Skip to content

[backlog] Public lockfile registry/discovery for community known-good locks #27

Description

@ernestprovo23

Surfaced via a conclave council run (synthesize + adversarial passes), 2026-06-07.

Council verdict: CUT this cycle (revisitable). Not off-mission in principle, but introduces a new trust model (who curates "known-good"?), a new attack surface (registry poisoning), and L effort — all before the core integrity primitives are proven. npm/PyPI built registries after their hash/signing primitives were stable; follow the same sequence.

Revisit when: signing (#16), provenance (#19), and the schema-diff engine (#15) are stable.
Status: parked backlog — read-only-by-default client if/when built. Labeled wontfix for this cycle, not permanently.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestroadmapPlanned work from the threat model / roadmapwontfixThis will not be worked on

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions