Move Rescript-TEA into rescript-ecosystem/rescript-tea

Author: hyperpolymath

Rescript-TEA

@@ -19,9 +19,12 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-patch"]
+    # `open-pull-requests-limit: 0` suppresses routine version-update PRs
+    # while leaving Dependabot SECURITY PRs flowing. The previous
+    # `ignore: "*" patch` rule also silenced security PRs under GitHub\'s
+    # current Dependabot behaviour. See rsr-template-repo commit 78b050e
+    # and 007-lang/audits/audit-dependabot-automation-gap-2026-04-17.md.
+    open-pull-requests-limit: 0
 
   # Elixir/Mix
   - package-ecosystem: "mix"

rescript-ecosystem/rescript-tea/.github/dependabot.yml

@@ -0,0 +1,143 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+#
+# dependabot-automerge.yml — enable GitHub's native auto-merge on
+# Dependabot pull requests that match a declared severity / ecosystem
+# policy. Pairs with `.github/dependabot.yml`'s
+# `open-pull-requests-limit: 0` + security-only pattern (see the
+# cargo block there).
+#
+# What this does:
+#   - Triggers on every Dependabot PR.
+#   - Reads the PR's update-type metadata via the dependabot/fetch-metadata
+#     action (no free-text parsing).
+#   - Requires CI to be green before merge (GitHub's auto-merge enforces
+#     required status checks).
+#   - Gates merge behind a severity+ecosystem policy table. Default is
+#     low+medium security updates only.
+#
+# Why auto-merge on GitHub (not via a bot like rhodibot) is the right
+# layer: GitHub enforces branch protection + required checks natively,
+# and the PR author is already `dependabot[bot]`. Rhodibot doesn't need
+# to know anything about ecosystems — GitHub handles the merge mechanics
+# once we approve.
+#
+# Threat model:
+#   - A compromised upstream package with a bogus security advisory
+#     could propose a malicious version bump. Mitigation: require at
+#     least one non-automated reviewer for HIGH+CRITICAL severity
+#     (done below — we explicitly refuse to auto-approve those).
+#   - A compromised Dependabot itself is an Akerlof claim-grounder
+#     problem. Not in scope here; track under
+#     `project_claim_grounders_dual_use_akerlof.md`.
+#
+# Dogfooding: this workflow template is itself subject to the same
+# Dependabot config via the github-actions ecosystem block, so SHA
+# bumps for dependabot/fetch-metadata flow through the same path.
+
+name: Dependabot Auto-Merge
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: write        # needed to enable auto-merge
+  pull-requests: write   # needed to approve
+  # NB: keep narrow — do NOT add secrets: read or id-token: write here.
+
+jobs:
+  automerge:
+    # Only run for PRs actually authored by Dependabot.
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Fetch Dependabot metadata
+        id: meta
+        uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      # --- Policy gate -------------------------------------------------------
+      # Outputs from fetch-metadata we care about:
+      #   update-type      → version-update:semver-{patch,minor,major}
+      #   dependency-type  → direct:{development,production} | indirect
+      #   alert-state      → AUTO_DISMISSED | DISMISSED | FIXED | OPEN
+      #   ghsa-id          → GHSA-... if this is a security PR
+      # --- Policy -------------------------------------------------------------
+      # AUTO-APPROVE + AUTO-MERGE when:
+      #   1. This is a SECURITY update (ghsa-id present), AND
+      #   2. Update is patch or minor, AND
+      #   3. Severity ≤ moderate (Dependabot doesn't expose severity
+      #      directly in fetch-metadata; infer from the absence of
+      #      HIGH/CRITICAL labels added by Dependabot).
+      # Otherwise: do nothing. Human reviews HIGH+CRITICAL security
+      # updates and all non-security bumps.
+      - name: Decide policy outcome
+        id: policy
+        env:
+          GHSA_ID: ${{ steps.meta.outputs.ghsa-id }}
+          UPDATE_TYPE: ${{ steps.meta.outputs.update-type }}
+          PR_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
+        run: |
+          set -euo pipefail
+
+          is_security=false
+          is_patch_or_minor=false
+          is_high_or_critical=false
+
+          [ -n "$GHSA_ID" ] && is_security=true
+          case "$UPDATE_TYPE" in
+            version-update:semver-patch|version-update:semver-minor)
+              is_patch_or_minor=true ;;
+          esac
+
+          # Dependabot adds severity labels like "severity: high",
+          # "severity: critical". Look for those in the PR labels JSON.
+          if echo "$PR_LABELS" | grep -qiE '"(severity: (high|critical))"'; then
+            is_high_or_critical=true
+          fi
+
+          if $is_security && $is_patch_or_minor && ! $is_high_or_critical; then
+            echo "action=automerge" >> "$GITHUB_OUTPUT"
+          else
+            echo "action=skip" >> "$GITHUB_OUTPUT"
+          fi
+          echo "security=$is_security" >> "$GITHUB_OUTPUT"
+          echo "update_type=$UPDATE_TYPE" >> "$GITHUB_OUTPUT"
+          echo "ghsa=$GHSA_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Approve PR (if policy allows)
+        if: steps.policy.outputs.action == 'automerge'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr review --approve "$PR_URL" \
+            --body "Auto-approving Dependabot security update (${{ steps.policy.outputs.ghsa }}, ${{ steps.policy.outputs.update_type }}). Policy: low/moderate security patches/minors only."
+
+      - name: Enable auto-merge (if policy allows)
+        if: steps.policy.outputs.action == 'automerge'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr merge --auto --squash "$PR_URL"
+
+      - name: Write decision to step summary
+        env:
+          ACTION: ${{ steps.policy.outputs.action }}
+          IS_SECURITY: ${{ steps.policy.outputs.security }}
+          UPDATE_TYPE: ${{ steps.policy.outputs.update_type }}
+          GHSA: ${{ steps.policy.outputs.ghsa }}
+        run: |
+          {
+            echo "## Dependabot Auto-Merge Decision"
+            echo ""
+            echo "| Field | Value |"
+            echo "|-------|-------|"
+            echo "| Policy action | \`$ACTION\` |"
+            echo "| Security update | \`$IS_SECURITY\` |"
+            echo "| Update type | \`$UPDATE_TYPE\` |"
+            echo "| GHSA ID | \`${GHSA:-n/a}\` |"
+          } >> "$GITHUB_STEP_SUMMARY"

