux-desktop-shell-ipc-wayland-vs-d-bus-and-lack-agreement-when-use-them/ | Desktop integration research | Architecture decision |
+| Arch Linux RFC 0025: dbus-broker Default | https://rfc.archlinux.page/0025-dbus-broker-default/ | Desktop integration research | dbus-broker adoption |
+| systemd/User (ArchWiki) | https://wiki.archlinux.org/title/Systemd/User | Desktop integration research | User session D-Bus |
+| wlr-foreign-toplevel-management Protocol | https://wayland.app/protocols/wlr-foreign-toplevel-management-unstable-v1 | Desktop integration research | Focus tracking (wlroots) |
+| ruby-dbus on GitHub | https://github.com/mvidner/ruby-dbus | `desktop_integration.yml` | v0.24.0; LGPL-2.1 |
+| ruby-dbus Tutorial | https://github.com/mvidner/ruby-dbus/blob/master/doc/Tutorial.md | Desktop integration research | |
+| ruby-dbus on RubyGems | https://rubygems.org/gems/ruby-dbus | Desktop integration research | |
+
+---
+
+## 4. GNOME / GTK4 Development
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| GNOME Human Interface Guidelines | https://developer.gnome.org/hig/ | `ui_framework.yml`, `desktop_integration.yml` | HIG compliance |
+| GNOME Accessibility Guidelines | https://developer.gnome.org/documentation/guidelines/accessibility.html | `accessibility.yml` | |
+| GTK4 Accessibility Documentation | https://docs.gtk.org/gtk4/section-accessibility.html | `accessibility.yml`, desktop research | GtkAccessible roles |
+| GTK4 Test Accessible Functions | https://docs.gtk.org/gtk4/func.test_accessible_has_role.html | Desktop integration research | Widget testing |
+| Libadwaita Documentation | https://gnome.pages.gitlab.gnome.org/libadwaita/ | Desktop integration research | AdwPreferencesDialog |
+| ruby-gnome Project | https://github.com/ruby-gnome/ruby-gnome | `desktop_integration.yml` | gtk4 + adwaita gems |
+| gtk4 Gem on RubyGems | https://rubygems.org/gems/gtk4 | Desktop integration research | v4.3.5 (Feb 2026) |
+| adwaita Gem on RubyGems | https://rubygems.org/gems/adwaita | Desktop integration research | v4.3.5 (Feb 2026) |
+| Meson i18n Module | https://mesonbuild.com/i18n-module.html | Desktop integration research | gettext compilation |
+| Pop!_OS GNOME Control Center Patch | https://github.com/pop-os/gnome-control-center/blob/e87068996f29fe812e94478d4cebc38741c1853d/debian/patches/system76_firmware.patch | Desktop integration research | Evidence: no external GCC plugins |
+
+---
+
+## 5. KDE / Qt6 Development
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| KDE KCM Development | https://develop.kde.org/docs/features/configuration/kcm/ | `desktop_integration.yml` | KCM plugin architecture |
+| KDE Human Interface Guidelines | https://develop.kde.org/hig/ | `ui_framework.yml`, `desktop_integration.yml` | HIG compliance |
+| KDE Frameworks 6 Porting Guide | https://develop.kde.org/docs/features/configuration/porting_kf6/ | Desktop integration research | KF5 to KF6 |
+| Qt6 QAccessible Documentation | https://doc.qt.io/qt-6/qaccessible.html | `accessibility.yml`, desktop research | AT-SPI2 bridge |
+| KDE Accessibility / qt-atspi | https://community.kde.org/Accessibility/qt-atspi | Desktop integration research | |
+
+---
+
+## 6. Accessibility Standards & Tools
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| EN 301 549 (EU Accessibility Standard) | https://www.etsi.org/deliver/etsi_en/301500_301599/301549/ | `accessibility.yml` | EU target standard |
+| WCAG 2.2 Cognitive Patterns | https://www.w3.org/WAI/WCAG2/supplemental/patterns/o5p03-manageable-quantity/ | Desktop integration research | Max 5 choices per screen |
+| W3C Cognitive Accessibility | https://www.w3.org/WAI/cognitive/ | Desktop integration research | |
+| AT-SPI2 D-Bus Interfaces | https://documentation.ubuntu.com/desktop/en/latest/reference/accessibility/dbus/ | Desktop integration research | Linux a11y layer |
+
+---
+
+## 7. GUI Testing
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| Dogtail (GitLab) | https://gitlab.com/dogtail/dogtail | `testing.yml`, desktop research | v1.0.7 (Jul 2025); cross-toolkit |
+| Dogtail Cross-Toolkit Testing Article | https://ydirson.gitlab.io/the-floss-cook/a11y/2020/04/29/dogtail-against-gtk-and-qt.html | Desktop integration research | |
+| Spix (Qt6 Test Automation) | https://github.com/faaxm/spix | Desktop integration research | MIT; KDAB; XMLRPC |
+| Debian CI GUI Testing | https://wiki.debian.org/ContinuousIntegration/GUI | `ci_pipeline.yml` | xvfb + at-spi2 |
+
+---
+
+## 8. Compositor & Window Manager Integration
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| i3ipc Ruby Gem | https://github.com/veelenga/i3ipc-ruby | `desktop_integration.yml` | sway/i3 focus adapter |
+| Hyprland IPC Wiki | https://wiki.hyprland.org/IPC/ | `desktop_integration.yml` | socket2 events |
+| awesome WM D-Bus Module | https://awesomewm.org/doc/api/libraries/dbus.html | Desktop integration research | |
+
+---
+
+## 9. Ruby Gems & Libraries
+
+### 9.1 Runtime Dependencies (from rosett-ai.gemspec)
+
+| Gem | Version | URL | Purpose |
+|-----|---------|-----|---------|
+| anthropic | ~> 1.16 | https://github.com/anthropics/anthropic-sdk-ruby | Claude API client |
+| ed25519 | ~> 1.4 | https://rubygems.org/gems/ed25519 | License key signing |
+| faraday | ~> 2.14 | https://rubygems.org/gems/faraday | HTTP client |
+| gettext | ~> 3.5 | https://rubygems.org/gems/gettext | i18n (gettext format) |
+| i18n | ~> 1.14 | https://rubygems.org/gems/i18n | Internationalisation |
+| json | ~> 2.18 | https://rubygems.org/gems/json | JSON parsing |
+| json_schemer | ~> 2.5 | https://rubygems.org/gems/json_schemer | JSON Schema validation |
+| jwt | ~> 2.10 | https://rubygems.org/gems/jwt | JWT license tokens |
+| jwt-eddsa | ~> 0.9 | https://rubygems.org/gems/jwt-eddsa | Ed25519 JWT extension |
+| paint | ~> 2.3 | https://rubygems.org/gems/paint | Terminal colours |
+| rainbow | ~> 3.1 | https://rubygems.org/gems/rainbow | Terminal colours |
+| rubyzip | ~> 2.4 | https://rubygems.org/gems/rubyzip | ZIP archive handling |
+| terminal-table | ~> 4.0 | https://rubygems.org/gems/terminal-table | CLI table output |
+| thor | ~> 1.5 | https://rubygems.org/gems/thor | CLI framework |
+| tty-prompt | ~> 0.23 | https://rubygems.org/gems/tty-prompt | Interactive prompts |
+| tty-spinner | ~> 0.9 | https://rubygems.org/gems/tty-spinner | CLI spinners |
+| zeitwerk | ~> 2.7 | https://rubygems.org/gems/zeitwerk | Autoloader |
+
+### 9.2 Development Dependencies (from Gemfile)
+
+| Gem | Version | URL | Purpose |
+|-----|---------|-----|---------|
+| bundler-audit | ~> 0.9 | https://rubygems.org/gems/bundler-audit | CVE audit |
+| factory_bot | ~> 6.5 | https://rubygems.org/gems/factory_bot | Test factories |
+| fakefs | ~> 3.2 | https://rubygems.org/gems/fakefs | Filesystem stubs |
+| flay | ~> 2.14 | https://rubygems.org/gems/flay | Duplication detection |
+| fpm | ~> 1.17 | https://rubygems.org/gems/fpm | Package builder |
+| mdl | ~> 0.15 | https://rubygems.org/gems/mdl | Markdown lint |
+| mutant-rspec | ~> 0.14 | https://rubygems.org/gems/mutant-rspec | Mutation testing |
+| overcommit | ~> 0.68 | https://rubygems.org/gems/overcommit | Git hooks |
+| rantly | ~> 3.0 | https://rubygems.org/gems/rantly | Property-based testing |
+| reek | ~> 6.5 | https://rubygems.org/gems/reek | Code smell detection |
+| ronn-ng | ~> 0.10 | https://rubygems.org/gems/ronn-ng | Man page generation |
+| rspec | ~> 3.13 | https://rubygems.org/gems/rspec | Test framework |
+| rubocop | ~> 1.82 | https://rubygems.org/gems/rubocop | Linter |
+| rubocop-performance | ~> 1.26 | https://rubygems.org/gems/rubocop-performance | Performance cops |
+| rubocop-rspec | ~> 3.9 | https://rubygems.org/gems/rubocop-rspec | RSpec cops |
