Release Authority and Update Gates

Supply-chain security baseline

Latticra has guarded CI, dependency, package, artifact, SBOM, update, and runtime-authority rules. Those rules keep release authority closed; they are not production readiness, signed delivery, compliance certification, or external endorsement.

Current Rule

Supply-chain evidence blocks release authority until the release gate is complete.

The baseline records local controls for workflow permissions, pinned actions, checkout credentials, package-manager mutation, dependency review, artifact integrity, SBOM requirements, and update-lane safety. It deliberately preserves no publishing authority, no signing authority, no production installer claim, and no production update claim.

01 Workflow authority

Actions must be pinned, repository permissions explicit and read-only by default, and unreviewed token or secret use blocked.
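The workflow rules above as a runnable guard, added here as an illustration and not a script from the Latticra repository. It reads a GitHub Actions workflow file and reports actions not pinned to a full commit SHA, a missing or write-granting top-level permissions block, checkout steps that keep the token, and secret references without a review marker. The `# reviewed` comment convention, the exemption for local `uses: ./...` actions, the placeholder all-zero SHA and the two workflow files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not a script from the Latticra repository: a small guard in the
# spirit of the baseline's workflow rules. It reads a GitHub Actions workflow
# and reports (1) `uses:` references not pinned to a full commit SHA,
# (2) a missing or write-granting top-level `permissions:` block,
# (3) `actions/checkout` steps that keep the token (`persist-credentials`
# not set to false), and (4) `secrets.*` references without a review marker.
# Assumed conventions: local actions (`uses: ./...`) are exempt from pinning,
# and a `# reviewed` comment on a line marks secret use as reviewed.

# check_workflow FILE: prints one finding per line, returns 0 only if none.
check_workflow() {
  wf="$1"
  findings=0

  # (1) Tags and branches are mutable; only a 40-hex SHA is a pin.
  unpinned=$(grep -n 'uses:' "$wf" \
    | grep -v -E 'uses:[[:space:]]*\./' \
    | grep -v -E 'uses:[[:space:]]*[^@[:space:]]+@[0-9a-f]{40}([[:space:]]|$)' || true)
  if [ -n "$unpinned" ]; then
    printf '%s\n' "$unpinned" | sed 's/^/unpinned action at line /'
    findings=$((findings + 1))
  fi

  # (2) Without a top-level permissions block the token gets the repository
  # default, which is not guaranteed to be read-only.
  perms=$(awk '
    /^permissions:/ { seen = 1; if ($0 ~ /write-all/) print "write-all token permissions"; next }
    seen == 1 && /^[[:space:]]+[a-z-]+:[[:space:]]*write/ { print "write scope granted: " $0 }
    seen == 1 && /^[^[:space:]#]/ { seen = 2 }
    END { if (!seen) print "no top-level permissions block" }' "$wf")
  if [ -n "$perms" ]; then
    printf '%s\n' "$perms"
    findings=$((findings + 1))
  fi

  # (3) actions/checkout persists the token in .git/config unless told not to.
  creds=$(awk '
    /uses:[[:space:]]*actions\/checkout@/ { if (open && !ok) print "checkout at line " at " keeps credentials"; open = 1; ok = 0; at = NR; next }
    open && /persist-credentials:[[:space:]]*false/ { ok = 1 }
    open && /^[[:space:]]*-[[:space:]]/ { if (!ok) print "checkout at line " at " keeps credentials"; open = 0 }
    END { if (open && !ok) print "checkout at line " at " keeps credentials" }' "$wf")
  if [ -n "$creds" ]; then
    printf '%s\n' "$creds"
    findings=$((findings + 1))
  fi

  # (4) Secret references must carry an explicit review marker (assumed convention).
  secrets=$(grep -n -E 'secrets\.[A-Za-z0-9_]+' "$wf" | grep -v '# reviewed' || true)
  if [ -n "$secrets" ]; then
    printf '%s\n' "$secrets" | sed 's/^/unreviewed secret use at line /'
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# Constructed workflow files for the demo, written to a temp dir.
WF_DIR=$(mktemp -d)
cat > "$WF_DIR/weak.yml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
cat > "$WF_DIR/pinned.yml" <<'EOF'
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA, not a real pin
        with:
          persist-credentials: false
      - run: npm test
EOF

echo "== weak.yml"; check_workflow "$WF_DIR/weak.yml" || echo "blocked"
echo "== pinned.yml"; check_workflow "$WF_DIR/pinned.yml" && echo "passes"
```

The weak file trips all four rules and the guard returns non-zero, which is the shape a CI gate needs: the check fails closed and prints the line it objects to, so a reviewer can fix the pin or add the marker rather than guess. Job-level permission grants and composite actions are outside what this check inspects.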

02 Dependency evidence

New dependencies, bundled binaries, generated artifacts, and vendored material require purpose, ownership, license, and security review.

03 Artifact integrity

Production artifacts require inventory, hashes, SBOM review, signing contracts, recovery behavior, and public non-claim review.

04 Update delivery

The Panel signed-updater delivery gate stays closed until manifest, signature, hash, channel, rollback, validation, and receipt evidence exist.

Current Snapshot

The baseline is present, but release authority is still zero.

These fields are meant to be read as a release blocker: the project has guard rules and source records, not a production supply-chain claim.

supply_chain_security_baseline 1
pinned_ci_actions_required 1
sbom_required_before_production_installer 1
kev_nvd_review_required_before_release 1
release_publishing_authority_granted 0
production_update_claim_allowed 0
runtime_authority_granted 0
external_endorsement_claimed 0

Release Gate

Production release wording requires all required evidence.

A release artifact, production installer, production update lane, or internet-facing service needs inventory, SBOM, third-party review, vulnerability review, workflow authority review, signing boundary, recovery behavior, and non-claim review before the wording can change.

Present now

Supply-chain baseline, status record, guard script, CI rules, dependency review rules, and release non-claim language.

Required before release

SBOM, dependency inventory review, KEV/NVD review, integrity hashes, signing authority contract, rollback or recovery contract, vulnerability disclosure path, and production non-claim review.

Denied now

Artifact publication, release signing, release secret access, workflow write-token authority, production installer claims, production update claims, and production security claims.

Authority Baselines

Runtime and updater authority are separate gates, not side effects of packaging work.

Supply-chain review cannot silently grant runtime, update, network, signing, or host authority. Each authority surface needs its own contract, evidence, denial cases, and status alignment.

Baseline

Supply-chain controls

CI, dependency, package, artifact, SBOM, release, and update-lane requirements are guarded by local checks.

Closed

Signed updater delivery

Network self-update and signed update apply remain blocked without signed manifests, artifact verification, rollback, validation, and receipts.
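The hash-verification, rollback and receipt steps named under Update delivery and under Signed updater delivery, as an added example that is not Latticra's updater. The manifest format ("<sha256>  <artifact name>"), the single-file payload, the fixture files and the receipt wording are assumptions constructed for the demo; signature verification of the manifest is a separate step this example does not perform, and the denial path runs first so the installed payload is shown untouched after a rejected artifact.

```shell
#!/bin/sh
# Added example, not Latticra's updater: the hash-verification, rollback and
# receipt steps an update lane needs before anything is applied, with the
# denial path exercised first. Assumptions: a manifest line is
# "<sha256>  <artifact name>", the installed payload is one file, and the
# manifest's signature is checked by a separate step not shown here.

# Print the SHA-256 of a file using whichever tool is available.
sha256_of() {
  { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else openssl dgst -sha256 -r "$1"
    fi; } | awk '{ print $1 }'
}

# apply_update MANIFEST STAGED INSTALLED RECEIPT
# Replaces INSTALLED only after the staged artifact's hash matches the
# manifest; otherwise it returns 1, leaves INSTALLED untouched and records
# the denial in RECEIPT. The previous payload is kept for rollback.
apply_update() {
  manifest="$1"; staged="$2"; installed="$3"; receipt="$4"
  name=$(basename "$staged")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
  actual=$(sha256_of "$staged")
  if [ -z "$expected" ]; then
    printf 'deny: %s is not listed in the manifest\n' "$name" >> "$receipt"
    return 1
  fi
  if [ "$actual" != "$expected" ]; then
    printf 'deny: hash mismatch for %s expected=%s actual=%s\n' "$name" "$expected" "$actual" >> "$receipt"
    return 1
  fi
  if [ -e "$installed" ]; then cp "$installed" "$installed.previous" || return 1; fi
  # Copy then rename so a crash mid-write never leaves a half-written payload.
  cp "$staged" "$installed.new" || return 1
  mv "$installed.new" "$installed" || return 1
  printf 'applied: %s sha256=%s\n' "$name" "$actual" >> "$receipt"
}

# Restore the previous payload saved by apply_update.
rollback_update() {
  installed="$1"; receipt="$2"
  [ -e "$installed.previous" ] || return 1
  mv "$installed.previous" "$installed" || return 1
  printf 'rolled back: %s\n' "$installed" >> "$receipt"
}

# Constructed fixtures: a v1 install, a genuine v2 artifact listed in the
# manifest, and a tampered v2 with the same name but different bytes.
make_fixtures() {
  dir="$1"
  mkdir -p "$dir/staged" "$dir/tampered"
  printf 'panel payload v1\n' > "$dir/installed.bin"
  printf 'panel payload v2\n' > "$dir/staged/panel.bin"
  printf '%s  panel.bin\n' "$(sha256_of "$dir/staged/panel.bin")" > "$dir/manifest.txt"
  printf 'panel payload v2 with an extra byte\n' > "$dir/tampered/panel.bin"
}

DEMO=$(mktemp -d)
make_fixtures "$DEMO"
apply_update "$DEMO/manifest.txt" "$DEMO/tampered/panel.bin" "$DEMO/installed.bin" "$DEMO/receipt.log" || echo "tampered artifact denied"
apply_update "$DEMO/manifest.txt" "$DEMO/staged/panel.bin" "$DEMO/installed.bin" "$DEMO/receipt.log" && echo "genuine artifact applied"
rollback_update "$DEMO/installed.bin" "$DEMO/receipt.log" && echo "rolled back"
cat "$DEMO/receipt.log"
```

The order matters: verification decides before any write, the old payload is preserved before the new one lands, and every outcome (deny, apply, roll back) leaves a receipt line. A real lane would also verify the manifest's signature before trusting its hashes and run post-apply validation before discarding the rollback copy.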

Closed

Runtime authority

Tool execution, host I/O, network opens, MCP invocation, model execution, signing, recovery, boot, and hardware effects remain denied.

Closed

Production claims

No SLSA level, NIST compliance, CISA CPG compliance, external endorsement, production protection, or production readiness is claimed.

Local Commands

Check the guards that hold the line.

These commands validate the public boundary records without publishing, signing, fetching updates, granting secrets, or enabling runtime behavior.

Supply-chain baseline

sh scripts/test-supply-chain-security-baseline.sh
sh scripts/test-quality-safety-guards.sh

Runtime authority gate

sh scripts/test-zero-trust-runtime-authority-baseline.sh
sh scripts/test-runtime-boundary-policy-expansion-after-threat-model.sh

Updater delivery gate

sh scripts/test-latticra-panel-signed-updater-delivery-gate.sh
sh scripts/latticra-panel-signed-updater-delivery-gate.sh

Source Records

Use exact records before repeating a release or security claim.

Supply-chain baseline: Repository, CI, dependency, package, installer, artifact, SBOM, release, and update-lane controls.
Supply-chain status: Current status fields and expected guard output for the baseline.
Zero-trust runtime authority baseline: Per-request authority prerequisites, identity/resource visibility, audit records, and closed runtime gates.
Zero-trust runtime status: Status fields for future runtime, tool, host I/O, network, MCP, update, recovery, boot, and hardware authority.
Signed-updater delivery gate: Reader-facing guide to the closed signed-delivery gate, local-checkout updater lane, denial transcript, and no-effect fixtures.
Panel signed-updater gate: Closed gate for any future signed or network-delivered updater path.
Updater gate status: Status checkpoint for missing manifest, signature, verification, rollback, validation, and receipt evidence.
Production installer contract: Required gates before installer readiness, daily-driver readiness, or production install claims.
Installer readiness boundary: CLI payload evidence, local artifact manifest fixture, and production installer non-claims.
High-assurance baseline: Source-tracked security posture and future control allocation.
Identity and access management: Privileged access, service identity, account lifecycle, workflow identity, and hosted-access non-claims.
Security logging and monitoring: Event-source inventory, audit events, redaction, retention, triage, telemetry blockers, and no monitoring claims.
Backup and recovery resilience: Rollback or recovery contract context before release, updater, hosted-service, and recovery claims.
Secure configuration and change management: Configuration inventory, secure baselines, approved changes, rollback planning, drift detection, exceptions, and no hardening claims.
Network exposure and remote access: Network-client restrictions, remote access, RMM, DNS/TLS, and internet-facing service non-claims.
Data classification and protection: Data inventory, sensitive-data flow mapping, log/report redaction, telemetry blockers, and customer-data non-claims.
Cryptographic assurance and key management: FIPS/CMVP claim gates, signing authority blockers, key lifecycle, randomness, and no production crypto claims.
Vulnerability management gate: KEV/NVD review, disclosure paths, exception records, release blocking, and product-security non-claims.
Incident response boundary: Reporting routes, evidence preservation, response gates, and incident-response non-claims.
Security overview: Safe testing, effect gates, runtime denial, and security non-claims.
Packaging readiness: Platform package-shape records and distribution non-claims.
Local validation: Panel install evidence, package guards, disposable VM gates, and dry-run contracts.