From 54b2651a1f9138ba4487427e8d6b4a9af8b2a3d5 Mon Sep 17 00:00:00 2001 From: Codebeast Date: Fri, 10 Apr 2026 06:27:03 -0500 Subject: [PATCH] feat(security,ecosystem): outbound disclosure policy + OSS repo manifest MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the missing "outbound" side of the security policy — rules for when Stackbilt itself (operators and internal agents) files findings against its own public repositories. The existing policy covered inbound reports only; this closes the gap. What's new: 1. security.md — new "Outbound Disclosure" section: - Severity/channel routing matrix for public vs private repos - Neutral-filer rule (no internal agent branding on public issues) - Reference framing rules (cite RFCs/OWASP, not internal docs) - Scrub list of identifier classes that must not appear publicly - Cross-repo chain rule (never describe private-chain findings publicly) - Approval gate for agent-filed public issues - Disclosure audit log requirement - Policy Authoring Rule: the policy itself must pass its own scrub filter during revisions (includes a case study of the near-miss that produced this section) - Primary reporting email flipped to admin@stackbilt.dev - GHSA added as per-repo preferred channel 2. ecosystem.md — two new sections: - Open Source Libraries table listing 14 OSS repos under Stackbilt-dev with one-line purposes and repo links - OSS Core / Commercial Extension pattern documentation with aegis-oss as the concrete example; commercial extensions described abstractly without naming - Service Map AEGIS row updated to point at aegis-oss (removes the "Internal cognitive agent" phrasing that contradicted the new OSS libraries section) 3. public/ecosystem/repo-visibility.json — new machine-readable manifest: - Public allowlist only (16 repos) with ecosystem_role, disclosure channel, and fallback channel per entry - default_policy stanza: anything not listed is private, must not be referenced publicly - Routing matrix for severity -> channel decisions - Reference framing allowlist / prohibition list - agent_consumers section documenting pre-flight lookup behavior - Contains NO private repo names. Private-name scrub lists are generated dynamically by agents at session start via the authenticated GitHub API, never persisted to a public-visible location. 4. public/ecosystem/SECURITY.md.template — canonical per-repo SECURITY.md template. Placeholder {{REPO_NAME}} replaced at rollout time. Points at admin@stackbilt.dev and the canonical policy URL. Known pre-existing scrub gaps in ecosystem.md that are NOT addressed in this PR and will be tracked in a follow-up issue: - Service Map line 29: tarotscript-worker service binding identifier - Service Map line 30: img-forge-gateway service binding identifier - Authentication section lines 123, 129: edge-auth named by private repo name These were present before this PR and are editorial decisions about how the deployed auth and service-binding architecture is described. Fixing them requires broader rewriting of those sections and is out of scope for this policy introduction. Co-Authored-By: Claude Opus 4.6 (1M context) --- public/ecosystem/SECURITY.md.template | 45 +++++++ public/ecosystem/repo-visibility.json | 178 ++++++++++++++++++++++++++ src/content/docs/ecosystem.md | 38 +++++- src/content/docs/security.md | 121 ++++++++++++++++- 4 files changed, 378 insertions(+), 4 deletions(-) create mode 100644 public/ecosystem/SECURITY.md.template create mode 100644 public/ecosystem/repo-visibility.json diff --git a/public/ecosystem/SECURITY.md.template b/public/ecosystem/SECURITY.md.template new file mode 100644 index 0000000..9ac04e9 --- /dev/null +++ b/public/ecosystem/SECURITY.md.template @@ -0,0 +1,45 @@ +# Security + +For the full Stackbilt security policy, see https://docs.stackbilt.dev/security/. + +## Reporting a Vulnerability + +**Do not open a public GitHub issue for security vulnerabilities.** + +### How to report + +- **Primary channel:** email `admin@stackbilt.dev` with "SECURITY:" in the subject line +- **GitHub Security Advisory:** https://github.com/Stackbilt-dev/{{REPO_NAME}}/security/advisories/new +- Include: vulnerability description, reproduction steps, potential impact, and any suggested mitigation + +### Response targets + +| Severity | Acknowledgement | Fix target | +|---|---|---| +| Critical — active exploitation, data exposure | 24 hours | 7 days | +| High — exploitable with effort | 48 hours | 14 days | +| Medium / Low | 5 business days | Next release cycle | + +These are targets, not contractual SLAs. Stackbilt is a solo-founder operation and response times reflect that reality honestly. Critical issues affecting user data are prioritized above everything else. + +### Scope + +This policy covers all software published in this repository. For the full policy covering the entire Stackbilt-dev organization, see the [canonical security policy](https://docs.stackbilt.dev/security/). + +### Out of scope + +- Denial of service against free-tier services (Cloudflare handles DDoS) +- Rate limiting bypass on non-authenticated endpoints (unless it enables data access) +- Missing security headers on non-production deployments +- Vulnerabilities in third-party dependencies where this repo is not the upstream maintainer + +### Disclosure + +- Stackbilt practices **coordinated disclosure** with a minimum 90-day window (30 days for critical). +- Reporters are credited in release notes unless anonymity is requested. +- Good-faith security research within this policy will not face legal action. + +### Contact + +- **Primary:** admin@stackbilt.dev +- **Canonical policy:** https://docs.stackbilt.dev/security/ diff --git a/public/ecosystem/repo-visibility.json b/public/ecosystem/repo-visibility.json new file mode 100644 index 0000000..1eaa9b6 --- /dev/null +++ b/public/ecosystem/repo-visibility.json @@ -0,0 +1,178 @@ +{ + "$schema": "https://docs.stackbilt.dev/ecosystem/repo-visibility.schema.json", + "version": "1.0.0", + "updated": "2026-04-10", + "canonical_url": "https://docs.stackbilt.dev/ecosystem/repo-visibility.json", + "purpose": "Authoritative public-facing manifest of Stackbilt-dev open source repositories. Lists only repos that are safe to reference publicly. Consumed by internal automation to route findings and by external researchers to confirm which repos are in scope for public discussion.", + + "default_policy": { + "description": "Any Stackbilt-dev repository not listed in the `repos` array below is to be treated as private. Private repositories must not be referenced by name in any public artifact — blog posts, GitHub issues, PR descriptions, commit messages, conference talks, or social media posts. This includes repositories that may become public in the future but have not yet been added to this manifest.", + "unlisted_repo_handling": "treat_as_private", + "new_repo_onboarding": "Public repositories graduate into this manifest via a PR on Stackbilt-dev/docs updating this file. Opening a repo to public visibility on GitHub does not automatically add it here — the manifest is the canonical source of truth for `safe_to_reference_publicly`, not GitHub's own visibility flag." + }, + + "disclosure_channels": { + "ghsa": "GitHub Security Advisory on the target repository. Preferred for critical and high-severity security findings — coordinated disclosure with the repo maintainer, tracked in the repo's security tab.", + "email": "admin@stackbilt.dev — the canonical Stackbilt security address. Use as fallback when GHSA is not appropriate or for findings spanning multiple repositories.", + "public_issue": "Public GitHub issue on the target repository. Appropriate only for non-security findings: low-severity hardening, documentation gaps, test coverage, refactors, and performance work." + }, + + "routing_matrix": { + "description": "Severity → channel routing for findings against repos in this manifest. See https://docs.stackbilt.dev/security/ § Outbound Disclosure for the full policy.", + "critical": "ghsa", + "high_exploitable": "ghsa", + "medium_exploitable": "ghsa", + "medium_hardening": "public_issue", + "low": "public_issue", + "docs": "public_issue", + "test_gap": "public_issue" + }, + + "reference_framing_rules": { + "description": "When drafting public artifacts about these repos, cite only sources that are already publicly published.", + "allowed_citations": [ + "Published RFCs (RFC 6749, RFC 7636, RFC 7519, etc.)", + "OWASP guidance and Top 10 entries", + "Cloudflare Workers documentation at developers.cloudflare.com", + "Published npm packages on npmjs.com", + "Commits, issues, and PRs in repositories listed in this manifest", + "Publicly-dated blog posts at blog.stackbilder.com" + ], + "prohibited_citations": [ + "Commits, issues, or PRs in Stackbilt-dev repositories not listed in this manifest", + "Internal policy documents, agent memory stores, CLAUDE.md files", + "Internal incident descriptions or postmortems not publicly published", + "Sibling private service names or binding identifiers", + "Non-public pricing, customer names, or commercial configuration" + ] + }, + + "repos": [ + { + "name": "charter", + "public_name": "Charter CLI", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "OSS governance runtime, ADF context compiler, CLI gateway (Apache-2.0)", + "npm_package": "@stackbilt/cli", + "docs_url": "https://docs.stackbilt.dev/platform/#charter" + }, + { + "name": "docs", + "public_name": "Stackbilt Documentation", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "docs.stackbilt.dev — public documentation site", + "docs_url": "https://docs.stackbilt.dev/" + }, + { + "name": ".github", + "public_name": "Stackbilt-dev Organization Profile", + "disclosure_channel": "public_issue", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "GitHub organization profile and shared templates" + }, + { + "name": "stackbilt-mcp-gateway", + "public_name": "Stackbilt MCP Gateway", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "OAuth-authenticated MCP gateway routing to Stackbilt platform services", + "docs_url": "https://docs.stackbilt.dev/mcp/" + }, + { + "name": "cc-taskrunner", + "public_name": "cc-taskrunner", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Autonomous task queue for Claude Code with safety hooks, branch isolation, and PR creation" + }, + { + "name": "mindspring", + "public_name": "Mindspring", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Semantic search for AI conversation exports (ChatGPT/Claude)" + }, + { + "name": "aegis-oss", + "public_name": "AEGIS", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Persistent AI agent framework for Cloudflare Workers — multi-tier memory, autonomous goals, dreaming cycles, MCP native", + "has_commercial_extension": true, + "public_reference_note": "When discussing AEGIS in any public context, always reference aegis-oss. The commercial platform builds additional integrations on top of this OSS framework; those integrations are implementation details and are not publicly named." + }, + { + "name": "n8n-transpiler", + "public_name": "n8n-transpiler", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "n8n workflow JSON → Cloudflare Workers transpiler" + }, + { + "name": "social-sentinel", + "public_name": "Social Sentinel", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Privacy-first social sentiment monitoring with PII redaction and Workers AI sentiment analysis", + "has_commercial_extension": true, + "public_reference_note": "When discussing Social Sentinel in any public context, always reference social-sentinel. Commercial extensions are implementation details and are not publicly named." + }, + { + "name": "equity-scenario-sim", + "public_name": "Equity Scenario Sim", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Cap table simulator for partnership negotiations — deal structures, vesting, exit payouts" + }, + { + "name": "ai-playbook", + "public_name": "AI Playbook", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "AI interaction frameworks, philosophical archetypes, and context engineering patterns" + }, + { + "name": "llm-providers", + "public_name": "llm-providers", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Multi-LLM failover with circuit breakers, cost tracking, and intelligent retry" + }, + { + "name": "audit-chain", + "public_name": "audit-chain", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Tamper-evident audit trail for Cloudflare Workers — SHA-256 hash chaining with R2 immutability and D1 indexing" + }, + { + "name": "worker-observability", + "public_name": "worker-observability", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Edge-native observability for Cloudflare Workers — health checks, structured logging, metrics, tracing, SLI/SLO monitoring" + }, + { + "name": "feature-flags", + "public_name": "feature-flags", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Edge-native feature flags for Cloudflare Workers — KV-backed, per-tenant, canary rollouts, A/B conditions, Hono middleware" + }, + { + "name": "contracts", + "public_name": "Stackbilt Contracts", + "disclosure_channel": "ghsa", + "fallback_channel": "admin@stackbilt.dev", + "ecosystem_role": "Contract Ontology Layer — ODD-driven code generation from TypeScript+Zod contracts" + } + ], + + "agent_consumers": { + "description": "Internal agents that consume this manifest at pre-flight before filing any issue, PR, or security advisory against a Stackbilt-dev repository. See https://docs.stackbilt.dev/security/ § Outbound Disclosure for agent responsibilities.", + "lookup_behavior": "Agents fetch this manifest at session start, cache for the session, and check the target repo's name against the `repos` array before any filing action. A target repo not in the array is treated as private per `default_policy.unlisted_repo_handling`.", + "scrub_list_generation": "Agents generate their private-repo scrub list dynamically at session start by calling `gh api orgs/Stackbilt-dev/repos --paginate` with authenticated credentials and extracting the names of private repositories. The scrub list is held in memory only, never persisted, and never published. This manifest does not contain the scrub list directly — it contains only the positive (public) allowlist." + } +} diff --git a/src/content/docs/ecosystem.md b/src/content/docs/ecosystem.md index d149fa9..68a115b 100644 --- a/src/content/docs/ecosystem.md +++ b/src/content/docs/ecosystem.md @@ -29,7 +29,7 @@ Charter is the open-source CLI. Stackbilder and img-forge are commercial service | **TarotScript** | `tarotscript-worker` (service binding) | Deterministic scaffold engine — intent classification, scaffold-cast spreads, grimoire persistence | | **img-forge** | `img-forge-gateway` (service binding) | AI image generation API, async job queue, R2 image storage | | **Auth** | `auth.stackbilt.dev` | Centralized auth — OAuth (GitHub/Google), session management, API keys, quota, billing | -| **AEGIS** | `aegis.stackbilt.dev` | Internal cognitive agent — memory, goals, task pipeline | +| **AEGIS** | `aegis.stackbilt.dev` | Persistent AI agent framework — see [aegis-oss](https://github.com/Stackbilt-dev/aegis-oss) | | **Docs** | `docs.stackbilder.com` | Documentation (this site) | | **Blog** | `blog.stackbilder.com` | Blog and changelog | @@ -140,6 +140,42 @@ Flat tiers. No credits, no tokens, no per-action charges. Every plan includes full governance output. See [stackbilder.com/pricing](https://stackbilder.com/pricing). +## Open Source Libraries + +Beyond Charter and the commercial services, Stackbilt maintains a set of edge-native open source libraries. They are standalone, composable, and deliberately scoped — each solves one problem Cloudflare Workers developers hit repeatedly. + +| Library | Repo | Purpose | +|---|---|---| +| **Charter CLI** | [Stackbilt-dev/charter](https://github.com/Stackbilt-dev/charter) | Governance runtime, ADF context compiler, CLI gateway (Apache-2.0) | +| **Stackbilt MCP Gateway** | [Stackbilt-dev/stackbilt-mcp-gateway](https://github.com/Stackbilt-dev/stackbilt-mcp-gateway) | OAuth-authenticated MCP gateway routing to Stackbilt platform services | +| **AEGIS (OSS framework)** | [Stackbilt-dev/aegis-oss](https://github.com/Stackbilt-dev/aegis-oss) | Persistent AI agent framework for Workers — multi-tier memory, goals, dreaming cycles, MCP native | +| **llm-providers** | [Stackbilt-dev/llm-providers](https://github.com/Stackbilt-dev/llm-providers) | Multi-LLM failover with circuit breakers, cost tracking, intelligent retry | +| **worker-observability** | [Stackbilt-dev/worker-observability](https://github.com/Stackbilt-dev/worker-observability) | Edge-native observability — health checks, structured logging, metrics, tracing, SLI/SLO monitoring | +| **audit-chain** | [Stackbilt-dev/audit-chain](https://github.com/Stackbilt-dev/audit-chain) | Tamper-evident audit trail via SHA-256 hash chaining with R2 immutability and D1 indexing | +| **feature-flags** | [Stackbilt-dev/feature-flags](https://github.com/Stackbilt-dev/feature-flags) | KV-backed feature flags — per-tenant, canary rollouts, A/B conditions, Hono middleware | +| **contracts** | [Stackbilt-dev/contracts](https://github.com/Stackbilt-dev/contracts) | Stackbilt Contract Ontology Layer — ODD-driven code generation from TypeScript+Zod contracts | +| **cc-taskrunner** | [Stackbilt-dev/cc-taskrunner](https://github.com/Stackbilt-dev/cc-taskrunner) | Autonomous task queue for Claude Code with safety hooks, branch isolation, PR creation | +| **Social Sentinel** | [Stackbilt-dev/social-sentinel](https://github.com/Stackbilt-dev/social-sentinel) | Privacy-first social sentiment monitoring — PII redaction, Workers AI sentiment analysis | +| **Mindspring** | [Stackbilt-dev/mindspring](https://github.com/Stackbilt-dev/mindspring) | Semantic search for AI conversation exports — upload, embed, search, RAG chat | +| **n8n-transpiler** | [Stackbilt-dev/n8n-transpiler](https://github.com/Stackbilt-dev/n8n-transpiler) | n8n automation JSON → deployable Workers transpiler | +| **equity-scenario-sim** | [Stackbilt-dev/equity-scenario-sim](https://github.com/Stackbilt-dev/equity-scenario-sim) | Cap table simulator for partnership negotiations | +| **ai-playbook** | [Stackbilt-dev/ai-playbook](https://github.com/Stackbilt-dev/ai-playbook) | AI interaction frameworks, philosophical archetypes, context engineering patterns | + +All libraries live under the [`Stackbilt-dev`](https://github.com/Stackbilt-dev) GitHub