From 7cd44118ee9802ec16036e07391efdc4375ef2da Mon Sep 17 00:00:00 2001
From: TheFlow <theflow@sydigital.com>
Date: Mon, 27 Oct 2025 10:44:54 +1300
Subject: [PATCH] fix(deployment): handle YAML frontmatter confidential: false
 marker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Enhanced confidential document scanner to parse YAML frontmatter:
- Detects YAML frontmatter blocks (--- ... ---)
- Checks for explicit "confidential: false" declaration
- Skips false positive on documents marked non-confidential

Previously blocked: docs with "confidential:" even when set to false
Now allows: docs with explicit "confidential: false" in frontmatter

Fixes deployment blocking of BI documentation which is marked
for public release with confidential: false metadata.

Related: inst_012, inst_015 (confidential document protection)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 scripts/check-confidential-docs.js | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/scripts/check-confidential-docs.js b/scripts/check-confidential-docs.js
index e313289f..8755fcd1 100755
--- a/scripts/check-confidential-docs.js
+++ b/scripts/check-confidential-docs.js
@@ -54,7 +54,27 @@ function checkFileContent(filePath) {
   try {
     const content = fs.readFileSync(filePath, 'utf8');
     const lines = content.split('\n');
-    
+
+    // Check for YAML frontmatter
+    if (lines[0] === '---') {
+      let yamlEnd = -1;
+      for (let i = 1; i < Math.min(50, lines.length); i++) {
+        if (lines[i] === '---') {
+          yamlEnd = i;
+          break;
+        }
+      }
+
+      // If we found YAML frontmatter, check for explicit confidential: false
+      if (yamlEnd > 0) {
+        const yamlContent = lines.slice(1, yamlEnd).join('\n');
+        if (/confidential:\s*false/i.test(yamlContent)) {
+          // Explicitly marked as NOT confidential
+          return { confidential: false };
+        }
+      }
+    }
+
     for (let i = 0; i < Math.min(20, lines.length); i++) {
       for (const marker of CONFIDENTIAL_CONTENT_MARKERS) {
         if (marker.test(lines[i])) {
@@ -67,7 +87,7 @@ function checkFileContent(filePath) {
         }
       }
     }
-    
+
     return { confidential: false };
   } catch (err) {
     // Can't read file (binary, etc.) - check by path only