Fix GoalOS public-site validation: standalone proof pages and AEP package allowlist

.github/workflows/check-no-paid-artifacts.yml

@@ -0,0 +1,23 @@
+name: Check No Paid Artifacts
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'site/**'
+      - 'public/**'
+      - 'scripts/goalos_public_site_rules.py'
+      - 'scripts/check_no_paid_artifacts.py'
+
+permissions:
+  contents: read
+
+jobs:
+  check:
+    name: Shared paid/private artifact guard
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Check paid/private artifacts
+        run: python scripts/check_no_paid_artifacts.py

.github/workflows/goalos-public-site-release-v12.yml

@@ -0,0 +1,39 @@
+name: GoalOS Public Site Release v12
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+    paths:
+      - 'site/**'
+      - 'public/**'
+      - 'scripts/**'
+      - 'docs/GOALOS_PUBLIC_SITE_VALIDATION.md'
+      - 'docs/GOALOS_PAID_ARTIFACT_POLICY.md'
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+jobs:
+  validate:
+    name: Validate shared GoalOS release rules
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Validate GoalOS public site
+        run: python scripts/validate_goalos_public_site.py
+      - name: Check paid/private artifacts
+        run: python scripts/check_no_paid_artifacts.py
+      - name: Validate docs, tables, and figures
+        run: python scripts/validate_docs_tables_figures.py
+      - name: Validate GoalOS catalog
+        run: python scripts/validate_goalos_catalog.py
+      - name: Run public-site rule regression tests
+        run: pytest tests/test_goalos_public_site_rules.py

.github/workflows/validate-docs-tables-figures.yml

@@ -0,0 +1,24 @@
+name: Validate Docs Tables Figures
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'docs/**'
+      - 'site/**'
+      - 'public/**'
+      - 'scripts/goalos_public_site_rules.py'
+      - 'scripts/validate_docs_tables_figures.py'
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    name: Shared docs/tables/figures validation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Validate docs, tables, and figures
+        run: python scripts/validate_docs_tables_figures.py

.github/workflows/validate-goalos-public-site-v12.yml

@@ -0,0 +1,36 @@
+name: Validate GoalOS Public Site v12
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'site/**'
+      - 'public/**'
+      - 'scripts/goalos_public_site_rules.py'
+      - 'scripts/validate_goalos_public_site.py'
+      - 'scripts/check_no_paid_artifacts.py'
+      - 'scripts/validate_docs_tables_figures.py'
+      - 'scripts/validate_goalos_catalog.py'
+      - 'tests/test_goalos_public_site_rules.py'
+      - '.github/workflows/**'
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    name: Shared public-site validation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Validate GoalOS public site
+        run: python scripts/validate_goalos_public_site.py
+      - name: Check paid/private artifacts
+        run: python scripts/check_no_paid_artifacts.py
+      - name: Validate docs, tables, and figures
+        run: python scripts/validate_docs_tables_figures.py
+      - name: Validate GoalOS catalog
+        run: python scripts/validate_goalos_catalog.py
+      - name: Run public-site rule regression tests
+        run: pytest tests/test_goalos_public_site_rules.py

.github/workflows/validate-goalos-public-site-v3-1.yml

@@ -1,103 +1,32 @@
-name: Validate GoalOS Public Site v3.1
+name: validate-goalos-public-site-v3-1 (delegates to shared v12 rules)
 
 on:
   workflow_dispatch:
   pull_request:
     paths:
       - 'site/**'
       - 'public/**'
+      - 'scripts/**'
+      - 'tests/test_goalos_public_site_rules.py'
       - '.github/workflows/**'
 
