Goal
Implement local-first trust and package provenance posture for SourceOS event verification.
Scope
- Define trust evaluation event model.
- Define package receipt lookup abstraction.
- Capture content hash and signature state.
- Represent local, cached, blocked, failed, and explicit network trust lookup states.
- Represent degraded verification without inflating severity into false compromise alerts.
Acceptance criteria
- Unsigned scripts are not automatically treated as malicious.
- Package-managed binaries can be locally verified.
- Trust checks never silently use network access.
- Degraded trust is explainable in the operator narrative.
- Trust evidence can attach to process.exec and policy.decision events.
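The scope and acceptance criteria above describe a data model rather than an implementation. The following is an added Python sketch of that model (it is not SourceOS code): enum-valued lookup and signature states, a receipt lookup abstraction that only reads local data, a content hash check against the receipt, an explicit opt-in path for network lookups, and a severity rule under which degraded trust stays informational. All names, the event dict shape, and the sample receipts and file contents are constructed for this example.

```python
import hashlib
from dataclasses import dataclass, asdict
from enum import Enum
from typing import Callable, Optional


class LookupState(str, Enum):
    LOCAL = "local"                        # receipt read from the local package index
    CACHED = "cached"                      # receipt served from an earlier, cached fetch
    BLOCKED = "blocked"                    # a network fetch was possible but not permitted
    FAILED = "failed"                      # no receipt found by any permitted source
    NETWORK_EXPLICIT = "network_explicit"  # operator explicitly allowed a network fetch


class SignatureState(str, Enum):
    VERIFIED = "verified"
    UNSIGNED = "unsigned"
    INVALID = "invalid"
    UNCHECKED = "unchecked"


@dataclass(frozen=True)
class PackageReceipt:
    package: str
    version: str
    sha256: str  # content hash recorded at install time


@dataclass
class TrustEvidence:
    """Evidence record attachable to process.exec / policy.decision events."""
    path: str
    content_sha256: str
    lookup: LookupState
    signature: SignatureState
    receipt: Optional[PackageReceipt]
    verified_locally: bool
    degraded: bool
    severity: str  # "info" for unverified/degraded, "high" only when evidence is contradicted
    narrative: str


class LocalReceiptStore:
    """Receipt lookup abstraction over in-memory dicts (constructed sample data).
    It never touches the network; network access is a separate, explicit path."""

    def __init__(self, index: dict, cache: dict):
        self._index, self._cache = index, cache

    def lookup(self, path: str):
        if path in self._index:
            return LookupState.LOCAL, self._index[path]
        if path in self._cache:
            return LookupState.CACHED, self._cache[path]
        return LookupState.FAILED, None


def evaluate_trust(path: str, content: bytes, store: LocalReceiptStore,
                   signature: SignatureState,
                   network_lookup: Optional[Callable[[str], Optional[PackageReceipt]]] = None,
                   allow_network: bool = False) -> TrustEvidence:
    digest = hashlib.sha256(content).hexdigest()
    state, receipt = store.lookup(path)

    # The network is used only when the caller opted in, and the state records that it was.
    if receipt is None and network_lookup is not None:
        if not allow_network:
            state = LookupState.BLOCKED
        else:
            receipt = network_lookup(path)
            state = LookupState.NETWORK_EXPLICIT if receipt else LookupState.FAILED

    hash_matches = receipt is not None and receipt.sha256 == digest
    verified_locally = hash_matches and state in (LookupState.LOCAL, LookupState.CACHED)
    # "Degraded" means provenance could not be established, not that it was contradicted.
    degraded = receipt is None and signature is not SignatureState.VERIFIED

    if receipt is not None and not hash_matches:
        severity, narrative = "high", (
            f"{path}: content hash differs from {receipt.package} {receipt.version} receipt")
    elif signature is SignatureState.INVALID:
        severity, narrative = "high", f"{path}: signature present but failed verification"
    elif hash_matches:
        severity, narrative = "info", (
            f"{path}: matches receipt for {receipt.package} {receipt.version} (lookup={state.value})")
    else:
        severity, narrative = "info", (
            f"{path}: provenance unverified (lookup={state.value}, signature={signature.value}); "
            "degraded trust, not evidence of compromise")

    return TrustEvidence(path, digest, state, signature, receipt,
                         verified_locally, degraded, severity, narrative)


def attach_evidence(event: dict, evidence: TrustEvidence) -> dict:
    """Attach evidence to a process.exec or policy.decision event (dict shape is assumed)."""
    if event.get("type") not in ("process.exec", "policy.decision"):
        raise ValueError(f"trust evidence not attachable to {event.get('type')!r}")
    return {**event, "trust": asdict(evidence)}


# Constructed sample data: one package-managed binary and one ad-hoc, unsigned script.
CURL_BYTES = b"\x7fELF-constructed-curl-binary"
SCRIPT_BYTES = b"#!/bin/sh\necho hi\n"
STORE = LocalReceiptStore(
    index={"/usr/bin/curl": PackageReceipt("curl", "0.0-constructed", hashlib.sha256(CURL_BYTES).hexdigest())},
    cache={})


def fake_network_lookup(path: str) -> Optional[PackageReceipt]:
    """Stand-in for a remote receipt service; returns a constructed receipt for the script."""
    if path == "/usr/local/bin/deploy.sh":
        return PackageReceipt("deploy-tools", "0.0-constructed", hashlib.sha256(SCRIPT_BYTES).hexdigest())
    return None
```

The severity rule is the point worth copying: an unsigned script with no receipt and a blocked network lookup yields `degraded=True` with `severity="info"` and a narrative that says so, while `severity="high"` is reserved for a receipt whose hash does not match the content or a signature that fails verification.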