Tech Review: Mondrian v0.1.0 — Action Items

## P0 — Proof chain
- [ ] Define `policy.yaml` schema and rule kinds (`iac`,`deploy`,`device`)
- [ ] Implement OPA/Cedar engine adapter and 5 stock rules
- [ ] Emit in-toto Statement + SLSA Provenance; Sigstore keyless sign; record to Rekor
- [ ] `mondrian verify` validates signatures + Rekor inclusion; outputs `proof.zip`
- [ ] Add pass/fail `examples/terraform` with golden outputs

## P1 — Developer Experience & CI
- [ ] `goreleaser` and Homebrew tap; publish v0.1.0 binaries
- [ ] Add `go vet`, `golangci-lint`, `go test` in CI
- [ ] Upload `proof.zip` on success; verify in a second job
- [ ] Add CONTRIBUTING.md, SECURITY.md, CODEOWNERS

## P2 — Evidence platform
- [ ] Minimal Merkle log chain per repo
- [ ] `mondrian serve` read-only API for attestations
- [ ] osquery pack + `device` rule mapping

## Docs
- [ ] Data-flow diagram: code → gate → attestation → log → verify
- [ ] Show exact SLSA fields populated
- [ ] Threat model v0: attacker tries to bypass CI, tamper proofs, spoof device state

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Tech Review: Mondrian v0.1.0 — Action Items #7

P0 — Proof chain

P1 — Developer Experience & CI

P2 — Evidence platform

Docs

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Tech Review: Mondrian v0.1.0 — Action Items #7

Description

P0 — Proof chain

P1 — Developer Experience & CI

P2 — Evidence platform

Docs

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions