Priority 3 of the IEP convergence debt plan (2026-05-20)
Drives audit-harness supply-chain hardening: npm sigstore provenance; .harness-hash self-pinning; 4-manifest version reconciliation; Apache 2.0 license drift fix; signed Python/Rust artifacts; CI hard-fail on policy edit without re-init; bash version floor; polyglot dependabot. DNSSEC + CAA pre-flight via iah-E06 cluster is a P3 blocker.
Acceptance: audit-harness --version reports one canonical version; all 4 manifests agree and say Apache-2.0; npm view @intentsolutions/audit-harness@<v> --json | jq .dist.provenance returns a sigstore record; .harness-hash exists in repo, CI fails when a script is modified without audit-harness init rerun; Python wheels + Rust crate ship with attestations; bash floor check exits non-zero on bash 3.x; DNSSEC + CAA pre-flight passes for evals.intentsolutions.io.
Beads (canonical):
bd_000-projects-t3q8 (this umbrella) — iep-P3-audit-harness-hardening
bd_000-projects-itpl — iah-self-pin (.harness-hash init)
bd_000-projects-t0ba — iah-sigstore (npm provenance workflow)
bd_000-projects-uoz3 — iah-version-drift (one-shot 4-manifest reconcile)
bd_000-projects-ck2e — iah-license-drift (Python + Rust MIT → Apache 2.0)
bd_000-projects-q0f — iah-E06 cluster (DNSSEC + CAA pre-flight) + 4 sub-beads
bd_000-projects-873c — iah-kernel-shadow-check (NEW — CI gate)
bd_000-projects-hd5y — iah-version-canonical-check (NEW — version drift CI)
bd_000-projects-jcgw — iah-bash-floor (NEW — bash version guard)
bd_000-projects-cp2n — iah-dependabot-polyglot (NEW — pip + cargo + npm)
bd_000-projects-kyk1 — iah-py-sigstore (NEW — sigstore-python wheel signing)
bd_000-projects-13ty — iah-rust-attest (NEW — crates.io attestation)
Plane mirror: pending — will be linked via bd-sync link.
MIRROR RULE: bd-sync handles fan-out — bd-sync note bd_000-projects-t3q8 and bd-sync close bd_000-projects-t3q8 mirror to GH + Plane automatically.
- Jeremy Longshore
intentsolutions.io
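
Two of the acceptance gates above, the bash floor and the manifest version/license agreement check, written as shell functions. This is an added example, not code from the audit-harness repository. The floor of bash 4, the function names, the manifest file names, the Python/Rust package names and the `1.4.0` version are assumptions; the issue does not name the fourth manifest, so the check takes any number of paths.

```shell
#!/usr/bin/env bash
# Added example. Assumed: floor of bash 4, manifest file names, flat string fields.

# Return 0 when a bash version string meets the floor; defaults to the running shell.
# A real entry script would start with: bash_floor_ok || exit 1
bash_floor_ok() {
  ver="${1:-${BASH_VERSION:-0}}"
  major="${ver%%.*}"
  case "$major" in '' | *[!0-9]*) return 1 ;; esac
  [ "$major" -ge 4 ]
}

# Print the first string value of key $2 in manifest $1.
# Handles JSON ("key": "v") and TOML (key = "v") lines only.
manifest_field() {
  sed -n "s/^[[:space:]]*\"\{0,1\}$2\"\{0,1\}[[:space:]]*[:=][[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 only if every manifest has the same version and the wanted license.
manifests_agree() {
  want_license="$1"; shift
  canonical=""
  for m in "$@"; do
    v="$(manifest_field "$m" version)"
    l="$(manifest_field "$m" license)"
    [ -n "$v" ] || { echo "FAIL $m: no version field" >&2; return 1; }
    canonical="${canonical:-$v}"
    [ "$v" = "$canonical" ] || { echo "FAIL $m: version $v, expected $canonical" >&2; return 1; }
    [ "$l" = "$want_license" ] || { echo "FAIL $m: license '$l', expected $want_license" >&2; return 1; }
  done
}

# Constructed sample manifests; $2 is the license written into Cargo.toml.
write_samples() {
  printf '{\n  "name": "@intentsolutions/audit-harness",\n  "version": "1.4.0",\n  "license": "Apache-2.0"\n}\n' > "$1/package.json"
  printf '[project]\nname = "audit-harness"\nversion = "1.4.0"\nlicense = "Apache-2.0"\n' > "$1/pyproject.toml"
  printf '[package]\nname = "audit-harness"\nversion = "1.4.0"\nlicense = "%s"\n' "$2" > "$1/Cargo.toml"
}

# Demo on constructed input: a bash 3.x version string and an MIT license left in Cargo.toml.
demo="$(mktemp -d)"
write_samples "$demo" MIT
bash_floor_ok "3.2.57(1)-release" || echo "bash 3.x rejected by floor check"
manifests_agree Apache-2.0 "$demo/package.json" "$demo/pyproject.toml" "$demo/Cargo.toml" \
  || echo "drift detected: gate would fail CI"
rm -rf "$demo"
```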