Public Import Plan
This plan converts the private source tree into the public Ardur repo without turning Ardur into a monorepo dump.
Goals
- make Ardur a code-bearing public product repo
- keep the public root simple: docs, Python, Go, deploy, examples, workflows
- preserve VIBAP, MCEP, SPIFFE, Biscuit, AAT, EAT, and related protocol names where they describe real technical artifacts
- remove obsolete product codenames from public-facing copy, examples, media, paths, and capability IDs
- keep every public claim tied to exported code, verifier output, proof media, or an explicit limitation
Target Layout
ardur/
├── README.md
├── LICENSE
├── CONTRIBUTING.md
├── SECURITY.md
├── CODE_OF_CONDUCT.md
├── docs/
├── python/
├── go/
├── deploy/
│   └── k8s/
│       └── spire/
├── examples/
└── .github/
    └── workflows/
Source Mapping
| Source area | Ardur target | Mode | Notes |
|---|---|---|---|
| vibap-prototype/vibap/ | python/vibap/ | copy then rename public commands | Core Python runtime, CLI, receipts, passports, policy, proof tooling. |
| vibap-prototype/verification/ | python/verification/ | copy | Verifier and proof-bundle support. |
| vibap-prototype/tests/ | python/tests/ | curated copy | Keep tests that back public claims; defer corpus-heavy research tests. |
| vibap-prototype/examples/ | examples/missions/ | curated copy | Mission examples for quickstart. |
| selected demos | examples/ | curated copy | SDK agents, live governance, hardening foundation, and delegation examples. |
| selected integrations | python/integrations/ | curated copy | Include only framework surfaces claimed in docs. |
| VIBAP/pkg/credential/ | go/pkg/credential/ | copy | Credential issuance and verification. |
| VIBAP/pkg/governance/ | go/pkg/aat/ | copy | Go AAT credential-attenuation engine (constraints, derivation, PoP, chain verification). |
| VIBAP/pkg/policy/ | go/pkg/policy/ | copy | Policy evaluation surface. |
| VIBAP/pkg/spiffe/ | go/pkg/spiffe/ | copy | SPIFFE/SPIRE identity path. |
| selected VIBAP/pkg/* | go/pkg/* | curated copy | Provenance, issuer, AAT, trust, transparency, API if referenced by retained code. |
| selected VIBAP/cmd/* | go/cmd/* | curated copy | CLI, operator, webhook, and live benchmark only if public docs use them. |
| VIBAP/spec/mission-governance/v0alpha1/ | go/spec/mission-governance/v0alpha1/ or docs/spec/ | copy | Public schema and protocol-root material. |
| selected VIBAP/benchmark/* | go/benchmark/* | curated copy | Minimal reproducible scenario packs only. |
| k8s/spire/ | deploy/k8s/spire/ | copy | Deployment-oriented identity design surface. |
| source docs | docs/ | rewrite | Use substance, not private session framing. |
Exclude By Default
- local runtime state such as `.vibap/`
- private keys, tokens, generated receipts, and local evidence bundles unless intentionally reviewed as public fixtures
- session logs, inboxes, branch coordination notes, and AI-team runbooks
- machine-local paths and private workspace assumptions
- generated reports, build artifacts, caches, raw benchmark archives, and historical trace dumps
- side-program material unless it directly strengthens Ardur’s public runtime-governance story
Import Order
1. Phase 0 shell — done. Intent, status, roadmap, media, and security docs are present and live with the rest of the repo.
2. Public-safe metadata — done. Root `.gitignore`, packaging metadata, and public-safe workflows landed before the larger code surfaces.
3. Python runtime and verifier — done. `python/vibap` is imported with the runtime, verifier surface, selected tests, and a working `pip install -e .` quickstart. New surfaces added since the original plan: the Ardur Personal Hub service (`personal_hub.py`), the Claude Code hook (`claude_code_hook.py`), telemetry and reporting modules, the native-messaging host, and the `ARDUR.md` profile compiler.
4. Examples — partly done. Runnable: LangChain, LangGraph, AutoGen, Ardur Personal browser extension, desktop-observe, native-host, plus the Claude Code plugin pointer. JSON missions remain runnable. Deferred adapter specs: OpenAI Agents SDK, Google ADK.
5. Go runtime and protocol schemas — done. `go/` is a coherent module covering credential, governance, policy, SPIFFE, AAT (constraint engine, derivation, PoP, chain verification — 49 tests), provenance, issuer, trust, transparency, and CLI surfaces.
6. Deployment material — partly done. SPIRE/Kubernetes material is present under `deploy/k8s/spire/` with an honest README about privileges and unverified cluster surfaces. Helm templates remain stubs by design (`deploy/helm/ardur/README.md`).
7. Docs and article spine — partly done. Quickstart, framework integration, security model, known limitations, protocol roots, public-import-plan, and engineering standards are public. Articles 05 and 06 of the journey-log series ship. Technical reference pages live under `docs/reference/`. Conformance test vectors and a few companion fixtures referenced by the v0.1 specs remain to be imported.
8. CI and release gates — done. `.github/workflows/` ships dedicated Python (3.10 + 3.13) and Go test jobs, CodeQL static analysis, link-check, secret-scan, format validation, and the Hugo site build. A proof-smoke workflow lands once stable verifier commands and artifact paths are public.
Release Discipline
- `dev` is the integration branch. `main` is release-only.
- Promote `dev` to `main` only after repeated local verification and passing CI.
- Any claim added to `main` must map to a command, artifact, verifier report, or limitation note.
Verification Checklist
- no obsolete product codename strings in public files
- no machine-local paths
- no private session or coordination references
- no secrets or generated private keys
- README links all resolve
- Python quickstart passes
- proof smoke passes
- Go module sanity check passes for retained Go surface
- Kubernetes material passes schema checks or is explicitly marked design-only
- public workflows do not require private secrets
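
Several checklist items (codename strings, machine-local paths, private keys, and the `.vibap/` exclusion) can be checked mechanically over an export tree before promotion. The sketch below is an added example, not code from the Ardur repo: the rule names, the regexes, the `EXAMPLE_OLD_CODENAME` placeholder, and the sample tree are all assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical placeholder: the page does not list the obsolete codenames.
OBSOLETE_CODENAMES = ["EXAMPLE_OLD_CODENAME"]
RULES = {
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "machine-local-path": re.compile(r"(?:/Users/|/home/)[\w.-]+/|[A-Za-z]:\\Users\\"),
    "obsolete-codename": re.compile("|".join(map(re.escape, OBSOLETE_CODENAMES)), re.I),
}
EXCLUDED_DIRS = {".vibap"}  # local runtime state, excluded by default


def scan_tree(root):
    """Return sorted (relative_path, rule) findings for an export tree."""
    root, findings = Path(root), set()
    for path in root.rglob("*"):  # pathlib globbing includes dotfiles
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.name in EXCLUDED_DIRS:
                findings.add((rel, "excluded-runtime-state"))
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for rule, pattern in RULES.items():
            if pattern.search(text):
                findings.add((rel, rule))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed sample tree (not real project files)."""
    files = {
        "README.md": "Install with pip install -e .\n",
        "python/vibap/cli.py": "CONFIG = '/Users/alice/work/config.json'\n",
        # Header split so secret scanners do not flag this example itself.
        "examples/key.pem": "-----BEGIN EC " + "PRIVATE KEY-----\nconstructed\n",
        "docs/intro.md": "Formerly example_old_codename.\n",
        ".vibap/state.json": "{}\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_tree(tmp), sep="\n")
```

A non-empty result should fail the gate. The path rule will also match CI runner home directories, so reviewed fixtures need an explicit allowlist rather than a looser regex.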