NVIDIA
diff --git a/‎.github/actions/README.md‎
Lines changed: 3 additions & 3 deletions b/‎.github/actions/README.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/copilot-instructions.md‎
Lines changed: 3 additions & 3 deletions b/‎.github/copilot-instructions.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 20 additions & 6 deletions b/‎CONTRIBUTING.md‎
Lines changed: 20 additions & 6 deletions
diff --git a/‎DEVELOPMENT.md‎
Lines changed: 1 addition & 1 deletion b/‎DEVELOPMENT.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 2 additions & 4 deletions b/‎README.md‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎RELEASING.md‎
Lines changed: 2 additions & 2 deletions b/‎RELEASING.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/README.md‎
Lines changed: 2 additions & 5 deletions b/‎docs/README.md‎
Lines changed: 2 additions & 5 deletions
@@ -196,13 +196,13 @@ This action runs `tools/setup-tools --skip-go --skip-docker` in auto mode, which
 ```yaml
 - uses: ./.github/actions/cloud-run-deploy
   with:
-    project_id: 'eidosx'
+    project_id: 'example-gcp-project'
     workload_identity_provider: 'projects/.../providers/github-actions-provider'
-    service_account: 'github-actions@eidosx.iam.gserviceaccount.com'
+    service_account: 'github-actions@example-gcp-project.iam.gserviceaccount.com'
     region: 'us-west1'
     service: 'api'
     source_image: 'ghcr.io/nvidia/aicrd:v1.0.0'
-    target_registry: 'us-docker.pkg.dev/eidosx/demo'
+    target_registry: 'us-docker.pkg.dev/example-gcp-project/demo'
     image_name: 'aicrd'
     ghcr_token: ${{ github.token }}
 ```
 
@@ -53,7 +53,7 @@ func (r *Reader) Read(url string) ([]byte, error) {
 **Git Configuration:**
 - Commit to `main` branch (not `master`)
 - Do NOT add `Co-Authored-By` lines (organization policy)
-- Use DCO sign-off: `git commit -s -m "message"`
+- Use cryptographic commit signing: `git commit -S -m "message"` (use `-s` only when DCO sign-off is required for non-member contributions)
 
 **Decision Framework:**
 Choose solutions based on: testability, readability, consistency, simplicity, reversibility
@@ -178,7 +178,7 @@ NVIDIA AICR provides validated GPU-accelerated Kubernetes configurations through
    make test
    ```
 
-→ See [Bundler Development Guide](docs/contributor/component.md) for full details
+→ See [Bundler Development Guide](../docs/contributor/component.md) for full details
 
 ### I Need To: Add New API Endpoint
 
@@ -800,7 +800,7 @@ jobs:
       - uses: ./.github/actions/cloud-run-deploy
         with:
           source_image: 'ghcr.io/nvidia/aicrd:${{ github.ref_name }}'
-          target_registry: 'us-docker.pkg.dev/eidosx/demo'
+          target_registry: 'us-docker.pkg.dev/example-gcp-project/demo'
 ```
 
 **Supply Chain Security:**
 
@@ -150,18 +150,22 @@ Trust is established through evidence, not assertions. Every released artifact c
    - DEVELOPMENT.md for developer workflow changes
    - Code comments and godoc for API changes
 
-3. **Commit with DCO sign-off:**
+3. **Commit with required provenance:**
    ```bash
+   # External contributors (DCO sign-off required)
    git commit -s -m "feat: add network collector
 
    - Implement NetworkCollector interface
    - Add unit tests with 80% coverage
    - Update factory registration
 
    Fixes #123"
+
+   # NVIDIA org members / automation (DCO sign-off exempt)
+   git commit -S -m "feat: add network collector"
    ```
 
-   **Important**: Always use `-s` flag for DCO sign-off.
+   External contributors must use `-s`. NVIDIA organization members are exempt from DCO bot sign-off checks and should use cryptographic signing (`-S`).
 
 ### Creating the Pull Request
 
@@ -178,7 +182,7 @@ Trust is established through evidence, not assertions. Every released artifact c
    - Go tests with race detector
    - golangci-lint
    - YAML linting
-   - Security scan (Trivy)
+   - Security scans (Trivy in CI, Grype in `make scan`)
    - Coverage tracking
    - E2E tests
 
@@ -190,7 +194,9 @@ Trust is established through evidence, not assertions. Every released artifact c
 
 3. **Address Feedback** by pushing new commits:
    ```bash
-   git commit -s -m "address review: improve error handling"
+   git commit -s -m "address review: improve error handling"   # external contributors
+   # or
+   git commit -S -m "address review: improve error handling"   # NVIDIA org members / automation
    git push origin your-branch
    ```
 
@@ -226,9 +232,9 @@ git push origin --delete your-branch
 
 ## Developer Certificate of Origin
 
-All contributions must include a DCO sign-off to certify that you have the right to submit the contribution under the project's license.
+Contributions must satisfy Developer Certificate of Origin (DCO) policy. External contributors (non-NVIDIA organization members) must include a DCO sign-off on each commit. NVIDIA organization members are exempt from DCO bot sign-off checks and should use cryptographic signing (`-S`).
 
-### How to Sign Off
+### How to Sign Off (External Contributors)
 
 Add the `-s` flag to your commit:
 
@@ -258,6 +264,14 @@ git commit --amend --signoff
 git push --force-with-lease origin your-branch
 ```
 
