Stage350 adds an enforcement layer on top of Stage349.
It converts the Stage349 bridge result into a supply-chain enforcement session.
- CI enforcement for
source_git_commit - Fail-closed blocking of
local-uncommittedin CI - Enforcement session generation
session_sha256bindingwrap_signature_requiredandsignature_presentrecording- Transparency entry generation
previous_hash / entry_hashchain linkage
Stage350 does not:
- Treat old unsigned SBOMs as if they were signed at the time
- Register entries to external Rekor automatically
- Anchor entries to Bitcoin
- Store real private keys or signing keys in GitHub
docs/enforcement/enforcement_session.jsondocs/audit/stage350-transparency-log.json
Private core logic, secrets, signing keys, and private evidence are excluded from GitHub.
accept: evidence is valid enough for enforcementwarn: local/non-CI issue detectedblock: CI environment detected unsafe supply-chain evidence and failed closed