Merge commit 'd803bfe2b1fe7f5e219e50ac20d6801a0a58ac75' as 'vendor/ruvector'

2026-02-28 14:39:40 -05:00
parent 7885bf6278 d803bfe2b1
commit cd5943df23
7854 changed files with 3522914 additions and 0 deletions
--- a/vendor/ruvector/examples/scipix/.github/workflows/benchmark.yml
+++ b/vendor/ruvector/examples/scipix/.github/workflows/benchmark.yml
@@ -0,0 +1,207 @@
+name: Benchmark
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'examples/scipix/**'
+  pull_request:
+    paths:
+      - 'examples/scipix/**'
+  workflow_dispatch:
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  benchmark:
+    name: Run Benchmarks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-bench-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Install critcmp
+        run: cargo install critcmp
+
+      - name: Download baseline
+        if: github.event_name == 'pull_request'
+        run: |
+          mkdir -p target/criterion
+          gh release download baseline --pattern 'benchmark-baseline.tar.gz' --dir target/criterion || true
+          cd target/criterion && tar -xzf benchmark-baseline.tar.gz || true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run benchmarks
+        run: |
+          cd examples/scipix
+          cargo bench --all-features -- --save-baseline current
+
+      - name: Compare benchmarks
+        if: github.event_name == 'pull_request'
+        id: compare
+        run: |
+          cd examples/scipix
+          critcmp baseline current > benchmark-comparison.txt || echo "No baseline found"
+          cat benchmark-comparison.txt
+
+      - name: Comment PR with results
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const comparison = fs.readFileSync('examples/scipix/benchmark-comparison.txt', 'utf8');
+
+            const body = `## Benchmark Results
+
+            \`\`\`
+            ${comparison}
+            \`\`\`
+
+            <details>
+            <summary>Benchmark Details</summary>
+
+            - **Event**: ${{ github.event_name }}
+            - **Branch**: ${{ github.head_ref }}
+            - **Commit**: ${{ github.sha }}
+
+            </details>`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: body
+            });
+
+      - name: Store baseline (main branch only)
+        if: github.ref == 'refs/heads/main'
+        run: |
+          cd target/criterion
+          tar -czf benchmark-baseline.tar.gz */*/base
+
+      - name: Upload baseline
+        if: github.ref == 'refs/heads/main'
+        run: |
+          gh release create baseline \
+            --title "Benchmark Baseline" \
+            --notes "Automatically generated benchmark baseline" \
+            target/criterion/benchmark-baseline.tar.gz \
+            --clobber
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload benchmark results
+        uses: actions/upload-artifact@v4
+        with:
+          name: benchmark-results
+          path: |
+            examples/scipix/target/criterion
+            examples/scipix/benchmark-comparison.txt
+
+  performance-regression:
+    name: Check Performance Regression
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    needs: benchmark
+    steps:
+      - name: Download benchmark results
+        uses: actions/download-artifact@v4
+        with:
+          name: benchmark-results
+
+      - name: Check for regressions
+        id: check
+        run: |
+          # Parse benchmark results and check for >10% regression
+          if grep -q "regressed" benchmark-comparison.txt; then
+            echo "regression=true" >> $GITHUB_OUTPUT
+            echo "REGRESSION DETECTED!"
+          else
+            echo "regression=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Fail if regression
+        if: steps.check.outputs.regression == 'true'
+        run: |
+          echo "::error::Performance regression detected. Please optimize before merging."
