Skip to content

Multi-attester, role-aware signatures on warden.lock #23

Description

@ernestprovo23

Surfaced via a conclave council run (synthesize + adversarial passes), 2026-06-07.

Council verdict: DEFER (not merged into cosign #16). A distinct governance layer — role registry, quorum logic, --require-role enforcement — none of which are natural cosign extensions. Collapsing into #16 risks blocking it or shipping a half-baked role model.

Scope (when unblocked)

  • Lock schema: attestations: [{key_id, role, sig, signed_at}], stored outside overall_digest.
  • pin --approve --role security-review|service-owner appends an attestation without changing overall_digest.
  • check --require-role ... fails closed if required roles are missing.
  • warden attest list <lock> helper.

Effort: M.
Sequencing: after #16 (cosign) and #19 (provenance) — order is 2 → 3 → 4. Docs must steer toward secure key storage or the feature gives false assurance.

Metadata

Metadata

Assignees

No one assigned

    Labels

    deferredValid but sequenced for a later cycleenhancementNew feature or requestroadmapPlanned work from the threat model / roadmapsecuritySecurity-relevant work or review

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions