Publication Strategy

Publish only what is meant to be public.

The cleanest model is a private working repository with explicit public export bundles. Docs, open specs, and public example fixtures each get their own allow-listed release target instead of mirroring the whole repository by accident.

Recommended Split

Seven public repos plus one release bundle lane

Docs repo: the static site under docs/, suitable for GitHub Pages.
Governance repo: charter, governance, conflicts, sponsor model, and release policy.
Specs repo: draft artifact formats, mapping methodology, control-boundary metadata, exact-anchor review pilots, witness receipts, revocations, signed-artifact manifests, and versioning rules.
Examples repo: replay bundles, lifecycle examples, signature manifests, public keys, other synthetic public test data, and the versioned verifier release bundle.
Conformance repo: descriptive vectors, witness expectations, and an executable validator tied to the public examples.
Evidence-schema repo: typed evidence claim envelopes, actor and signer metadata, trust-policy references, provenance fields, and public claim-type payload schemas.
Actor trust-policy registry: machine-readable delegated-approver, verifier-service, and witness policy rules.
Actor identity registry: the current synthetic actor, signer, and witness identities backing the ExampleCo corridors and release artifacts.
Lean4-controls repo: a buildable Lean 4 corridor with explicit proof-boundary notes plus a LegalLean-backed typed layer for `FormalisationBoundary`, `Defeats`, `Vague`, typed logging, and the first minimal-corpus solver with runtime claim decisions. The current public predicates now cover scoped password policy, managed web-application-firewall state, unique named infrastructure identities, customer and environment segmentation, ingress-boundary attachment, admin-ingress restriction, plaintext-transport disablement, scoped encryption at rest, and the cyber-baseline default-deny boundary in addition to the earlier identity, logging, key, location, and backup slice.

Why Split Them

Different audiences, different risk

The docs need to be simple and public. The open specs need reviewable semantics and versioning. The example bundles need public-safe synthetic fixtures. The private working repo may still contain internal experiments, private evidence, or unpublished runtime work that should never leak into a public mirror.

The public GitHub organization is the easiest way to browse those boundaries directly, and the repository map on this site links each public repo to its role.

Submodule-friendly model

private monorepo
  projects/dev/opencompliance/docs/              -> public docs repo or docs submodule
  projects/dev/opencompliance/foundation/        -> public governance repo or governance submodule
  projects/dev/opencompliance/open-specs/        -> public specs repo or specs submodule
  projects/dev/opencompliance/fixtures/public/   -> public examples repo or examples submodule
  projects/dev/opencompliance/conformance/       -> public conformance repo or conformance submodule
  projects/dev/opencompliance/evidence-schema/   -> public schema repo or schema submodule
  projects/dev/opencompliance/lean4-controls/    -> public Lean repo or Lean submodule

private only
  projects/dev/opencompliance/src/
  projects/dev/opencompliance/fixtures/internal/
  projects/dev/opencompliance/.env
  projects/dev/opencompliance/secrets/

Rule 1

Allow-list every release

Publication should be manifest-driven. If a path is not listed for a public bundle, it does not ship.

See release policy

Rule 2

Run public-boundary checks in CI

Secret scans, path checks, and artifact-manifest validation should block release before anything reaches the mirror target.

See conformance repo

Rule 3

Keep docs independently publishable

The docs bundle should work as a standalone GitHub Pages site so it can be published without exposing the rest of the project.

Open site repo

Rule 4

Only ship synthetic examples by default

The public examples should be synthetic unless a real example has been explicitly approved for release. Public review works fine without customer leakage.

Open examples repo

Rule 5

Release a runnable verifier bundle

The public runtime should not exist only as private repo glue. The examples surface now also carries a versioned verifier bundle that can rerun the synthetic corridors outside the monorepo.

