From 1b4106b252ac4b7b3235f0ae959717535315645f Mon Sep 17 00:00:00 2001 From: byteworthy Date: Wed, 17 Jun 2026 21:53:50 -0500 Subject: [PATCH 1/4] docs(profile): reground public org README + FUNDING to current canon The public org profile (the github.com/Upstream-Intelligence landing page) was last touched 05-17 and predated the 2026-06-14 canon grounding, so it still sold the retired Founding Pioneer program and the old pack-led positioning. Regrounded against marketing/src/lib/site.ts (the canonical public-copy source): - Pricing: removed Pioneer $49/locked-for-life + $349 'Pro'; now Assist (free), Pay-as-you-go (from $18), Co-pilot (from $1,500/mo + $12/sub), Autopilot (custom). - Positioning: 'nine specialty packs / verticals' -> one connected platform. - Specialties: retired ABA/SNF/PT-OT/dental/dialysis/imaging/home-health list -> current Infusion, Oncology, Rheumatology, GI, Neurology, Cardiology, Orthopedics, Pain Management. - How it works: reframed to the canonical Signal -> Brief -> Action -> Approval -> Outcome loop (approval-gated execution). - Counts: skills 8 -> 9; stats 'last updated' bumped to 2026-06-17. - FUNDING.yml: removed dead upstream.cx/pioneer link. No em/en dashes. Operational specifics left as-is for separate verification (see PR). --- FUNDING.yml | 1 - profile/README.md | 98 +++++++++++++++++++++++------------------------ 2 files changed, 48 insertions(+), 51 deletions(-) diff --git a/FUNDING.yml b/FUNDING.yml index 442445d..7dd80cb 100644 --- a/FUNDING.yml +++ b/FUNDING.yml @@ -1,6 +1,5 @@ github: [] ko_fi: upstream custom: - - "https://upstream.cx/pioneer" - "https://upstream.cx/pricing" - "https://upstream.cx/newsletter" diff --git a/profile/README.md b/profile/README.md index cdc4799..f60da98 100644 --- a/profile/README.md +++ b/profile/README.md 
@@ -11,29 +11,29 @@ **Care Intelligence Platform for healthcare practices.** -What payers are doing right now. How it affects your revenue. What to do about it. +Care intelligence from benefits and eligibility through revenue intelligence. What payers are doing right now, what it means for the practice, and the prepared action your team approves. [Website](https://upstream.cx) · [Pricing](https://upstream.cx/pricing) · [Developer keys](https://upstream.cx/developers/keys) · [Newsletter](https://upstream.cx/newsletter) -> **Founding Pioneer Program** +> **Start free, pay when you submit** > -> Pioneer seat unlocks: $49/mo locked for life across all future tiers · Direct input into the detection roadmap · Co-authored case study credit when your numbers improve · Quarterly 1:1 strategy call · First access to new specialty packs as they ship. +> Assist is free: payer intelligence, eligibility, and prior-auth requirements. Pay as you go is from $18 per prepared submission with no monthly base. Co-pilot and Autopilot add the prepared workflow when you want it. > -> [Claim a Pioneer seat →](https://upstream.cx/pricing) · [Free claim audit](https://upstream.cx/audit) +> [Start with Assist (free) →](https://app.upstream.cx/signup?tier=assist) · [Free claim audit](https://upstream.cx/audit) --- ## 30 seconds -**Upstream is a Care Intelligence Platform.** It detects payer behavior shifts: denial spikes, adjudication policy changes, payment slowdowns. These surface before traditional reporting catches them. Operators across nine healthcare verticals use Upstream to act before the damage lands. +**Upstream is a Care Intelligence Platform.** It detects payer behavior shifts: denial spikes, adjudication policy changes, payment slowdowns. These surface before traditional reporting catches them. Specialty practices use Upstream to act before the damage lands. **It is not a clearinghouse.** Upstream sits on top of your existing billing stack as a force multiplier. 
We do not bill payers. We do not bill patients. We do not replace your billing team. We tell them what to work on and when. -**Pioneer beta is open.** $49 per month, locked for life. First actionable payer pattern in 30 days or your money back. +**One connected platform.** Benefits and eligibility, prior authorization, denial management, payer intelligence, and revenue intelligence stay connected and under approval. Nothing executes until a person on your team approves it. -[Claim a Pioneer seat →](https://upstream.cx/pricing) · [Free claim audit →](https://upstream.cx/audit) +[Start with Assist (free) →](https://app.upstream.cx/signup?tier=assist) · [Free claim audit →](https://upstream.cx/audit) --- @@ -44,7 +44,7 @@ Three layers. The Care Intelligence Platform is a paid SaaS. The Upstream API an | Repo | What it is | Use if you... | |---|---|---| | [upstream-mcp](https://github.com/Upstream-Intelligence/upstream-mcp) | Model Context Protocol server | want pre-submission claim risk, denial intel, and payer signals inside your Claude workflow. | -| [upstream-skills](https://github.com/Upstream-Intelligence/upstream-skills) | Eight Claude Code skills for billing teams | want denial decoding, appeal drafting, NCCI checks, and prior-auth readiness as slash commands. | +| [upstream-skills](https://github.com/Upstream-Intelligence/upstream-skills) | Nine Claude Code skills for billing teams | want denial decoding, appeal drafting, NCCI checks, and prior-auth readiness as slash commands. | | [upstream-community](https://github.com/Upstream-Intelligence/upstream-community) | Open ML reference implementations | want to see the statistical methodology behind denial detection. Public CMS data only. | | [awesome-payer-risk](https://github.com/Upstream-Intelligence/awesome-payer-risk) | Curated RCM resource list | are getting started in payer behavior and need a reading list. | 
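Review bot: The count in the upstream-skills row ("Nine Claude Code skills") is a literal that this same patch also hardcodes in the open-source repos table ("Nine workflow skills"), the "Built in public" stats row ("| 9 |") and the developer resources table, and the canon guard added in PATCH 2/4 checks wording, not numbers, so the next skill added to upstream-skills will leave four rows to move by hand. Keep the number in the stats table only and describe the repo without a count in the other three rows, or have the guard compare the stated count against the skill pack.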
@@ -56,20 +56,23 @@ The product itself lives at [upstream.cx](https://upstream.cx). The repos above Your billing team learns about a denial spike when this month's report lands. By then it has already cost you the quarter. -Upstream is the early warning system. We monitor payer adjudication patterns and surface shifts the first time they appear, not the thirtieth. Your team gets an actionable alert in their queue with the specific payer, the specific code, and the specific fix. Before the wave hits. +Upstream is the early warning system. We monitor payer adjudication patterns and surface shifts the first time they appear, not the thirtieth. Your team gets an actionable alert in their queue with the specific payer, the specific code, and the specific fix. -Works across ABA, mental health, SUD, SNF, PT/OT, dental, dialysis, imaging, and home health. The detection engine is the same across specialties. The packs add the workflow. +One connected platform covers the specialty practices we serve. The detection engine is the same across specialties; the practice context shapes the workflow. --- ## How it works -1. **Connect.** Claims data, 835 remittance, authorization data, EHR webhooks. APIs, CSV uploads, or pre-built connectors. -2. **Detect.** DriftWatch (statistical denial rate detection), DenialScope (dollar weighted impact), DelayGuard (payment timing deterioration), and specialty specific checks run continuously. -3. **Prioritize.** Issues route by confidence tier and dollar weighted impact. The highest impact, highest confidence work surfaces first. -4. **Act.** One click appeal generation. Auto submit for low risk fixes. Escalate high impact decisions to operators with the document trail attached. +Upstream runs one approval-gated loop. The same workflow objects carry readiness, urgency, the next safe action, execution state, and evidence. -Setup is 12 minutes. Pioneer beta target: first actionable payer pattern in 30 days or your money back. +1. 
**Signal.** A change in payer behavior or a requirement worth acting on. DriftWatch (statistical denial rate detection), DenialScope (dollar weighted impact), and DelayGuard (payment timing deterioration) run continuously. +2. **Brief.** Plain language: what changed and what it means for the practice. +3. **Action.** The prepared work. An appeal, a submission, a verification, scored and ready. +4. **Approval.** A person on your team approves before anything executes. +5. **Outcome.** The tracked result, carried forward into the next case. + +Connect via APIs, CSV uploads, EHR webhooks, or 835 remittance ingestion. --- 
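Review bot: The Approval step says a person approves "before anything executes" but the hunk never says what counts as execution. The pillars table further down still advertises "one click appeal generation" and the Action step calls the work "scored and ready", so add one sentence placing drafting, scoring and preparation before the gate and naming what the approval releases (sending an appeal, a claim submission, a verification request to the payer). Without that line the "Autopilot" tier in the pricing callout reads as contradicting "Nothing executes until a person on your team approves it."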
@@ -77,25 +80,21 @@ Setup is 12 minutes. Pioneer beta target: first actionable payer pattern in 30 d | Pillar | What it does | |---|---| -| **Care Intelligence** | Operational visibility for the people delivering care. Authorization burn, unit and visit tracking, expiration prevention, scheduling friction signals. | -| **Payer Intelligence** | Behavioral fingerprinting. Aggressive Denier, Slow Payer, Prompt Payer, Underpayer cluster classifications. Adjudication shift detection with the date of detection. | -| **Denial Management** | DriftWatch (statistical denial rate detection), DenialScope (dollar weighted impact), DelayGuard (payment timing deterioration). Action queue with one click appeal generation. | +| **Benefits and Eligibility** | Coverage and eligibility posture kept current, with prior-auth requirements surfaced before submission. | | **Prior Authorization Intelligence** | Pre-submission authorization scoring. Approval probability with specific risk factors. Renewal tracking with 30, 14, and 3 day warnings. | +| **Denial Management** | DriftWatch (statistical denial rate detection), DenialScope (dollar weighted impact), DelayGuard (payment timing deterioration). Action queue with one click appeal generation. | +| **Payer Intelligence** | Behavioral fingerprinting. Aggressive Denier, Slow Payer, Prompt Payer, Underpayer cluster classifications. Adjudication shift detection with the date of detection. | +| **Revenue Intelligence** | Dollar weighted impact across the loop, from detection through recovered outcome. | --- ## Specialty coverage -| Specialty | What ships | -|---|---| -| **ABA** | Authorization unit tracking, session monitoring, reauthorization windows, credentialing alerts. | -| **SNF (Skilled Nursing)** | PDPM payment variance, MA reimbursement drift, census risk, stay level alerts, UB-04 revenue code monitoring. | -| **PT / OT** | 8 minute rule compliance, KX modifier threshold tracking ($2,410), session compliance, visit limit warnings. 
| -| **Dental** | PPO economics signals, downcoding pattern detection, bundling alerts, contract risk visibility, silent PPO detection. | -| **Dialysis** | ESRD PPS variance, MA reimbursement drift, TDAPA and TPNIES tracking, treatment authorization. | -| **Imaging** | Prior authorization requirements by RBM (eviCore, AIM), AUC compliance, advanced imaging risk scoring. | -| **Home Health** | PDGM grouping, Face to Face encounter tracking, NOA timing, certification cycle management. | -| **Behavioral Health** | Authorization windows, session monitoring, denial pattern detection across plan types. | +One connected platform. The detection engine is shared; the practice context shapes the workflow. + +| Specialties served | +|---| +| Infusion · Oncology · Rheumatology · Gastroenterology · Neurology · Cardiology · Orthopedics · Pain Management | --- @@ -109,8 +108,7 @@ Upstream is in a different lane than clearinghouses or legacy enterprise RCM. Mo | Pre-submission claim risk scoring | ✓ | Limited | Limited | ✗ | | Denial drift detection (statistical) | ✓ | ✗ | Manual | ✗ | | Payer cluster classification | ✓ | ✗ | ✗ | ✗ | -| Specialty workflow logic | Nine verticals | Generic | Generic + custom | Generic | -| Setup time | 12 minutes | Days to weeks | Months | Hours | +| Approval-gated execution | ✓ | ✗ | Partial | ✗ | | Replaces billing team | ✗ | ✗ | Sometimes | ✗ | | Bills payers | ✗ | ✓ | ✓ | ✗ | | Open methodology | ✓ ([upstream-community](https://github.com/Upstream-Intelligence/upstream-community)) | ✗ | ✗ | n/a | 
@@ -129,30 +127,30 @@ The core platform stays private. Three tools are openly available. | Repository | What it is | License | |---|---|---| -| [upstream-mcp](https://github.com/Upstream-Intelligence/upstream-mcp) | Model Context Protocol server. Bring Upstream intelligence into Claude with 12 tools across 5 categories. | MIT | -| [upstream-skills](https://github.com/Upstream-Intelligence/upstream-skills) | Claude Code skill pack. Eight workflow skills for billing teams. | MIT | +| [upstream-mcp](https://github.com/Upstream-Intelligence/upstream-mcp) | Model Context Protocol server. Bring Upstream intelligence into Claude. | MIT | +| [upstream-skills](https://github.com/Upstream-Intelligence/upstream-skills) | Claude Code skill pack. Nine workflow skills for billing teams. | MIT | | [upstream-community](https://github.com/Upstream-Intelligence/upstream-community) | Reference ML implementations using public CMS data. CatBoost denial predictor, drift detection, payer clustering. Methodology, not weights. | MIT | --- ## Built in public -Upstream is a working production system, not a slide deck. Numbers below are pulled from the actual codebase. +Upstream is a working production system, not a slide deck. 
| Signal | Count | Source | |---|---|---| | Open source modules | 7 | [upstream-community](https://github.com/Upstream-Intelligence/upstream-community) | -| Specialty packs shipped | 9 | ABA, mental health, SUD, SNF, PT/OT, dental, dialysis, imaging, home health | +| Specialties served | 8 | Infusion, Oncology, Rheumatology, GI, Neurology, Cardiology, Orthopedics, Pain Management | | Detection engines live | 6 | DriftWatch, DenialScope, DelayGuard, Authorization Tracking, Pre-Submission Risk Scoring, Behavioral Prediction | -| Public Claude MCP tools | 12 | [upstream-mcp](https://github.com/Upstream-Intelligence/upstream-mcp) | -| Public Claude Code skills | 8 | [upstream-skills](https://github.com/Upstream-Intelligence/upstream-skills) | +| Public Claude MCP tools | [upstream-mcp](https://github.com/Upstream-Intelligence/upstream-mcp) | Operator and intelligence tools for Claude | +| Public Claude Code skills | 9 | [upstream-skills](https://github.com/Upstream-Intelligence/upstream-skills) | | Public CMS data integrations | 7 | NCCI, CARC, RARC, MUE, Physician Fee Schedule, NPPES, Federal Register | | Free tools live | 3 | Claim audit, Plan Denial Heatmap, Prior Auth Sandbox | | BAA template | Available | hello@upstream.cx | | Security disclosure path | Active | security@upstream.cx | | HIPAA technical safeguards | Implemented | [SECURITY.md](https://github.com/Upstream-Intelligence/.github/blob/main/SECURITY.md) | -Last updated: 2026-04-25 +Last updated: 2026-06-17 --- 
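Review bot: The "Public Claude MCP tools" row has its columns shifted: the repo link now sits in the Count column and the prose "Operator and intelligence tools for Claude" in the Source column, while every other row is number | source. Put a count (or "n/a") in the middle column and the link back under Source, or drop the row. In the same hunk, deleting "Numbers below are pulled from the actual codebase." leaves the remaining counts (7 open source modules, 6 detection engines, 7 CMS integrations, 3 free tools) with no stated provenance; if the line went because the numbers are no longer generated from code, say where they come from now, otherwise keep it.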
@@ -167,7 +165,7 @@ Real alert format. Synthetic example for illustration only. > **Scope**: Network-wide pattern > > **What we saw** -> UnitedHealthcare adjudication of CPT 97155 paired with diagnosis F84.0 shifted from a 8.2 percent denial baseline (13 week window) to 31.4 percent denial in the last 7 days. Chi-square p less than 0.001. Pattern detected on 835 remittance from multiple operators across 3 states on the same day. +> UnitedHealthcare adjudication of a high-volume specialty code shifted from a 8.2 percent denial baseline (13 week window) to 31.4 percent denial in the last 7 days. Chi-square p less than 0.001. Pattern detected on 835 remittance from multiple operators across 3 states on the same day. > > **Affected work in your account** > 23 in-flight authorizations match the new pattern. 
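Review bot: "a 8.2 percent denial baseline" should be "an 8.2 percent"; the + line carries the typo over from the - line. More importantly, the "Why it exists" section promises an alert with "the specific payer, the specific code, and the specific fix", and this sample alert no longer shows a code at all ("a high-volume specialty code"). The block is already labelled synthetic, so use a placeholder procedure and diagnosis code from one of the eight current specialties rather than removing the field; as written the sample no longer demonstrates the format the page says it demonstrates.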
@@ -186,11 +184,11 @@ This is what your billing team sees in their queue the morning a payer behavior | Resource | What it gives you | |---|---| -| [upstream-mcp](https://github.com/Upstream-Intelligence/upstream-mcp) | MCP server. Bring Upstream into Claude with 12 tools across 5 categories. | -| [upstream-skills](https://github.com/Upstream-Intelligence/upstream-skills) | Claude Code skill pack. Eight workflow skills for billing teams. | +| [upstream-mcp](https://github.com/Upstream-Intelligence/upstream-mcp) | MCP server. Bring Upstream into Claude. | +| [upstream-skills](https://github.com/Upstream-Intelligence/upstream-skills) | Claude Code skill pack. Nine workflow skills for billing teams. | | [upstream-community](https://github.com/Upstream-Intelligence/upstream-community) | Reference ML implementations. CatBoost denial predictor, drift detection, payer clustering. | | [API documentation](https://upstream.cx/developers) | REST API reference, OpenAPI spec, webhook contracts, rate limits. | -| [Free API key](https://upstream.cx/developers/keys) | 500 calls per month, no credit card, 12 minute setup. | +| [Free API key](https://upstream.cx/developers/keys) | 500 calls per month, no credit card. | --- 
@@ -199,35 +197,35 @@ This is what your billing team sees in their queue the morning a payer behavior | Resource | What it gives you | |---|---| | [Free claim audit](https://upstream.cx/audit) | Upload one claim file, get back denial pattern analysis. No credit card. | -| [Pricing](https://upstream.cx/pricing) | Pioneer beta $49 per month locked for life. Pro tier $349 per month. Larger plans on request. | +| [Pricing](https://upstream.cx/pricing) | Assist free. Pay as you go from $18 per submission. Co-pilot from $1,500 per month plus $12 per submission. Autopilot custom. | | [Newsletter](https://upstream.cx/newsletter) | Monthly digest of payer behavior shifts and regulatory updates. Free. | | [Blog](https://blog.upstream.cx) | Deep dives on payer behavior, regulatory changes, and operator playbooks. | -| [Pack pages](https://upstream.cx/packs) | Specialty deep dives: ABA, SNF, PT/OT, dental, dialysis, imaging, home health, behavioral health. | +| [Specialties](https://upstream.cx/specialties) | The specialty practices Upstream serves on one connected platform. | --- ## FAQ **What is Upstream?** -A Care Intelligence Platform that detects payer behavior shifts (denial spikes, adjudication policy changes, payment slowdowns) before traditional reporting catches them. Built for healthcare practices in ABA, mental health, SUD, SNF, PT/OT, dental, dialysis, imaging, and home health. +A Care Intelligence Platform that detects payer behavior shifts (denial spikes, adjudication policy changes, payment slowdowns) before traditional reporting catches them. One connected platform for specialty practices, under approval. **Is Upstream a clearinghouse?** No. Upstream sits on top of your existing billing stack as a force multiplier. We do not bill payers. We do not bill patients. We do not replace your billing team. We tell them what to work on and when. **Is Upstream HIPAA compliant?** -Yes. PHI is encrypted at rest using Fernet (AES-128-CBC plus HMAC-SHA256). 
All claims data lives within a customer scoped tenant boundary. Network signals are derived from anonymized aggregations. Full BAA on every paid plan. SOC 2 controls are in place and the formal Type II audit kicks off as the first Pioneer cohort signs. +Yes. PHI is encrypted at rest using Fernet (AES-128-CBC plus HMAC-SHA256). All claims data lives within a customer scoped tenant boundary. Network signals are derived from anonymized aggregations. Full BAA on every paid plan. SOC 2 controls are in place. **What does Upstream cost?** -Pioneer beta access starts at $49 per month, locked for life. Production tier starts at $349 per month (Pro). Larger plans for multi-location groups and outsourced billing companies are quoted via [upstream.cx/pricing](https://upstream.cx/pricing). +Assist is free. Pay as you go is from $18 per prepared submission with no monthly base. Co-pilot is from $1,500 per month plus $12 per submission. Autopilot is custom, scoped to your volume. Details at [upstream.cx/pricing](https://upstream.cx/pricing). **Is there a free tier?** -The Upstream MCP server has a free tier with 500 API calls per month and no credit card. Free tools include the [Plan Denial Heatmap](https://upstream.cx/tools/denial-heatmap) and the [Prior Auth Sandbox](https://upstream.cx/tools/prior-auth-sandbox). The full platform requires a paid tier (Pioneer $49 per month or higher). +Yes. Assist is free, and the Upstream MCP server has a free tier with 500 API calls per month and no credit card. Free tools include the [Plan Denial Heatmap](https://upstream.cx/tools/denial-heatmap) and the [Prior Auth Sandbox](https://upstream.cx/tools/prior-auth-sandbox). **Does Upstream work with my EHR or billing system?** -Upstream connects via APIs, CSV uploads, EHR webhooks, or 835 remittance ingestion. Pre built connectors are available for Epic (FHIR R4), athenahealth, and Cerner. Open Dental, Dentrix, and Eaglesoft connectors are on the roadmap. 
+Upstream connects via APIs, CSV uploads, EHR webhooks, or 835 remittance ingestion. **How does Upstream compare to Adonis or Waystar?** -Different lane. Adonis orchestrates billing team work. Waystar is a clearinghouse plus revenue cycle management platform. Upstream watches what payers actually do to your claims and tells you 30 to 60 days before it costs you. Most operators run Upstream alongside one or both of those tools. +Different lane. Adonis orchestrates billing team work. Waystar is a clearinghouse plus revenue cycle management platform. Upstream watches what payers actually do to your claims and tells you 30 to 60 days ahead of the cost. Most operators run Upstream alongside one or both of those tools. **What happens to my data?** Your claims data lives in your customer scoped tenant boundary. PHI is encrypted at rest. Aggregated, anonymized signals contribute to the network detection engine. You can export your data at any time. Full data destruction available on plan cancellation per the BAA. @@ -266,7 +264,7 @@ Free monthly newsletter covering payer behavior shifts, regulatory updates, and Security disclosure → security@upstream.cx · [SECURITY.md](https://github.com/Upstream-Intelligence/.github/blob/main/SECURITY.md) -HIPAA: Fernet AES-128-CBC + HMAC-SHA256. BAA available on all paid plans. SOC 2 controls in place; formal Type II audit begins with first Pioneer cohort. Data export and destruction on cancellation per BAA. +HIPAA: Fernet AES-128-CBC + HMAC-SHA256. BAA available on all paid plans. SOC 2 controls in place. Data export and destruction on cancellation per BAA. Questions: hello@upstream.cx From 54a13f5c4d9a1beb1fa21b4a2ff320db9826ac56 Mon Sep 17 00:00:00 2001 
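Review bot: The EHR FAQ hunk deletes "Pre built connectors are available for Epic (FHIR R4), athenahealth, and Cerner" and the Open Dental/Dentrix/Eaglesoft roadmap sentence, but the commit message says operational specifics were left as-is for separate verification; either the connector claim was verified as retired (then say so in the message) or the sentence should stay until that verification lands. Two smaller points in the same FAQ: the free-tier answer dropped "The full platform requires a paid tier", so it no longer says whether Assist is the full platform or the eligibility and prior-auth subset described in the callout; and "SOC 2 controls are in place" now stands alone after the Type II sentence was removed, so a reader cannot tell whether any report exists. State the audit status (none yet, Type I, or Type II with date) or point at SECURITY.md for it, as the stats table already does for the HIPAA safeguards row. The Fernet description (AES-128-CBC plus HMAC-SHA256) matches the Fernet spec; the next question a security reviewer will ask is where that key lives and how it rotates, which belongs in SECURITY.md rather than the profile.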
From: byteworthy Date: Wed, 17 Jun 2026 22:18:27 -0500 Subject: [PATCH 2/4] ci(profile): add canon guard so the public profile cannot re-drift The public org profile (profile/README.md + FUNDING.yml) drifted unguarded for a month and still sold the retired Pioneer program until the 2026-06-17 reground. Root cause: this repo had no canon guard while every sibling does. Adds scripts/check-canon.sh + .github/workflows/canon.yml (mirrors the sibling guards) to ban retired Pioneer/pricing/pack framing on the public surfaces. Self-tested: passes clean, proven able to fail on an injected banned line. --- .github/workflows/canon.yml | 13 +++++++++++++ scripts/check-canon.sh | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 .github/workflows/canon.yml create mode 100755 scripts/check-canon.sh diff --git a/.github/workflows/canon.yml b/.github/workflows/canon.yml new file mode 100644 index 0000000..54d716a --- /dev/null +++ b/.github/workflows/canon.yml @@ -0,0 +1,13 @@ +name: canon + +on: + push: + pull_request: + +jobs: + canon: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: No retired Pioneer/pricing/pack framing on the public profile + run: bash scripts/check-canon.sh diff --git a/scripts/check-canon.sh b/scripts/check-canon.sh new file mode 100755 index 0000000..3ebb111 --- /dev/null +++ b/scripts/check-canon.sh 
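Review bot: The workflow has no `permissions:` block and pins `actions/checkout` to a mutable tag. Grepping a checkout needs read access only, so add a workflow-level `permissions:` with `contents: read` (unless the repository's default GITHUB_TOKEN permissions are already read-only, the default token carries write scopes), and pin the action to a full commit SHA with the tag in a trailing comment, since a retagged `v4` would otherwise change what runs on every push and pull request of the org's most public repo.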
@@ -0,0 +1,34 @@ +#!/usr/bin/env bash +# Canon guard for the public org profile (github.com/Upstream-Intelligence). +# +# profile/README.md + FUNDING.yml are the most public surface in the ecosystem. +# They drifted unguarded for a month and still advertised the RETIRED Founding +# Pioneer program ($49/mo locked for life) and the old pack-led positioning until +# the 2026-06-17 reground. This guard bans that retired framing so the public face +# cannot silently drift again. +# +# Current canon source: upstream-v2/marketing/src/lib/site.ts +# Tiers = Assist (free) / Pay as you go (from $18) / Co-pilot / Autopilot. +# ONE connected platform. No packs, no verticals, no Pioneer. +# Mirrors the sibling repos' scripts/check-canon.sh. +set -euo pipefail + +ROOT="$(cd "$(dirname "$0")/.." && pwd)" + +# Retired program + pricing + pack framing. Case-insensitive. +PATTERN='pioneer|founding 5|founding pioneer|locked for life|\$49|\$349|specialty pack|/pioneer' + +# Scan the public surfaces only. Exclude this script (it contains the banned list). +hits="$(grep -rIniE "$PATTERN" "$ROOT/profile" "$ROOT/FUNDING.yml" \ + --exclude="check-canon.sh" 2>/dev/null || true)" + +if [ -n "$hits" ]; then + echo "FAIL: retired Pioneer / pricing / pack framing on a public surface:" >&2 + echo "$hits" >&2 + echo "" >&2 + echo "Current canon: Assist (free) / Pay as you go / Co-pilot / Autopilot. ONE platform, no packs." >&2 + echo "Source of truth: upstream-v2/marketing/src/lib/site.ts" >&2 + exit 1 +fi + +echo "canon OK: no retired Pioneer / pricing / pack framing on the public profile" From 79d1c1301ab865ec383d598eb86908b9a2d93177 Mon Sep 17 00:00:00 2001 
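Review bot: `2>/dev/null || true` on the grep turns an error exit into a clean pass: grep returns 1 for no match but 2 for an unreadable file or a bad path, and both leave `hits` empty, so `set -euo pipefail` never sees the failure and the guard reports "canon OK". Capture the status instead, for example `hits="$(grep ... )" && status=0 || status=$?` followed by `[ "$status" -le 1 ] || { echo "grep failed ($status)" >&2; exit 2; }` before the `-n "$hits"` test. The pattern also needs word boundaries: `pioneer` matches "pioneering" and `\$49` matches "$490" or "$4,900", so add `-w` (or `\<pioneer\>` and `\$49\b`, `\$349\b`); once `pioneer` is bounded, `founding pioneer` and `/pioneer` are redundant alternatives. Finally `--exclude="check-canon.sh"` excludes by basename, so a copy or rename of the script elsewhere in the tree would be scanned and fail on its own comment block; `--exclude-dir=scripts` is the more robust exemption.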
From: byteworthy Date: Wed, 17 Jun 2026 22:24:49 -0500 Subject: [PATCH 3/4] ci(profile): broaden canon guard to the whole org repo The guard scanned only profile/ + FUNDING.yml, but BRAND.md, SECURITY.md, SUPPORT.md, CONTRIBUTING.md and the other org-default files are public surfaces too and were unguarded (same condition that let profile/README.md drift). Now scans repo-wide. Self-tested: passes clean, proven able to fail on drift injected into BRAND.md (a non-profile file). --- scripts/check-canon.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/scripts/check-canon.sh b/scripts/check-canon.sh index 3ebb111..5ec9a6d 100755 --- a/scripts/check-canon.sh +++ b/scripts/check-canon.sh @@ -18,8 +18,12 @@ ROOT="$(cd "$(dirname "$0")/.." && pwd)" # Retired program + pricing + pack framing. Case-insensitive. PATTERN='pioneer|founding 5|founding pioneer|locked for life|\$49|\$349|specialty pack|/pioneer' -# Scan the public surfaces only. Exclude this script (it contains the banned list). -hits="$(grep -rIniE "$PATTERN" "$ROOT/profile" "$ROOT/FUNDING.yml" \ +# Scan the whole repo: profile/README.md + FUNDING.yml drifted, but BRAND.md, +# SECURITY.md, SUPPORT.md, CONTRIBUTING.md and the other org-default files are +# public surfaces too and were unguarded. Exclude this script (it holds the list). +hits="$(grep -rIniE "$PATTERN" "$ROOT" \ + --exclude-dir=.git \ + --exclude-dir=node_modules \ --exclude="check-canon.sh" 2>/dev/null || true)" if [ -n "$hits" ]; then From cb0a72097206727e48f778beed97a31efadf09e6 Mon Sep 17 00:00:00 2001 
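Review bot: Widening the scan to `$ROOT` while excluding only `.git`, `node_modules` and the script's basename pulls `.github/workflows/canon.yml` into scope, and that file names the banned program in its step name, which is why the guard fails on itself until the next commit rewords it. Exempt the guard's own locations explicitly here (`--exclude-dir=scripts` plus `--exclude=canon.yml`) rather than keeping every file that describes the guard free of the words it bans. Two small things in the same hunk: `grep -r "$ROOT"` prints absolute runner paths in CI output, so `cd "$ROOT" && grep ... .` gives paths a reviewer can click on; and the hunk comment names BRAND.md, SECURITY.md, SUPPORT.md and CONTRIBUTING.md as newly covered surfaces, which is the right place for that list, so keep it current when files are added.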
From: byteworthy Date: Wed, 17 Jun 2026 22:25:59 -0500 Subject: [PATCH 4/4] fix(ci): canon workflow step name must not contain the banned words The broadened repo-wide scan flagged its own workflow file: the step name contained 'Pioneer', so the guard self-triggered and failed for the wrong reason. Reworded the step to 'Verify no retired pricing or program framing'. check-canon.sh is already excluded; this removes the last self-reference. Guard now passes clean repo-wide and still fails on real drift (tested against SECURITY.md). --- .github/workflows/canon.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/canon.yml b/.github/workflows/canon.yml index 54d716a..9c3bb1b 100644 --- a/.github/workflows/canon.yml +++ b/.github/workflows/canon.yml @@ -9,5 +9,5 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: No retired Pioneer/pricing/pack framing on the public profile + - name: Verify no retired pricing or program framing on public surfaces run: bash scripts/check-canon.sh
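Review bot: Renaming the step removes this one self-match but not the cause: the repo-wide scan from PATCH 3/4 still covers `.github/workflows/`, so any future comment, template or workflow name that mentions the retired program will fail the guard for the wrong reason, exactly as this one did. Add `--exclude=canon.yml` next to the existing excludes in scripts/check-canon.sh (it already exempts itself by name) so the workflow can be described honestly, and keep the new step name "Verify no retired pricing or program framing on public surfaces", which is clearer than the old one regardless. The commit message's claim that the guard still fails on real drift (tested against SECURITY.md) is the check that matters; a committed fixture under a scanned path with an injected banned line would make that regression test repeatable instead of manual.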