organization. Contributions welcome — see each repo's `CONTRIBUTING.md` and `SECURITY.md`. + +## OSS Core ↔ Commercial Extension Pattern + +Some capabilities in the Stackbilt ecosystem ship as a public OSS core with a commercial productization built on top. The OSS core is the canonical, publicly-named reference implementation — that's what gets documented, discussed, contributed to, and written about. Commercial extensions are implementation details: they are not publicly named, not separately documented, and not referenced in public artifacts. + +A concrete example: [`aegis-oss`](https://github.com/Stackbilt-dev/aegis-oss) is the full persistent AI agent framework for Cloudflare Workers — multi-tier memory, autonomous goals, dreaming cycles, MCP native. It is the canonical AEGIS and is fully open source under its repository license. The commercial Stackbilt platform builds additional integrations and productization on top of that core. When referring to "AEGIS" in any public context — blog posts, GitHub issues, conference talks, external documentation, social media — the reference is to `aegis-oss`. Commercial extensions exist but are not separately named, advertised, or linked publicly. + +This convention serves two purposes: + +1. **OSS clarity.** Contributors, users, and researchers engage with one canonical repo per capability. There is no ambiguity about "which version are we talking about." +2. **Moat protection.** Commercial productization is kept out of public discussion, which prevents feature leaks and competitive mapping of the commercial surface. + +Internal contributors — including autonomous agents filing issues or drafting documentation — must follow the same convention. Public artifacts reference the OSS core only. See [Outbound Disclosure](/security/#outbound-disclosure--filing-against-stackbilt-dev-public-repositories) for the full authoring rules. + ## Multi-Stack Roadmap Cloudflare Workers is the currently supported stack. Coming soon: diff --git a/src/content/docs/security.md b/src/content/docs/security.md index f23510d..fbfc524 100644 --- a/src/content/docs/security.md +++ b/src/content/docs/security.md @@ -92,7 +92,7 @@ Stackbilt operates autonomous AI agents for code generation, testing, and infras **Do not open a public GitHub issue for security vulnerabilities.** -Email: **security@stackbilt.dev** +Email: **admin@stackbilt.dev** | Severity | Acknowledgement | Fix Target | |----------|----------------|------------| @@ -121,5 +121,120 @@ This policy covers all software published under the Stackbilt-dev GitHub organiz ### Contact -- **Primary:** security@stackbilt.dev -- **Fallback:** admin@stackbilt.dev +- **Primary:** admin@stackbilt.dev +- **GitHub Security Advisory:** `https://github.com/Stackbilt-dev/{repo}/security/advisories/new` (preferred for per-repo coordinated disclosure) + +## Outbound Disclosure — Filing Against Stackbilt-dev Public Repositories + +The policy above governs **inbound** reports — external researchers finding bugs in our software. This section governs **outbound** disclosure — findings discovered by Stackbilt itself (operators, internal agents, automated audits) against our own public repositories. + +Stackbilt runs adversarial internal audits against its own code. When findings land against a public repository, the filing channel depends on severity and exploitability. + +### Channel Routing Matrix + +| Finding class | Public repo | Private repo | +|---|---|---| +| **Critical / High exploitable** | Private disclosure only — GitHub Security Advisory on the target repo, or email `admin@stackbilt.dev`. Never a public GH issue until a fix lands and the embargo window elapses. | Public GH issue OK (repo is private). Normal internal triage. | +| **Medium, exploitable** | Private disclosure (same channels as above). | Public GH issue OK. | +| **Medium, hardening / defense-in-depth** | Public GH issue OK with the scrub rules below. | Public GH issue OK. | +| **Low / docs / test coverage / refactor** | Public GH issue OK with the scrub rules below. | Public GH issue OK. | + +Severity classification follows the same definitions used for inbound reports: Critical = active exploitation or data exposure path, High = exploitable with effort, Medium = requires specific conditions or low impact, Low = hardening / hygiene / no direct exploitation path. + +### Neutral-Filer Rule + +Public GitHub issues filed by Stackbilt operators or internal agents against Stackbilt-dev public repositories **must not**: + +- Identify the filer as an internal AI agent, automated review bot, or any named internal tooling +- Include session footers such as "Filed by X during audit session" or "Part of internal review cluster" +- Reference internal memory stores, internal policy documents, or private `CLAUDE.md` files +- Cross-reference other internal audits, findings, or issue clusters across private repositories +- Imply the existence of any internal review capability beyond what is documented in the public [ecosystem overview](/ecosystem) + +Public filings should read as if contributed by an external security researcher or a maintainer doing routine hygiene review. Technical content is the point; framing is not. + +### Reference Framing Rules + +When writing a public issue, cite: + +- Published RFCs (RFC 6749, RFC 7636, RFC 7519, etc.) +- OWASP guidance and Top 10 entries +- Cloudflare Workers documentation at `developers.cloudflare.com` +- Published npm packages and public GitHub repositories +- Commits and issues in other **public** Stackbilt-dev repositories + +Do **not** cite: + +- Private repository commits or issue numbers +- Internal policy docs or CLAUDE.md files +- Internal agent memory, internal incident postmortems, or internal architecture notes +- Sibling private services as the justification for a finding ("because we also do this in X") where X is private + +### Scrub List — Identifiers That Must Not Appear in Public Artifacts + +The following classes of identifier must not appear in any public GH issue, public commit message, public PR, public GHSA draft body, or any other publicly-visible artifact: + +- **Private repository names.** The authoritative public allowlist lives in the [machine-readable manifest](https://docs.stackbilt.dev/ecosystem/repo-visibility.json). Repositories not listed there are private by default and must not be referenced by name in public. The manifest contains only the positive (public) list — the private list is **not published**. Internal agents generate their private-name deny-regex dynamically at session start by calling `gh api orgs/Stackbilt-dev/repos --paginate` with authenticated credentials; the deny-list is held in memory only and never persisted to a public-visible location. +- **Internal tool names and agent handles** not documented in the public [ecosystem overview](/ecosystem). If the ecosystem doc doesn't name it, it is not safe to name publicly. +- **Private commit SHAs** — never cite a commit hash from a private repository in a public context. +- **Private service binding identifiers** — internal wrangler binding names, service binding entry points, and internal RPC contracts. +- **Internal incident descriptions** — references to past outages, postmortems, or security incidents unless they have been publicly published. +- **Customer names and non-public pricing details** — only the public pricing tiers at [stackbilder.com/pricing](https://stackbilder.com/pricing) may be referenced. + +### Cross-Repo Chain Rule + +If a finding in a public repository exploitability-chains with a bug or misconfiguration in a private repository, the combined chain **must not** be described in any public channel. Either: + +1. Route the entire finding privately (GHSA + email) and include the chain analysis in the private write-up, or +2. File only the public-repo-scoped portion publicly, treating the chain as embargoed until both legs are fixed. + +The decision of "can this be filed publicly" happens against the *public-only* framing of the finding. If a reasonable reader of the public filing could reconstruct the private chain, the public filing must be rewritten or withheld. + +### Approval Gate for Agent-Filed Public Issues + +Autonomous agents (CodeBeast, cc-taskrunner, and any future governance automation) are permitted to file issues against **private** Stackbilt-dev repositories without human approval, following internal triage rules. Filings against **public** Stackbilt-dev repositories require explicit operator approval per-filing — no agent may autonomously `gh issue create` or `gh api security-advisories` against a public repo. + +The approval flow: + +1. Agent drafts the finding with public framing applied from the start (not "full version then scrub") +2. Agent looks up target repo visibility against `repo-visibility.json` +3. Agent applies scrub-list regex to the draft; any match blocks the filing and surfaces the match to the operator +4. Agent presents the drafted issue body, severity classification, and channel routing decision to the operator +5. Operator approves, edits, or rejects +6. On approval, the agent files via the operator's credentials or via the approved automation surface, and writes the filing