See verifier release

What the public repos now carry

Examples

Seven corridor bundles, lifecycle/signing packs, and a verifier release

The public `examples` repo now has a small `minimal` blocked bundle, a `failed` corridor that demonstrates present-but-non-compliant evidence, a `stale` corridor that demonstrates freshness-blocked evidence, a richer `medium` blocked corridor with raw synthetic source exports spanning repo policy, CI policy, IAM, cloud, password policy, managed WAF state, centralized monitoring, storage encryption, infrastructure identity state, and environment-segmentation state, signed governance attestations for access-review closure, monitoring review, configuration exceptions, patch exceptions, incident procedures, and vendor terms, plus Lean-backed access-review-export, password-policy, managed-WAF, centralized-monitoring, managed-boundary, admin-ingress, plaintext-transport, encryption-at-rest, unique-infrastructure-identity, repository-integrity, CI-policy, and segmentation claims, an `issued` ExampleCo corridor that demonstrates the narrow certificate path with typed access-review exports, scoped password-policy, managed-WAF, centralized-monitoring, storage-encryption, infrastructure-identity, and environment-segmentation exports, plus signed closure, monitoring-review, and incident-runbook attestations, a `cyber-baseline` corridor that demonstrates a clean Cyber Essentials-style hygiene baseline with Lean-backed default-deny boundary, secure-baseline, update-hygiene, and malware-protection proofs, and an `ai-governance` corridor that now demonstrates documentary AI governance plus machine-checkable disclosure and provenance, alongside signed evaluation and data-quality governance attestations. The `exampleco-showcase` meta-pack aggregates the strongest company-level story across four corridors, while the lifecycle pack shows drift, delta rechecks, and composed component certificates, the signing pack carries a synthetic public key plus signed-artifact manifests, and the `verifier-release/` lane now carries a stitched public verifier bundle that can rerun the synthetic corridors outside the private monorepo. Together they show persisted classification artifacts, boundary-aware proof-runner metadata, an explicit LegalLean typed-boundary summary, runtime-consumed LegalLean verdicts across all current public corridors, typed punch-lists, scoped certificates, replay bundles, transparency logs, inclusion proofs, OSCAL-shaped projections, witness receipts, lifecycle artifacts, public signature verification, a release-manifest contract, a machine-readable verifier contract, and a buyer-facing showcase model without leaking private data. Behind that public surface, the current release is now rebuilt, validated, and smoke-checked through one scripted private operator path before publication.

Open examples repo See verifier release

Conformance

The validator now checks all seven corridors

The public `conformance` repo validates typed payload schemas, persisted classification artifacts, mixed-control decompositions, proof-bundle mappings, proof-runner boundary inventory, the LegalLean typed-boundary metadata summary, runtime-consumed claim metadata for all seven current public corridors, witness digests, transparency logs, inclusion proofs, corridor control references, control-boundary mapping maturity metadata, the exact-anchor review pilot, and OSCAL projection consistency across the seven synthetic corridor bundles. It also now ships a public showcase builder that regenerates the `exampleco-showcase` summary from the checked-in corridor artifacts. The lifecycle pack is public and executable, but it is still a descriptive example rather than part of the conformance matrix.

Open conformance repo

Mapping maturity

Current State

Family proxies, not fake completeness

The public corridor still maps narrow OpenCompliance controls to family-level proxy targets. That is an honest seed state. It lets others inspect the proof corridor without pretending that whole ISO 27001 clauses or SOC 2 criteria have already been reduced into theorems. The public fixture set now spans seven synthetic corridors, including dedicated cyber-baseline and AI-governance packs, while exact-anchor review remains a separate maturity layer.

See boundary metadata

Target State

Reviewed source anchors

The state-of-the-art target is a reviewed mapping layer with exact source anchors, per-edge relation and method metadata, explicit confidence and review status, and decomposition into atomic obligations before the decidable slice enters Lean 4. The public specs now include an exact-anchor review pilot spanning 101 public controls across 30 frameworks and 332 review entries, using public-source exact anchors where possible, crosswalk-derived candidate anchors for ISO AI standards and newer ISO public abstracts where only limited official text is open, explicit blocker records where the source text is not publicly reviewable, and new program artifacts for the ISO 27001 / SOC 2 completion wave. The specs repo also now carries framework-source-availability, framework-priority, framework-coverage, standards-mapping-status, publication-model, and external-review files so those states and the actual depth order are visible in one place.

See framework depth Open reviewed mappings

Agentic AI public-safe artifacts

AI Artifact 1

Purpose and action envelope

Publish the declared task purpose, permitted autonomous actions, escalation triggers, and lawful-basis context. The current AI-governance corridor now includes a typed task-envelope export, but it still avoids publishing raw prompts or personal data by default.

See AI boundary

AI Artifact 2

Rights-ready run metadata

Expose enough structured run metadata to support access, correction, deletion, objection, and human review without making the public bundle itself a privacy leak. The current AI-governance corridor now includes a typed rights-ready run-trace export for that narrow slice.

See reconstruction model

AI Artifact 3

Retention and deletion controls

Show retention schedule references, expiry metadata, and deletion evidence for agent traces, memory, tool outputs, and inferred personal data where the corridor depends on them.

See AI corridor wording

AI Artifact 4

Supplier, recipient, and transfer map

Make model vendors, connector vendors, recipients, subprocessors, and transfer paths visible enough that controller-processor boundaries and third-party contract scope can be inspected. The current AI-governance corridor now includes a typed supplier-transfer attestation rather than leaving this completely implicit.

See public repo surfaces

Publication options

Option A

One-way export to public repos

Keep the monorepo as the source of truth, generate release manifests, and push allow-listed bundles into separate public repositories. This is the safest operational model.

See public repo layout

Option B

Public repos as submodules

Mount the public repositories as submodules and publish into them from the private repo. This helps reuse and external contribution, but the publication boundary still needs manifest checks or the submodule will just become another leak path.

See public repo layout

Immediate next step

Keep the exports synchronized, treat the released verifier bundle as a public contract rather than an ad hoc snapshot, keep going depth-first on the ISO 27001-driven decomposition order, and expand live-style connectors honestly.