Goal
Prepare this repository to be made public and shared with an external design partner. The code tree, git-history secrets, and GitHub issue/PR metadata have already been audited and cleaned. This epic tracks the remaining presentation, policy, and process gates before the visibility switch, and serves as the single go/no-go checklist.
Use generic language ("the design partner") in any new issues, comments, commits, or docs. Do not reintroduce the partner's name — the metadata was deliberately scrubbed of it.
Already done (context for anyone picking this up cold)
- Apache-2.0 license +
NOTICE added (closed work).
- Secret scan of the working tree and full git history — zero live credentials; a standing gitleaks CI lane + pre-commit hook now guard against regressions (
.gitleaks.toml, .github/workflows/secret-scan.yml).
- Metadata scrub — the partner's name, internal Notion/Slack/ClickUp links, and a third-party email were removed from all issue/PR bodies, titles, and comments; the highest-signal comments were deleted outright (link/contact/strategy).
Accepted residue (NOT open tasks — do not "fix")
- The partner's name still appears in
main commit messages and in refs/pull/* commit history. Removing it would require a force-push that rewrites every SHA and severs the commit↔PR↔approval linkage relied on for SOC 2 change-management evidence. GitHub also retains PR commit refs permanently (PRs cannot be deleted). This residue is a deliberate trade-off, accepted to preserve the audit trail.
- Edit-history dropdowns on the ~45 low-signal edited items still show pre-edit text. The per-revision delete control is UI-only and was not reliably available; not worth deleting whole technical records to chase.
Remaining gates (child issues)
Go / no-go (do these at publish time, in order)
Goal
Prepare this repository to be made public and shared with an external design partner. The code tree, git-history secrets, and GitHub issue/PR metadata have already been audited and cleaned. This epic tracks the remaining presentation, policy, and process gates before the visibility switch, and serves as the single go/no-go checklist.
Already done (context for anyone picking this up cold)
NOTICEadded (closed work)..gitleaks.toml,.github/workflows/secret-scan.yml).Accepted residue (NOT open tasks — do not "fix")
maincommit messages and inrefs/pull/*commit history. Removing it would require a force-push that rewrites every SHA and severs the commit↔PR↔approval linkage relied on for SOC 2 change-management evidence. GitHub also retains PR commit refs permanently (PRs cannot be deleted). This residue is a deliberate trade-off, accepted to preserve the audit trail.Remaining gates (child issues)
Go / no-go (do these at publish time, in order)
gitleaks git .+gitleaks dir .; confirm 0 partner-name / internal-link / secret / PII hits. (Metadata can change between now and go-time.)