[Feature] Split-portfolio mode — keep adopters' registry + projects/ in a private sibling repo

[atlas-apex]

User Story

As an ApexYard adopter on a personal GitHub account with any private projects, I want the framework's setup flow to recommend a fork-pattern that keeps my portfolio data (registry + per-project handover docs) in a private repo, so that registering my projects under ApexYard governance does not silently publish their names on GitHub.

Driver

The current docs/multi-project.md instructs adopters to fork apexyard and commit apexyard.projects.yaml + projects/<name>/ to that fork. For a free-tier personal GitHub account, a fork of a public repo cannot be private — GitHub blocks the in-place visibility flip with the message "For security reasons, you cannot change the visibility of a fork."

Result: any adopter on the most common shape (single person, GitHub Free, at least one private project) silently publishes their portfolio names + handover findings the moment they push to their fork. The docs don't mention this trip-wire.

This was discovered by a real adopter on 2026-05-02 after committing a bulk-handover of 11 private projects to their fork's public main. Recovery required a force-push history rewrite, redacting issue/PR bodies, deleting a backup branch, and re-architecting to a split-portfolio model. None of which is in the docs today.

Proposal — split-portfolio mode (opt-in)

Introduce a second supported pattern alongside the existing single-fork model:

~/ops/
├── apexyard/         ← public fork of me2resh/apexyard (framework code + tooling)
└── portfolio/        ← private repo (registry + per-project docs — never public)

The fork stays slim, public, upstream-aligned. The portfolio repo holds:

• apexyard.projects.yaml — registry
• projects/<name>/ — handover assessments, threat-model reports, launch-check outputs, debug reports, architecture diagrams, READMEs

Skills resolve both via a new portfolio: config block in onboarding.yaml:

portfolio:
  registry: ../portfolio/apexyard.projects.yaml         # default: ./apexyard.projects.yaml (single-fork model preserved)
  projects_dir: ../portfolio/projects                    # default: ./projects
  ideas_backlog: ../portfolio/projects/ideas-backlog.md  # default: ./projects/ideas-backlog.md

Default values preserve backward compatibility — adopters who don't set portfolio: continue with the single-fork pattern (registry + projects/ in the fork itself).

Acceptance Criteria

• onboarding.yaml schema gains an optional portfolio: block with registry, projects_dir, ideas_backlog fields. Defaults preserve today's single-fork behavior.
• Every skill that reads the registry honors the configured paths. Affected (audit list — pin in PR description):
  • /projects, /inbox, /status, /tasks, /stakeholder-update
  • /handover (writes to configured projects_dir + appends to configured registry)
  • /idea (appends to configured ideas_backlog)
  • /roadmap (reads <projects_dir>/<name>/roadmap.md)
  • /c4 (writes diagrams under configured projects_dir)
  • /validate-idea
• docs/multi-project.md documents both patterns side-by-side, with a clear "which one is right for me?" decision section that names the trip-wire (private projects + free GitHub account → use split mode).
• /setup skill asks at first run: "Do you have any private projects to manage? → recommends split mode and walks through both repo creations."
• Optional follow-up: /split-portfolio migration helper for adopters who already started with the single-fork model and need to move to split (history rewrite + force-push + new private repo + symlinks). Captures the end-to-end recovery flow that would have helped the 2026-05-02 adopter.
• Reference implementation: atlas-apex/apexyard (public fork) + atlas-apex/ops (private portfolio) demonstrate the split mode working today via symlinks + a manual .gitignore on the fork. The framework changes above formalize this.

Out of Scope

• Native private-fork support — that's a GitHub Pro / Team / Enterprise feature, outside the framework's control.
• Cross-machine portfolio sync — adopters with the split mode keep both repos in their account; a clone of each on a new machine restores the setup. Anything fancier (e.g. Dropbox-style sync of just the portfolio dir) is the adopter's concern.
• Migrating committed Issue/PR records — GitHub Issue / PR bodies survive force-pushes; once a private name has been in a public PR, redacting only hides it from casual view (the edit-history timeline is still readable via API). The /split-portfolio helper should warn about this explicitly.

Risks / Dependencies

• Skill audit — every skill currently hardcodes the registry path. Migrating each one is mechanical but must be done atomically (a half-migration leaves some skills reading the wrong path). Suggest landing as one PR.
• Backwards compatibility — existing adopters on the single-fork model must be unaffected. Defaults of the portfolio: block must point at today's locations.
• Upgrade flow — /update (upstream sync) needs to handle the case where the fork has projects/ symlinked to a different repo. The projects/README.md upstream stub may conflict with adopters who symlinked projects/ away. Document the expected resolution: adopter accepts upstream's README or keeps the symlink.

