Record public LFL20 proof bundle publication

doc/CURRENT_STATE.md

@@ -15,13 +15,17 @@ Implementation baseline: `doc/archive/top_level_history/HELPER_EXECUTION_BOARD_2
 
 ## 2026-04-15 Current Addendum
 
-- Repository identity: local `main` and `origin/main` are aligned at `c2f38df`.
+- Repository identity: local `main` and `origin/main` are aligned at `8cc34c2`.
+- Private-core baseline tag: `helper-private-core-2026-04-15-green`.
 - Repository visibility: `Private`.
 - Public visibility policy: private-core repo stays Private; public publication must use a separate curated showcase/proof-bundle repo.
-- Latest deterministic local gate before the security/posture branch: `npm run ci:gate` passed end-to-end.
+- Public proof-bundle repository: `https://github.com/rovsh44-glitch/helper-proof-bundle-lfl20`.
+- Latest deterministic local gate on the security/posture branch: `npm run ci:gate` passed end-to-end before merge.
+- Hosted checks on updated `main`: `repo_gate=success`, `connected_nuget_audit=success`, Dependabot jobs `success`.
+- Dependency security status: `npm audit --json` returns `0` vulnerabilities; strict-online NuGet audit passed after Magick.NET isolation.
 - LFL20 proof-bundle status: implemented and green on the final local acceptance run described in `doc/analysis/HELPER_CURRENT_STATUS_AND_REPO_ALIGNMENT_REPORT_2026-04-15.md`.
 - Local-library evidence fusion: implemented and audited with zero public path leaks in the final local acceptance artifact.
-- Active follow-up: push the security/posture remediation branch, run hosted `repo-gate` and `nuget-security-audit`, then merge after both pass.
+- Active follow-up: start the separate model A/B stage against this fixed baseline; do not mix model-change work into the already-published LFL20 baseline.
 - Code scanning status: not an active control for the private-core repo on the current GitHub tier; use repo-owned gates and Dependabot unless the security tier changes.
 
 ## Additional Truth Layers

doc/analysis/HELPER_CURRENT_STATUS_AND_REPO_ALIGNMENT_REPORT_2026-04-15.md

@@ -12,17 +12,20 @@ Functionally, the Helper remediation and proof-bundle work is in a strong local
 Repository-wise, the project is now aligned with GitHub:
 
 - Local `main` is checked out.
-- Local `main` and `origin/main` both point at `c2f38df`.
+- Local `main` and `origin/main` both point at `8cc34c2`.
 - Divergence is `0 0`.
-- The working tree was clean before the 2026-04-15 security/posture remediation branch.
+- The working tree was clean after the 2026-04-15 security/posture remediation merge before the public-proof docs update.
 - PR `#42` is merged as the GitHub squash commit `c2f38df`.
+- PR `#43` is merged as the GitHub squash commit `8cc34c2`.
+- Baseline tag `helper-private-core-2026-04-15-green` is attached to the current private-core `main`.
+- The sanitized public LFL20 proof-bundle repository is published at `https://github.com/rovsh44-glitch/helper-proof-bundle-lfl20`.
 
 ## Git State Observed
 
 - Remote repository: `https://github.com/rovsh44-glitch/Helper.git`.
-- GitHub `main`: `c2f38df` (`Add LFL20 proof bundle and local library evidence fusion (#42)`).
-- Local `main`: `c2f38df`.
-- Current remediation branch for follow-up work: `security-posture-dependency-isolation-2026-04-15`.
+- GitHub `main`: `8cc34c2` (`Close dependency security and private-core posture (#43)`).
+- Local `main`: `8cc34c2`.
+- Current remediation branch for follow-up work: none; security/posture remediation is merged.
 - Previous stale feature branches remain local-only historical refs unless explicitly pruned.
 
 The earlier warning about a stale checked-out branch is closed. Current follow-up work must proceed through a normal feature branch and PR because `main` is protected.
@@ -103,13 +106,23 @@ Observed final audit result:
 - Public path leaks: `0`.
 - Missing local metadata: `0`.
 
+## Current Closure
+
+The security/posture branch is no longer pending:
+
+1. PR `#43` was merged into `main`.
+2. Hosted `repo_gate` on `8cc34c2` completed with `success`.
+3. Hosted `connected_nuget_audit` on `8cc34c2` completed with `success`.
+4. Dependabot dynamic jobs on `8cc34c2` completed with `success`.
+5. Local `main` and `origin/main` are aligned.
+6. The private-core repository remains `Private`.
+7. The public proof surface has been split into `https://github.com/rovsh44-glitch/helper-proof-bundle-lfl20`.
+
 ## Remaining Work
 
-The remaining work after this security/posture branch is hosted verification and merge, not proof-bundle runtime remediation:
+The next work is not proof-bundle runtime remediation. It is controlled expansion:
 
-1. Push this branch and open a PR.
-2. Rerun hosted `repo-gate` and `nuget-security-audit`.
-3. Merge after hosted checks pass.
-4. Confirm updated `main` remains aligned locally and remotely.
-5. Keep the private-core repository Private.
-6. Publish only a separate curated public showcase/proof-bundle repo when external publication is needed.
+1. Keep `Helper` private-core source in the private repository.
+2. Use the public proof repository only for sanitized artifacts and reviewed narrative.
+3. Start a separate model A/B stage against baseline tag `helper-private-core-2026-04-15-green`.
+4. If private-code scanning becomes mandatory, solve it through an eligible GitHub security tier or external scanner, not by publishing the full source tree.

doc/analysis/HELPER_REPO_SECURITY_AND_CONFORMANCE_AUDIT_2026-04-15.md

@@ -160,11 +160,28 @@ Closure on this branch:
 - Private-core/public-showcase policy was revalidated.
 - Full `npm run ci:gate` passed after the remediation.
 
