Skip to content

mokkunsuzuki-code/stage350

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Stage350: Supply-Chain Evidence Enforcement Session Layer

Stage350 adds an enforcement layer on top of Stage349.

It converts the Stage349 bridge result into a supply-chain enforcement session.

What Stage350 Adds

  1. CI enforcement for source_git_commit
  2. Fail-closed blocking of local-uncommitted in CI
  3. Enforcement session generation
  4. session_sha256 binding
  5. wrap_signature_required and signature_present recording
  6. Transparency entry generation
  7. previous_hash / entry_hash chain linkage

What Stage350 Does Not Do

Stage350 does not:

  • Treat old unsigned SBOMs as if they were signed at the time
  • Register entries to external Rekor automatically
  • Anchor entries to Bitcoin
  • Store real private keys or signing keys in GitHub

Public Evidence

  • docs/enforcement/enforcement_session.json
  • docs/audit/stage350-transparency-log.json

Safety Boundary

Private core logic, secrets, signing keys, and private evidence are excluded from GitHub.

Decision Model

  • accept: evidence is valid enough for enforcement
  • warn: local/non-CI issue detected
  • block: CI environment detected unsafe supply-chain evidence and failed closed

About

Stage350: Supply-chain evidence enforcement session layer with CI fail-closed, SHA256 session binding, signature requirement recording, and transparency hash chain.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors