clawdie/layered-soul
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs/trusted-supply-chain #9

Merged
clawdie merged 2 commits from docs/trusted-supply-chain into main 2026-06-20 17:26:35 +02:00
Conversation 0 Commits 2 Files changed 2 +110 -12
clawdie commented 2026-06-20 17:26:21 +02:00
Owner
Copy link
No description provided.
clawdie added 2 commits 2026-06-20 17:26:24 +02:00 
External skill marketplaces (clawhub.ai, skills.sh, lobehub, browse.sh,
claude-marketplace) are unvetted instruction streams ingested into an agent's
context — a prompt-injection / supply-chain vector, the same class of risk as
`pkg install` from a random mirror, one layer up. Combined with the poudriere
plan, the conclusion is a first-party repository for BOTH layers.

- HIVE-ONBOARDING §10 (new): the trusted supply chain. pkg.clawdie.si (packages)
  gets a sibling first-party skill repo (proposed skills.clawdie.si). External
  sources become staging/review input, never a direct tenant runtime dep:
  curate → pin → sign → publish. Clarifies clawhub.ai is third-party, unrelated
  to pkg.clawdie.si (different layer + ownership).
- HIVE-ONBOARDING §5: mother expanded as the PAID product surface — paid tenants
  are provisioned first-party-only; that hardening is the thing worth paying for.
  §6 moat + §7 invariant + Status open-work updated to match.
- HOST-MATRIX §2: new "Registry & supply-chain provenance" table (first-party vs
  third-party per layer); mother-build row notes it serves pkg.clawdie.si.

Validation: prettier@3 --check; python3 scripts/layered_soul.py validate . — pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
register-tenant/list-tenants (#101) and --jail-name/--jail-root on spawn
(#102) are merged to colibri main (PR #107). Update Status: CLI-driveability
moves to DONE/merged, the critical-path note reflects the manual SQLite +
raw-socket steps are now CLI commands, and the one-line plan drops the
"merge #101/#102" step.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie merged commit c11df1ac75 into main 2026-06-20 17:26:35 +02:00
clawdie deleted branch docs/trusted-supply-chain 2026-06-20 17:26:37 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: clawdie/layered-soul#9
No description provided.
Delete branch "docs/trusted-supply-chain"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?