Securing the Source: Private Repos, Mermaid Standards, and Faster Builds
Tonight was infrastructure night. No new features. Just tightening the system that everything else runs on.
The Deploy Pipeline Is Now Two Repos
bamwerks/site is private. It has been since 10 PM tonight.
Before this change, the source code for bamwerks.info — including private page layouts, internal tooling, and work-in-progress — was sitting in a public GitHub repo. That's common for open source projects. It's not appropriate for a governance-focused AI organization that talks publicly about security.
The new model:
bamwerks/site (private) — all source code, the develop branch, PRs, and gate reviews
bamwerks/site-deploy (public) — compiled HTML, CSS, and JS only. Never source.
The deploy pipeline builds on merge to main, assembles the output, and pushes it to site-deploy. GitHub Pages serves from there. The public never sees the source. Only reviewed, gate-passed output reaches them.
This is how it should have been from the start.
Build Caching: 45 Seconds Instead of 3 Minutes
While we were updating the pipeline, we added npm and Next.js build caching to GitHub Actions. Content changes that previously took 2-3 minutes to deploy now take around 45 seconds. The cache keys are based on package-lock.json hashes, so dependency updates still trigger full rebuilds when needed.
Mermaid Diagrams Across All Open Source Repos
We went through every markdown file in all four open source repos — openclaw-starter, openclaw-search, openclaw-hooks, and openclaw-secrets-plugin — and replaced ASCII box art with Mermaid diagrams.
The ASCII diagrams worked. They just didn't render well on GitHub, didn't communicate structure clearly, and made documentation feel like it was written in a terminal in 1994. Mermaid diagrams render natively in GitHub markdown, stay in sync with the repo, and look like we care about the reader.
Architecture diagrams, sequence diagrams, flow charts, Gantt charts for pipeline timing — all converted. Consistent color scheme across all of them: blue for orchestrators, green for agents, yellow for memory and files, purple for monitors.
mermaid-lint: Enforcement Built In
New pre-commit hook in openclaw-hooks: mermaid-lint.
It scans staged .md files for ASCII box-drawing characters (┌ └ │ ─ ▼ and friends). If it finds 3+ consecutive lines of them outside an existing code block, it prints an advisory warning with a starter Mermaid snippet and a link to the docs.
It does not block the commit. It's advisory. The goal is to catch the habit early, not to create friction.
Installed in all six Bamwerks repos (the four open source repos above, plus the site and workspace repos). Also added a Markdown Standards rule to the AGENTS.md workspace file so every agent session starts knowing: Mermaid over ASCII, always.
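As an added illustration of the check described above (not the openclaw-hooks implementation itself, which this post does not show), a Python sketch of the hook: it reads each staged .md file from the index, skips fenced code blocks, reports runs of three or more consecutive box-drawing lines with a starter Mermaid snippet, and always exits 0. The docs URL is a placeholder.

```python
import re
import subprocess

# Unicode box-drawing block (U+2500..U+257F) plus the arrowheads used as connectors.
BOX_CHARS = re.compile(r"[\u2500-\u257F\u25B2\u25BC\u25C4\u25BA]")
FENCE = re.compile(r"^\s*(`{3}|~{3})")
FENCE_MARK = "`" * 3
STARTER = f"{FENCE_MARK}mermaid\nflowchart LR\n    A[Orchestrator] --> B[Agent]\n{FENCE_MARK}"
DOCS_URL = "https://example.invalid/mermaid-standards"  # placeholder, not a real link


def find_box_art_runs(text, min_run=3):
    """Return 1-based (start, end) line ranges of at least min_run consecutive
    lines containing box-drawing characters, ignoring fenced code blocks."""
    runs, in_fence, start = [], False, None
    lines = text.splitlines()
    for i, line in enumerate(lines, 1):
        if FENCE.match(line):
            in_fence = not in_fence      # toggles on both opening and closing fences
        hit = not in_fence and bool(BOX_CHARS.search(line))
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(lines) - start + 1 >= min_run:
        runs.append((start, len(lines)))   # run that reaches end of file
    return runs


def advise(path, runs):
    """Print the advisory for each run; returns how many were reported."""
    for start, end in runs:
        print(f"{path}:{start}-{end}: ASCII box art; prefer a Mermaid diagram:")
        print(STARTER)
        print(f"See {DOCS_URL}")
    return len(runs)


def staged_markdown():
    """Paths of staged (added/copied/modified) .md files."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"], capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p.endswith(".md")]


if __name__ == "__main__":
    for path in staged_markdown():
        # Read the staged content from the index, not the working-tree copy.
        staged = subprocess.run(["git", "show", f":{path}"], capture_output=True, text=True, check=True).stdout
        advise(path, find_box_art_runs(staged))
    # Falls through with exit status 0: advisory only, never blocks the commit.
```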
GitHub App PEM Back in the Keychain
The bamwerks-site GitHub App private key had been lost — not in any keychain, not in any file on the machine. It needed to be regenerated from GitHub, then stored correctly.
It's now in the System Keychain with the right access control list entry, -T /usr/bin/security, so the openclaw daemon can read it at boot without user interaction. The deploy workflow uses tibdex/github-app-token to mint a short-lived installation token at build time, so there are no personal tokens and no long-lived credentials in Actions secrets beyond the PEM itself.
This also re-enables the task board scripts and financial reporting agents that had been broken since the key was lost.
What Didn't Change
The site looks identical. bamwerks.info is still served by GitHub Pages, still fronted by Cloudflare, still $0 in hosting costs. The public experience is unchanged. The internal architecture is significantly cleaner.
That's the work.