Skip to content

Design: Surface publisher identity in evidence views #6

Description

@jpower432

Design Question

How should studio surface publisher identity when core adds trusted publishing?

Context

Core Epic #71 (Trusted Publishing) adds target-bound publisher authorization. Evidence will carry publisher metadata (issuer, subject) and a publisher-authorized trust signal.

This creates two opportunities for studio:

  1. Posture/audit views — show who submitted evidence (e.g., "from repo:myorg/ci-pipeline via GitHub Actions OIDC")
  2. Trust filtering — the assistant could filter or flag evidence from unauthorized publishers when classifying

Options Considered

  • Option A: Surface publisher info passively — display it in posture tables and audit results but don't change classification logic
  • Option B: Make publisher authorization a factor in posture classification — evidence from unauthorized publishers gets a different classification or warning
  • Option C: Defer until trusted publishing is actually in use and we have real data to design against

Related

  • complytime-core#71 — Epic: Trusted Publishing
  • complytime-core#72 — Trust signals (publisher-authorized check)
  • agents/assistant/skills/posture-check/SKILL.md — classification criteria

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/agentStudio assistant agent, graph, skillsarea/workbenchWorkbench HTTP server, BFF endpointstype/designDesign discussion or architectural exploration

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions