chore: Add RSR policy enforcement workflows

Author: Jonathan D.A. Jewell

.github/workflows/guix-nix-policy.yml

@@ -0,0 +1,29 @@
+name: Guix/Nix Package Policy
+on: [push, pull_request]
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Enforce Guix primary / Nix fallback
+        run: |
+          # Check for package manager files
+          HAS_GUIX=$(find . -name "*.scm" -o -name ".guix-channel" -o -name "guix.scm" 2>/dev/null | head -1)
+          HAS_NIX=$(find . -name "*.nix" 2>/dev/null | head -1)
+          
+          # Block new package-lock.json, yarn.lock, Gemfile.lock, etc.
+          NEW_LOCKS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E 'package-lock\.json|yarn\.lock|Gemfile\.lock|Pipfile\.lock|poetry\.lock|cargo\.lock' || true)
+          if [ -n "$NEW_LOCKS" ]; then
+            echo "⚠️ Lock files detected. Prefer Guix manifests for reproducibility."
+          fi
+          
+          # Prefer Guix, fallback to Nix
+          if [ -n "$HAS_GUIX" ]; then
+            echo "✅ Guix package management detected (primary)"
+          elif [ -n "$HAS_NIX" ]; then
+            echo "✅ Nix package management detected (fallback)"
+          else
+            echo "ℹ️ Consider adding guix.scm or flake.nix for reproducible builds"
+          fi
+          
+          echo "✅ Package policy check passed"

.github/workflows/security-policy.yml

@@ -0,0 +1,37 @@
+name: Security Policy
+on: [push, pull_request]
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Security checks
+        run: |
+          FAILED=false
+          
+          # Block MD5/SHA1 for security (allow for checksums/caching)
+          WEAK_CRYPTO=$(grep -rE 'md5\(|sha1\(' --include="*.py" --include="*.rb" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" . 2>/dev/null | grep -v 'checksum\|cache\|test\|spec' | head -5 || true)
+          if [ -n "$WEAK_CRYPTO" ]; then
+            echo "⚠️ Weak crypto (MD5/SHA1) detected. Use SHA256+ for security:"
+            echo "$WEAK_CRYPTO"
+          fi
+          
+          # Block HTTP URLs (except localhost)
+          HTTP_URLS=$(grep -rE 'http://[^l][^o][^c]' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.yaml" --include="*.yml" . 2>/dev/null | grep -v 'localhost\|127.0.0.1\|example\|test\|spec' | head -5 || true)
+          if [ -n "$HTTP_URLS" ]; then
+            echo "⚠️ HTTP URLs found. Use HTTPS:"
+            echo "$HTTP_URLS"
+          fi
+          
+          # Block hardcoded secrets patterns
+          SECRETS=$(grep -rEi '(api_key|apikey|secret_key|password)\s*[=:]\s*["\x27][A-Za-z0-9+/=]{20,}' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.env" . 2>/dev/null | grep -v 'example\|sample\|test\|mock\|placeholder' | head -3 || true)
+          if [ -n "$SECRETS" ]; then
+            echo "❌ Potential hardcoded secrets detected!"
+            FAILED=true
+          fi
+          
+          if [ "$FAILED" = true ]; then
+            exit 1
+          fi
+          
+          echo "✅ Security policy check passed"