Safe public publish (Vault lane)

Never ship in the public site tree

• Real cryptographic seeds, production passwords, or private key material of any kind.
• Full private lattice states, live ciphertext tied to identifiable users, or dumps from partner systems.
• Internal .env, API keys (sk_live_, AWS access keys, Slack tokens), VPN configs, or employee-only URLs.
• The entire private research monorepo or a raw mirror of internal vault/ unless counsel has decided that disclosure is intentional.
• Paths or filenames that reveal undisclosed filing strategy, counsel notes, or trade-secret recipe steps you still rely on commercially.

Papers and PDFs (disclosure tiers)

Choose deliberately:

• Tier A — Web only: Honest narrative + research status + no full technical PDF. Lowest irreversible surface.
• Tier B — Executive / redacted PDF: Motivation, threat framing, roadmap; equations or construction detail only after redaction and counsel sign-off.
• Tier C — Full monograph PDF: Treat as irreversible technical publication (prior art, reviewer bait, clone surface). Counsel + author together. If hosted, keep under assets/docs/phikey/ as on Phyllux Vault; compress for web size limits.

Demos and tools (happy in the world, not enabling misuse)

• Demo appendix — use only synthetic placeholders (e.g. long x strings). Never paste production seeds into issues, chats, or public repos.
• Pattern lab — open-layer research tooling; explicitly not production vault cryptography.
• Public phyllux-core constants and mesh exports are already a chosen disclosure level; do not extend that to partner-only tuning or skip tables counsel has not cleared.

Automated preflight (repo script)

From the site repository root (phyllux-technologies-web):

npm run preflight

Runs scan:public then generate-sitemap. Scan only: npm run scan:public (same as powershell -ExecutionPolicy Bypass -File .\scripts\scan-public-deploy.ps1).

Fix or remove any match before deploy. Current heuristics include PEM and PGP private blocks, AWS AKIA/ASIA key ids, Stripe sk_live_, Slack tokens, and GitHub ghp_ PATs; files over 2 MB are skipped for performance. The script does not replace human review.

Optional: npm run git-hooks:install once per clone so git push runs npm run preflight via .githooks/pre-push. Undo: npm run git-hooks:uninstall. On macOS/Linux, if Git refuses the hook, run chmod +x .githooks/pre-push once (hook scripts use LF via .gitattributes).

After publish

• Spot-check the live URL in a private window; confirm no directory listing of sensitive folders.
• If you removed a file, assume copies may still exist (archive.org, mirrors). Deletion is not secrecy.