rfc(pnpr): package screening and verdict store #15
Summary
Proposes a screening layer for artifacts pnpr serves (aligned with the registries rename after #16):
- `name@version`, not registry), so identical bytes share analysis across registries and signed verdict bundles can be exchanged between deployments later.
- `minimumReleaseAge`), hold/block as explicit `403` with machine-readable reason (never `404`, to prevent fall-through), publish-time scanning on hosted registries, operator dispositions, and post-serve revocation surfacing.
- Independent of, but composable with, the patch-provider RFC (#14): a block reason can advertise an available patched artifact when a patch manifest knows one.
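A minimal sketch of the content-addressed verdict store and the hold/block response semantics described in the summary, added here as an illustration and not code from the pnpr project. The `Verdict` shape, the `recordVerdict`/`screen` names and the response fields are assumptions; the tarball bytes in the test are constructed.

```typescript
import { createHash } from "node:crypto";

// Hypothetical verdict shapes; the field names are assumptions, not pnpr's schema.
type Verdict =
  | { status: "allow" }
  | { status: "block"; reason: string; patchedArtifact?: string };

type ScreenResponse = { status: number; body: Record<string, unknown> };

// Content-addressed store: the key is the digest of the tarball bytes, never
// name@version, so the same bytes fetched via two registries share one verdict.
const verdictStore = new Map<string, Verdict>();

function digestOf(bytes: Uint8Array): string {
  return "sha256:" + createHash("sha256").update(bytes).digest("hex");
}

// Operator disposition (or publish-time scan result) recorded against the bytes.
function recordVerdict(bytes: Uint8Array, verdict: Verdict): string {
  const key = digestOf(bytes);
  verdictStore.set(key, verdict);
  return key;
}

// Screening decision for a serve request. Holds and blocks are an explicit 403
// with a machine-readable reason: a 404 would let a client fall through to
// another registry and fetch the very artifact that was held.
function screen(bytes: Uint8Array, publishedAt: Date, now: Date,
                minimumReleaseAgeSec: number): ScreenResponse {
  const digest = digestOf(bytes);
  const stored = verdictStore.get(digest);
  if (stored?.status === "block") {
    const body: Record<string, unknown> = { verdict: "block", reason: stored.reason, digest };
    // Composable with the patch-provider RFC: advertise a patched artifact if one is known.
    if (stored.patchedArtifact) body.patchedArtifact = stored.patchedArtifact;
    return { status: 403, body };
  }
  // minimumReleaseAge hold: too-fresh releases are refused until the window passes.
  const ageMs = now.getTime() - publishedAt.getTime();
  if (ageMs < minimumReleaseAgeSec * 1000) {
    const releaseAt = new Date(publishedAt.getTime() + minimumReleaseAgeSec * 1000).toISOString();
    return { status: 403, body: { verdict: "hold", reason: "minimumReleaseAge", digest, releaseAt } };
  }
  return { status: 200, body: { verdict: "allow", digest } };
}
```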