Public / Private Projection Flow

Shows how private truth becomes a public-safe projection and how enforcement consumes it.

graph TD
    PT["Private truth layer<br/>private graph truth"]
    RG["RepoGraph<br/>graph schema and semantics"]
    RULES["Projection rules<br/>visibility and redaction"]
    PM["PlatformManifest<br/>public-safe projection"]
    BA["Boundary artifact<br/>frozen export"]
    CU["Custodian<br/>fail-closed verifier"]
    OPS[OperationsCenter]
    OC[OperatorConsole]
    SB[SwitchBoard]

    PT -->|"private truth export"| RULES
    RG -->|"schema and semantics"| RULES
    RULES --> PM
    PM --> BA
    BA --> CU
    CU -->|"verified context"| OPS
    CU -->|"verified context"| OC
    CU -->|"verified context"| SB

Rules

• Private truth never flows directly to consumers — it passes through projection and redaction first.
• PlatformManifest owns the public-safe projection surface; it does not own private truth.
• Custodian fails closed when the boundary artifact is absent.
• Consumers (OperationsCenter, OperatorConsole, SwitchBoard) receive verified public-safe context only.
• Local manifests used at runtime are never published to the public surface.