- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.

Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

23 lines
853 B
Markdown
# Security and governance

## Security policy

- Coordinated disclosure with a defined SLA and published keys.
- Security fixes are prioritized for supported release lines.

## Hardening guidance

- Non-root containers and read-only filesystems.
- TLS for all external traffic, optional mTLS internally.
- DPoP or mTLS sender constraints for tokens.
- Signed artifacts and verified plugin signatures.
- No mandatory outbound traffic for core verification paths.

## Governance

- Lazy consensus with maintainer review for non-trivial changes.
- Explicit security review for sensitive changes.
- Contribution rules and code of conduct apply to all repos.

## Compliance and evidence

- Evidence is content-addressed, signed, and replayable.
- Audit packages include decision traces, inputs, and signatures.
- Unknowns are preserved and surfaced, not hidden.