From 9186498041b3c4d0a2338c445831df059ee0306f Mon Sep 17 00:00:00 2001 From: Wentzel-DevDocs <276652875+Wentzel-DevDocs@users.noreply.github.com> Date: Sun, 24 May 2026 15:53:41 -0500 Subject: [PATCH] Document artifact repo quarantine --- README.md | 22 ++++++ .../DEV-736-artifact-repo-quarantine.md | 77 +++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 README.md create mode 100644 compliance/DEV-736-artifact-repo-quarantine.md diff --git a/README.md b/README.md new file mode 100644 index 000000000..273862f45 --- /dev/null +++ b/README.md @@ -0,0 +1,22 @@ +# devdocsorg.github.io + +## SOC 2 repository status + +This repository is classified for DEV-736 as a legacy static artifact repository. +The checked-in surface is generated GitHub Pages output: static HTML, images, +fonts, JavaScript worker files, schemas, sitemap data, `.nojekyll`, and a `CNAME` +for `docs.devdocs.work`. No application source tree, package manifest, CI +workflow, server runtime, database client, or deployment pipeline definition is +present in this checkout. + +Production boundary status: treat this repository as a production-adjacent +hosting boundary while GitHub Pages or the `docs.devdocs.work` custom domain can +serve from it. It should not be used as the authoritative documentation source or +as a place to make product changes. + +Operational rule: do not edit hosted content here except for emergency rollback +or explicitly approved retirement work. Make source documentation changes in the +canonical documentation repository, then publish through the approved pipeline. + +See [compliance/DEV-736-artifact-repo-quarantine.md](compliance/DEV-736-artifact-repo-quarantine.md) +for the quarantine, lockdown, retirement, and acceptance checklist. diff --git a/compliance/DEV-736-artifact-repo-quarantine.md b/compliance/DEV-736-artifact-repo-quarantine.md new file mode 100644 index 000000000..0e5801b1a --- /dev/null +++ b/compliance/DEV-736-artifact-repo-quarantine.md 
@@ -0,0 +1,77 @@ +# DEV-736 Artifact Repository Quarantine + +## Scope + +DEV-736 covers the duplicate `devdocsorg.github.io` repository and its GitHub +Pages artifact surface. This document is intentionally documentation-only and +does not change hosted content, routing, domain configuration, or generated +assets. + +## Classification + +- Repository type: legacy static artifact repository. +- Contents observed: generated HTML, CSS, JavaScript, workers, images, schemas, + sitemap data, `.nojekyll`, and `CNAME`. +- Canonical source status: not canonical source of truth. No source application + tree, dependency manifest, build command, test command, CI workflow, or release + pipeline was present in this checkout. +- Secrets status: no secrets are required for this repository to serve static + artifacts. Repository settings should still be checked for GitHub Actions + secrets, Pages deploy keys, environment secrets, and third-party integration + tokens before archival or deletion. + +## Production Boundary Status + +This repository must be treated as production-adjacent until ownership confirms +that it no longer serves public traffic. The root `CNAME` currently points Pages +configuration at `docs.devdocs.work`; while that domain or GitHub Pages remains +active, this repository is inside the documentation hosting control boundary. + +No new production functionality should be developed here. Changes should be +limited to quarantine documentation, access control, retirement mechanics, or +emergency rollback approved by the repository owner. + +## Required Lockdown Steps + +1. Identify and record the canonical documentation source repository and current + deployment pipeline owner. +2. Confirm whether `docs.devdocs.work` or any other public URL still resolves to + artifacts from this repository. +3. Freeze content edits in this repository except for approved retirement or + emergency rollback work. +4. 
Restrict write/admin access to repository owners responsible for retirement. +5. Confirm branch protection or equivalent review requirements for the serving + branch until retirement is complete. +6. Review repository settings for Actions secrets, environment secrets, deploy + keys, webhooks, GitHub Pages settings, and third-party integrations; remove + anything no longer required. +7. Disable GitHub Pages for this repository after traffic has been migrated or + confirmed inactive. +8. Remove or repoint the custom domain only after DNS and Pages migration have + been validated. +9. Archive or delete the repository after retention, evidence, and rollback + requirements are satisfied. + +## Retirement Evidence + +Capture the following evidence before closing DEV-736: + +- Canonical documentation repository and pipeline link. +- Screenshot or export of repository access controls after lockdown. +- Screenshot or export of GitHub Pages status after disablement or migration. +- DNS validation showing `docs.devdocs.work` no longer depends on this + repository, if applicable. +- Confirmation that repository secrets, deploy keys, webhooks, and integrations + were reviewed and removed or explicitly retained with owner approval. +- Archive/delete decision, retention rationale, and approval record. + +## Acceptance Criteria + +- Repository README clearly labels this repo as a legacy static artifact repo. +- Production boundary status is documented and acknowledges the current + `docs.devdocs.work` Pages surface. +- Required lockdown and retirement steps are documented. +- Evidence requirements for SOC 2 closure are documented. +- Hosted static content behavior is unchanged by this patch. +- No secrets or environment files are required, introduced, or inspected by this + documentation patch.
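Review bot: In README.md, the "SOC 2 repository status" paragraph lists `.nojekyll` and a `CNAME` for `docs.devdocs.work` among the checked-in files, so if Pages publishes from the root of this branch, the new `README.md` and `compliance/DEV-736-artifact-repo-quarantine.md` will themselves be served as static files on that domain. That is at odds with the stated intent of leaving hosted content untouched. Confirm the Pages publishing source before merge, and either keep these files outside the published path or state explicitly that public exposure of the quarantine notes is accepted. Separately, the "Operational rule" paragraph points to "the canonical documentation repository" and "the approved pipeline" without naming or linking either; a link, or a note that both are pending lockdown step 1, would make the rule actionable.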
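Review bot: In "Required Lockdown Steps", step 7 disables GitHub Pages before step 8 removes or repoints the custom domain, and step 7's "confirmed inactive" condition does not require the DNS record to be gone. If the record for `docs.devdocs.work` still targets GitHub Pages at the moment Pages is disabled, the hostname is left dangling and exposed to subdomain takeover. Suggest reordering so that DNS removal or repointing is validated first, and making the DNS item under "Retirement Evidence" mandatory rather than "if applicable" whenever the `CNAME` file is present. The acceptance criterion "Hosted static content behavior is unchanged by this patch" also names no verification method; stating how it is checked, for example by comparing the published file list before and after, would make it auditable.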