fix(deployment): handle YAML frontmatter confidential: false marker

Enhanced confidential document scanner to parse YAML frontmatter:
- Detects YAML frontmatter blocks (--- ... ---)
- Checks for explicit "confidential: false" declaration
- Skips false positive on documents marked non-confidential

Previously blocked: docs with "confidential:" even when set to false
Now allows: docs with explicit "confidential: false" in frontmatter

Fixes deployment blocking of BI documentation which is marked
for public release with confidential: false metadata.

Related: inst_012, inst_015 (confidential document protection)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

scripts/check-confidential-docs.js

@@ -54,7 +54,27 @@ function checkFileContent(filePath) {
   try {
     const content = fs.readFileSync(filePath, 'utf8');
     const lines = content.split('\n');
-    
+
+    // Check for YAML frontmatter
+    if (lines[0] === '---') {
+      let yamlEnd = -1;
+      for (let i = 1; i < Math.min(50, lines.length); i++) {
+        if (lines[i] === '---') {
+          yamlEnd = i;
+          break;
+        }
+      }
+
+      // If we found YAML frontmatter, check for explicit confidential: false
+      if (yamlEnd > 0) {
+        const yamlContent = lines.slice(1, yamlEnd).join('\n');
+        if (/confidential:\s*false/i.test(yamlContent)) {
+          // Explicitly marked as NOT confidential
+          return { confidential: false };
+        }
+      }
+    }
+
     for (let i = 0; i < Math.min(20, lines.length); i++) {
       for (const marker of CONFIDENTIAL_CONTENT_MARKERS) {
         if (marker.test(lines[i])) {
@@ -67,7 +87,7 @@ function checkFileContent(filePath) {
         }
       }
     }
-    
+
     return { confidential: false };
   } catch (err) {
     // Can't read file (binary, etc.) - check by path only