boma/docs/security
sjat 2f4218814a Reconcile image pinning to a tiered tag@digest rule
Resolve the conflict between ADR-011 (tags-not-digests) and the security work
(digest pinning) with one coherent rule that respects ADR-011's stateless/stateful
split:

- Stateful → pin `tag@digest` (readable tag + integrity digest): legible diffs AND
  tamper-evidence. Snapshots cover broken updates; the digest covers swapped images.
- Stateless → rolling tags (latest/stable); digest-pinning would defeat the rolling
  design. Integrity rests on official/verified images + disposability.

Aligned across ADR-011 (decision 2), ADR-004 (image management), ADR-002
(supply-chain row), accepted-risk R1, the service checklist, and TODO 15.6.
TODO 16.7 marked decided.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 19:21:36 +02:00
..
accepted-risks.md Reconcile image pinning to a tiered tag@digest rule 2026-06-04 19:21:36 +02:00
service-checklist.md Reconcile image pinning to a tiered tag@digest rule 2026-06-04 19:21:36 +02:00
service-security-template.md Add per-service SECURITY.md convention; one role per service 2026-06-04 16:09:33 +02:00