Surfaced by the user reviewing the v1.81 release chain. The release attestation is cosign-only; sigil is documented as part of the intended chain but wired into nothing.
Current state (release.yml)
- cosign sign-blob (keyless OIDC) over SHA256SUMS.txt → .sig/.pem/.cosign.bundle
- actions/attest-build-provenance → in-toto SLSA v1 provenance
Both are Sigstore/Fulcio, CI-level — they prove provenance (came from this workflow, logged in Rekor).
The gap
sigil (PulseEngine-native Ed25519 attestation) is referenced in the design but implemented nowhere:
- FV-RELAY-STREAM-014 says "Attestation (sigil/cosign, feature-loop step 6)" — but only cosign ships → over-claim to correct.
- SWARCH-RELAY-SEC-001 marks the relay-sec session-key sigil role (Ed25519 over the X25519 exchange, rekey-on-reboot) as "planned" (line 153) — also unimplemented.
- sigil isn't installed locally either (external tool, like gale/kiln).
Why sigil belongs before cosign (not redundant)
- cosign = provenance: "built by this CI", public transparency log.
- sigil = endorsement: the project's own trust root signing the artifact + binding it to the verification evidence (rivet trace + Kani + witness MC/DC). "Our verified pipeline blessed this, under our key."
- Order: sigil attests the evidence-bound artifact → cosign wraps it in public CI transparency.
What's been shipping cosign-only
v1.78, v1.79, v1.80, v1.81 — four releases, past the feature-loop's "step-6 N/A for 3 features → file it" threshold.
Asks (two sub-tasks)
- Release attestation: wire sigil into release.yml (sign the bundle / evidence manifest with the project Ed25519 key, before cosign). Prereq: sigil installed/available in CI (currently absent) — coordinate with the sigil repo.
- Artifact hygiene: correct FV-RELAY-STREAM-014's "sigil/cosign" to "cosign (+ SLSA provenance); sigil planned" until (1) lands, so the artifact stops claiming an unshipped step.
Separately tracks the relay-sec runtime sigil session-key role (SWARCH-RELAY-SEC-001 "planned") — related but distinct from release signing.
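
To make "binding the artifact to the verification evidence" concrete, here is an added sketch (not code from this repository or from sigil) of an evidence manifest that an Ed25519 endorsement step could sign before cosign runs, plus the binding check a verifier would apply. The manifest layout, evidence file names and artifact name are assumptions; the signature itself is left to sigil, whose interface is not shown in this issue.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(release: str, sums_txt: bytes, evidence: dict) -> bytes:
    """Canonical bytes for an Ed25519 endorsement step to sign (hypothetical layout)."""
    manifest = {
        "release": release,
        "subject": {"name": "SHA256SUMS.txt", "sha256": sha256_hex(sums_txt)},
        "evidence": {name: sha256_hex(blob) for name, blob in evidence.items()},
    }
    # Sorted keys and fixed separators: identical inputs give identical signed bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def check_binding(manifest_bytes: bytes, sums_txt: bytes, evidence: dict) -> list:
    """List every mismatch between a manifest and the files presented with it.

    A verifier calls this only after the signature over manifest_bytes has been
    checked against the project key. An empty list means everything matches.
    """
    manifest = json.loads(manifest_bytes)
    problems = []
    if manifest["subject"]["sha256"] != sha256_hex(sums_txt):
        problems.append("subject:SHA256SUMS.txt")
    for name, digest in manifest["evidence"].items():
        if name not in evidence:
            problems.append("missing:" + name)
        elif sha256_hex(evidence[name]) != digest:
            problems.append("evidence:" + name)
    problems += ["unlisted:" + n for n in sorted(evidence) if n not in manifest["evidence"]]
    return problems


# Constructed sample inputs (file names and contents are placeholders).
SUMS = b"<constructed-digest>  relay-v1.81.tar.gz\n"
EVIDENCE = {
    "rivet-trace.json": b'{"constructed": "trace"}',
    "kani-report.txt": b"constructed Kani summary\n",
    "witness-mcdc.json": b'{"constructed": "coverage"}',
}

if __name__ == "__main__":
    signed_bytes = build_manifest("v1.81", SUMS, EVIDENCE)
    swapped = dict(EVIDENCE, **{"kani-report.txt": b"different report\n"})
    print(check_binding(signed_bytes, SUMS, EVIDENCE))
    print(check_binding(signed_bytes, SUMS, swapped))
```

Because cosign then signs SHA256SUMS.txt and the manifest names that same file's digest, a cosign-valid release whose evidence was swapped or dropped still fails the binding check.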