Glossary

Term	Definition
Split-portfolio mode	The proposed two-repo setup: public framework fork + private portfolio repo. The fork stays free of private project names.
Single-fork mode	The current setup documented in docs/multi-project.md: registry + projects/ live inside the fork itself. Works fine when all projects are public OR the adopter has a paid GitHub plan that supports private forks.
Trip-wire	The silent privacy bug: free-tier adopters with private projects can follow today's docs faithfully and end up with their portfolio names on a public GitHub repo before they realize it.
/split-portfolio helper	Optional migration skill that walks an existing single-fork adopter through the recovery to split mode (force-push history rewrite + new private repo + symlinks). Captures lessons from a real adopter's 2026-05-02 migration.

[atlas-apex]

Status update — split into umbrella + two child tickets

Done — PR #144 (merged into dev 2026-05-03)

Minimum-viable starter that closes the silent privacy bug for new adopters:

• ✅ AC3 — docs/multi-project.md documents both modes (single-fork default + split-portfolio for privacy) with a side-by-side table and explicit trip-wire callout
• ✅ AC4 — /setup Step 2a asks the privacy question upfront and branches the configuration flow on the answer (all-public / paid plan / private + Free)

Net effect: a new adopter who follows the docs or runs /setup on a fresh fork will not hit the trip-wire. Split-portfolio mode is fully functional today via the documented symlink workaround — every existing skill resolves through symlinks transparently.

Open — split into two child tickets

The remaining ACs are convenience refactors, not trip-wire fixes. Tracking each as its own issue so they can land independently:

• [Feature] Split-portfolio: portfolio: config block + skill audit refactor (follow-up to #143) #145 — [Feature] Split-portfolio: portfolio: config block + skill audit refactor (P1, AC1 + AC2 bundled)

  • Adds portfolio.{registry, projects_dir, ideas_backlog} to onboarding.yaml schema (with defaults that preserve today's single-fork behaviour)
  • Refactors every skill that hardcodes the registry path (audit list inside the issue: /projects, /inbox, /status, /tasks, /stakeholder-update, /handover, /idea, /roadmap, /c4, /validate-idea)
  • Bundled into one PR because half-migration is dangerous (some skills reading the config + others reading the hardcoded path = inconsistent state)

• [Feature] /split-portfolio migration helper skill (follow-up to #143) #146 — [Feature] /split-portfolio migration helper skill (P2, AC5)

  • Automates the destructive recovery flow for adopters who already pushed private project names to a public fork
  • 10-step skill with explicit operator-confirmation gates at each destructive step (snapshot, history rewrite, force-push, body redaction)
  • P2 because by the time it ships, the docs + privacy gate from PR docs(#143): document split-portfolio mode + add /setup privacy gate #144 should mean very few adopters land in the recovery scenario

Closing this umbrella

Leaving #143 OPEN as the umbrella tracking the full feature. Will close when both #145 and #146 merge.

If anyone hits the trip-wire in the meantime: docs/multi-project.md § "Migrating from single-fork to split-portfolio" has the manual recovery flow.

[atlas-apex]

All children delivered — closing the umbrella

PR #147 merged into dev 2026-05-03 as commit 7a36f74. Both remaining child tickets are now closed:

• ✅ docs(#143): document split-portfolio mode + add /setup privacy gate #144 — docs + /setup privacy gate (merged 2026-05-03)
• ✅ [Feature] Split-portfolio: portfolio: config block + skill audit refactor (follow-up to #143) #145 — portfolio: config block + helper + skill audit + self-healing (closed by PR feat(#145): portfolio config + self-healing + /split-portfolio helper #147)
• ✅ [Feature] /split-portfolio migration helper skill (follow-up to #143) #146 — /split-portfolio migration helper skill (closed manually post-merge; delivered same PR)

Net delivery for #143:

Layer	Shipped
Docs	Both modes (single-fork + split-portfolio) documented in docs/multi-project.md with side-by-side comparison + trip-wire callout
/setup	Privacy gate at Step 2a + config-block-writing Step 2b + portfolio_validate finalization gate
Schema	.claude/project-config.{defaults,}.json → portfolio.{registry, projects_dir, ideas_backlog}
Helper	.claude/hooks/_lib-portfolio-paths.sh (portfolio_registry, portfolio_projects_dir, portfolio_ideas_backlog, portfolio_validate, portfolio_clear_cache)
Self-healing	New SessionStart hook surfaces broken portfolio config at session start (silent on OK, never blocks)
Skill audit	18 SKILL.md files updated with the path-resolution callout; surgical bash-block edits in handover and setup
Migration helper	New /split-portfolio skill with --verify + --dry-run modes, 10-step destructive flow with operator-confirmation gates, GitHub timeline-API survival caveat surfaced
AgDR	docs/agdr/AgDR-0010-portfolio-config-and-self-healing.md
Tests	13 unit cases for the helper, all green

Closing this umbrella. Future-phase items (per AgDR-0010): extract the duplicated callout to a shared conventions doc if it becomes a maintenance burden; add Python parallel to the shell helper if any skill ever needs it; --force flag for /split-portfolio to override pre-flight refusals.