action to the disclosure audit log + +### Disclosure Audit Log + +Every filing action by an internal agent against a Stackbilt-dev repository (public or private) is written to a persistent audit log. The log records: target repo, finding severity, channel routing decision, scrub result, operator approval status (for public filings), final published URL, and timestamp. The log is the authoritative trail for "did we ever leak something we shouldn't have" — it enables after-the-fact review and policy calibration. + +### Policy Enforcement + +This outbound-disclosure policy is enforced by: + +1. **Internal agent pre-flight filters** — filing-capable agents load the [public visibility manifest](https://docs.stackbilt.dev/ecosystem/repo-visibility.json) and generate their private-name scrub list dynamically at session start, then re-check before each filing action. +2. **Operator judgment** — operators filing manually apply the same rules by hand; when in doubt, route privately. +3. **After-the-fact review** — the disclosure audit log is reviewed periodically to catch drift between policy and practice. + +Violations of this policy are treated as incidents. A public filing that names a private repository, exposes an internal agent, or leaks cross-repo chain information is a security-relevant mistake even if no external attacker acts on it, because the leaked information is already indexed by public search and archival systems the moment it ships. + +### Policy Authoring Rule + +**This policy document must pass its own scrub filter.** + +Any revision to this policy, to [`repo-visibility.json`](https://docs.stackbilt.dev/ecosystem/repo-visibility.json), to the [ecosystem overview](/ecosystem), or to any other publicly-visible Stackbilt-dev documentation artifact must be authored with the outbound disclosure rules applied from the start — not written in full detail and scrubbed after. The authoring context is the highest-risk context for accidental disclosure, because the author has the most private context loaded at exactly the moment they are writing public-facing text. + +This rule exists because the first draft of this policy — written on 2026-04-10 during the policy's creation session — attempted to publish: + +1. A `repo-visibility.json` manifest listing every private Stackbilt-dev repository by name. Because private repo names are not externally enumerable via the GitHub API without authenticated access, publishing such a manifest would have converted "private repos exist but their names are not known to external observers" into "here is the complete roster of every internal project." This is a strictly worse disclosure than leaking any individual file — repo enumeration is reconnaissance, and reconnaissance is the first step of any external attack. +2. A dual-repo section in the ecosystem documentation that explicitly named private commercial extensions alongside their OSS cores. +3. A scrub-list reference in the policy body pointing readers at the leaky manifest as an "authoritative list." + +All three were caught in a pre-commit review pass before anything was pushed to the remote. No disclosure occurred. But the near-miss validates the rule: the approval gate that this policy mandates for agent-filed public artifacts applies with equal force to policy documents themselves. The author of any policy revision must perform the same pre-flight scrub — against the same rules — that agents perform before filing. + +**Practical implications for future policy revisions:** + +1. Policy revisions to this document must be reviewed by a second pair of eyes (operator or peer reviewer) before merging, with the explicit task of verifying no private identifiers have been introduced. +2. Changes to [`repo-visibility.json`](https://docs.stackbilt.dev/ecosystem/repo-visibility.json) that add or remove repositories must be verified against the live GitHub API (`gh api orgs/Stackbilt-dev/repos`) to ensure no private repo has been accidentally added to the public allowlist. +3. The dual-repo section in ecosystem documentation must only name the OSS core of each capability. Commercial extensions exist, are referenced abstractly, and are never publicly named. +4. The phrase "the scrub list" refers to a dynamically-generated in-memory artifact, never to a persisted public file. Any proposed policy revision that attempts to publish the scrub list itself must be rejected at review. +5. Policy drafts should be committed first to a feature branch (never directly to `main`) and reviewed as a diff against the current policy before merging, so that changes are visible and auditable.