feat(goalos): add GoalOS product catalog, site builder, validation, docs, and CI

[MontrealAI]

Motivation

• Provide a safe, public GoalOS commercialization and proof layer as a GitHub-hosted proof/education surface while keeping paid delivery on Squarespace + Stripe.
• Create a single source-of-truth product catalog and generate bilingual, accessible product pages and an AI Efficiency Score quiz from that catalog.
• Add guardrails and automated checks to prevent leaking paid buyer artifacts and unsupported claims into the public repo.

Description

• Add a 9-product catalog at data/goalos_products.json and generate site pages including site/goalos/, site/products/ (hub + 9 product pages), and site/ai-efficiency-score/ via scripts/build_goalos_product_pages.py (marker <!-- GENERATED_BY_GOALOS_PRODUCT_BUILDER -->).
• Add validation and safety scripts: scripts/validate_goalos_products.py, scripts/guard_no_paid_product_files.py, scripts/check_site_links.py, and scripts/repo_claim_boundary_check.py to enforce catalog integrity, ban paid ZIPs in public paths, verify local links, and scan for unsupported claims.
• Add commerce documentation and runbook under docs/commerce/ (squarespace_stripe_delivery_guide.md, paid_product_security.md, product_ladder.md, and goalos_public_layer_operations.md) describing GitHub/Squarespace/Stripe boundaries and delivery rules.
• Add pytest tests (tests/test_goalos_product_catalog.py, tests/test_goalos_product_pages.py, tests/test_no_paid_product_files.py, tests/test_goalos_claim_boundaries.py) and a GitHub Actions workflow .github/workflows/goalos-product-site-ci.yml to build, validate, guard, link-check, run claim checks, and run tests.
• Safely update the homepage within guarded comments to add the GoalOS Product Ladder section without disturbing existing proofs or AEP-001 content.

Testing

• Ran the site build with python scripts/build_goalos_product_pages.py and validated generated pages with python scripts/validate_goalos_products.py, both succeeding.
• Executed the paid-file guard python scripts/guard_no_paid_product_files.py, local link checker python scripts/check_site_links.py, and claim-boundary checker python scripts/repo_claim_boundary_check.py, all returning success.
• Installed dev requirements and ran the test suite with pytest -q, which passed the new GoalOS-focused tests and the existing suite in this environment.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 623e01bee0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Include releases in the paid-ZIP checklist

This manual release checklist omits releases/, but paid buyer ZIPs there are still public and explicitly prohibited elsewhere (docs/commerce/paid_product_security.md says no GitHub Releases, with only releases/AEP-001/ excepted) and the guard script scans releases as a public prefix. If an operator follows this checklist during a release review, a paid package committed under releases/ could pass the documented safety check despite violating the repository boundary; include releases/ with the AEP-001 exception here.

Useful? React with 👍 / 👎.