Public boundary and provenance

2 min readReferenceUpdated 2026-05-19

What you'll find here

The machine-checkable MVP boundary that keeps Craik public docs free of private paths, raw credentials, internal-only labels, and local secret filenames — plus the hygiene scanner and provenance helpers.

Public docs are policed.

craik.runtime.projects.public_docs provides the machine-checkable boundary; scripts/check_public_docs_hygiene.py runs in the CI security gate.

Classification

Class

Covers

Notes

public

shipped

README · changelog · Docusaurus docs.

internal

repo

Source · tests · scripts · CI · unclassified repository work.

private

local

Local state · secret paths · user-specific runtime files.

Hygiene

scripts/check_public_docs_hygiene.py scans public docs for obvious leaks. The CI security gate runs it with release-readiness and policy tests.

Provenance

Generated docs cite source.

generated_doc_provenance creates craik.evidence_reference records that link generated docs back to source files, tests, or commands.

Staleness

stale_documentation_findings compares generated docs against source mtimes and returns stale-risk findings when a source is newer than the generated doc.

Repeat findings → decision records.

Repeated boundary findings should produce decision records for path redaction, secret handling, or task naming.

What's next

ReferenceRedactionThe persistence-time redaction utility.SecurityRelease processHow public boundary findings interact with releases.ReferenceFailure modesHow the hygiene gate composes with the wider failure posture.