docs+growth: SECURITY policy, Why-AICertify, 3 forkable examples, README CTAs #56
Merged
…E CTAs

A focused growth + contributor-onboarding pass. No code changes; pure docs, examples, and policy.

## SECURITY.md

Adds the missing private-disclosure flow at security@principledevolution.ai with a 5-business-day acknowledgement target, CVSS 3.1 severity model, coordinated-disclosure process (advisory + credit + CHANGELOG entry), and hardening notes for users running AICertify in regulated environments.

## README

- "Use it when you need to" value-prop bullets after the hero
- Star CTA after the hero and at the bottom
- OPA-ecosystem credibility line linking the Principled Evolution entry
- New "For OPA / Rego users" section pitching to the existing OPA community
- New "Why AICertify?" section (with link to the full docs/why-aicertify.md)
- New "Who should contribute?" section enumerating six personas and a non-code-contribution invitation
- Updated "Sample Reports" section pointing at docs/demo-report-eu-ai-act.pdf
- Contributing section now links to good-first-issue + help-wanted labels and SECURITY.md

## docs/why-aicertify.md

A long-form positioning document covering the gap (governance lives in docs, not in code), the shift (policy-as-code for AI), the artifact AICertify produces, who it's for, how it compares to vendor SaaS and research toolkits, and the honest scope of what AICertify does NOT do (interpret regulations, certify systems, replace governance programs).

## docs/demo-report-eu-ai-act.pdf

Committed pre-generated PDF so visitors can see the deliverable before installing anything. Added a targeted exception in .gitignore so the demo artifact survives the broader **/*report*.pdf ignore rule.

## examples/

Three forkable application examples, each following the same six-file shape (README, input_contract.json, sample_interactions.json, policy_config.yaml, run.py, expected_report.md):

- examples/customer-support-bot/ — Limited-risk EU AI Act transparency
- examples/healthcare-triage-bot/ — High-risk Annex III(5)(a) + gopal healthcare patient-safety (closes #8 — the long-standing medical example request)
- examples/hiring-screening-bot/ — High-risk Annex III(4) + fair-lending proxy + FRIA metadata pattern

Each example is intentionally safe (the bot never diagnoses, never decides, never conditions on protected attributes) and ships an expected_report.md describing both the pass case and the most common failure modes a fork will hit.

examples/README.md restructured to list these as a table, document the six-file authoring convention, and link to the open contributor-onboarding issues for the examples the community is invited to add next.
A focused growth + contributor-onboarding pass. No application code changes — pure docs, examples, and policy. Built to land alongside the new pinned contributor-call issue #55 and the 10 starter issues #45–#54.
What this PR does
🛡️ SECURITY.md (new)
- security@principledevolution.ai
- aicertify package, CLI, examples, policy evaluation, report generation)
- SECURITY.md warning on the security tab
📝 README rewrites
- docs/why-aicertify.md)
- docs/demo-report-eu-ai-act.pdf — visitors can see the deliverable without installing anything
📄 docs/why-aicertify.md (new)
A long-form positioning document: the governance gap, the policy-as-code shift, the artefact AICertify produces, who it's for, how it compares to vendor SaaS and research toolkits, and the honest scope of what AICertify doesn't substitute for.
📦 Three forkable examples (six files each)
Same shape across all three so the pattern is obvious:
- customer-support-bot/
- healthcare-triage-bot/
- hiring-screening-bot/
Each example ships README.md, input_contract.json, sample_interactions.json, policy_config.yaml, run.py, and expected_report.md. Captured interactions are intentionally safe (the bots refuse to diagnose / decide / condition on protected attributes), and expected_report.md documents both the pass case and the most common failure modes a fork will hit.
examples/README.md restructured to list these as a table, document the six-file authoring convention, and point at the open contributor-onboarding issues for examples the community is invited to add next.
📌 Repo metadata + community config (already shipped — not in this diff)
- ai-governance, ai-compliance, eu-ai-act, nist-ai-rmf, responsible-ai, trustworthy-ai, policy-as-code, open-policy-agent, opa, rego, model-governance, ai-audit, llm-evaluation, compliance-automation, python
- 📦 examples, 🦜 llm-apps, ⚙️ ci, 🛠️ developer-experience
- Goal / Why / Files / Acceptance / Help templates
What this PR does NOT do
- aicertify/ is untouched
- pyproject.toml and poetry.lock are unchanged
- expected_report.md instead — running the example produces the report, which is the live verification)
Risk
Very low. Pure docs + examples + policy. CI passes.