feat(security,ecosystem): outbound disclosure policy + OSS repo manifest #15

Merged
stackbilt-admin merged 1 commit into main from feat/outbound-disclosure-policy
Apr 10, 2026

Conversation

@stackbilt-admin
Member

Summary

Adds the outbound side of the security policy — rules for when Stackbilt itself (operators and internal agents) files findings against our own public repositories. The existing policy only covered inbound reports from external researchers; this closes the gap.

This PR introduces the full framework: policy text, a machine-readable public repo manifest, a canonical per-repo SECURITY.md template, and an updated ecosystem doc that documents the OSS Core / Commercial Extension pattern without leaking private repo names.

What's in this PR

1. src/content/docs/security.md — new "Outbound Disclosure" section

  • Severity → channel routing matrix for public vs private repos
  • Neutral-filer rule — no internal agent branding, no session footers, no implication of internal AI review capability
  • Reference framing rules — cite RFCs, OWASP, Cloudflare public docs; never internal CLAUDE.md, memory stores, or private repo commits
  • Scrub list — classes of identifier that must not appear in public artifacts
  • Cross-repo chain rule — never publicly describe a finding that chains with a private-repo bug
  • Approval gate — autonomous agents may file against private repos without approval but must get operator approval before filing against public repos
  • Disclosure audit log — persistent trail of every filing action by internal agents
  • Policy Authoring Rule — the policy itself must pass its own scrub filter during revisions; includes a case study of the near-miss that produced this section (see "The Meta-Finding" below)
  • Primary reporting email flipped from security@ to admin@stackbilt.dev
  • GitHub Security Advisory added as per-repo preferred channel for critical/high disclosures

2. src/content/docs/ecosystem.md — two new sections

  • Open Source Libraries — table of all 14 public OSS repos under Stackbilt-dev with one-line purposes, repo links, and npm package names where applicable. These are libraries that were "silently public" — shipped, visible on GitHub, but not narrated anywhere in the docs. Now they have canonical documentation.
  • OSS Core ↔ Commercial Extension Pattern — documents the dual-repo structure where a public OSS core (e.g., aegis-oss) has commercial productization built on top. Names only the OSS core; describes commercial extensions abstractly without naming them. Enforces the moat-protecting convention that public discussion always references the OSS repo.
  • Service Map AEGIS row updated to point at aegis-oss (removes the "Internal cognitive agent" phrasing that directly contradicted the new OSS Libraries section)

3. public/ecosystem/repo-visibility.json — new machine-readable manifest

Served at docs.stackbilt.dev/ecosystem/repo-visibility.json for agent pre-flight lookups.

  • Public allowlist only — 16 repos, each with ecosystem_role, disclosure_channel, and fallback_channel
  • default_policy stanza — any Stackbilt-dev repository not listed here is treated as private by default; unlisted repos must not be referenced in public
  • Routing matrix — severity → channel decisions
  • Reference framing allowlist / prohibition list — machine-readable version of the policy's citation rules
  • agent_consumers section documenting how internal automation consumes this file at pre-flight

⚠️ Contains NO private repo names. Private-name scrub lists are generated dynamically by agents at session start via the authenticated GitHub API (`gh api orgs/Stackbilt-dev/repos --paginate`). The scrub list is held in memory only, never persisted to a public-visible location. This design prevents the manifest itself from becoming a repo-enumeration attack surface.

4. public/ecosystem/SECURITY.md.template — canonical per-repo SECURITY.md

One-file-fits-all template for per-repository SECURITY.md files across the entire Stackbilt-dev organization. Placeholder `{{REPO_NAME}}` is replaced at rollout time. Points at `admin@stackbilt.dev` and the canonical policy URL.

This unblocks a follow-up rollout that will apply the template to every repo (public and private) so every repo has a standardized security reporting entry point.

The Meta-Finding — why this PR has a "Policy Authoring Rule" section

The first draft of this policy would have shipped the exact leak it was designed to prevent.

The initial repo-visibility.json I wrote listed every Stackbilt-dev repository by name — public AND private — because the natural instinct when documenting a visibility manifest is to be thorough. Publishing that file at docs.stackbilt.dev/ecosystem/repo-visibility.json would have converted "private repos exist but are not externally enumerable" into "here is the complete roster of every internal Stackbilt project." Private repo names are not currently discoverable via unauthenticated `gh api` calls, so the manifest would have been a pure reconnaissance gift.

The initial ecosystem.md dual-repo section also named private commercial extensions directly in a table alongside their OSS cores. Same class of leak, narrower scope.

Both were caught in a pre-commit review pass before anything was pushed. No disclosure occurred. But the near-miss validates the rule: policy documents must be authored with the policy's own scrub rules applied from the start, not written thoroughly and scrubbed after. The highest-risk context for accidental disclosure is the policy authoring context itself, because the author has the most private context loaded at exactly the moment they're writing public-facing text.

This is codified in the new Policy Authoring Rule section with the above near-miss as the case study.

Known pre-existing scrub gaps NOT addressed in this PR

These were present in ecosystem.md before this PR and are editorial decisions about how the deployed auth and service-binding architecture is described. Fixing them requires broader rewriting of those sections and is out of scope for this policy introduction. Tracked as a follow-up issue:

  • Service Map line 29: `tarotscript-worker` service binding identifier
  • Service Map line 30: `img-forge-gateway` service binding identifier
  • Authentication section lines 123, 129: `edge-auth` named by private repo name

A follow-up issue on this repo will track the scrub pass and propose the replacement wording.

Test plan

  • `npm run build` passes (pre-commit hook verified, 9 pages built in 18.97s)
  • No private repo names appear in committed files (grep-verified against full private repo list)
  • `repo-visibility.json` validates as JSON
  • Cross-reference check: all 16 public repos in the manifest match `gh api orgs/Stackbilt-dev/repos --jq '.[] | select(.private == false and .archived == false) | .name'`
  • Manual review of policy wording for tone + actionability
  • Confirm the `{{REPO_NAME}}` placeholder substitution strategy for the SECURITY.md rollout
  • Confirm `admin@stackbilt.dev` is the intended canonical address (security@ is demoted)

Follow-up work unlocked by this PR

  1. File a follow-up issue on this repo to track the pre-existing scrub gaps (`tarotscript-worker`, `img-forge-gateway`, `edge-auth` in ecosystem.md)
  2. Roll out the canonical SECURITY.md template to every repo in Stackbilt-dev (54 repos, batched in parallel, one small PR per repo)
  3. Implement the CodeBeast pre-flight filter spec per the new policy (separate internal issue)
  4. Staged Charter CLI adoption across all Node repos (separate workstream, blocked on this PR + SECURITY.md rollout)

🤖 Generated with Claude Code
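The description above sketches how an internal agent is meant to consume repo-visibility.json at pre-flight: resolve the target repo's visibility (unlisted means private), pick the channel from the severity routing matrix, gate public filings behind operator approval, run the outbound text through the scrub filter, and write an audit-log entry. The block below is an added illustration of that flow, not the project's own code or the real manifest. The manifest schema, channel names, the `example-public-lib` entry, the placeholder private repo names, the agent-footer markers and the URL allowlist are all constructed assumptions; only `aegis-oss`, `admin@stackbilt.dev` and the policy concepts come from the PR text. The final function mirrors the test plan's cross-reference step, comparing the manifest allowlist against a live public-repo list (a constructed array stands in for the `gh api ... --jq` output).

```javascript
// Constructed stand-in for public/ecosystem/repo-visibility.json. Field names
// follow the PR description; the values and the second repo are assumptions.
const MANIFEST = {
  default_policy: { unlisted_repos: "private", public_reference: "forbidden" },
  // severity -> channel, keyed by repo visibility
  routing_matrix: {
    public: { critical: "github_security_advisory", high: "github_security_advisory", medium: "github_issue", low: "github_issue" },
    private: { critical: "internal_tracker", high: "internal_tracker", medium: "internal_tracker", low: "internal_tracker" },
  },
  // Public allowlist only; nothing private is ever written here.
  repos: {
    "aegis-oss": { ecosystem_role: "oss_core", disclosure_channel: "github_security_advisory", fallback_channel: "mailto:admin@stackbilt.dev" },
    "example-public-lib": { ecosystem_role: "library", disclosure_channel: "github_security_advisory", fallback_channel: "mailto:admin@stackbilt.dev" },
  },
  reference_framing: {
    // Constructed allowlist: public standards, OWASP, Cloudflare docs, and the org's own public GitHub.
    allowed_url_prefixes: ["https://www.rfc-editor.org/", "https://owasp.org/", "https://developers.cloudflare.com/", "https://github.com/Stackbilt-dev/"],
    prohibited_patterns: ["CLAUDE.md", "memory store"],
  },
};

// Stand-in for the private-name scrub list that, per the PR, agents build at
// session start from the authenticated GitHub API and keep in memory only.
const PRIVATE_NAMES = ["private-repo-placeholder-1", "private-repo-placeholder-2"];

// Constructed markers for the neutral-filer rule (agent branding, session footers).
const AGENT_FOOTER_MARKERS = ["Generated with", "Co-Authored-By:"];

// default_policy: anything not on the public allowlist is treated as private.
function visibilityOf(manifest, repo) {
  return Object.prototype.hasOwnProperty.call(manifest.repos, repo) ? "public" : manifest.default_policy.unlisted_repos;
}

// Severity -> channel lookup plus the approval gate for public targets.
function routeFiling(manifest, repo, severity) {
  const visibility = visibilityOf(manifest, repo);
  const row = manifest.routing_matrix[visibility];
  if (!row || !row[severity]) throw new Error(`no route for ${visibility}/${severity}`);
  return {
    visibility,
    channel: row[severity],
    fallback_channel: visibility === "public" ? manifest.repos[repo].fallback_channel : null,
    requires_operator_approval: visibility === "public",
  };
}

// Whole-token match so "aegis-oss" is not matched inside "aegis-oss-extension".
function mentions(text, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`(?<![\\w-])${escaped}(?![\\w-])`, "i").test(text);
}

// Scrub filter for anything headed to a public surface: filing bodies and, per
// the Policy Authoring Rule, drafts of the policy and manifest themselves.
function scrubViolations(text, manifest, privateNames) {
  const violations = [];
  for (const name of privateNames) {
    if (mentions(text, name)) violations.push({ rule: "private_repo_name", match: name });
  }
  for (const pattern of manifest.reference_framing.prohibited_patterns) {
    if (text.toLowerCase().includes(pattern.toLowerCase())) violations.push({ rule: "prohibited_reference", match: pattern });
  }
  for (const url of text.match(/https?:\/\/\S+/g) ?? []) {
    if (!manifest.reference_framing.allowed_url_prefixes.some((p) => url.startsWith(p))) {
      violations.push({ rule: "unlisted_reference_url", match: url });
    }
  }
  for (const marker of AGENT_FOOTER_MARKERS) {
    if (text.includes(marker)) violations.push({ rule: "agent_branding", match: marker });
  }
  return violations;
}

// Pre-flight: route, scrub (public targets only), and log every decision.
function preflight(manifest, privateNames, filing, auditLog) {
  const route = routeFiling(manifest, filing.repo, filing.severity);
  const violations = route.visibility === "public" ? scrubViolations(filing.body, manifest, privateNames) : [];
  const decision = { ...route, allowed: violations.length === 0, violations };
  auditLog.push({ repo: filing.repo, severity: filing.severity, channel: route.channel, allowed: decision.allowed, violation_count: violations.length });
  return decision;
}

// Drift check: manifest allowlist vs. the live list of public, non-archived repos.
function manifestDrift(manifest, livePublicNames) {
  const listed = new Set(Object.keys(manifest.repos));
  const live = new Set(livePublicNames);
  return {
    missing_from_manifest: [...live].filter((n) => !listed.has(n)), // "silently public", undocumented
    no_longer_public: [...listed].filter((n) => !live.has(n)),      // manifest would now leak a private name
  };
}

const auditLog = [];
console.log(JSON.stringify(preflight(MANIFEST, PRIVATE_NAMES, {
  repo: "aegis-oss", severity: "high",
  body: "Header parsing accepts bare CR; see https://www.rfc-editor.org/rfc/rfc9110 section 5.5.",
}, auditLog), null, 2));
```

Running the drift check in CI next to the manifest is the cheap way to catch the failure mode the PR's test plan checks by hand: a repo that is flipped to private or archived after the manifest was written would otherwise stay listed on a public page.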

Adds the missing "outbound" side of the security policy — rules for when
Stackbilt itself (operators and internal agents) files findings against
its own public repositories. The existing policy covered inbound reports
only; this closes the gap.

What's new:

1. security.md — new "Outbound Disclosure" section:
   - Severity/channel routing matrix for public vs private repos
   - Neutral-filer rule (no internal agent branding on public issues)
   - Reference framing rules (cite RFCs/OWASP, not internal docs)
   - Scrub list of identifier classes that must not appear publicly
   - Cross-repo chain rule (never describe private-chain findings publicly)
   - Approval gate for agent-filed public issues
   - Disclosure audit log requirement
   - Policy Authoring Rule: the policy itself must pass its own scrub
     filter during revisions (includes a case study of the near-miss
     that produced this section)
   - Primary reporting email flipped to admin@stackbilt.dev
   - GHSA added as per-repo preferred channel

2. ecosystem.md — two new sections:
   - Open Source Libraries table listing 14 OSS repos under Stackbilt-dev
     with one-line purposes and repo links
   - OSS Core / Commercial Extension pattern documentation with aegis-oss
     as the concrete example; commercial extensions described abstractly
     without naming
   - Service Map AEGIS row updated to point at aegis-oss (removes the
     "Internal cognitive agent" phrasing that contradicted the new OSS
     libraries section)

3. public/ecosystem/repo-visibility.json — new machine-readable manifest:
   - Public allowlist only (16 repos) with ecosystem_role, disclosure
     channel, and fallback channel per entry
   - default_policy stanza: anything not listed is private, must not be
     referenced publicly
   - Routing matrix for severity -> channel decisions
   - Reference framing allowlist / prohibition list
   - agent_consumers section documenting pre-flight lookup behavior
   - Contains NO private repo names. Private-name scrub lists are
     generated dynamically by agents at session start via the
     authenticated GitHub API, never persisted to a public-visible
     location.

4. public/ecosystem/SECURITY.md.template — canonical per-repo SECURITY.md
   template. Placeholder {{REPO_NAME}} replaced at rollout time. Points
   at admin@stackbilt.dev and the canonical policy URL.

Known pre-existing scrub gaps in ecosystem.md that are NOT addressed in
this PR and will be tracked in a follow-up issue:
- Service Map line 29: tarotscript-worker service binding identifier
- Service Map line 30: img-forge-gateway service binding identifier
- Authentication section lines 123, 129: edge-auth named by private
  repo name

These were present before this PR and are editorial decisions about how
the deployed auth and service-binding architecture is described. Fixing
them requires broader rewriting of those sections and is out of scope
for this policy introduction.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
stackbilt-admin pushed a commit to Stackbilt-dev/cc-taskrunner that referenced this pull request Apr 10, 2026
Adds the standardized Stackbilt-dev security reporting template to this
repository. The template is the canonical per-repo security file rolled
out across the entire Stackbilt-dev organization as part of the outbound
disclosure policy (Stackbilt-dev/docs#15).

Key points:
- Primary reporting channel: admin@stackbilt.dev
- GitHub Security Advisory link scoped to this repo
- Response target matrix (critical 24h ack / 7d fix, high 48h / 14d)
- Full policy link at https://docs.stackbilt.dev/security/
- Explicit "do not open public GH issues for vulns" rule

This replaces the implicit policy that existed via the Stackbilt-dev
organization profile with an explicit per-repo file, so the GitHub
security tab surfaces it and external researchers have a clear
reporting path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@stackbilt-admin stackbilt-admin merged commit 6cf4f6b into main Apr 10, 2026
1 check passed
@stackbilt-admin stackbilt-admin deleted the feat/outbound-disclosure-policy branch April 10, 2026 12:04
stackbilt-admin added a commit to Stackbilt-dev/cc-taskrunner that referenced this pull request Apr 10, 2026
Adds the standardized Stackbilt-dev security reporting template to this
repository. The template is the canonical per-repo security file rolled
out across the entire Stackbilt-dev organization as part of the outbound
disclosure policy (Stackbilt-dev/docs#15).

Key points:
- Primary reporting channel: admin@stackbilt.dev
- GitHub Security Advisory link scoped to this repo
- Response target matrix (critical 24h ack / 7d fix, high 48h / 14d)
- Full policy link at https://docs.stackbilt.dev/security/
- Explicit "do not open public GH issues for vulns" rule

This replaces the implicit policy that existed via the Stackbilt-dev
organization profile with an explicit per-repo file, so the GitHub
security tab surfaces it and external researchers have a clear
reporting path.

Co-authored-by: Codebeast <codebeast@stackbilt.dev>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
stackbilt-admin pushed a commit to Stackbilt-dev/stackbilt-mcp-gateway that referenced this pull request Apr 10, 2026
Adopts the canonical SECURITY.md template published in
Stackbilt-dev/docs#15 and served at
https://docs.stackbilt.dev/ecosystem/SECURITY.md.template.

Points disclosure traffic at admin@stackbilt.dev and this repo's
GitHub Security Advisory endpoint, matching the policy's channel
routing matrix for public Stackbilt-dev repositories.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>