Fix GoalOS public-site validation: standalone proof pages and AEP package allowlist

[MontrealAI]

Motivation

• The previous validator treated every HTML as a canonical marketing page and every ZIP as a paid artifact, producing false positives for standalone proof pages and public AEP packages.
• Validation rules were duplicated across workflows and embedded scripts, which made maintenance error-prone and caused inconsistent enforcement.

Description

• Centralized classification and policy in scripts/goalos_public_site_rules.py with functions for path normalization, is_public_aep_package, is_standalone_proof_page, is_app_page, requires_canonical_shell, and is_blocked_paid_or_private_artifact so all validators share the same rules.
• Replaced embedded logic with shared validation scripts: scripts/validate_goalos_public_site.py, scripts/check_no_paid_artifacts.py, scripts/validate_docs_tables_figures.py, and scripts/validate_goalos_catalog.py that import the shared rules and produce clearer, actionable error messages.
• Made minimal edits to the two failing proof pages (site/rsi-ai-first-blockchain-capital-machine-proof.html, site/rsi-ai-first-governance-capital-engine-proof.html) to mark them as standalone proofs (<!-- GOALOS-STANDALONE-PROOF --> + <meta name="goalos-page-type" content="standalone-proof">), add a visible /proof-gradient/ backlink and QUEBEC.AI identity, and ensure required title/description metadata.
• Added regression tests tests/test_goalos_public_site_rules.py for AEP allowlist, blocked buyer ZIPs, standalone-proof detection, app-page detection, safe assets, and canonical-shell requirements.
• Updated and created workflows to call the shared scripts instead of embedding rules: .github/workflows/validate-goalos-public-site-v12.yml, check-no-paid-artifacts.yml, validate-docs-tables-figures.yml, goalos-public-site-release-v12.yml, and updated legacy workflows to delegate to the new v12 flow.
• Added documentation describing the classifier, allowlist, how to mark standalone proof pages, and the paid-file policy: docs/GOALOS_PUBLIC_SITE_VALIDATION.md, docs/GOALOS_PAID_ARTIFACT_POLICY.md, and updated docs/GOALOS_REPO_AUDIT.md and README.md notes.

Testing

• Ran python scripts/validate_goalos_public_site.py and it passed for the repository public root (no canonical-shell false positives after classification changes).
• Ran python scripts/check_no_paid_artifacts.py and it passed while allowing standards/AEP-001/complete-package.zip and similar standards/AEP-###/complete-package.zip paths.
• Ran python scripts/validate_docs_tables_figures.py and python scripts/validate_goalos_catalog.py and both passed.
• Ran the regression suite pytest tests/test_goalos_public_site_rules.py and all tests passed.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ccac283aea

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Block paid/private directories, not just filenames

When a paid/private material is stored under a sensitive directory with a neutral basename, e.g. site/private/runbook.pdf or site/buyer_deliverables/receipt.pdf, both public-site validators pass it because this check scans only PurePosixPath(rel).name and ignores the rest of the relative path. That leaves non-ZIP buyer/private deliverables in public deploy roots undetected despite the new policy covering buyer-paid and private materials anywhere under site/ or public/; check the normalized full path or path parts instead of only the basename.

Useful? React with 👍 / 👎.