+| ruby_audit | ~> 3.1 | https://rubygems.org/gems/ruby_audit | Ruby CVE audit |
+| simplecov | ~> 0.22 | https://rubygems.org/gems/simplecov | Coverage |
+| webmock | ~> 3.26 | https://rubygems.org/gems/webmock | HTTP mocking |
+| yard | ~> 0.9 | https://rubygems.org/gems/yard | Documentation |
+
+### 9.3 Future / Desktop Dependencies
+
+| Gem | Version | URL | Purpose |
+|-----|---------|-----|---------|
+| ruby-dbus | 0.24.0 | https://rubygems.org/gems/ruby-dbus | D-Bus IPC (Phase 1) |
+| gtk4 | 4.3.5 | https://rubygems.org/gems/gtk4 | GTK4 bindings (rosett-ai-gtk4) |
+| adwaita | 4.3.5 | https://rubygems.org/gems/adwaita | Libadwaita bindings (rosett-ai-gtk4) |
+| i3ipc | — | https://rubygems.org/gems/i3ipc | sway/i3 IPC (focus monitor) |
+| mcp | 0.9.2 | https://rubygems.org/gems/mcp | MCP server SDK |
+
+---
+
+## 10. Build, Packaging & Distribution
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| fpm Project | https://github.com/jordansissel/fpm | `doc/PACKAGING.md` | .deb builder |
+| fpm Documentation | https://fpm.readthedocs.io/en/latest/ | `doc/PACKAGING.md` | |
+| fpm on RubyGems | https://rubygems.org/gems/fpm | `doc/PACKAGING.md` | |
+| rbenv | https://github.com/rbenv/rbenv | `doc/SETUP.md` | Ruby version manager |
+| ruby-build | https://github.com/rbenv/ruby-build | `doc/SETUP.md`, `doc/PACKAGING.md` | Compile Ruby from source |
+| dpkg-deb Man Page | https://man7.org/linux/man-pages/man1/dpkg-deb.1.html | `doc/PACKAGING.md` | |
+| Debian FakeRoot Wiki | https://wiki.debian.org/FakeRoot | `doc/PACKAGING.md` | |
+| rsync Homepage | https://rsync.samba.org/ | `doc/PACKAGING.md` | |
+| rsync Man Page | https://download.samba.org/pub/rsync/rsync.1 | `doc/PACKAGING.md` | |
+| Pulp Project | https://pulpproject.org | `distribution.yml` | Multi-format repo management |
+| GNU C Library (glibc) | https://www.gnu.org/software/libc/ | `doc/PACKAGING.md` | System dependency |
+| OpenSSL | https://www.openssl.org/ | `doc/PACKAGING.md` | System dependency |
+| zlib | https://www.zlib.net/ | `doc/PACKAGING.md` | System dependency |
+| LibYAML | https://pyyaml.org/wiki/LibYAML | `doc/PACKAGING.md` | System dependency |
+| Semantic Versioning 2.0.0 | https://semver.org | `release_management.yml` | Versioning standard |
+| Keep a Changelog 1.1.0 | https://keepachangelog.com/en/1.1.0/ | `cliff.toml`, `CHANGELOG.md` | Changelog format |
+| git-cliff Configuration | https://git-cliff.org/docs/configuration | `cliff.toml` | Changelog generator |
+
+---
+
+## 11. Code Quality & Development Tools
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| Reek Project | https://github.com/troessner/reek | `doc/REEK_CONFIGURATION.md` | Code smell detector |
+| Reek 4-to-5 Migration Guide | https://github.com/troessner/reek/blob/master/docs/Reek-4-to-Reek-5-migration.md | `doc/REEK_CONFIGURATION.md` | |
+| Reek Duplicate Method Call Docs | https://github.com/troessner/reek/blob/master/docs/Duplicate-Method-Call.md | `doc/REEK_CONFIGURATION.md` | |
+| Overcommit | https://github.com/sds/overcommit | `doc/QUALITY_FIX_SUMMARY.md` | Git hook manager |
+| RubyGems | https://rubygems.org | `Gemfile` | Package registry |
+| JSON Schema Draft 2020-12 | https://json-schema.org/draft/2020-12/schema | `conf/schemas/design_schema.json` | Validation standard |
+
+---
+
+## 12. Standards & Specifications
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| XDG Base Directory Specification | https://specifications.freedesktop.org/basedir/latest/ | ADR-002 | Path resolution |
+| XDG Base Directory (ArchWiki) | https://wiki.archlinux.org/title/XDG_Base_Directory | ADR-002 | |
+| KDE XDG Filesystem Hierarchy | https://userbase.kde.org/KDE_System_Administration/XDG_Filesystem_Hierarchy | ADR-002 | |
+| Ruby EOL Dates | https://endoflife.date/api/ruby.json | `lifecycle_management.yml` | Version lifecycle |