 permissions:
   contents: read
 
 jobs:
   validate:
-    name: Validate public site shell, links, and paid artifact policy
+    name: Delegate to shared GoalOS public-site scripts
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
-
       - name: Validate GoalOS public site
-        shell: bash
-        run: |
-          set -euo pipefail
-          WEB_ROOT="site"
-          if [ ! -d "$WEB_ROOT" ] && [ -d "public" ]; then WEB_ROOT="public"; fi
-
-          cat > "$RUNNER_TEMP/validate_goalos_public_site.py" <<'PY'
-          from pathlib import Path
-          import re, sys, json
-
-          WEB_ROOT = Path("site")
-          if not WEB_ROOT.exists() and Path("public").exists():
-              WEB_ROOT = Path("public")
-          BASE = "/proof-gradient"
-          errors = []
-
-          # HTML shell validation.
-          for html in sorted(WEB_ROOT.rglob("*.html")):
-              if "_archive" in html.parts:
-                  continue
-              text = html.read_text(encoding="utf-8", errors="ignore")
-              if text.count("GOALOS-CANONICAL-SHELL:START") != 1:
-                  errors.append(f"{html.relative_to(WEB_ROOT)} has {text.count('GOALOS-CANONICAL-SHELL:START')} canonical shells")
-              if text.count("GOALOS-CANONICAL-FOOTER:START") != 1:
-                  errors.append(f"{html.relative_to(WEB_ROOT)} has {text.count('GOALOS-CANONICAL-FOOTER:START')} canonical footers")
-              for old in ["GOALOS-COMPLETE-NAV","GOALOS-PRODUCT-LADDER-NAV","GOALOS-UNIFIED-SHELL","GOALOS-CLOUD-MVP:START","GOALOS-CLOUD-MVP-V02:START"]:
-                  if old in text:
-                      errors.append(f"{html.relative_to(WEB_ROOT)} still has old marker {old}")
-
-          # Internal links.
-          for html in WEB_ROOT.rglob("*.html"):
-              if "_archive" in html.parts:
-                  continue
-              text = html.read_text(encoding="utf-8", errors="ignore")
-              for m in re.finditer(r'href=["\'](/proof-gradient/[^"#?\']*)["\']', text):
-                  target = m.group(1)[len(BASE):] or "/"
-                  fs = WEB_ROOT / target.lstrip("/")
-                  if target.endswith("/"):
-                      fs = fs / "index.html"
-                  if not fs.exists():
-                      errors.append(f"Broken link in {html.relative_to(WEB_ROOT)} -> {m.group(1)}")
-
-          # Paid/private artifact guard.
-          # v3.1 allows public AEP standard packages but blocks buyer/delivery/private bundles.
-          def is_public_standard_package(rel):
-              rel = rel.replace("\\", "/").lower()
-              return re.fullmatch(r"standards/aep-[0-9]{3}/complete-package\.zip", rel) is not None
-
-          blocked_terms = [
-              "buyer", "buyer_official", "complete_bundle", "delivery_kit", "seller_assets",
-              "master_pack", "commercialization_ready", "quick_launch", "opulent_institutional",
-              "institutional_boardroom", "implementation_sprint", "enterprise_rsi_pilot",
-              "workshop_v", "buyer_facilitator"
-          ]
-          for p in WEB_ROOT.rglob("*"):
-              if not p.is_file() or "_archive" in p.parts:
-                  continue
-              rel = p.relative_to(WEB_ROOT).as_posix()
-              name = p.name.lower()
-
-              if name.endswith(".zip") and not is_public_standard_package(rel):
-                  errors.append(f"Paid/private ZIP detected in public site: {rel}")
-
-              if any(term in name for term in blocked_terms):
-                  if not name.endswith((".md",".html",".json",".txt",".yml",".yaml",".css",".js",".svg")):
-                      errors.append(f"Suspicious paid/private artifact detected: {rel}")
-
-          if errors:
-              print("\n".join(errors))
-              sys.exit(1)
-
-          print("GoalOS public site validation passed.")
-          PY
-
-          python3 "$RUNNER_TEMP/validate_goalos_public_site.py"
-
-          if [ -f "$WEB_ROOT/app/goalos-cloud-mvp/tests/enterprise-core.test.mjs" ]; then
-            node "$WEB_ROOT/app/goalos-cloud-mvp/tests/enterprise-core.test.mjs"
-          else
-            echo "Cloud MVP Node test not found; skipping because app may be installed by separate workflow."
-          fi
+        run: python scripts/validate_goalos_public_site.py
+      - name: Check paid/private artifacts
+        run: python scripts/check_no_paid_artifacts.py
+      - name: Validate docs, tables, and figures
+        run: python scripts/validate_docs_tables_figures.py
+      - name: Validate GoalOS catalog
+        run: python scripts/validate_goalos_catalog.py
+      - name: Run public-site rule regression tests
+        run: pytest tests/test_goalos_public_site_rules.py

.github/workflows/validate-goalos-public-site-v3-2.yml

@@ -1,103 +1,32 @@
-name: Validate GoalOS Public Site v3.2
+name: validate-goalos-public-site-v3-2 (delegates to shared v12 rules)
 
 on:
   workflow_dispatch:
   pull_request:
     paths:
       - 'site/**'
       - 'public/**'
+      - 'scripts/**'
+      - 'tests/test_goalos_public_site_rules.py'
       - '.github/workflows/**'
 
