Apply wave1 lane hygiene for music (#6)

Author: Zer0pa-Architect-Prime

.zenodo.json

@@ -0,0 +1,26 @@
+{
+  "title": "ZPE-Music",
+  "description": "ZPE-Music is a music encoding product for canonical symbolic score data, with a bounded note-local expression refinement carried on the same score note. It is useful now for MusicXML pipelines that need auditable roundtrip recovery of score structure plus note-local attack, release, and dynamics-derived fields.",
+  "creators": [
+    {
+      "name": "Zer0pa (Pty) Ltd"
+    }
+  ],
+  "keywords": [
+    "musicxml",
+    "symbolic-score",
+    "music-encoding",
+    "deterministic-codec",
+    "score-roundtrip",
+    "note-expression"
+  ],
+  "license": "LicenseRef-Zer0pa-SAL-7.0",
+  "upload_type": "software",
+  "related_identifiers": [
+    {
+      "identifier": "https://github.com/Zer0pa/ZPE-Music",
+      "relation": "isSupplementTo",
+      "scheme": "url"
+    }
+  ]
+}

CITATION.cff

@@ -1,11 +1,19 @@
 cff-version: 1.2.0
-title: zpe-music
+title: ZPE-Music
 message: If you use this repository, please cite it using this metadata.
 type: software
 authors:
-  - family-names: Zer0pa
+  - name: Zer0pa (Pty) Ltd
 version: 0.1.0
 url: https://github.com/Zer0pa/ZPE-Music
+repository-code: https://github.com/Zer0pa/ZPE-Music
+keywords:
+  - musicxml
+  - symbolic-score
+  - music-encoding
+  - deterministic-codec
+  - score-roundtrip
+  - note-expression
 license: LicenseRef-Zer0pa-SAL-7.0
 contact:
   - email: architects@zer0pa.ai

README.md

@@ -46,7 +46,7 @@ This release candidate is restamped to the verified source commit below.
 | Field | Value |
 |-------|-------|
 | Verdict | STAGED |
-| Commit SHA | 87c8f781dadc |
+| Commit SHA | ef28b3e359a9 |
 | Confidence | 100% |
 | Source | validation/results/release_verification.json |
 

REPRODUCIBILITY.md

@@ -0,0 +1,31 @@
+# Reproducibility
+
+## Canonical Inputs
+
+- `fixtures/simple_scale.musicxml`: canonical MusicXML fixture used by the
+  fresh-clone verification path
+
+The repeated-note authority cases in the public test battery are constructed in
+`tests/test_music_expression_authority_roundtrip.py`; no separate repeated-note
+fixture file is committed in this repo.
+
+## Golden-Bundle Hash
+
+This field will be populated by the `receipt-bundle.yml` workflow in Wave 3.
+
+## Verification Command
+
+```bash
+python3 -m venv .venv
+. .venv/bin/activate
+python -m pip install --upgrade pip
+python -m pip install -e '.[dev]'
+python validation/run_release_verification.py
+python -m pytest -q tests/test_music_authority_roundtrip.py tests/test_music_expression_authority_roundtrip.py tests/test_music_authority_guardrails.py
+```
+
+## Supported Runtimes
+
+- CPython 3.10+ via `src/zpe_music/`
+
+No alternate runtime surface is claimed in this repo.

SECURITY.md

@@ -1,12 +1,47 @@
 # Security Policy
 
-If you find a security issue in `zpe-music`, please report it privately to the repository owner rather than opening a public issue first.
+## Supported Scope
+
+This policy covers the `zpe-music` Python package, fixture files under
+`fixtures/`, proof artifacts, validation manifests, and security-sensitive repo
+assets such as workflows and release metadata.
+
+What counts as a security issue here:
+
+- arbitrary code execution, privilege escalation, or data exfiltration through package or dependency paths
+- secrets or tokens committed to the repo
+- vulnerable CI or release workflow behavior
+- supply-chain issues in declared dependencies or published artifacts
+
+What does not count as a security issue here:
+
+- benchmark losses
+- codec-quality regressions
+- documentation disputes about technical claims
+
+## Reporting
+
+Do not open a public issue for a security vulnerability.
+
+Report privately through:
+
+- GitHub Private Vulnerability Reporting
+- `architects@zer0pa.ai`
 
 Include:
 
-- the affected version or commit
-- reproduction steps
-- expected impact
-- any proposed mitigation
+- affected component
+- reproduction steps or proof of concept
+- severity and impact
+- suggested remediation if you have one
+
+## Response Targets
+
+| Stage | Target timeframe |
+|---|---|
+| Acknowledgement | within 5 business days |
+| Initial triage | within 10 business days |
+| Remediation or mitigation plan | post-triage, based on confirmed severity |
 
-You will receive acknowledgement after triage. Public disclosure should wait until the owner confirms the remediation plan.
+We follow coordinated disclosure and will not take legal action against
+good-faith security research that follows this policy.

docs/_reorientation/2026-04-17/NOVELTY_CARD.md

@@ -1,5 +1,5 @@
 [build-system]
-requires = ["setuptools>=68", "wheel"]
+requires = ["setuptools>=68,<77", "wheel"]
 build-backend = "setuptools.build_meta"
 
 [project]
@@ -8,9 +8,31 @@ version = "0.1.0"
 description = "Canonical symbolic-score codec with a bounded note-local expression refinement"
 readme = "README.md"
 requires-python = ">=3.10"
+license = {text = "LicenseRef-Zer0pa-SAL-7.0"}
 authors = [{name = "Zer0pa (Pty) Ltd"}]
+keywords = [
+    "musicxml",
+    "symbolic-score",
+    "music-encoding",
+    "deterministic-codec",
+    "score-roundtrip",
+    "note-expression",
+]
+classifiers = [
+    "License :: Other/Proprietary License",
+    "Intended Audience :: Science/Research",
+    "Topic :: Scientific/Engineering",
+    "Development Status :: 4 - Beta",
+]
 dependencies = ["music21>=9.1"]
 
+[project.urls]
+Homepage = "https://github.com/Zer0pa/ZPE-Music"
+Documentation = "https://github.com/Zer0pa/ZPE-Music#readme"
+Repository = "https://github.com/Zer0pa/ZPE-Music"
+Issues = "https://github.com/Zer0pa/ZPE-Music/issues"
+Changelog = "https://github.com/Zer0pa/ZPE-Music/blob/main/CHANGELOG.md"
+
 [project.optional-dependencies]
 dev = ["numpy>=1.26", "pytest>=8.0"]