Supply-Chain Security
supply-chain-security.md
PrivateDAO treats supply-chain review as part of protocol review, not as a separate afterthought.
Scope
The repository publishes reviewer-visible evidence for:
- Cargo.lock
- package-lock.json
- yarn.lock
- package.json
- Cargo.toml
- Anchor.toml
These files define the dependency and toolchain surface that shapes builds, tests, scripts, and reviewer artifacts.
Why It Matters
- Lockfiles reduce ambiguity between reviewed code and reproduced code.
- Toolchain manifests make dependency drift easier to detect.
- Cryptographic integrity over dependency artifacts helps reviewers verify that the evidence surface was not silently rewritten after generation.
Current Boundary
- This repository publishes lockfile and manifest integrity evidence.
- It does not claim a complete SBOM for every transitive binary dependency outside these manifests.
- It does not replace external dependency auditing or registry compromise monitoring.
Verification Commands
```bash
npm run build:supply-chain-attestation
npm run verify:supply-chain-attestation
npm run build:cryptographic-manifest
npm run verify:cryptographic-manifest
npm run verify:all
```
Reviewer Artifacts
- docs/supply-chain-attestation.generated.md
- docs/supply-chain-attestation.generated.json
- docs/cryptographic-manifest.generated.json
- docs/verification-gates.md