Resolve the conflict between ADR-011 (tags-not-digests) and the security work (digest pinning) with one coherent rule that respects ADR-011's stateless/stateful split:

- Stateful → pin `tag@digest` (readable tag + integrity digest): legible diffs AND tamper-evidence. Snapshots cover broken updates; the digest covers swapped images.
- Stateless → rolling tags (latest/stable); digest-pinning would defeat the rolling design. Integrity rests on official/verified images + disposability.

Aligned across ADR-011 (decision 2), ADR-004 (image management), ADR-002 (supply-chain row), accepted-risk R1, the service checklist, and TODO 15.6. TODO 16.7 marked decided.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

| Name |
|---|
| decisions |
| hardware |
| reviews |
| runbooks |
| security |
| superpowers |
| FRICTION.md |
| README.md |
| TODO.md |

docs/
Project documentation.
- decisions/ — Architecture Decision Records (ADRs): the "why" behind the design. Numbered from 001; each records context, the decision, and what was ruled out.
- runbooks/ — step-by-step operational procedures (add a host, add a role, rotate secrets).

For what is actually built vs only designed, see STATUS.md at the repo root —
the ADRs describe intent, not necessarily current reality.