 permissions:
   contents: read
 
 jobs:
   validate:
-    name: Validate public site shell, links, and paid artifact policy
+    name: Delegate to shared GoalOS public-site scripts
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
-
       - name: Validate GoalOS public site
-        shell: bash
-        run: |
-          set -euo pipefail
-          WEB_ROOT="site"
-          if [ ! -d "$WEB_ROOT" ] && [ -d "public" ]; then WEB_ROOT="public"; fi
-
-          cat > "$RUNNER_TEMP/validate_goalos_public_site.py" <<'PY'
-          from pathlib import Path
-          import re, sys, json
-
-          WEB_ROOT = Path("site")
-          if not WEB_ROOT.exists() and Path("public").exists():
-              WEB_ROOT = Path("public")
-          BASE = "/proof-gradient"
-          errors = []
-
-          # HTML shell validation.
-          for html in sorted(WEB_ROOT.rglob("*.html")):
-              if "_archive" in html.parts:
-                  continue
-              text = html.read_text(encoding="utf-8", errors="ignore")
-              if text.count("GOALOS-CANONICAL-SHELL:START") != 1:
-                  errors.append(f"{html.relative_to(WEB_ROOT)} has {text.count('GOALOS-CANONICAL-SHELL:START')} canonical shells")
-              if text.count("GOALOS-CANONICAL-FOOTER:START") != 1:
-                  errors.append(f"{html.relative_to(WEB_ROOT)} has {text.count('GOALOS-CANONICAL-FOOTER:START')} canonical footers")
-              for old in ["GOALOS-COMPLETE-NAV","GOALOS-PRODUCT-LADDER-NAV","GOALOS-UNIFIED-SHELL","GOALOS-CLOUD-MVP:START","GOALOS-CLOUD-MVP-V02:START"]:
-                  if old in text:
-                      errors.append(f"{html.relative_to(WEB_ROOT)} still has old marker {old}")
-
-          # Internal links.
-          for html in WEB_ROOT.rglob("*.html"):
-              if "_archive" in html.parts:
-                  continue
-              text = html.read_text(encoding="utf-8", errors="ignore")
-              for m in re.finditer(r'href=["\'](/proof-gradient/[^"#?\']*)["\']', text):
-                  target = m.group(1)[len(BASE):] or "/"
-                  fs = WEB_ROOT / target.lstrip("/")
-                  if target.endswith("/"):
-                      fs = fs / "index.html"
-                  if not fs.exists():
-                      errors.append(f"Broken link in {html.relative_to(WEB_ROOT)} -> {m.group(1)}")
-
-          # Paid/private artifact guard.
-          # v3.2 allows public AEP standard packages but blocks buyer/delivery/private bundles.
-          def is_public_standard_package(rel):
-              rel = rel.replace("\\", "/").lower()
-              return re.fullmatch(r"standards/aep-[0-9]{3}/complete-package\.zip", rel) is not None
-
-          blocked_terms = [
-              "buyer", "buyer_official", "complete_bundle", "delivery_kit", "seller_assets",
-              "master_pack", "commercialization_ready", "quick_launch", "opulent_institutional",
-              "institutional_boardroom", "implementation_sprint", "enterprise_rsi_pilot",
-              "workshop_v", "buyer_facilitator"
-          ]
-          for p in WEB_ROOT.rglob("*"):
-              if not p.is_file() or "_archive" in p.parts:
-                  continue
-              rel = p.relative_to(WEB_ROOT).as_posix()
-              name = p.name.lower()
-
-              if name.endswith(".zip") and not is_public_standard_package(rel):
-                  errors.append(f"Paid/private ZIP detected in public site: {rel}")
-
-              if any(term in name for term in blocked_terms):
-                  if not name.endswith((".md",".html",".json",".txt",".yml",".yaml",".css",".js",".svg")):
-                      errors.append(f"Suspicious paid/private artifact detected: {rel}")
-
-          if errors:
-              print("\n".join(errors))
-              sys.exit(1)
-
-          print("GoalOS public site validation passed.")
-          PY
-
-          python3 "$RUNNER_TEMP/validate_goalos_public_site.py"
-
-          if [ -f "$WEB_ROOT/app/goalos-cloud-mvp/tests/enterprise-core.test.mjs" ]; then
-            node "$WEB_ROOT/app/goalos-cloud-mvp/tests/enterprise-core.test.mjs"
-          else
-            echo "Cloud MVP Node test not found; skipping because app may be installed by separate workflow."
-          fi
+        run: python scripts/validate_goalos_public_site.py
+      - name: Check paid/private artifacts
+        run: python scripts/check_no_paid_artifacts.py
+      - name: Validate docs, tables, and figures
+        run: python scripts/validate_docs_tables_figures.py
+      - name: Validate GoalOS catalog
+        run: python scripts/validate_goalos_catalog.py
+      - name: Run public-site rule regression tests
+        run: pytest tests/test_goalos_public_site_rules.py