Status
SECURITY / REPRODUCIBILITY / CLAIM BOUNDARY INVENTORY ITEM
Finding
The Core verification workflow clones sibling repositories from GitHub at whatever the default branch head is at clone time, so the content it checks can differ from one run to the next:
    git clone --depth 1 "https://github.com/Riverbraid/${repo}.git" "$repo"
Risk boundary
This does not prove compromise. It means this workflow should be treated as a live compatibility check, not a pinned verification surface.
Recommended future review
- Decide whether this workflow should remain a live compatibility workflow.
- If a pinned verification claim is desired, clone exact commits from an explicit registry or lock file.
- Document the difference between mutable compatibility checks and pinned verification.
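The pinned alternative sketched in the review items above, as an added example that is not part of the Riverbraid project or this issue: a lock file of "<repo> <full commit sha>" lines (a constructed, hypothetical format), each entry validated before any network access, then fetched by exact commit and checked against the pinned sha after checkout. The Riverbraid GitHub URL pattern is the one quoted in the finding; the lock file name and layout are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not project code. Lock file format (hypothetical):
#   <repo> <40-hex commit sha>      one entry per line

# A lock entry is usable only if the repo name is a plain identifier
# (no path separators) and the sha is a full 40-hex commit id, not a ref.
valid_lock_entry() {
  repo="$1"; sha="$2"
  case "$repo" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  case "$sha" in ''|*[!0-9a-f]*) return 1 ;; esac
  [ "${#sha}" -eq 40 ]
}

# Count malformed entries so the run can fail closed before cloning anything.
lock_errors() {
  bad=0
  while read -r repo sha; do
    [ -n "$repo" ] || continue
    valid_lock_entry "$repo" "$sha" || bad=$((bad + 1))
  done < "$1"
  echo "$bad"
}

# Fetch exactly the pinned commit (GitHub serves reachable commits by sha),
# then refuse to proceed if HEAD is not the sha the lock file names.
clone_pinned() {
  repo="$1"; sha="$2"
  valid_lock_entry "$repo" "$sha" || { echo "bad lock entry: $repo $sha" >&2; return 1; }
  git init -q "$repo" &&
  git -C "$repo" remote add origin "https://github.com/Riverbraid/${repo}.git" &&
  git -C "$repo" fetch -q --depth 1 origin "$sha" &&
  git -C "$repo" checkout -q --detach FETCH_HEAD &&
  [ "$(git -C "$repo" rev-parse HEAD)" = "$sha" ] ||
    { echo "pin mismatch for $repo" >&2; return 1; }
}

# Usage: sh pin_clone.sh sibling.lock   (clones every entry into ./<repo>)
if [ -f "${1:-}" ]; then
  [ "$(lock_errors "$1")" -eq 0 ] || { echo "lock file rejected" >&2; exit 1; }
  while read -r repo sha; do
    [ -n "$repo" ] && { clone_pinned "$repo" "$sha" || exit 1; }
  done < "$1"
fi
```

The validation step is what separates a pinned run from the live one in the finding: a branch name such as "main" in the sha column is rejected instead of silently resolving to whatever it points at today.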
Boundary
This issue records inventory only.
It does not claim a patch was applied.
It does not claim the repository is secure, hardened, audited, or defect free.
It does not change registry, verifier behavior, workflow, protocol, hash, seal, manifest, tag, or release state.
Evidence surface
Repository file: Riverbraid-Core/.github/workflows/verify.yml
Claim boundary: reproducibility and verification surface distinction, not external security audit