Version: 1.0 Effective Date: February 6, 2026 Next Review: May 6, 2026 Status: Active

This policy establishes:

1. A classification system to protect trade secrets and sensitive information in public repositories
2. Enforcement mechanisms to keep living documents current with every significant change
3. Clear boundaries between public transparency and confidential business operations

This policy implements the transparency exceptions defined in GOVERNANCE_PROTOCOL.md Protocol 9.3.

Documents visible to anyone. Must NOT contain trade secrets, financials, investor details, or stakeholder PII.

Rule: Any PR that modifies workflows, labels, templates, or board configuration MUST include corresponding doc updates as part of the PR checklist.

Documents that should live in private repositories or GitHub Wiki with restricted access. Contain operational details that are not trade secrets but provide competitive insight.

Must NEVER appear in any public repository, commit history, issue, or PR comment.

A GitHub Actions workflow (doc-freshness-check.yml) MUST run on every PR to main/master:

What it checks:

• If the PR modifies files in .github/workflows/, require updates to .github/workflows/README.md
• If the PR modifies labels.yml, require updates to PROJECT_BOARD_GUIDE.md label sections
• If the PR modifies issue templates, require updates to PROJECT_BOARD_GUIDE.md workflow sections
• If the PR closes an issue linked to a milestone, flag MILESTONES_OVERVIEW.md for update
• If any classified-public doc has a Last Updated date older than 90 days, warn in PR comment

Enforcement level: Warning (non-blocking) for first 30 days, then blocking.

A weekly scheduled workflow (doc-staleness-audit.yml) MUST:

• Parse all markdown files for Last Updated dates
• Flag any doc past its stated Next Review date
• Create an issue titled [DOC REVIEW] {filename} is past review date with label type: documentation
• Assign to the doc owner or @core-team

A pre-merge check (sensitive-content-scan.yml) MUST scan PRs for:

• Email addresses not in an approved public list
• Phone numbers
• Dollar amounts with context suggesting financials (e.g., "$X funding", "revenue", "burn rate")
• Keywords: "investor", "pitch", "funding round", "valuation", "NDA", "confidential"
• API key patterns, wallet addresses, credentials

Action on match: Block merge, comment with findings, require manual override by core team member.

The existing PULL_REQUEST_TEMPLATE.md MUST include a documentation checklist:

## Documentation Impact
- [ ] No documentation updates needed
- [ ] Updated relevant docs (list which ones)
- [ ] Verified no confidential information in changes
- [ ] Updated `Last Updated` date on modified docs

The author (or reviewer) is responsible for:

1. Check: Does this PR change any process, workflow, template, label, or board structure?
2. Update: If yes, update the corresponding public doc(s) in the same PR
3. Date: Bump Last Updated on every doc modified
4. Review: Reviewer verifies doc updates match code changes

1. If the bug was tracked on the project board, verify board guide accuracy
2. If the bug revealed a process gap, update CONTRIBUTING.md or relevant process doc
3. If the bug was a security issue, follow SECURITY.md disclosure process

1. Core team reviews all Last Updated dates
2. Update GOALS.md OKR progress
3. Run doc staleness audit manually if automated version not yet deployed

1. Full doc review cycle per GOVERNANCE_PROTOCOL.md Protocol 10.2
2. Rotate Next Review dates
3. Archive or deprecate obsolete docs
4. Verify classification levels still appropriate

The following content is currently in PUBLIC repos but violates this classification policy:

Every living document MUST have a designated owner responsible for freshness.

• GOVERNANCE_PROTOCOL.md - Protocol 9.3 (Transparency Exceptions)
• SECURITY.md - Security reporting and handling
• CONTRIBUTING.md - Contribution process
• ORG_AUDIT_RECOMMENDATIONS.md - Current audit findings

Last Updated: February 6, 2026 Next Review: May 6, 2026