Generated from configs/governance/public-readiness.yaml. Do not edit this file manually.
| Key | Value |
|---|---|
| mode | public-repo-maintainer-operated |
| public claim allowed | true |
| english canonical status | scoped-only-not-repo-wide |
| artifact publication mode | private-only |
This page is a repo-side truth reference. It records tracked governance stance, the audit paths that exist, and which remote GitHub settings remain audit-backed, unknown, or manual-only until a fresh verification run confirms them.

| ID | Claim | Evidence |
|---|---|---|
| generated-reference | This page is generated from tracked governance source and should be updated through source-plus-render, not by hand-editing the rendered markdown. | configs/governance/public-readiness.yaml, scripts/ci/render-public-readiness-doc.mjs, docs/reference/public-readiness.md |
| private-default-artifacts | Runtime evidence and failure bundles remain private-only by default unless a path is explicitly allowlisted as public-safe. | configs/governance/public-readiness.yaml |
| historical-closure-record | The v0.1.0 closure record is retained as a historical snapshot and no longer acts as current truth for live GitHub settings. | docs/releases/v0.1.0-public-closure.md |
| branch-protection-audit-path | The repository ships a dedicated branch-protection audit workflow for remote main-branch protection rechecks. | .github/workflows/branch-protection-audit.yml |
| public-surface-audit-path | The repository ships a dedicated public-surface audit workflow and script for manual or scheduled rechecks of API-readable and GraphQL-readable public GitHub metadata. | .github/workflows/public-surface-audit.yml, scripts/ci/public-surface-audit.mjs |
| protected-sensitive-workflows | Secret-backed live, desktop, and privileged governance workflows stay on GitHub-hosted runners, require workflow_dispatch entrypoints when they touch external or privileged surfaces, and bind the owner-approved-sensitive protected environment. | .github/workflows/live-realism.yml, .github/workflows/desktop-smoke.yml, .github/workflows/nightly.yml, .github/workflows/branch-protection-audit.yml |
| deep-water-english-gate | The scoped deep-water English closure gate still protects deep-water Command Center files, frontend E2E support, runtime-path reference docs, and runtime-path governance source files. A small allowlisted set of locale-aware Command Center operator surfaces is intentionally bilingual and is verified by app tests instead of being rejected by this English-purity gate. It is not a repo-wide no-non-English guarantee. | scripts/ci/check-deep-english-purity.mjs, apps/command-center, tests/frontend-e2e, docs/reference/runtime-paths.md, docs/reference/dependency-governance.md, configs/governance/runtime-paths.yaml |
| dependabot-version-updates-reopened | Dependabot version updates are reopened on a weekly cadence with a bounded open-PR cap across GitHub Actions, npm, uv, and Docker ecosystems. | .github/dependabot.yml, docs/reference/dependency-governance.md |
| dependency-review-audit-path | The repository ships a dedicated Dependency Review check inside the required PR gate, backed by a tracked config, so dependency diffs are evaluated on the same protected merge path. | .github/workflows/pr.yml, .github/dependency-review-config.yml |
| trivy-fs-audit-path | The repository ships a Trivy filesystem audit path that runs inside the main CI and PR gates through a repo-owned wrapper script instead of a detached side workflow. | .github/workflows/ci.yml, .github/workflows/pr.yml, package.json, scripts/ci/run-trivy-fs.sh |
| zizmor-workflow-audit-path | The repository ships a zizmor workflow audit inside the main CI and PR gates so GitHub Actions policy analysis no longer relies only on actionlint or manual review. | .github/workflows/ci.yml, .github/workflows/pr.yml, package.json |
| oss-redaction-fresh-clone-audit | The OSS redaction audit now checks the tracked worktree, git history, a fresh clone, and GitHub-facing issue or pull-request text surfaces when credentials are available. | scripts/ci/oss-redaction-audit.sh |

| ID | Surface | Verification Mode | Paths | Detail |
|---|---|---|---|---|
| render-check | Rendered public-readiness reference drift | repo-local-check | scripts/ci/render-public-readiness-doc.mjs | Run the render script with `--check` to prove the reference page still matches the tracked YAML source. |
| branch-protection-remote | Remote branch-protection state on main | manual-protected-environment-workflow | .github/workflows/branch-protection-audit.yml | Use uploaded audit artifacts from the protected workflow_dispatch audit before restating required checks, review rules, or admin enforcement as current fact. |
| public-surface-remote | Remote repo visibility, default branch, description, discussions, topics, release presence, and social preview assignment | manual-or-scheduled-workflow | .github/workflows/public-surface-audit.yml, scripts/ci/public-surface-audit.mjs | The audit summary explicitly labels API-readable and GraphQL-readable signals. Social preview assignment can be queried, but uploading or replacing the image still remains a GitHub Settings action. |

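The render-check row above describes a source-plus-render drift check. The following is an added example, not the project's own scripts/ci/render-public-readiness-doc.mjs: it renders the stance table from a constructed config object and makes `--check` fail when the committed markdown no longer matches. The config values, the output path and the injected `io` read/write hooks are assumptions for this illustration.

```javascript
// Added example, not the project's scripts/ci/render-public-readiness-doc.mjs:
// a source-plus-render drift check for the stance table at the top of this page.
// The config is a constructed object mirroring the tracked YAML; Node has no
// built-in YAML parser, so a real script would load it with a YAML library.
const SOURCE = "configs/governance/public-readiness.yaml";
const OUTPUT = "docs/reference/public-readiness.md";
const GENERATED_NOTE = `Generated from ${SOURCE}. Do not edit this file manually.`;

// Constructed stance values (same keys as the rendered Key | Value table).
const sampleStance = {
  mode: "public-repo-maintainer-operated",
  "public claim allowed": true,
  "english canonical status": "scoped-only-not-repo-wide",
  "artifact publication mode": "private-only",
};

// Escape pipes so a value can never add or split a table column.
const cell = (v) => String(v).replace(/\|/g, "\\|");

function renderStanceTable(stance) {
  const rows = Object.entries(stance).map(([k, v]) => `| ${cell(k)} | ${cell(v)} |`);
  return [GENERATED_NOTE, "", "| Key | Value |", "|---|---|", ...rows, ""].join("\n");
}

// Compare the fresh render with the committed page line by line. CRLF and
// trailing whitespace are normalised so a line-ending change alone is not drift.
function checkDrift(rendered, committed) {
  const norm = (s) => s.replace(/\r\n/g, "\n").split("\n").map((l) => l.trimEnd()).join("\n").trimEnd();
  const want = norm(rendered).split("\n");
  const have = norm(committed).split("\n");
  const diffs = [];
  for (let i = 0; i < Math.max(want.length, have.length); i++) {
    if (want[i] !== have[i]) diffs.push({ line: i + 1, expected: want[i] ?? "<missing>", actual: have[i] ?? "<missing>" });
  }
  return diffs;
}

// Entry point with file access injected (io.read / io.write) so it is testable
// offline. Returns the process exit code: `--check` yields 1 on any drift.
function runRender(argv, io, stance = sampleStance) {
  const rendered = renderStanceTable(stance);
  if (!argv.includes("--check")) {
    io.write(OUTPUT, rendered);
    return 0;
  }
  const diffs = checkDrift(rendered, io.read(OUTPUT));
  for (const d of diffs) {
    console.error(`${OUTPUT}:${d.line}: expected ${JSON.stringify(d.expected)}, found ${JSON.stringify(d.actual)}`);
  }
  return diffs.length === 0 ? 0 : 1;
}
```

Wired to `process.argv.slice(2)` and `node:fs`, the same `runRender` serves both the write path and the CI `--check` path, so the committed page can only change through the tracked source.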
| ID | Remote Surface | Status | Why It Stays Out Of Tracked Truth | Reverify Path |
|---|---|---|---|---|
| live-repo-visibility | Current GitHub repository visibility and API-readable public metadata, including description, homepage, topics, discussions, and release presence | unknown-until-audited | Tracked markdown is a repo-side statement, not proof of the current remote GitHub settings. | .github/workflows/public-surface-audit.yml, scripts/ci/public-surface-audit.mjs |
| live-branch-protection | Current main-branch protection rules, required checks, review settings, and conversation resolution | unknown-until-audited | These settings live on GitHub and must come from a fresh audit artifact rather than a static repository document. | .github/workflows/branch-protection-audit.yml |
| live-secret-scanning | Current secret scanning and push protection state | manual-verification-required | GitHub API visibility can be permission-limited, so this repo keeps the state in unknown/manual until a fresh audit artifact or direct settings review confirms it. | .github/workflows/public-surface-audit.yml, GitHub Settings > Security |
| live-social-preview | Current GitHub social preview image assignment | queryable-state-manual-mutation | The current assignment is queryable through GraphQL or gh repo view fields such as openGraphImageUrl and usesCustomOpenGraphImage, but uploading or replacing the image still requires GitHub Settings. | scripts/ci/public-surface-audit.mjs, `gh repo view <owner>/<repo> --json openGraphImageUrl,usesCustomOpenGraphImage`, GitHub Settings > General > Social preview |
| live-push-protection | Current push protection state | manual-verification-required | Push protection remains a GitHub-side enforcement surface that should not be restated from repo prose without direct settings verification. | GitHub Settings > Security |

| ID | Class | Status | Owner | Detail | Evidence |
|---|---|---|---|---|---|
| remote-github-state-proof | blocker | open | maintainers | Remote GitHub settings still require audit-backed verification and must not be stated as unconditional repo-side truth. | .github/workflows/branch-protection-audit.yml, .github/workflows/public-surface-audit.yml, docs/reference/public-readiness.md |

| ID | Class | Status | Owner | Detail | Evidence |
|---|---|---|---|---|---|
| public-surface-audit-baseline | precondition | pending | maintainers | Establish and retain a current public-surface audit artifact before promoting GitHub-side metadata into tracked current-state prose. | .github/workflows/public-surface-audit.yml, scripts/ci/public-surface-audit.mjs |

- repo-side confirmed means the repository itself contains the tracked source, script, or workflow named in the evidence column.
- audit path exists means the repository has a way to re-check a remote GitHub surface; it does not mean the current remote setting already passed that check.
- unknown or manual verification required means tracked docs must stay honest and avoid restating live GitHub settings as fact until a fresh audit artifact or direct settings review confirms them.