Publication Strategy

Publish only what is meant to be public.

The cleanest model is a private working repository with explicit public export bundles. Docs, open specs, and public example fixtures each get their own allow-listed release target instead of mirroring the whole repository by accident.

Recommended Split

Seven public repos

Docs repo: the static site under docs/, suitable for GitHub Pages.
Governance repo: charter, governance, conflicts, sponsor model, and release policy.
Specs repo: draft artifact formats, mapping methodology, control-boundary metadata, exact-anchor review pilots, witness receipts, revocations, signed-artifact manifests, and versioning rules.
Examples repo: replay bundles, lifecycle examples, signature manifests, public keys, and other synthetic public test data.
Conformance repo: descriptive vectors, witness expectations, and an executable validator tied to the public examples.
Evidence-schema repo: typed evidence claim envelopes, signer and provenance fields, and public claim-type payload schemas.
Lean4-controls repo: a buildable Lean 4 corridor with explicit proof-boundary notes tied to the synthetic example bundles.

Why Split Them

Different audiences, different risk

The docs need to be simple and public. The open specs need reviewable semantics and versioning. The example bundles need public-safe synthetic fixtures. The private working repo may still contain internal experiments, private evidence, or unpublished runtime work that should never leak into a public mirror.

The public GitHub organization is the easiest way to browse those boundaries directly, and the repository map on this site links each public repo to its role.

Submodule-friendly model

private monorepo
  projects/dev/opencompliance/docs/              -> public docs repo or docs submodule
  projects/dev/opencompliance/foundation/        -> public governance repo or governance submodule
  projects/dev/opencompliance/open-specs/        -> public specs repo or specs submodule
  projects/dev/opencompliance/fixtures/public/   -> public examples repo or examples submodule
  projects/dev/opencompliance/conformance/       -> public conformance repo or conformance submodule
  projects/dev/opencompliance/evidence-schema/   -> public schema repo or schema submodule
  projects/dev/opencompliance/lean4-controls/    -> public Lean repo or Lean submodule

private only
  projects/dev/opencompliance/src/
  projects/dev/opencompliance/fixtures/internal/
  projects/dev/opencompliance/.env
  projects/dev/opencompliance/secrets/

Rule 1

Allow-list every release

Publication should be manifest-driven. If a path is not listed for a public bundle, it does not ship.

Rule 2

Run public-boundary checks in CI

Secret scans, path checks, and artifact-manifest validation should block release before anything reaches the mirror target.

Rule 3

Keep docs independently publishable

The docs bundle should work as a standalone GitHub Pages site so it can be published without exposing the rest of the project.

Rule 4

Only ship synthetic examples by default

The public examples should be synthetic unless a real example has been explicitly approved for release. Public review works fine without customer leakage.

What the public repos now carry

Examples

Seven corridor bundles plus lifecycle and signing packs

The public `examples` repo now has a small `minimal` blocked bundle, a `failed` corridor that demonstrates present-but-non-compliant evidence, a `stale` corridor that demonstrates freshness-blocked evidence, a richer `medium` blocked corridor with raw synthetic source exports spanning repo policy, CI policy, IAM, cloud, and signed governance attestations for access-review closure, configuration exceptions, patch exceptions, incident procedures, and vendor terms, an `issued` ExampleCo corridor that demonstrates the narrow certificate path with typed access-review exports plus signed closure and incident-runbook attestations, a `cyber-baseline` corridor that demonstrates a clean Cyber Essentials-style hygiene baseline, an `ai-governance` corridor that demonstrates documentary AI governance plus machine-checkable disclosure, an `exampleco-showcase` meta-pack that aggregates the strongest company-level story across four corridors, a lifecycle pack showing drift, delta rechecks, and composed component certificates, and a signing pack with a synthetic public key plus signed-artifact manifests. Together they show persisted classification artifacts, boundary-aware proof-runner metadata, typed punch-lists, scoped certificates, replay bundles, transparency logs, inclusion proofs, OSCAL-shaped projections, witness receipts, lifecycle artifacts, public signature verification, and a buyer-facing showcase model without leaking private data.

Conformance

The validator now checks all seven corridors

The public `conformance` repo validates typed payload schemas, persisted classification artifacts, mixed-control decompositions, proof-bundle mappings, proof-runner boundary inventory, witness digests, transparency logs, inclusion proofs, corridor control references, control-boundary mapping maturity metadata, the exact-anchor review pilot, and OSCAL projection consistency across the seven synthetic corridor bundles. It also now ships a public showcase builder that regenerates the `exampleco-showcase` summary from the checked-in corridor artifacts. The lifecycle pack is public and executable, but it is still a descriptive example rather than part of the conformance matrix.

Mapping maturity

Current State

Family proxies, not fake completeness

The public corridor still maps narrow OpenCompliance controls to family-level proxy targets. That is an honest seed state. It lets others inspect the proof corridor without pretending that whole ISO 27001 clauses or SOC 2 criteria have already been reduced into theorems. The public fixture set now spans seven synthetic corridors, including dedicated cyber-baseline and AI-governance packs, while exact-anchor review remains a separate maturity layer.

Target State

Reviewed source anchors

The state-of-the-art target is a reviewed mapping layer with exact source anchors, per-edge relation and method metadata, explicit confidence and review status, and decomposition into atomic obligations before the decidable slice enters Lean 4. The public specs now include an exact-anchor review pilot that uses public-source exact anchors where possible, crosswalk-derived candidate anchors for ISO AI standards where only public crosswalks exist, and explicit blocker records where the source text is not publicly reviewable. The specs repo also now carries a framework-source-availability note so those three states are visible in one place.

Publication options

Option A

One-way export to public repos

Keep the monorepo as the source of truth, generate release manifests, and push allow-listed bundles into separate public repositories. This is the safest operational model.

Option B

Public repos as submodules

Mount the public repositories as submodules and publish into them from the private repo. This helps reuse and external contribution, but the publication boundary still needs manifest checks or the submodule will just become another leak path.

Immediate next step

Keep the exports synchronized, expand live-style connectors honestly, add reviewed exact anchors where the public source text supports them, and resist the temptation to publish a "reference verifier" before the public artifacts and proof corridor are stable enough to support it.