Recorder Asset Core Decision Gate
Docs
Decision Gate Docs

Deterministic, replayable gate evaluation with auditable decisions.

Asset Core docs

Decision Gate Threat Model

Overview

Decision Gate is a deterministic, replayable control plane for gated disclosure and stage advancement. It evaluates evidence-backed conditions, emits auditable decisions, and supports offline verification via runpacks. It does not run agent conversations.

Decision Gate is composed of:

  • Control plane core (scenario engine, evidence evaluation, run state, runpack builder/verifier).
  • MCP server (JSON-RPC over stdio/HTTP/SSE) and CLI tooling.
  • Provider federation (built-in providers plus external MCP providers).
  • Dispatch/broker layer (payload resolution and delivery).
  • Storage layers (SQLite or in-memory run state + schema registry, optional object storage for runpacks).
  • Repository overview and security posture: README.md and SECURITY.md.
  • Operational guidance and controls: Security guide.
  • Standards and investigation workflow: Docs/standards/codebase_engineering_standards.md, Docs/standards/agent_investigation_guide.md.
  • Architecture references: Docs/architecture/decision_gate_auth_disclosure_architecture.md, Docs/architecture/decision_gate_evidence_trust_anchor_architecture.md, Docs/architecture/decision_gate_runpack_architecture.md, Docs/architecture/decision_gate_namespace_registry_rbac_architecture.md, Docs/architecture/decision_gate_provider_capability_architecture.md.
  • Component READMEs: crates/decision-gate-core/README.md, crates/decision-gate-mcp/README.md, crates/decision-gate-broker/README.md, crates/decision-gate-providers/README.md.

Security Goals

  • Deterministic evaluation with no hidden mutation of state.
  • Evidence-backed disclosure only; fail closed on missing, invalid, or unverifiable evidence.
  • Auditability and tamper detection for run state and runpacks.
  • Minimized data exposure; default to safe summaries and redacted evidence.
  • Clear trust boundaries between control plane, providers, dispatch targets, and storage.
  • Least-privilege tool access and registry operations with explicit authz.
  • Bounded resource usage (request size, provider response size, rate limits).

Non-Goals / Out of Scope

  • Protecting confidentiality after data is disclosed to downstream systems.
  • Protecting against full host or kernel compromise without external controls.
  • Securing external MCP providers, downstream sinks, or client applications.
  • Hardware attestation, secure enclave guarantees, or key custody services.
  • Cryptographic signing of runpacks or schema records (beyond metadata fields).
  • TLS termination and proxy trust (deployment responsibility).

Assets

  • Scenario specifications, conditions, and policy tags (security logic).
  • Run state logs: triggers, gate evaluations, decisions, packets, submissions, tool calls.
  • Evidence values, hashes, anchors, and signatures.
  • Namespace authority configuration and namespace mappings.
  • Data shape registry records (JSON Schemas), versions, and optional signing metadata.
  • Dispatch payloads, envelopes, and receipts.
  • Runpack artifacts, manifests, and verification reports.
  • Provider contracts (capability contracts) and schemas.
  • Typed runtime auth descriptors (scheme_name, credential_binding, apiKey name/location) embedded in runtime profiles.
  • Audit logs (tool authz, precheck, registry ACL, tenant authz, usage).
  • Configuration files, provider auth tokens, registry ACL/principal mappings, and signature verification keys.
  • Run state store (SQLite or in-memory), schema registry store, and runpack output directory.
  • Object storage buckets for runpack artifacts and archives (S3-compatible).
  • Docs catalog content and any extra docs ingested from disk.

Adversary Model

  • Nation-state adversaries with full knowledge of Decision Gate behavior.
  • Untrusted or compromised clients emitting triggers or tool calls.
  • Malicious or faulty evidence providers and external MCP servers.
  • Compromised insiders with access to configuration, storage, or logs.
  • Network attackers able to MITM, replay, or drop traffic.
  • Malicious or mistaken scenario authors who can define unsafe specs.
  • Malicious schema registrants or policy administrators who can poison registry entries.
  • Attackers controlling content references or broker sources (SSRF/exfiltration risk).
  • Attackers who can tamper with on-disk provider contracts, configs, or runpack artifacts.

Trust Boundaries

  • MCP server transports (stdio, HTTP, SSE): all JSON-RPC inputs are untrusted.
  • Scenario definition input: specs can encode disclosure logic and data access.
  • Evidence provider boundary: built-in providers vs external MCP providers.
  • Namespace authority backend (Asset Core or registry): namespace validation is external and must fail closed.
  • Provider contracts and configuration files on disk.
  • Typed credential resolver backends (default local encrypted secret store in OSS; enterprise backends via seam) are external trust boundaries for secret material. OSS local secret storage is metadata v2 with Argon2id-derived keys and AES-256-GCM at rest; legacy metadata v1 is hard-rejected. Explicit env:// resolution is development-only and gated by dev.allow_dev_env_credentials.
  • Schema registry backend (in-memory/SQLite) and registry ACL decisions.
  • Run state store and runpack artifacts: treat storage as untrusted.
  • Runpack object storage (S3-compatible) and metadata: treat as untrusted and verify hashes for every artifact.
  • Broker sources (http/file/inline) and sinks (external systems).
  • Dispatch targets and downstream systems receiving disclosures.
  • Offline verification environment and artifact readers.
  • Tenant authorization adapters and usage meters (if configured) are external decision points.
  • Docs extra_paths ingestion (local disk) and MCP resources/list/read.

Entry Points and Attack Surfaces

  • MCP JSON-RPC methods: tools/list, tools/call, resources/list, resources/read.
  • MCP tools: scenario_define, scenario_start, scenario_status, scenario_next, scenario_submit, scenario_trigger, evidence_query, runpack_export, runpack_verify, providers_list, provider_contract_get, provider_check_schema_get, schemas_list, schemas_register, schemas_get, scenarios_list, precheck, decision_gate_docs_search.
  • CLI commands: serve, runpack export, runpack verify, authoring validate/normalize, and secret-store administration (secrets init, secrets put --from-env, secrets import --env-file --map, secrets list, secrets remove, secrets doctor).
  • Config file and environment variable DECISION_GATE_CONFIG.
  • External MCP provider processes and HTTP endpoints.
  • Typed provider artifacts (capabilities_path, runtime_profile_path) loaded from local disk.
  • Built-in providers: env, json, http, rest, time (filesystem, environment, network).
  • External content references for packet payloads (http://, https://, file://, inline:).
  • Config paths, provider contracts, provider commands/URLs, docs extra paths.
  • Runpack storage destinations (local output dir or object storage).

Security Controls and Invariants

  • Canonical JSON hashing (RFC 8785) with non-finite float rejection for specs, logs, runpacks, and hashes.
  • Tri-state evaluation with Unknown treated as non-passing.
  • Evidence hash normalization; optional signature verification (ed25519) when configured.
  • Provider contract registry validates provider check params and allowed comparators; strict comparator/type validation is default-on.
  • Namespace authority checks enforce tenant/namespace scoping and fail closed on unknown or unavailable catalogs.
  • Evidence trust lanes enforced (verified by default); dev-permissive explicitly lowers trust to asserted for non-exempt providers only.
  • Schema registry ACL enforces role/policy-class access and can require signing metadata; registry operations are audited.
  • Anchor policy enforcement rejects evidence missing required anchors and propagates anchor requirements into runpack verification.
  • Size and path limits for config files, provider contracts, run state stores, docs ingestion, runpack artifacts, and object-store keys.
  • JSON provider enforces root-bound relative paths and emits file_path_rooted anchors with root_id + normalized path.
  • RET logic hard limits: DSL inputs capped at 1 MiB with nesting depth 32; serialized requirement inputs capped at 1 MiB with default max depth 32; plan execution stack depth capped at 64 frames; constant pools capped at 65,536 entries.
  • HTTP/SSE request body limits, stdio framing header limits (8 KiB cumulative), fail-closed duplicate Content-Length rejection, provider-specific response size limits, and provider timeouts.
  • Typed runtime profiles enforce deterministic digest validation before provider activation and fail closed on mismatched profile content.
  • Typed OpenAPI import enforces operation-effective security resolution (operation.security precedence, explicit unauthenticated alternatives) and rejects unsupported/ambiguous security requirement shapes fail closed.
  • Typed OpenAPI projection metadata (x-decision-gate.projections) is treated as untrusted input: importer enforces deterministic id uniqueness, RFC6901 pointer validity, schema validity, and fail-closed rejection for JSON object/array-complex responses missing required projections.
  • Typed runtime auth is operation-scoped and explicit: only bearer/basic/apiKey(header|query|cookie) are supported; oauth2 and openIdConnect remain out of scope and fail closed.
  • Typed OpenAPI imports require an explicit credential_bindings field; omitted fields and missing secured-scheme mappings are rejected before import/runtime execution.
  • Each secured credential binding requires explicit wire render metadata (value_render), preventing implicit auth formatting drift.
  • Credential locator parsing is fail-closed at import/register/runtime boundaries: only secret:// and env:// schemes are accepted; bare env names and unknown schemes are rejected.
  • Runtime auth credential values are stored as raw secrets and rendered deterministically at use-time (identity or prefix). Preformatted-prefix collisions are rejected with raw-secret remediation errors.
  • secret:// paths enforce anti-traversal and bounded syntax (./.. rejected, max path length 256 chars, max 8 segments, max segment length 64, [A-Za-z0-9_.-] segment charset).
  • Typed runtime outbound controls enforce per-provider inflight caps and bounded retry policy for timeout/429/503, including bounded Retry-After usage.
  • Inflight request caps and optional rate limiting for MCP tool calls.
  • MCP tool calls require explicit authn/authz (local-only by default; bearer or mTLS subject allowlists when configured) with audit logging.
  • Debug mutation diagnostics endpoint (/debug/mutation_stats) is protected by the same auth model as MCP tool calls and fails closed (401/403) on unauthenticated/unauthorized requests.
  • Tool visibility filters list/call surfaces; docs search/resources can be disabled.
  • Tenant authorization hook (if configured) gates tool calls and is audited.
  • Precheck is read-only: asserted evidence validated against schemas, no run state mutation or disclosures.
  • Safe summaries for client-facing status; evidence redaction by policy.
  • scenario_submit.payload and scenario_trigger.payload are persisted as run logs and included in runpacks; treat them as non-secret audit data channels.
  • SQLite run state uses canonical JSON + hash verification on load; runpack manifests use file hashes + root hash for integrity.

