Design Question
How should studio surface publisher identity when core adds trusted publishing?
Context
Core Epic #71 (Trusted Publishing) adds target-bound publisher authorization. Evidence will carry publisher metadata (issuer, subject) and a publisher-authorized trust signal.
This creates two opportunities for studio:
- Posture/audit views — show who submitted evidence (e.g., "from repo:myorg/ci-pipeline via GitHub Actions OIDC")
- Trust filtering — the assistant could filter or flag evidence from unauthorized publishers when classifying
Options Considered
- Option A: Surface publisher info passively — display it in posture tables and audit results but don't change classification logic
- Option B: Make publisher authorization a factor in posture classification — evidence from unauthorized publishers gets a different classification or warning
- Option C: Defer until trusted publishing is actually in use and we have real data to design against
Related
- complytime-core#71 — Epic: Trusted Publishing
- complytime-core#72 — Trust signals (publisher-authorized check)
agents/assistant/skills/posture-check/SKILL.md — classification criteria
Design Question
How should studio surface publisher identity when core adds trusted publishing?
Context
Core Epic #71 (Trusted Publishing) adds target-bound publisher authorization. Evidence will carry publisher metadata (issuer, subject) and a
publisher-authorizedtrust signal.This creates two opportunities for studio:
Options Considered
Related
agents/assistant/skills/posture-check/SKILL.md— classification criteria