+| Ruby Official Releases | https://www.ruby-lang.org/en/downloads/releases/ | `lifecycle_management.yml` | |
+
+---
+
+## 13. Project Infrastructure
+
+| Resource | URL | Related To | Notes |
+|----------|-----|------------|-------|
+| rosett-ai Repository | https://gitlab.neatnerds.be/neatnerds/NeatNerds-AI/rosett-ai | `rosett-ai.gemspec`, `CONTRIBUTING.md` | Source code |
+| rosett-ai Releases | https://gitlab.neatnerds.be/neatnerds/NeatNerds-AI/rosett-ai/-/releases | `INSTALL.md` | Download packages |
+| rosett-ai Design Schema | https://gitlab.neatnerds.be/neatnerds/NeatNerds-AI/rosett-ai/schemas/design_schema.json | `conf/schemas/design_schema.json` | $id URI |
+| rosett-ai Pricing Page | https://neatnerds.be/rosett-ai/pricing | `content_packs.yml` | Content pack tiers |
+| APT Repository GPG Key | https://repo.neatnerds.be/gpg.key | `distribution.yml` | Package signing |
+| APT Repository (stable) | https://repo.neatnerds.be/stable | `distribution.yml` | Debian packages |
+| RPM Repository (stable) | https://repo.neatnerds.be/stable/rpm | `distribution.yml` | RPM packages |

data/doc/SECURITY_REVIEW_CHECKLIST.md

@@ -0,0 +1,72 @@
+# Security Review Checklist
+
+Use this checklist when reviewing changes that affect trust boundaries,
+external integrations, or security-sensitive code.
+
+## Pre-Review
+
+- [ ] Identify which trust boundaries (see `doc/THREAT_MODEL.md`) are affected
+- [ ] Confirm the change does not introduce a new trust boundary without
+      updating the threat model
+
+## Input Validation
+
+- [ ] All external input is validated at the boundary (not deep in the call chain)
+- [ ] `YAML.safe_load` is used (never `YAML.load`)
+- [ ] File size, nesting depth, and key count limits are enforced for YAML input
+- [ ] CLI arguments are type-checked by Thor
+- [ ] Environment variables have safe defaults via `ENV.fetch`
+
+## Output Safety
+
+- [ ] Output paths are canonicalised with `File.expand_path`
+- [ ] Output paths are checked against the whitelist
+  (`~/.claude/`, project `.claude/`, `~/.config/rosett-ai/`)
+- [ ] File permissions are set explicitly (`0644`, `0755`, `0600` as appropriate)
+- [ ] Temporary files use `Tempfile.new` with `ensure` cleanup
+
+## Secrets
+
+- [ ] Secrets are never logged, displayed, or included in error messages
+- [ ] Secret files use `0600` permissions
+- [ ] Secrets resolution follows the hierarchy: ENV > keyring > secrets file
+- [ ] No hardcoded credentials in source code
+
+## Shell Commands
+
+- [ ] All shell commands use array-form `system()` (never string interpolation)
+- [ ] User input is never interpolated into shell command strings
+- [ ] Command output is not passed to `eval` or similar
+
+## Dependencies
+
+- [ ] New dependencies are justified and documented
+- [ ] `Gemfile.lock` is updated with exact version pins
+- [ ] `bundler-audit` passes with no findings
+- [ ] Native extension gems are documented and justified
+
+## Content Packs
+
+- [ ] Content pack YAML is validated against schemas
+- [ ] Archive extraction checks for path traversal
+- [ ] No Ruby code is executed from content packs
+- [ ] Checksums are verified before installation
+
+## D-Bus
+
+- [ ] Method signatures match expected types
+- [ ] Unknown methods return appropriate D-Bus errors
+- [ ] Arguments are validated beyond type checking
+- [ ] Only session bus is used (no system bus)
+
+## ANSI / Display
+
+- [ ] Control characters are stripped from external input before display
+- [ ] No information is conveyed by colour alone
+- [ ] TTY detection is used to disable formatting for non-interactive output
+
+## Post-Review
+
+- [ ] Threat model is updated if new trust boundaries were introduced
+- [ ] Security-relevant test cases are added (positive and negative)
+- [ ] `gitleaks` passes (no secrets in committed code)