Threats and Mitigations

Authentication, Authorization, and Access Control

  • Unauthorized tool access: local-only defaults, bearer/mTLS modes, per-tool allowlists, tool visibility filters, auth-gated debug diagnostics endpoints, and audit logging.
  • Tenant/namespace abuse: namespace authority checks, default namespace deny-by-default, tenant authz hooks, and registry ACLs.
  • Registry poisoning/leakage: ACL rules and optional signing metadata requirements with audit trails.

Input Validation and Parsing

  • Untrusted JSON-RPC/config inputs: strict typed decoding, comparator validation, canonical JSON normalization, and size/path limits.
  • JSONPath/YAML parsing in json provider: root-bound relative paths (absolute paths rejected), traversal checks, size limits, and structured error handling.
  • JSONPath/header extraction in rest provider: GET-only request surface, bounded responses, JSON content-type enforcement for json_path, strict request header validation, and auth-header override rejection.
  • Provider contract tampering: contract path validation and canonical hashing of contract payloads.
  • Typed provider artifact tampering: config validation requires typed artifact paths/protocol metadata and runtime loading verifies canonical profile digest integrity before execution.
  • Typed runtime request-binding abuse: path bindings are percent-encoded before template substitution, typed header bindings reject reserved/auth-owned names, and runtime security bounds enforce timeout/response-size ceilings.
  • Typed OpenAPI security-shape abuse: importer rejects multi-scheme AND requirements, missing security scheme refs, malformed security requirement objects/scopes, and invalid/missing apiKey name/in.
  • Typed OpenAPI projection abuse: importer rejects malformed projection arrays, duplicate projection ids, invalid RFC6901 pointers, and invalid projection schemas; runtime JSON-pointer extraction failures remain fail closed.

Evidence Integrity and Authenticity

  • Malicious or faulty providers: trust lanes, optional signature verification, anchor policy enforcement, and canonical evidence hashing.
  • External MCP providers: response size limits, timeouts, and correlation ID sanitization. Stdio framing headers are size-capped and duplicate Content-Length headers are rejected before payload parsing; treat providers as untrusted processes or remote services.
  • Typed runtime providers: profile/source digests are bound into runtime execution and evidence anchors; tampered runtime profile artifacts are rejected before checks run.

Disclosure and Data Exposure

  • Evidence leakage through tools: evidence redaction policies for evidence_query and scenario_next feedback; safe summaries by default.
  • Sensitive data in submit/trigger payloads: payloads are intentionally durable for audit/replay; mitigated by integration policy (no raw secrets, use opaque handles and external secret stores).
  • Policy bypass in dispatch: optional policy engine (permit_all, deny_all, or static rules) gates disclosure before dispatch.

Storage and Runpack Integrity

  • Run state tampering: SQLite store verifies canonical hash on load and fails closed; run state versions are append-only (with optional retention pruning).
  • Runpack tampering: verifier checks artifact hashes, root hash, and anchor policy; no built-in signing (external signing/WORM required for non-repudiation).

External Providers, Sources, and Dispatch

  • Broker sources (http/file/inline) used for payload resolution: content hash verification, content type checks, size limits, no redirects (HTTP), broker-owned transport policy (no caller-injected HTTP client overrides), and optional root path enforcement (file).
  • Built-in providers: allowlists/denylists and size limits for env, root restrictions and size limits for json, and host allowlists + DNS-pinned peer validation + private/link-local deny-by-default for http and rest.
  • Typed OpenAPI HTTP providers: runtime execution reuses hardened HTTP controls (DNS pinning, redirect rejection, status/content-type validation, bounded response reads) with deterministic typed anchors.
  • Typed import + lifecycle tooling enforces bounded timeout_ms, bounded max_response_bytes, bounded operation_allowlist cardinality, bounded outbound inflight/retry controls, required credential_binding mapping, and fail-closed duplicate check_id rejection in contracts/runtime profiles.

Availability and Resource Exhaustion

  • Large requests/responses: max_body_bytes, provider response caps, schema size limits, runpack artifact limits, and optional rate limiting/inflight limits.
  • Provider timeouts: HTTP provider timeouts and MCP provider response caps.
  • Typed outbound retry bursts: bounded attempts/backoff and per-provider outbound inflight caps mitigate retry storms and fan-out amplification.

Supply Chain and Execution Environment

  • Release workflows enforce full artifact supply-chain evidence generation and verification before release eligibility or publish can proceed.
  • Every release subject requires SBOM coverage, provenance, and signature verification; missing coverage is a hard failure.
  • Keyless OIDC signing (cosign) is required in CI with certificate issuer and identity-regexp verification.
  • Vulnerability policy is fail-closed: block High/Critical vulnerabilities plus any CVE in the CISA Known Exploited Vulnerabilities feed.
  • Supply-chain evidence artifacts are retained with release artifacts for audit and offline verification.
  • External providers execute with local privileges; use OS sandboxing, scoped credentials, and minimal permissions.
  • Provider contracts, configs, and docs extra_paths are local file inputs and must be protected by file system ACLs and integrity controls.

Multi-Tenant and Isolation

  • Tenant/namespace IDs are labels, not access controls: enforce authn/authz, tenant authz hooks, and registry ACLs in shared deployments.

Auditability and Observability

  • Auth decisions, registry access, tenant authz, and usage are logged with structured audit events; precheck logs are hash-only by default.

Implementation References (Controls and Protections)

Core Runtime

  • Canonical JSON hashing and non-finite float rejection: crates/decision-gate-core/src/core/hashing.rs.
  • Tri-state comparator evaluation: crates/decision-gate-core/src/runtime/comparator.rs.
  • Trust lane enforcement and anchor policy validation: crates/decision-gate-core/src/runtime/engine.rs, crates/decision-gate-core/src/core/evidence.rs.
  • Safe summaries: crates/decision-gate-core/src/core/summary.rs.
  • Runpack build/verify and artifact size limits: crates/decision-gate-core/src/runtime/runpack.rs.

MCP Server and Tooling

  • Authn/authz, tool allowlists, bearer parsing, and auth audit: crates/decision-gate-mcp/src/auth.rs, crates/decision-gate-config/src/config.rs.
  • Request limits (max body, inflight, rate limiting) and transport handling: crates/decision-gate-mcp/src/server.rs, crates/decision-gate-config/src/config.rs.
  • Stdio framing header size enforcement for server and provider transports: crates/decision-gate-mcp/src/server.rs, crates/decision-gate-mcp/src/evidence.rs.
  • Correlation ID sanitization: crates/decision-gate-mcp/src/correlation.rs.
  • Tool visibility, docs gating, evidence redaction, and precheck handling: crates/decision-gate-mcp/src/tools/router.rs.
  • Deterministic docs ingestion with bounded extra-doc budgets: crates/decision-gate-mcp/src/docs.rs.
  • Audit event payloads: crates/decision-gate-mcp/src/audit.rs.
  • Tenant authz and usage meter seams: crates/decision-gate-mcp/src/tenant_authz.rs, crates/decision-gate-mcp/src/usage.rs.
  • Provider contract validation + strict comparator validation: crates/decision-gate-mcp/src/capabilities.rs, crates/decision-gate-mcp/src/validation.rs.
  • Evidence signature verification, external MCP provider response caps, and typed provider runtime-profile loading: crates/decision-gate-mcp/src/evidence.rs.

