7b01c7d6ac
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations. - Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency. - Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results. - Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages. - Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange. - Established a validation plan for quiet scans, focusing on provenance and CI integration. - Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
1.1 KiB
1.1 KiB
2025-10-27 — Policy scope migration guidance
Summary
- Updated Authority defaults (
etc/authority.yaml) to register apolicy-cliclient using the fine-grained scope set introduced by AUTH-POLICY-23-001 (policy:read,policy:author,policy:review,policy:simulate,findings:read). - Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on
policy:write/policy:submit/policy:runscopes. - Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles.
Next steps
| Team | Follow-up | Target |
|---|---|---|
| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 |
| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated policy-cli credentials. |
Sprint 23 stand-up |
| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 |