+### NVIDIA Org Members and Automation
+
+NVIDIA organization members are exempt from DCO bot sign-off checks (`.github/dco.yml`). Use cryptographic commit signing:
+
+```bash
+git commit -S -m "Your commit message"
+```
+
 ### What You're Certifying
 
 By signing off, you certify the Developer Certificate of Origin 1.1:
 
@@ -801,7 +801,7 @@ make validate-local RECIPE=recipe.yaml IMAGE_TAG=dev
 
 For detailed information on adding validation checks and constraint validators, see:
 
-**[pkg/validator/checks/README.md](../pkg/validator/checks/README.md)**
+**[pkg/validator/checks/README.md](pkg/validator/checks/README.md)**
 
 This comprehensive guide covers:
 - Architecture overview (Job-based validation, test registration framework)
 
@@ -48,8 +48,6 @@ This separation allows the same validated configuration to be applied consistent
 
 Install the latest version using the installation script:
 
-> Note: Temporally, while the repo is private, make sure to include your GitHub token first:
-
 ```shell
 curl -sfL https://raw.githubusercontent.com/NVIDIA/aicr/main/install | bash -s --
 ```
@@ -122,7 +120,7 @@ You integrate AICR into CI/CD pipelines, GitOps workflows, or larger platforms.
 
 ## Documentation & Resources
 
-- **[Documentation](/docs)** – Documentation, guides, and examples.
+- **[Documentation](docs/README.md)** – Documentation, guides, and examples.
 - **[Roadmap](ROADMAP.md)** – Feature priorities and development timeline
 - **[Overview](docs/README.md)** - Detailed system overview and glossary
 - **[Security](SECURITY.md)** - Security-related resources 
@@ -131,4 +129,4 @@ You integrate AICR into CI/CD pipelines, GitOps workflows, or larger platforms.
 
 ## Contributing
 
-Contributions are welcome. See [contributing](/CONTRIBUTING.md) for development setup, contribution guidelines, and the pull request process.
+Contributions are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, contribution guidelines, and the pull request process.
@@ -29,7 +29,7 @@ Every release must pass these automated gates before artifacts are published:
 - Unit tests with race detector
 - golangci-lint + yamllint
 - License header verification
-- Trivy vulnerability scan
+- Vulnerability scans (Trivy in release workflows, Grype in `make scan`)
 - E2E tests on Kind cluster
 
 If any gate fails, the release pipeline stops. Fix forward on `main` and cut a new tag.
@@ -148,7 +148,7 @@ sha256sum -c checksums.txt --ignore-missing
 
 > **Note**: Demonstration only — not a production service. Self-host `aicrd` for production use. See [API Server Documentation](docs/contributor/api-server.md).
 
-The `aicrd` API server demo deploys to Google Cloud Run on successful release (project: `eidosx`, region: `us-west1`, auth: Workload Identity Federation).
+The `aicrd` API server demo deploys to Google Cloud Run on successful release (region: `us-west1`, auth: Workload Identity Federation). Project-specific details are managed in CI configuration.
 
 ## Troubleshooting
 
 
@@ -104,7 +104,7 @@ AICR prioritizes trust in the software supply chain.
 
 - `api/` — OpenAPI specifications for the REST API
 - `cmd/` — Entry points for CLI (`aicr`) and API server (`aicrd`)
-- `deployments/` — Kubernetes manifests for agent deployment
+- `recipes/` — Recipe overlays, component values, and validation checks
 - `docs/` — User-facing documentation, guides, and architecture docs
 - `examples/` — Example snapshots, recipes, and comparisons
 - `infra/` — Infrastructure as code (Terraform) for deployments
@@ -154,11 +154,8 @@ For engineers integrating AICR into CI/CD pipelines, GitOps workflows, or larger
 
 ### Install CLI
 
-> Note: Temporally, while the repo is private, make sure to include your GitHub token first:
-
 ```shell
-curl -sfL -H "Authorization: token $GITHUB_TOKEN" \
-  https://raw.githubusercontent.com/NVIDIA/aicr/main/install | bash -s --
+curl -sfL https://raw.githubusercontent.com/NVIDIA/aicr/main/install | bash -s --
 ```
 
 See [Installation Guide](user/installation.md) for manual installation, building from source, and container images.