Supply Chain

The supply-chain model is still builder-first, but the toolchain has changed.

What the Builder Owns Now

The custom GitHub Action builder image is the repository trust root for:

  • a digest-pinned Debian Bookworm slim Rust base image

  • pinned Rust 1.95.0 and pinned tox

  • Rust toolchain installation, including rustfmt and Clippy

  • OpenSSL development headers

  • a conservative Linux glibc floor for release artifacts

  • Xvfb and the Xlib runtime libraries required for GUI screenshot smoke tests

  • Sphinx and Python docs tooling

  • cargo build / test / clippy / fmt runs

  • docs-site builds from the repository root

  • vendored Cargo dependency resolution

What It No Longer Builds

  • the retired interactive browser app

  • WebAssembly artifacts

  • GitHub Pages site zips pulled from releases

Release Outputs

The release pipeline now focuses on:

  • native CLI and GUI archives

  • macOS GUI .dmg packages

  • Linux .deb packages for both binaries

  • checksums

  • provenance / attestations

  • package-manager metadata

  • repo-owned package metadata

Before attestation, the release workflow now validates:

  • per-platform archive smoke tests

  • macOS GUI .dmg payload validation and host smoke tests

  • Debian package payload validation and Linux host smoke tests for .deb artifacts on Ubuntu 24.04

  • aggregate checksums

  • Homebrew / Scoop / Chocolatey manifest generation

  • the docs-hosted install.sh flow against a local artifact server

  • the checked-in release-validation scripts instead of workflow-only inline shell

GitHub Pages is rebuilt directly from main using the Sphinx docs tree instead of downloading a site zip from a release artifact.

Branch Protection Discipline

The repository now carries scripts/verify_branch_protection.sh plus make verify-branch-protection so operators can detect stale required-check policies before they block a merge. This is a manual or authenticated check because branch protection lives in GitHub configuration rather than the Git tree.

Cargo Dependency Discipline

  • Cargo.lock is committed and release-aware.

  • Cargo dependencies are vendored under vendor/.

  • Workspace Cargo commands run with --locked --frozen --offline in make and CI.

  • make verify-deep runs Rust-native xtask checks for offline metadata, dependency source and license policy, repo-owned shell linting, Python syntax checks for the existing docs/test harness scripts, and tracked-file secret scanning.

  • make quality is the local release-candidate gate: it runs verify-deep, the enforced local scanner subset, ci, and the host-supported GUI e2e harness before remote CI is treated as confirmation. It also requires the local security scanner stack to be installed.

  • deny.toml records the local dependency license/source policy for cargo-deny.

  • scripts/hallucination_check.sh verifies math/security invariants in paranoid-core.

  • scripts/supply_chain_verify.sh verifies vendoring, workflow pinning, and release prerequisites.

  • scripts/security_assurance_gate.py verifies the claim-led PR assurance protocol wiring.

  • Release packaging lives in repo-owned scripts instead of workflow-only inline shell.