Status: post-rewrite hosted-surface audit complete; public-only publication settings pending
Date: 2026-06-06
Final pre-public API pass: 2026-06-06
Repository: Shaelz/codebase-visualize-skill
This record inventories surfaces that would become public with the repository. It does not authorize a visibility change or history rewrite.
- retain: intentionally public as-is;
- generalize: keep the surface but replace private context;
- remove: remove tracked current-tree content;
- delete: remove a GitHub-hosted object where supported; and
- rewrite: replace reachable Git history and force-update the private remote.
| Surface | Finding | Disposition |
|---|---|---|
| Current tracked tree | `npm run check:public` passes | retain |
| Local branches intended for publication | only `main` | retain |
| GitHub branches | only `main` | retain, then protect after publication |
| Tags | none; strengthened gate also enforces public tagger identity | retain empty until final `v1.0.0` tag |
| Reachable history content | `npm run check:public:history` passes after rewrite | retain |
| Reachable filenames | no private-target or workstation-path filename leaks after rewrite | retain |
| Commit metadata | all publishable commits use the intended Shaelz noreply identity after rewrite | retain |
| Commit messages | `npm run check:public:history` passes after rewrite | retain |
| Large/binary history | no binary blobs observed; largest blobs are renderer source below 100 KB | retain |
| Tool-local refs | a local Codex turn-diff ref exists but is not a branch, tag, or GitHub ref | exclude from publishable-history gate |
The strengthened `npm run check:public:history` gate now inspects branch/tag
history content, historical filenames, commit messages, and author/committer
identity. It intentionally ignores workstation-local tool refs that cannot
become public unless explicitly pushed. `npm run check:public:contracts`
proves historical filename and identity leaks are rejected in a disposable
repository.
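
The scoping and checks described above, as an added example that is not the repository's `check:public:history` implementation. The noreply pattern, path patterns, private term, tool-local ref name, and sample commits are constructed assumptions.

```javascript
// Added example: policy values are assumptions, not the project's configuration.
const POLICY = {
  allowedEmail: /^(\d+\+)?[A-Za-z0-9-]+@users\.noreply\.github\.com$/, // assumed public identity shape
  workstationPath: /\/(home|Users)\/[^\/\s]+|[A-Za-z]:\\Users\\[^\\\s]+/, // Unix home dirs, Windows profiles
  privateTerms: ['acme-internal'], // placeholder private-target term
};

// Only branches and tags are in scope; tool-local refs are skipped.
const isPublishableRef = (ref) => /^refs\/(heads|tags)\//.test(ref);

// Each commit is [sha, authorEmail, committerEmail, subject, [filenames]].
function auditHistory(refs, policy = POLICY) {
  const findings = new Set(); // unique across refs that share commits
  for (const [ref, commits] of Object.entries(refs)) {
    if (!isPublishableRef(ref)) continue;
    for (const [sha, author, committer, subject, files] of commits) {
      if (!policy.allowedEmail.test(author)) findings.add(`author-identity:${sha}`);
      if (!policy.allowedEmail.test(committer)) findings.add(`committer-identity:${sha}`);
      const texts = [['message', subject], ...files.map((f) => ['filename', f])];
      for (const [where, text] of texts) {
        if (policy.workstationPath.test(text)) findings.add(`workstation-path:${where}:${sha}`);
        const hit = policy.privateTerms.some((t) => text.toLowerCase().includes(t));
        if (hit) findings.add(`private-target:${where}:${sha}`);
      }
    }
  }
  return findings;
}

// Category totals, the figures a baseline run and a post-rewrite run are compared on.
function countByCategory(findings) {
  const totals = {};
  for (const f of findings) { const k = f.split(':')[0]; totals[k] = (totals[k] || 0) + 1; }
  return totals;
}

// Constructed sample history; the tool-local ref name is hypothetical.
const NOREPLY = 'dev@users.noreply.github.com';
const SAMPLE_REFS = {
  'refs/heads/main': [
    ['a1', NOREPLY, NOREPLY, 'Add renderer', ['src/render.js']],
    ['b2', 'dev@corp.example', NOREPLY, 'Fix /home/dev/work path', ['docs/acme-internal-notes.md']],
  ],
  'refs/tool-local/turn-diff': [['c3', 'dev@corp.example', 'dev@corp.example', 'wip', ['tmp.txt']]],
};
console.log(countByCategory(auditHistory(SAMPLE_REFS)));
```
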
The initial strengthened history run reports 122 unique findings: 16 concrete workstation-path findings, 102 private-target findings, 2 non-public author identities, and 2 non-public committer identities. Its category totals are the baseline for rewrite verification; the post-rewrite run must report zero.
The 2026-06-06 dry run reduced that baseline to zero findings in a fresh
rewritten checkout while preserving the reviewed tip tree. The real private
remote was then rewritten and a fresh GitHub clone passed
`npm run check:public:history`.
| Surface | Finding | Disposition |
|---|---|---|
| Visibility | private | retain until every M6 gate passes, then change to public |
| Description/homepage/topics | description and sibling-adapted topics applied; homepage empty | retain |
| Issues and pull requests | none | retain empty |
| Comments and review threads | none through the empty issue/PR surface | retain empty |
| Releases and release assets | none | retain empty until final release |
| Actions runs, artifacts, and caches | none | retain empty |
| Deployments and environments | none | retain empty |
| Pages | not configured | retain disabled |
| Wiki and discussions | disabled | retain disabled |
| Projects | disabled | retain disabled |
| Packages | no package publication is intended; `package.json` remains private; package views remain a manual UI check | retain no-publication policy and verify manually |
| Hooks and deploy keys | none | retain empty |
| Collaborators | owner only | retain |
| Actions secrets and variables | none | retain empty |
| Rulesets and branch protection | unavailable on the current private plan | add sibling-grade rulesets after publication |
| Security scanning and alerts | unavailable/disabled on the current private plan | enable supported sibling-grade features after publication |
| Private vulnerability reporting | unavailable before publication | enable after publication |
| Forks | none | retain empty |
Private-safe settings applied on 2026-06-06:
- repository description set to the documented visualization target;
- sibling-adapted public-safe topics added;
- Projects disabled;
- delete head branches after merge enabled;
- default squash title set to pull request title;
- Issues kept enabled;
- Wiki and Discussions kept disabled; and
- merge, squash, and rebase merge strategies kept enabled.
The fallback security contact in `SECURITY.md` is an intentional published
maintainer contact and is retained. Commit metadata still uses only the noreply
identity after the planned rewrite.
The final pre-public API pass also confirmed:
- `main` is the only branch and is not yet protected while private;
- no tags or releases exist;
- no Issues or pull requests exist;
- no Actions runs, artifacts, caches, environments, deployments, hooks, deploy keys, Actions secrets, or Actions variables exist;
- Pages returns no configured site;
- rulesets are blocked until public or an upgraded plan;
- vulnerability alerts are disabled/unavailable while private; and
- the sibling public repository has active `Protect main history` and `Protect version tags` rulesets, secret scanning, push protection, and private vulnerability reporting enabled.
Sibling ruleset details to recreate after publication:
- `Protect main history`: target branch, include `refs/heads/main`, enforcement active, block deletion and non-fast-forward updates.
- `Protect version tags`: target tag, include `refs/tags/v*`, enforcement active, block update, deletion, and non-fast-forward updates.
1. Create a recoverable backup of all refs outside the working repository.
2. Rewrite the 2 non-public commit identities to the intended noreply identity.
3. Generalize the historical private target name, workstation path, and old private-target filename.
4. Re-run the strengthened history audit against rewritten branches and tags.
5. Force-update the private GitHub `main` only after reviewing the rewritten commit map and exact diff.
6. Re-audit GitHub-hosted surfaces after the force-update.
7. Validate a fresh clone of the exact rewritten candidate.
Steps 1-7 are complete for the private-history rewrite. The post-rewrite GitHub-hosted surface audit and private-safe settings pass are complete. Public-only security features, immutable releases, and sibling-grade rulesets remain deferred until visibility and release timing make them safe.
- GitHub private-plan APIs report some future public security/ruleset features as unavailable rather than disabled.
- GitHub UI-only presentation surfaces such as a social preview should receive a final manual glance before publication.
- External links or caches outside this repository cannot be rewritten here.
The current tree, rewritten Git history, private-safe GitHub settings, exact private release candidate, agent-mediated pre-public rehearsal, and final API readiness pass are public-ready according to the maintained gates. The repository is not ready to become public until manual UI-only checks, public-only security/ruleset setup, and the final publication decision are complete.