fix: replace believe_me with prim__callbackToPtr FFI, batch RSR compliance

- Foreign.idr: believe_me callback cast → proper prim__callbackToPtr C FFI
- Rust crates: add #![forbid(unsafe_code)] where safe
- Batch RSR: SPDX headers, SHA-pin actions, hypatia-scan fix, hook updates
- Add test files and DAP scaffolding

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/hypatia-scan.yml

@@ -41,10 +41,9 @@ jobs:
         run: |
           if [ ! -f hypatia-v2 ]; then
             echo "Building hypatia-v2 scanner..."
-            cd scanner
             mix deps.get
             mix escript.build
-            mv hypatia ../hypatia-v2
+            mv hypatia hypatia-v2
           fi
 
       - name: Run Hypatia scan

.github/workflows/workflow-linter.yml

@@ -36,7 +36,7 @@ jobs:
             fi
           done
           if [ $failed -eq 1 ]; then
-            echo "Add '# SPDX-License-Identifier: AGPL-3.0-or-later' as first line"
+            echo "Add '# SPDX-License-Identifier: PMPL-1.0-or-later' as first line"
             exit 1
           fi
           echo "All workflows have SPDX headers"

examples/SafeDOMExample.res

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: AGPL-3.0-or-later
+// SPDX-License-Identifier: PMPL-1.0-or-later
 // Example: Using SafeDOM for formally verified DOM mounting
 
 open SafeDOM

ffi/zig/build.zig

@@ -1,5 +1,5 @@
 // {{PROJECT}} FFI Build Configuration
-// SPDX-License-Identifier: AGPL-3.0-or-later
+// SPDX-License-Identifier: PMPL-1.0-or-later
 
 const std = @import("std");
 

ffi/zig/src/main.zig

@@ -3,7 +3,7 @@
 // This module implements the C-compatible FFI declared in src/abi/Foreign.idr
 // All types and layouts must match the Idris2 ABI definitions.
 //
-// SPDX-License-Identifier: AGPL-3.0-or-later
+// SPDX-License-Identifier: PMPL-1.0-or-later
 
 const std = @import("std");
 

ffi/zig/test/integration_test.zig

@@ -1,5 +1,5 @@
 // {{PROJECT}} Integration Tests
-// SPDX-License-Identifier: AGPL-3.0-or-later
+// SPDX-License-Identifier: PMPL-1.0-or-later
 //
 // These tests verify that the Zig FFI correctly implements the Idris2 ABI
 

hooks/validate-codeql.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: PMPL-1.0-or-later
 # Pre-commit hook: Validate CodeQL language matrix matches repo
 set -euo pipefail
 

hooks/validate-permissions.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: PMPL-1.0-or-later
 # Pre-commit hook: Validate workflow permissions declarations
 set -euo pipefail
 ERRORS=0

hooks/validate-sha-pins.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: PMPL-1.0-or-later
 # Pre-commit hook: Validate GitHub Actions are SHA-pinned
 
 set -euo pipefail

hooks/validate-spdx.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-License-Identifier: PMPL-1.0-or-later
 # Pre-commit hook: Validate SPDX headers in workflow files
 
 set -euo pipefail
@@ -13,7 +13,7 @@ for workflow in .github/workflows/*.yml .github/workflows/*.yaml; do
     first_line=$(head -n1 "$workflow")
     if ! echo "$first_line" | grep -qE "$SPDX_PATTERN"; then
         echo "ERROR: Missing SPDX header in $workflow"
-        echo "  First line should be: # SPDX-License-Identifier: AGPL-3.0-or-later"
+        echo "  First line should be: # SPDX-License-Identifier: PMPL-1.0-or-later"
         ERRORS=$((ERRORS + 1))
     fi
 done