-## Current Action Plan
-
-1. Push this remediation through a normal PR.
-2. Rerun `repo-gate` and `nuget-security-audit` on the PR.
-3. Merge the remediation PR after hosted checks pass.
-4. Confirm `repo-gate` and `nuget-security-audit` on updated `main`.
-5. Close or let GitHub supersede stale Dependabot PRs `#34` through `#37`.
-6. Keep the private-core repo Private and create a separate public showcase/proof-bundle repository when publication is needed.
+## Closure After PR 43
+
+Current private-core baseline:
+
+1. `main` is aligned locally and remotely at `8cc34c2`.
+2. Baseline tag `helper-private-core-2026-04-15-green` is attached to the current private-core `main`.
+3. PR `#43` closed dependency security and private-core posture.
+4. Hosted `repo_gate` on `8cc34c2` completed with `success`.
+5. Hosted `connected_nuget_audit` on `8cc34c2` completed with `success`.
+6. Dependabot jobs on `8cc34c2` completed with `success`.
+7. `npm audit --json` on current `main` returns `0` vulnerabilities.
+8. Stale Dependabot PRs `#34` through `#37` are closed as superseded by the consolidated lockfile remediation.
+
+Public/private split:
+
+1. The private-core repository remains `Private`.
+2. The public proof repository is published at `https://github.com/rovsh44-glitch/helper-proof-bundle-lfl20`.
+3. The public repository contains sanitized LFL20 corpus/results/reports/manifest material only, not private-core source code.
+
+## Next Action Plan
+
+1. Keep private-core controls green: `repo_gate`, `connected_nuget_audit`, Dependabot, repo-owned secret/config/docs gates.
+2. Treat `https://github.com/rovsh44-glitch/helper-proof-bundle-lfl20` as the public evidence surface for LFL20.
+3. Start the model A/B stage only after this fixed baseline, using `helper-private-core-2026-04-15-green` as the comparison anchor.
+4. If code scanning becomes mandatory for private-core source, use an eligible GitHub security tier or an external scanner instead of making the full source tree public.

doc/security/GITHUB_PRIVATE_REPO_SECURITY_AUTOMATION_STATUS_2026-04-12.md

@@ -84,3 +84,21 @@ Correct publication/security split:
 2. Keep Dependabot alerts, automated security fixes, `repo_gate`, `connected_nuget_audit`, and repo-owned scans as the private-core controls.
 3. Create a separate public showcase/proof-bundle repository for reviewed public-safe material, especially the reproducible LFL20 proof bundle and narrative docs.
 4. If code scanning is required for private-core source, move to an eligible GitHub security tier or eligible organization/enterprise setup instead of widening source visibility.
+
+## 2026-04-15 Implementation Update
+
+Status: `implemented for LFL20 public proof`
+
+The separate public proof repository has been created:
+
+- `https://github.com/rovsh44-glitch/helper-proof-bundle-lfl20`
+
+Current private-core security baseline:
+
+1. `repo_gate` on private `main` commit `8cc34c2`: `success`.
+2. `connected_nuget_audit` on private `main` commit `8cc34c2`: `success`.
+3. Dependabot dynamic jobs on private `main` commit `8cc34c2`: `success`.
+4. `npm audit --json` on current local `main`: `0` vulnerabilities.
+5. Magick.NET runtime dependency was removed from the private-core security boundary.
+
+This means the absence of GitHub code scanning on the private repository remains a known tier limitation, but it is no longer blocking the current dependency-security or public-proof publication path.

doc/security/PUBLIC_VISIBILITY_DECISION_2026-04-11.md

@@ -56,3 +56,24 @@ The intended public claim is therefore narrow:
 It is not:
 
 `The full Helper private-core source tree is public/open-source.`
+
+## 2026-04-15 Publication Closure
+
+Status: `implemented`
+
+The approved publication path has now been executed for the first narrow public proof surface:
+
+1. Private-core `Helper` remains `Private`.
+2. Baseline tag `helper-private-core-2026-04-15-green` was created on the green private-core `main`.
+3. A separate public proof repository was created: `https://github.com/rovsh44-glitch/helper-proof-bundle-lfl20`.
+4. The public repository contains sanitized LFL20 artifacts only:
+   - selected `LFL20` corpus JSONL
+   - sanitized per-case results
+   - analyzer summaries
+   - evidence-fusion audit
+   - case-level metrics
+   - manifest/checksums
+   - reproducibility and limitation notes
+5. The public repository does not contain private-core source, tests, internal scripts, runtime logs, auth files, local paths, or raw request envelopes.
+
+This closes the immediate public/private alignment gap. Future public updates should extend the proof-bundle repository or create additional sanitized showcase repositories, not widen the private-core repository visibility.