+          exit 1
+
+  memory-profiling:
+    name: Memory Profiling
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install valgrind
+        run: sudo apt-get update && sudo apt-get install -y valgrind
+
+      - name: Build with debug symbols
+        run: |
+          cd examples/scipix
+          cargo build --profile bench
+
+      - name: Run memory profiling
+        run: |
+          cd examples/scipix
+          valgrind --tool=massif --massif-out-file=massif.out \
+            target/release/scipix-benchmark
+
+      - name: Analyze memory usage
+        run: |
+          cd examples/scipix
+          ms_print massif.out > memory-profile.txt
+          cat memory-profile.txt
+
+      - name: Upload memory profile
+        uses: actions/upload-artifact@v4
+        with:
+          name: memory-profile
+          path: examples/scipix/memory-profile.txt
+
+  flamegraph:
+    name: Generate Flamegraph
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-flamegraph
+        run: cargo install flamegraph
+
+      - name: Install perf
+        run: sudo apt-get update && sudo apt-get install -y linux-tools-common linux-tools-generic
+
+      - name: Generate flamegraph
+        run: |
+          cd examples/scipix
+          sudo cargo flamegraph --bench scipix_benchmark -- --bench
+
+      - name: Upload flamegraph
+        uses: actions/upload-artifact@v4
+        with:
+          name: flamegraph
+          path: examples/scipix/flamegraph.svg
--- a/vendor/ruvector/examples/scipix/.github/workflows/ci.yml
+++ b/vendor/ruvector/examples/scipix/.github/workflows/ci.yml
@@ -0,0 +1,186 @@
+name: CI
+
+on:
+  push:
+    branches: [main, develop]
+    paths:
+      - 'examples/scipix/**'
+      - '.github/workflows/ci.yml'
+  pull_request:
+    paths:
+      - 'examples/scipix/**'
+      - '.github/workflows/ci.yml'
+
+env:
+  CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
+
+jobs:
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: ~/.cargo/registry
+          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Cache cargo index
+        uses: actions/cache@v4
+        with:
+          path: ~/.cargo/git
+          key: ${{ runner.os }}-cargo-git-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Cache cargo build
+        uses: actions/cache@v4
+        with:
+          path: target
+          key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Check formatting
+        run: cargo fmt --check --manifest-path examples/scipix/Cargo.toml
+
+      - name: Run clippy
+        run: cargo clippy --manifest-path examples/scipix/Cargo.toml --all-features --all-targets -- -D warnings
+
+      - name: Check compilation
+        run: cargo check --manifest-path examples/scipix/Cargo.toml --all-features
+
+  test:
+    name: Test Suite
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        rust: [stable, nightly]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.rust }}
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-${{ matrix.rust }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Run tests
+        run: cargo test --manifest-path examples/scipix/Cargo.toml --all-features --verbose
+
+      - name: Run doc tests
+        run: cargo test --manifest-path examples/scipix/Cargo.toml --doc
+
+  coverage:
+    name: Code Coverage
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install tarpaulin
+        run: cargo install cargo-tarpaulin
+
+      - name: Generate coverage
+        run: cargo tarpaulin --manifest-path examples/scipix/Cargo.toml --all-features --out xml --output-dir ./coverage
+
+      - name: Upload to codecov
+        uses: codecov/codecov-action@v4
+        with:
+          files: ./coverage/cobertura.xml
+          flags: scipix
+          fail_ci_if_error: false
+
+      - name: Check coverage threshold
+        run: |
+          cargo tarpaulin --manifest-path examples/scipix/Cargo.toml --all-features --fail-under 80
+
+  bench:
+    name: Benchmarks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-bench-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Build benchmarks
+        run: cargo bench --manifest-path examples/scipix/Cargo.toml --no-run
+
+      - name: Run benchmarks
+        run: cargo bench --manifest-path examples/scipix/Cargo.toml -- --save-baseline pr
+
+  wasm:
+    name: WebAssembly Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-unknown-unknown
+
+      - name: Install wasm-pack
+        run: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
+
+      - name: Build WASM
+        run: |
+          cd examples/scipix
+          wasm-pack build --target web --features wasm
+
+      - name: Test WASM
+        run: |
+          cd examples/scipix
+          wasm-pack test --headless --firefox --chrome
+
+  security:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
+      - name: Run security audit
+        run: cargo audit --manifest-path examples/scipix/Cargo.toml
+
+      - name: Run cargo-deny
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          manifest-path: examples/scipix/Cargo.toml
--- a/vendor/ruvector/examples/scipix/.github/workflows/docs.yml
+++ b/vendor/ruvector/examples/scipix/.github/workflows/docs.yml
@@ -0,0 +1,103 @@
+name: Documentation
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'examples/scipix/**'
+      - '.github/workflows/docs.yml'
+  pull_request:
+    paths:
+      - 'examples/scipix/**'
+  workflow_dispatch:
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build-docs:
+    name: Build Documentation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Build documentation
+        run: |
+          cd examples/scipix
+          cargo doc --all-features --no-deps
+
+      - name: Add index redirect
+        run: |
+          echo '<meta http-equiv="refresh" content="0; url=ruvector_scipix/index.html">' > examples/scipix/target/doc/index.html
+
+      - name: Upload documentation
+        uses: actions/upload-artifact@v4
+        with:
+          name: documentation
+          path: examples/scipix/target/doc
+
+  deploy-docs:
+    name: Deploy Documentation
+    needs: build-docs
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download documentation
+        uses: actions/download-artifact@v4
+        with:
+          name: documentation
+          path: docs
+
+      - name: Deploy to GitHub Pages
+        uses: peaceiris/actions-gh-pages@v3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./docs
+          force_orphan: true
+
+  check-links:
+    name: Check Documentation Links
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-deadlinks
+        run: cargo install cargo-deadlinks
+
+      - name: Build and check documentation
+        run: |
+          cd examples/scipix
+          cargo doc --all-features --no-deps
+          cargo deadlinks --dir target/doc
+
+  readme-sync:
+    name: Sync README to docs.rs
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Verify README exists
+        run: test -f examples/scipix/README.md
+
+      - name: Check README formatting
+        run: |
+          cd examples/scipix
+          if ! grep -q "# RuVector Mathpix" README.md; then
+            echo "README.md should start with '# RuVector Mathpix'"
+            exit 1
+          fi
--- a/vendor/ruvector/examples/scipix/.github/workflows/release.yml
+++ b/vendor/ruvector/examples/scipix/.github/workflows/release.yml
@@ -0,0 +1,220 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'scipix-v*.*.*'
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to release'
+        required: true
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  create-release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    outputs:
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
+      version: ${{ steps.get_version.outputs.version }}
+    steps:
+      - name: Get version
+        id: get_version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "version=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+          else
+            echo "version=${GITHUB_REF#refs/tags/scipix-v}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: scipix-v${{ steps.get_version.outputs.version }}
+          release_name: RuVector Mathpix v${{ steps.get_version.outputs.version }}
+          draft: false
+          prerelease: false
+          body: |
+            # RuVector Mathpix v${{ steps.get_version.outputs.version }}
+
+            ## What's New
+            - High-performance mathematical expression recognition
+            - ONNX model integration
+            - WASM support for web applications
+            - Comprehensive benchmarking suite
+
+            ## Installation
+
+            ### Rust
+            ```bash
+            cargo add ruvector-scipix
+            ```
+
+            ### WASM/JavaScript
+            ```bash
+            npm install @ruvector/scipix-wasm
+            ```
+
+            ## Downloads
+            See assets below for pre-built binaries.
+
+  build:
+    name: Build ${{ matrix.target }}
+    needs: create-release
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-gnu
+            os: ubuntu-latest
+            artifact_name: libruvector_scipix.so
+            asset_name: libruvector_scipix-linux-x86_64.so
+
+          - target: aarch64-unknown-linux-gnu
+            os: ubuntu-latest
+            artifact_name: libruvector_scipix.so
+            asset_name: libruvector_scipix-linux-aarch64.so
+
+          - target: x86_64-apple-darwin
+            os: macos-latest
+            artifact_name: libruvector_scipix.dylib
+            asset_name: libruvector_scipix-macos-x86_64.dylib
+
+          - target: aarch64-apple-darwin
+            os: macos-latest
+            artifact_name: libruvector_scipix.dylib
+            asset_name: libruvector_scipix-macos-aarch64.dylib
+
+          - target: x86_64-pc-windows-msvc
+            os: windows-latest
+            artifact_name: ruvector_scipix.dll
+            asset_name: ruvector_scipix-windows-x86_64.dll
+
+          - target: wasm32-unknown-unknown
+            os: ubuntu-latest
+            artifact_name: ruvector_scipix_bg.wasm
+            asset_name: ruvector_scipix.wasm
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+
+      - name: Install cross-compilation tools
