
@wksantiago (Contributor) commented Jan 12, 2026

Summary

  • Add CONTRIBUTING.md with development guidelines
  • Add SPDX headers to all source files
  • Add REUSE.toml for license annotations
  • Add reuse-action check to CI workflow

Test plan

  • reuse lint passes
  • cargo check passes
  • cargo fmt --check passes

Summary by CodeRabbit

  • Chores

    • Added SPDX license headers across the codebase for license compliance tracking.
    • Established license compliance infrastructure with REUSE configuration and license files.
    • Added a license compliance check to the CI pipeline.
  • Documentation

    • Added comprehensive contributing guidelines covering setup, code style, branching conventions, commit standards, testing, and code review criteria.



coderabbitai bot commented Jan 12, 2026

Warning

Rate limit exceeded

@wksantiago has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 57 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

📥 Commits

Reviewing files that changed from the base of the PR and between 105f973 and 71e0546.

📒 Files selected for processing (1)
  • CONTRIBUTING.md

Walkthrough

This PR adds SPDX license headers (copyright and AGPL-3.0-or-later identifiers) to approximately 80 source files across the codebase, introduces a new GitHub Actions CI job for REUSE compliance checking, adds a CONTRIBUTING.md file with project contribution guidelines, and creates licensing configuration files (LICENSES/AGPL-3.0-or-later.txt and REUSE.toml). Additionally, keep-core/src/hidden/mod.rs makes the header and volume modules public with corresponding re-exports.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| GitHub Actions CI | .github/workflows/ci.yml | Adds new "reuse" job running fsfe/reuse-action@v4 to verify SPDX compliance |
| Documentation & Configuration | CONTRIBUTING.md | New file detailing contribution guidelines including code style, commit conventions, testing requirements, and CI checks |
| License & REUSE Configuration | LICENSES/AGPL-3.0-or-later.txt, REUSE.toml | Adds complete AGPL-3.0-or-later license text and SPDX manifest with per-file copyright/license annotations |
| Root Config Files | Dockerfile.reproducible, Justfile, justfile | Each adds SPDX copyright and license identifier headers |
| Keep Agent Python | keep-agent-py/src/lib.rs | Adds SPDX license header |
| Keep Agent TypeScript | keep-agent-ts/build.rs, keep-agent-ts/src/lib.rs | Each adds SPDX license header |
| Keep Agent Rust | keep-agent/src/*.rs, keep-agent/src/mcp/*.rs | Adds SPDX license headers to ~15 files (attestation, client, entropy, error, frost, lib, manager, mcp modules, rate_limit, scope, session) |
| Keep Bitcoin | keep-bitcoin/src/*.rs | Adds SPDX license headers to ~6 files (address, descriptor, error, lib, psbt, signer) |
| Keep CLI | keep-cli/src/*.rs, keep-cli/src/commands/*.rs, keep-cli/src/signer/*.rs | Adds SPDX license headers to ~17 files (main, output, server, tui, warden, bunker, and submodules) |
| Keep Core | keep-core/src/*.rs, keep-core/src/frost/*.rs, keep-core/src/hidden/*.rs, keep-core/tests/*.rs | Adds SPDX license headers to ~21 files; keep-core/src/hidden/mod.rs additionally makes header and volume modules public with re-exports (DATA_START_OFFSET, HEADER_SIZE, HIDDEN_HEADER_OFFSET, HiddenStorage, VolumeType) |
| Keep Enclave | keep-enclave/enclave/src/*.rs, keep-enclave/host/src/*.rs, keep-enclave/host/tests/*.rs, keep-enclave/src/lib.rs | Adds SPDX license headers to ~20 files (audit, aws_credentials, error, kms, kmstool, main, mlock, policy, rate_limit, signer, vsock_server, attestation, backend, client, error, kms, lib, mock, protocol, integration_tests) |
| Keep Frost Network | keep-frost-net/src/*.rs, keep-frost-net/tests/*.rs | Adds SPDX license headers to ~13 files (attestation, audit, error, event, lib, node, nonce_store, peer, proof, protocol, session, multinode_test) |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • feat: Hidden Volume #1: Overlaps with keep-core/src/hidden/mod.rs changes that make header and volume modules public with re-exports, directly related to Hidden Volume feature work.

Suggested reviewers

  • kwsantiago

Poem

🐰 Hop, skip, and SPDX sign,
License headers now align,
REUSE checks the copyright line,
Every file looks so fine! 📜✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: adding CONTRIBUTING.md and SPDX license headers across the codebase, which are the primary focus of this pull request. |


@wksantiago (Contributor, Author)

@coderabbitai review


coderabbitai bot commented Jan 12, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@wksantiago force-pushed the CONTRIBUTING-and-SPDX branch from b59912c to b12aaf6 on January 16, 2026 22:48

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
keep-core/src/hidden/mod.rs (1)

10-13: Make header constants crate-private; keep HiddenStorage and VolumeType public.

HiddenStorage and VolumeType are correctly exposed as public API since they're used throughout keep-cli. However, the header constants (DATA_START_OFFSET, HEADER_SIZE, HIDDEN_HEADER_OFFSET) are internal implementation details not used outside the hidden module and should remain pub(crate) to avoid overcommitting to a public API surface.

Recommended adjustment
 pub mod volume;

-pub use header::{DATA_START_OFFSET, HEADER_SIZE, HIDDEN_HEADER_OFFSET};
 pub use volume::{HiddenStorage, VolumeType};
+
+pub(crate) use header::{DATA_START_OFFSET, HEADER_SIZE, HIDDEN_HEADER_OFFSET};
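Review bot: narrowing the re-export on the `pub(crate) use header::{...}` line does not by itself take the constants out of the public API, because the walkthrough says this PR also makes the `header` module public. With a public `header` module, `DATA_START_OFFSET`, `HEADER_SIZE` and `HIDDEN_HEADER_OFFSET` stay reachable through `hidden::header::...` as long as they are declared `pub` there. Suggest returning `header` to a private module in the same change, or marking the constants `pub(crate)` at their definition, and confirming with `cargo check` that nothing in keep-cli imports them.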
🤖 Fix all issues with AI agents
In `@CONTRIBUTING.md`:
- Line 12: Update the documented minimum Rust version text in CONTRIBUTING.md so
it matches the CI MSRV job: replace the phrase "Requires Rust 1.70+" with the
enforced minimum from CI (e.g., "Requires Rust 1.83+") and confirm any
surrounding guidance or version-related references are consistent with the CI
configuration referenced by the MSRV job.
- Around line 31-36: The markdown examples use fenced code blocks without
language identifiers which triggers MD040; add a language tag (e.g., text or
markdown) to both fenced blocks shown (the generic template block starting with
"<type>: <short summary>" and the specific example starting with "fix: prevent
memory exhaustion on malformed vault data") so they read "```text" (or
"```markdown") at the opening fence; ensure both opening fences are updated
accordingly for the examples mentioned and the identical pair at lines 41-46.
🧹 Nitpick comments (3)
.github/workflows/ci.yml (1)

15-19: Pin GitHub Actions to commit SHAs for supply‑chain hardening.
Floating tags (@v4) can change unexpectedly; consider pinning to exact SHAs and updating via Dependabot/Renovate.

🔐 Example pattern
-      - uses: actions/checkout@v4
-      - uses: fsfe/reuse-action@v4
+      - uses: actions/checkout@<commit-sha> # v4.x
+      - uses: fsfe/reuse-action@<commit-sha> # v4.x
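Review bot: the `<commit-sha>` placeholders on both `+` lines need to be the full 40-character commit SHA rather than an abbreviated hash, and the trailing `# v4.x` comment should name the exact release tag that SHA was taken from, so a reviewer can check the pair and Dependabot/Renovate can keep the comment in step with the hash. The same pinning should apply to any other `uses:` entries in ci.yml that this hunk does not show.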
keep-core/src/frost/signing.rs (1)

6-8: Add a brief rationale for the module-level unused_assignments allow.

The suppression is module-wide; a short note (like in frost/coordinator.rs) will clarify it’s for ZeroizeOnDrop-generated code and prevent accidental retention later.

📝 Suggested comment
 #![forbid(unsafe_code)]
-#![allow(unused_assignments)]
+// ZeroizeOnDrop derive generates assignments in Drop impl for #[zeroize(skip)] fields
+// that appear unused. Module-level allow is needed as struct-level doesn't affect generated code.
+#![allow(unused_assignments)]
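Review bot: the `#![allow(unused_assignments)]` kept on the last line still silences the lint for every hand-written function in signing.rs, and the added comment does not say so. Suggest the comment also state that scope, so it is clear that a genuine unused assignment elsewhere in this module will go unreported while the allow is in place.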
keep-core/src/frost/share.rs (1)

6-8: Add a short note explaining unused_assignments suppression.

A brief rationale (matching frost/coordinator.rs) will clarify that this is for ZeroizeOnDrop-generated code and keep the suppression intentional.

📝 Suggested comment
 #![forbid(unsafe_code)]
-#![allow(unused_assignments)]
+// ZeroizeOnDrop derive generates assignments in Drop impl for #[zeroize(skip)] fields
+// that appear unused. Module-level allow is needed as struct-level doesn't affect generated code.
+#![allow(unused_assignments)]
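Review bot: this two-line comment is word-for-word the one proposed for frost/signing.rs, so the same rationale would then live in several files, including frost/coordinator.rs. Suggest keeping the full explanation in one file and pointing to it from the others, for example `// See frost/coordinator.rs for why this allow is module-wide.`, so the copies cannot drift apart.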


Successfully merging this pull request may close these issues.

  • Add SPDX license headers (REUSE compliance)
  • Add CONTRIBUTING.md with development guidelines