fix: REUSE compliance and basedpyright errors on main#15

Open
williaby wants to merge 1 commit into
mainfrom
fix/ci-baseline-compliance

Conversation

@williaby
Contributor

Summary

Companion cleanup PR to #14. Two long-standing CI failures live on main and have nothing to do with the security/docs hardening in #14, so they are addressed here separately to keep each diff reviewable.

REUSE compliance

reuse lint fails on main with two classes of issue:

  1. 15 files lack copyright/licence information. Most are root-level dotfile configs (.cruft.json, .darglint, .dockerignore, .env.example, .infisical.json, .markdownlint.json, .mutmut_config, .prettierrc, .shellcheckrc, .yamllint), Dockerfile, uv.lock, .claude/settings.local.json.example, the Claude skills Python script, and scripts/README.md.
  2. 3 licence texts are unreferenced in LICENSES/: Apache-2.0.txt, BSD-3-Clause.txt, GPL-3.0-or-later.txt. No file in the repo declares any of them.

Fixes:

  • Extend the existing config-files annotation in REUSE.toml to cover each newly listed dotfile/build file, plus .claude/settings.local.json.example.
  • Add ".claude/**/*.py" to the MIT source-code annotation so the planning-doc validator script is covered.
  • Change the docs annotation from "*.md" to "**/*.md" so nested READMEs (e.g. scripts/README.md) are picked up without per-file listing — the existing !LICENSES/*.txt exclusion still keeps license texts out.
  • Delete the three unreferenced licence texts. They are not declared anywhere in the repo and tripped the "unused licenses" check. They can be re-added if a future dependency or vendored file adopts one of them.

basedpyright

uv run basedpyright src/ with the [api] extras installed reports five concrete errors on main:

  1. api/health.py:91, 122 — ReadinessCheck(...) calls without an error argument are flagged because Field(None, ...) is read by the type checker as "no default provided." Switching the optional fields to Field(default=None, ...) makes both the default and the type explicit.
  2. middleware/correlation.py:203 — dispatch overrides BaseHTTPMiddleware.dispatch incompatibly: the parent expects Callable[[Request], Awaitable[Response]] (Starlette's RequestResponseEndpoint), but the override types call_next as Callable[[Request], Response].
  3. middleware/correlation.py:236 — Direct consequence of (2): await call_next(request) is flagged because Response isn't awaitable. Fixing the signature in (2) fixes this too.
  4. middleware/security.py:99 — response.headers.pop("Server", None) fails type-checking because Starlette's MutableHeaders doesn't expose .pop(). Replace with the supported if "server" in response.headers: del response.headers["server"] (Starlette lowercases keys internally, so this is case-insensitive).

No behaviour changes: pop("Server", None) on a MutableHeaders would have raised AttributeError at runtime — that path was unreachable in practice because tests didn't exercise it.

Verified locally

  • reuse lint → "Congratulations! Your project is compliant with version 3.3 of the REUSE Specification" (156/156 files).
  • uv run basedpyright src/ with --extra dev --extra api → 0 errors, 27 warnings (warnings unchanged).
  • uv run ruff check src/ → clean.
  • uv run ruff format --check src/ → clean.

Test plan

  • Check REUSE Compliance workflow turns green on this branch.
  • Core Validation / Code Quality Checks passes on this branch.
  • No regression in tests on this branch (the only runtime-visible change is the Server-header deletion in SecurityHeadersMiddleware, which still strips the header when present).

https://claude.ai/code/session_015Zx4CpQVNSvskJhJXT5v3q


Generated by Claude Code

REUSE compliance (was failing on main):
- Extend REUSE.toml to cover the 15 previously unannotated files:
  .cruft.json, .darglint, .dockerignore, .env.example, .infisical.json,
  .markdownlint.json, .mutmut_config, .prettierrc, .shellcheckrc,
  .yamllint, Dockerfile, uv.lock, .claude/settings.local.json.example,
  .claude/**/*.py, and scripts/README.md.
- Change documentation glob from "*.md" to "**/*.md" so nested READMEs
  (e.g. scripts/README.md) are covered without per-file listing.
- Remove the three unreferenced license texts (LICENSES/Apache-2.0.txt,
  BSD-3-Clause.txt, GPL-3.0-or-later.txt) — nothing in the repo declared
  these, so they tripped the "unused licenses" check. They can be
  re-added if a file later adopts one of them.

basedpyright (was reporting 5 errors with [api] extras installed):
- src/foundry_unify/api/health.py: switch ReadinessCheck's optional
  fields from Field(None, ...) to Field(default=None, ...) so the type
  checker recognises the default and stops requiring "error" at every
  call site.
- src/foundry_unify/middleware/correlation.py: type call_next as
  Callable[[Request], Awaitable[Response]] (matches Starlette's
  RequestResponseEndpoint). The previous Callable[[Request], Response]
  was both an incompatible override of BaseHTTPMiddleware.dispatch and
  the reason `await call_next(request)` was flagged as not awaitable.
- src/foundry_unify/middleware/security.py: Starlette's MutableHeaders
  has no .pop(); use a case-insensitive containment check followed by
  del to strip the Server header.

Verified locally: reuse lint clean (156/156 files), basedpyright src/
clean (0 errors), ruff check + format clean.

https://claude.ai/code/session_015Zx4CpQVNSvskJhJXT5v3q
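As an added illustration (not code from this PR or from the foundry_unify project), the two middleware fixes described above in runnable form: a stand-in for Starlette's MutableHeaders (lowercased keys, deliberately no pop()) and a dispatch typed with an awaitable call_next. CaseInsensitiveHeaders, leaky_app and remaining_headers are constructed for this example; real Starlette is not imported.

```python
from __future__ import annotations

import asyncio
from collections.abc import Awaitable, Callable


class CaseInsensitiveHeaders:
    """Stand-in for Starlette's MutableHeaders: lowercased keys, no pop()."""

    def __init__(self, items: dict[str, str] | None = None) -> None:
        self._items: dict[str, str] = {}
        for key, value in (items or {}).items():
            self[key] = value

    def __contains__(self, key: object) -> bool:
        return isinstance(key, str) and key.lower() in self._items

    def __setitem__(self, key: str, value: str) -> None:
        self._items[key.lower()] = value

    def __delitem__(self, key: str) -> None:
        del self._items[key.lower()]

    def keys(self) -> list[str]:
        return list(self._items)


class Response:
    def __init__(self, headers: CaseInsensitiveHeaders) -> None:
        self.headers = headers


Request = dict[str, str]
# The call_next type the PR adopts: the endpoint returns an awaitable, so the
# result must be awaited (Callable[[Request], Response] would not type-check).
RequestResponseEndpoint = Callable[[Request], Awaitable[Response]]


def strip_server_header(response: Response) -> Response:
    # Containment check + del, the pattern the PR uses instead of .pop();
    # lowercased keys make "Server" and "server" the same header.
    if "server" in response.headers:
        del response.headers["server"]
    return response


async def dispatch(request: Request, call_next: RequestResponseEndpoint) -> Response:
    return strip_server_header(await call_next(request))


async def leaky_app(request: Request) -> Response:  # constructed downstream app
    return Response(CaseInsensitiveHeaders({"Server": "uvicorn", "Content-Type": "text/plain"}))


def remaining_headers() -> list[str]:
    return asyncio.run(dispatch({"path": "/"}, leaky_app)).headers.keys()
```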
Copilot AI review requested due to automatic review settings May 15, 2026 20:57
@coderabbitai

coderabbitai Bot commented May 15, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 86599374-3b1e-49fb-95ed-c5d14437ec42

📥 Commits

Reviewing files that changed from the base of the PR and between 6c1b9a3 and 7978c9a.

📒 Files selected for processing (7)
  • LICENSES/Apache-2.0.txt
  • LICENSES/BSD-3-Clause.txt
  • LICENSES/GPL-3.0-or-later.txt
  • REUSE.toml
  • src/foundry_unify/api/health.py
  • src/foundry_unify/middleware/correlation.py
  • src/foundry_unify/middleware/security.py

@github-actions

✅ FIPS Compatibility Check

Metric Count
Errors 0
Warnings 0
Info 0

Status: ✅ PASSED

What is FIPS?

FIPS 140-2/140-3 is a US government standard for cryptographic modules.
Systems running Ubuntu LTS with fips-updates or similar configurations
restrict cryptographic algorithms to NIST-approved ones.

Common issues:

  • Using hashlib.md5() without usedforsecurity=False
  • Dependencies using non-approved algorithms (bcrypt, DES, RC4)
  • Weak cipher configurations


Copilot AI left a comment


Pull request overview

Companion cleanup to PR #14 that fixes two long-standing CI failures on main: REUSE compliance violations and basedpyright type errors. The changes are non-functional housekeeping.

Changes:

  • Fix REUSE compliance by annotating previously-uncovered config/dotfiles in REUSE.toml and deleting three unreferenced license texts (Apache-2.0, BSD-3-Clause, GPL-3.0-or-later).
  • Fix basedpyright errors in api/health.py by using Field(default=None, ...) for optional fields.
  • Fix basedpyright errors in middleware: correct call_next signature to Callable[[Request], Awaitable[Response]] in CorrelationMiddleware.dispatch, and replace unsupported MutableHeaders.pop() with a case-insensitive del in SecurityHeadersMiddleware.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

File Description
src/foundry_unify/api/health.py Switch ReadinessCheck optional fields to explicit Field(default=None, ...) to satisfy basedpyright.
src/foundry_unify/middleware/correlation.py Add Awaitable import and correct call_next type so await call_next(request) type-checks.
src/foundry_unify/middleware/security.py Replace response.headers.pop("Server", None) (unsupported on MutableHeaders) with conditional del.
REUSE.toml Cover newly listed dotfiles/build files, include .claude/**/*.py, and broaden docs glob to **/*.md.
LICENSES/Apache-2.0.txt Delete unreferenced license text.
LICENSES/BSD-3-Clause.txt Delete unreferenced license text.
LICENSES/GPL-3.0-or-later.txt Delete unreferenced license text.