rescript-ecosystem/rescript-tea/.github/workflows/dependabot-automerge.yml

@@ -13,6 +13,9 @@ on:
 
 permissions:
   contents: read
+  # security-events: read lets the built-in GITHUB_TOKEN query this
+  # repo\'s own Dependabot alerts via the Hypatia DependabotAlerts rule.
+  security-events: read
 
 jobs:
   scan:

rescript-ecosystem/rescript-tea/.github/workflows/hypatia-scan.yml

@@ -1,3 +1,4 @@
+<<<<<<< HEAD
 # SPDX-License-Identifier: PMPL-1.0-or-later
 # RSR-compliant .gitignore
 
@@ -105,3 +106,35 @@ sync_report*.txt
 *.cmt
 *.cmti
 *.cmi
+target/
+node_modules/
+_build/
+deps/
+.elixir_ls/
+.cache/
+build/
+dist/
+=======
+# Dependencies
+node_modules/
+
+# ReScript build output
+lib/
+.bsb.lock
+*.bs.js
+
+# Editor
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+>>>>>>> 992e4b4 (feat: initial implementation of rescript-tea)

rescript-ecosystem/rescript-tea/.gitignore

@@ -1,2 +1,2 @@
-nodejs 20.11.1
+nodejs 22.13.1
 just 1.36.0

rescript-ecosystem/rescript-tea/.tool-versions

@@ -1,4 +1,5 @@
-SPDX-License-Identifier: MPL-2.0
+<<<<<<< HEAD
+SPDX-License-Identifier: PMPL-1.0-or-later
 SPDX-FileCopyrightText: 2024-2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
 
 ------------------------------------------------------------------------
@@ -406,3 +407,26 @@ Exhibit B - "Incompatible With Secondary Licenses" Notice
 
   This Source Code Form is "Incompatible With Secondary Licenses", as
   defined by the Mozilla Public License, v. 2.0.
+=======
+MIT License
+
+Copyright (c) 2024 Jonathan D.A. Jewell
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+>>>>>>> 992e4b4 (feat: initial implementation of rescript-tea)