+        if: matrix.target == 'aarch64-unknown-linux-gnu'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcc-aarch64-linux-gnu
+
+      - name: Build
+        run: |
+          cd examples/scipix
+          cargo build --release --target ${{ matrix.target }} --features release
+
+      - name: Strip binary (Linux/macOS)
+        if: matrix.os != 'windows-latest' && matrix.target != 'wasm32-unknown-unknown'
+        run: strip target/${{ matrix.target }}/release/${{ matrix.artifact_name }}
+
+      - name: Upload Release Asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: target/${{ matrix.target }}/release/${{ matrix.artifact_name }}
+          asset_name: ${{ matrix.asset_name }}
+          asset_content_type: application/octet-stream
+
+  publish-crates:
+    name: Publish to crates.io
+    needs: [create-release, build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Publish to crates.io
+        run: |
+          cd examples/scipix
+          cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }}
+
+  publish-npm:
+    name: Publish WASM to npm
+    needs: [create-release, build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-unknown-unknown
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install wasm-pack
+        run: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
+
+      - name: Build WASM package
+        run: |
+          cd examples/scipix
+          wasm-pack build --target web --scope ruvector
+
+      - name: Update package.json version
+        run: |
+          cd examples/scipix/pkg
+          npm version ${{ needs.create-release.outputs.version }} --no-git-tag-version
+
+      - name: Publish to npm
+        run: |
+          cd examples/scipix/pkg
+          npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  publish-models:
+    name: Upload ONNX Models
+    needs: create-release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download models
+        run: |
+          cd examples/scipix
+          ./scripts/download_models.sh
+
+      - name: Create model archive
+        run: |
+          cd examples/scipix/models
+          tar -czf scipix-models-${{ needs.create-release.outputs.version }}.tar.gz *.onnx
+
+      - name: Upload models
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: examples/scipix/models/scipix-models-${{ needs.create-release.outputs.version }}.tar.gz
+          asset_name: scipix-models-${{ needs.create-release.outputs.version }}.tar.gz
+          asset_content_type: application/gzip
--- a/vendor/ruvector/examples/scipix/.github/workflows/security.yml
+++ b/vendor/ruvector/examples/scipix/.github/workflows/security.yml
@@ -0,0 +1,161 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    # Run security audit weekly
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
+      - name: Run cargo audit
+        run: cargo audit --manifest-path examples/scipix/Cargo.toml --json > audit-results.json
+
+      - name: Check for vulnerabilities
+        run: |
+          if [ $(jq '.vulnerabilities.count' audit-results.json) -gt 0 ]; then
+            echo "::error::Security vulnerabilities found!"
+            jq '.vulnerabilities.list' audit-results.json
+            exit 1
+          fi
+
+      - name: Upload audit results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-audit
+          path: audit-results.json
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate
+          deny-licenses: GPL-3.0, AGPL-3.0
+
+  cargo-deny:
+    name: Cargo Deny
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Cargo Deny
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          manifest-path: examples/scipix/Cargo.toml
+          command: check
+          arguments: --all-features
+
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: rust
+
+      - name: Build
+        run: cargo build --manifest-path examples/scipix/Cargo.toml --all-features
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+
+  secrets-scan:
+    name: Secrets Scanning
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog Scan
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./examples/scipix
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --debug --only-verified
+
+  license-check:
+    name: License Compliance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-license
+        run: cargo install cargo-license
+
+      - name: Check licenses
+        run: |
+          cd examples/scipix
+          cargo license --json > licenses.json
+
+          # Check for incompatible licenses
+          if jq '.[] | select(.license | contains("GPL"))' licenses.json | grep -q .; then
+            echo "::error::GPL licensed dependencies found!"
+            exit 1
+          fi
+
+      - name: Upload license report
+        uses: actions/upload-artifact@v4
+        with:
+          name: license-report
+          path: examples/scipix/licenses.json
+
+  supply-chain:
+    name: Supply Chain Security
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: OSSF Scorecard
+        uses: ossf/scorecard-action@v2
+        with:
+          results_file: scorecard-results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: scorecard-results.sarif