Providers and Broker

  • Built-in provider limits and policies: crates/decision-gate-providers/src/env.rs, crates/decision-gate-providers/src/json.rs, crates/decision-gate-providers/src/http.rs, crates/decision-gate-providers/src/rest.rs, crates/decision-gate-providers/src/time.rs.
  • Typed provider runtime execution and profile digest enforcement: crates/decision-gate-providers/src/typed.rs.
  • Provider allow/deny policy: crates/decision-gate-providers/src/registry.rs.
  • Typed import/adaptation/codegen pipeline: crates/decision-gate-typed/src/lib.rs, crates/decision-gate-typed/src/adapter_openapi.rs, crates/decision-gate-typed/src/adapter_protobuf.rs, crates/decision-gate-typed/src/capability_codegen.rs, crates/decision-gate-typed/src/runtime_codegen.rs.
  • Broker payload validation and source restrictions: crates/decision-gate-broker/src/broker.rs, crates/decision-gate-broker/src/source/file.rs, crates/decision-gate-broker/src/source/http.rs, crates/decision-gate-broker/src/source/inline.rs.

Storage and Contracts

  • SQLite run state + schema registry integrity and size limits: crates/decision-gate-store-sqlite/src/store.rs.
  • In-memory stores (tests/demos only): crates/decision-gate-core/src/runtime/store.rs.
  • Object-store runpack export key validation: crates/decision-gate-mcp/src/runpack_object_store.rs.
  • Config file size/path validation and defaults: crates/decision-gate-config/src/config.rs.
  • Canonical tool and schema contracts: crates/decision-gate-contract/src/tooling.rs, crates/decision-gate-contract/src/schemas.rs.
  • Contract output generation and verification with descriptor-relative no-follow file operations: crates/decision-gate-contract/src/contract.rs.
  • CLI authoring/runpack tooling: crates/decision-gate-cli/src/main.rs.

Release CI Supply Chain

  • Supply-chain artifact generation and evidence contract emission: scripts/ci/supply_chain_generate.sh, Docs/generated/supply_chain/supply_chain_evidence.schema.json.
  • Supply-chain verification hard gates: scripts/ci/supply_chain_verify.sh, scripts/ci/vuln_policy_gate.py.
  • Release and publish workflow enforcement: .github/workflows/release.yml, .github/workflows/publish.yml.

Operational Requirements

  • Restrict MCP access to authenticated transports (mTLS, IPC ACLs, reverse proxy auth) and enforce TLS for HTTP/SSE (or explicit upstream termination).
  • Configure server.auth for non-loopback deployments; rotate tokens and maintain tool allowlists.
  • Keep dev-permissive disabled in production; require verified trust lanes.
  • Require signature verification for external providers where integrity matters; manage key distribution securely.
  • Configure allowlists for env, json, http, and rest providers; avoid unrestricted file access.
  • For typed providers, protect capabilities_path and runtime_profile_path artifacts with filesystem ACLs and integrity controls; treat these files as untrusted input until digest verification succeeds.
  • Restrict schemas_register, schemas_get, schemas_list, precheck, and scenarios_list to trusted callers (tool allowlists + tenant authz + registry ACLs). Restrict provider discovery tools with tool allowlists and provider_discovery allow/deny lists.
  • Configure schema registry ACL rules and signing metadata requirements where provenance matters; protect the registry store.
  • Limit or disable runpack_export for untrusted callers; restrict output paths and object-store prefixes.
  • Store run state and runpacks in tamper-evident storage; sign manifests externally when non-repudiation is required.
  • Apply OS-level sandboxing for external providers and broker sources.
  • Set server.max_body_bytes, server.limits, and provider timeouts to prevent resource exhaustion.
  • Disable docs search/resources in untrusted environments or restrict extra paths to read-only locations.

Failure Posture

  • Fail closed on missing, invalid, or unverifiable evidence.
  • Reject invalid configs, tool calls, and schema registrations.
  • Do not disclose data on Unknown or ambiguous outcomes.

Threat Model Delta (2026-02-01)

  • Added explicit coverage for docs search/resources, tool visibility filters, correlation ID sanitization, and audit payload redaction.
  • Expanded broker/source protections and object-store key validation coverage.
  • Mapped security controls to concrete code locations for traceability.
  • Added explicit authoring input size/depth limits in contract normalization.
  • Added HTTP source host allow/deny policy with private/link-local IP guards.
  • Enforced symlink-safe file source opens for rooted file disclosures.

Threat Model Delta (2026-02-14)

  • Tightened debug diagnostics boundary: /debug/mutation_stats now follows MCP auth semantics and fails closed for unauthorized callers.
  • Added end-to-end auth/schema coverage for debug mutation diagnostics to keep the contract auditable and deterministic under security regression.

Threat Model Delta (2026-02-15)

  • Added explicit coverage for CLI stdio MCP framing header limits and duplicate Content-Length rejection in hostile transport scenarios.
  • Added MCP server and external provider framing-header caps (8 KiB cumulative) to close pre-parse resource exhaustion paths.
  • Added fail-closed duplicate Content-Length rejection for MCP stdio framing in both server and external-provider transport adapters.
  • Added deterministic, bounded docs ingestion references for docs.extra_paths to reduce traversal nondeterminism and startup amplification risk.
  • Added built-in HTTP provider DNS resolution pinning and default private / link-local destination denial to close hostname-only SSRF bypass paths.
  • Added descriptor-relative no-follow file operations and atomic sibling-temp writes for contract artifact generation/verification to reduce TOCTOU risk under concurrent local filesystem mutation.

Threat Model Delta (2026-02-17)

  • Added built-in REST provider attack-surface coverage for GET-only external API evidence extraction (json_path, header) without external MCP adapters.
  • Added REST-specific header hygiene controls, including reserved-header rejection and auth-managed header override denial.
  • Extended provider hardening references to include REST provider DNS pinning, private/link-local deny-by-default, JSON content-type gating for json_path, and bounded response handling.
  • Added typed provider boundary coverage for local capability/runtime artifacts and fail-closed typed runtime profile digest validation.
  • Added typed OpenAPI runtime attack-surface coverage for profile-driven request binding, strict response validation, and deterministic typed anchors.
  • Added typed runtime header-reservation and auth-header ownership enforcement plus safe path-parameter encoding to block delimiter injection.
  • Added typed import/runtime hard limits (timeout_ms, max_response_bytes, and operation_allowlist length) with fail-closed validation.
  • Mapped typed import/codegen/runtime protections to OSS implementation files for traceable security review.

Threat Model Delta (2026-02-19)

  • Hardened typed lifecycle tool boundaries: all typed_providers_* mutations now require explicit tenant_id + namespace_id and pass scoped context through authz, namespace authority, and usage-meter hooks.
  • Extended tenant-authz request context with optional provider_id for provider-scoped tool calls (typed_providers_*, evidence_query) so enterprise RBAC can enforce provider-level policy at the seam.
  • Added scoped typed runtime resolution seam (TypedProfileResolver) keyed by (tenant_id, namespace_id, provider_id) to prevent cross-scope profile selection when lifecycle state shares provider ids.
  • Resolver invocation now snapshots the configured typed resolver before calling it, avoiding lock-held resolver execution and reducing deadlock/DoS risk from re-entrant resolver implementations.
  • Added REST runtime policy hook seam (RestPolicyEvaluator) for fail-closed pre-network deny decisions on egress host/scheme and auth-scheme usage.
  • Added deterministic REST policy deny-code coverage in provider tests to keep enforcement/audit vocabulary stable across integrations.
  • Updated release supply-chain posture to implemented state: complete artifact-level SBOM/provenance/signature verification with keyless OIDC signing and hard vulnerability policy gates (High/Critical + KEV).
  • Added release CI implementation references for supply-chain generation, verification, and workflow enforcement.

Threat Model Delta (2026-02-20)

  • Added CI workflow hardening policy enforcement via scripts/ci/workflow_hardening_check.py for immutable full-SHA action pinning and fail-closed rejection of mutable installer pipe-to-shell patterns.
  • Added explicit self-hosted PR trust-boundary policy: any pull-request workflow job using self-hosted runners must enforce same-repo guards (head.repo.full_name == github.repository).
  • Reduced default workflow token scope for release/publish and constrained OIDC write usage to release/publish jobs that sign/verify supply-chain evidence.
  • Tightened keyless signature verification scope in release/publish by binding cert identity regexp to repository + workflow path + tag refs.