PROJECT-POLICY.md

# Project policy for David's code/web projects

This policy follows `docs/ADR-0002-app-projects-environments-and-repos.md`.
Agent and memory governance is defined in `docs/ADR-0003-agent-user-and-memory-governance.md`.
Solution documentation and acceptance criteria are governed by `docs/ADR-0004-app-solution-documentation-and-acceptance.md`.
Approved technologies and engineering standards are governed by `docs/ADR-0005-approved-technologies-and-engineering-standards.md`.
Security and integrity are governed by `docs/ADR-0006-security-and-integrity.md`.

## Ownership question

Before starting a new code/web project, Kompis must ask which company owns it:

1. Be Viable AB
2. HEL Management AB

Do not assume based on mailbox, domain, or previous project.

## Default admin emails

- Be Viable AB: `david.westman@beviable.se`
- HEL Management AB: `david.westman@helmanagement.com`

## Security default

Projects are private/internal by default. Do not expose public access unless David explicitly asks.

Use the Bosse Bokdoktor baseline:

- Internal access gate before OAuth/external login
- Secrets in Cloudflare/host environment, never in GitHub
- Cloudflare Access support where appropriate
- Future-ready user management with roles and permissions
- David initially sole admin unless he specifies others

## Organization

Keep projects separated by owner and purpose:

- Dedicated app repos per project
- Dedicated hosting/project entries per app
- Company ownership reflected in docs/README/environment where practical
- `openclaw-kompis-brain` remains only the OpenClaw/Kompis brain backup repo

See `docs/ADR-0001-openclaw-brain-repo.md` for the brain-repo boundary.