Release 0.2.1: secure advisory sync and record-id hardening

CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+## v0.2.1 - 2026-02-17
+
+- Hardened advisory feed ingestion by rejecting insecure `http://` remote references.
+- Enforced explicit advisory feed schema (`aixv.advisory-feed/v1`) for sync operations.
+- Added `record_id` safety validation (`^[A-Za-z0-9._-]{1,128}$`) to prevent path traversal footguns.
+- Added tests for insecure feed rejection and unsafe record ID rejection.
+

README.md

@@ -1,12 +1,11 @@
 <p align="left">
   <img
-    src="https://www.aixv.org/AIXV-3.png"
-    alt="AIXV logo"
-    width="350"
+    src="https://www.aixv.org/AIXV-repo-banner.png"
+    alt="AIXV repository banner"
   />
 </p>
 
-# AIXV - AI Integrity Exchange & Verification
+# AIXV - AI Integrity eXchange & Verification
 <!--- @begin-badges@ --->
 [![CI](https://github.com/aixv-org/aixv/actions/workflows/ci.yml/badge.svg)](https://github.com/aixv-org/aixv/actions/workflows/ci.yml)
 [![Conformance](https://github.com/aixv-org/aixv/actions/workflows/conformance.yml/badge.svg)](https://github.com/aixv-org/aixv/actions/workflows/conformance.yml)
@@ -15,7 +14,7 @@
 [![PyPI version](https://badge.fury.io/py/aixv.svg)](https://pypi.org/project/aixv)
 <!--- @end-badges@ --->
 
-AIXV is an open standard for AI artifact attestation, provenance, rollback, compromise detection, and investigation.
+**AIXV** is an open standard for AI artifact attestation, provenance, rollback, compromise detection, and investigation.
 
 In practical terms, AIXV helps organizations answer high-stakes questions before deploying or accepting AI artifacts:
 - What exactly is this artifact?
@@ -26,20 +25,20 @@ In practical terms, AIXV helps organizations answer high-stakes questions before
 
 
 AIXV is built for three audiences that need shared, verifiable answers:
-- Technical teams: deterministic verification and machine-readable admission decisions.
-- Enterprise and public-sector risk owners: auditable evidence, policy controls, and incident traceability.
-- Policy, governance, and assurance functions: explicit trust assumptions, conformance checks, and compatibility contracts.
+- **Technical teams**: deterministic verification and machine-readable admission decisions.
+- **Enterprise and public-sector risk owners**: auditable evidence, policy controls, and incident traceability.
+- **Policy, governance, and assurance functions**: explicit trust assumptions, conformance checks, and compatibility contracts.
 
 AIXV composes Sigstore cryptographic primitives and adds AI-native semantics:
-- artifact typing,
-- lineage graphs,
+- Artifact typing,
+- Lineage graphs,
 - ML-specific attestations,
-- advisory/recall workflows,
-- and policy-driven verification.
+- Advisory/recall workflows,
+- Policy-driven verification.
 
 ## Release Posture
 
-Current maturity: **Pre-alpha**.
+Current maturity: **Pre-Alpha**
 
 This repository is a functional preview of the AIXV standard, but not yet a final ratified standard release.
 
@@ -71,16 +70,16 @@ For security and procurement reviews, the strongest immediate signals are:
 
 - `docs/AIXV_STANDARD.md`
 - `docs/NORMATIVE_CORE.md`
-- `docs/QUALITY_BAR.md`
+- `docs/QUALITY.md`
 - `docs/THREAT_MODEL.md`
-- `SECURITY.md`
 - `docs/COMPATIBILITY.md`
 - `docs/TERMINOLOGY.md`
 - `docs/REGISTRIES.md`
-- `docs/PROFILES.md`
+- `docs/ASSURANCE_LEVELS.md`
 - `docs/CONFORMANCE.md`
 - `docs/GOVERNANCE.md`
 - `docs/REPO_CONTROLS.md`
+- `SECURITY.md`
 - `RELEASE.md`
 
 ## Installation
@@ -102,29 +101,67 @@ aixv policy create --input policy.json --sign
 aixv verify model.safetensors \
   --policy .aixv/policies/policy.json \
   --policy-trusted-subject security-policy@aixv.org \
+  --assurance-level level-2 \
   --json
 
 # 4) Run conformance checks
 aixv conformance --json
+
+# 5) Optional: enforce signed-and-trusted attestations in lineage/export flows
+aixv provenance model.safetensors \
+  --require-signed-attestations \
+  --trusted-attestation-subject ci-attestations@aixv.org \
+  --json
 ```
 
 ## CLI Surface
 
 ```bash
+# Version
 aixv version
+
+# Signing
 aixv sign model.safetensors --identity-token-env SIGSTORE_ID_TOKEN
+
+# Verification
 aixv verify model.safetensors --identity alice@example.com --issuer https://accounts.google.com
+
+# Attestation
 aixv attest model.safetensors --predicate training --input training.json
+
+# Provenance
 aixv provenance model.safetensors --depth 3
+aixv provenance model.safetensors --view explain --depth 3 --json
+
+# Advisory
 aixv advisory create --advisory-id ADV-2026-0001 --severity critical --input advisory.json --sign
 aixv advisory verify .aixv/advisories/ADV-2026-0001.json --trusted-subject security@aixv.org
+aixv advisory sync --feed advisory-feed.json --trusted-subject security@aixv.org --max-bundle-age-days 30
+
+# Policy
 aixv policy create --input policy.json --sign
 aixv policy verify .aixv/policies/policy.json --trusted-subject security-policy@aixv.org
+aixv policy template --assurance-level level-2 --json
+aixv policy migrate --input policy.json --to-assurance-level level-3 --max-bundle-age-days 30
+
+# Record
 aixv record create --kind waiver --record-id WVR-2026-01 --input waiver.json --sign
 aixv record verify .aixv/policies/policy.json --kind policy --trusted-subject security-policy@aixv.org
+
+# Bundle
+aixv bundle create --input bundle.json --sign
+aixv bundle verify .aixv/records/bundle/bundle-main.json --trusted-subject release@aixv.org
+
+# Conformance
 aixv conformance --json
-aixv rollback model-v2.safetensors --to sha256:...
+
+# Rollback
+aixv rollback model-v2.safetensors --to sha256:... --identity-token-env SIGSTORE_ID_TOKEN
+
+# Export
 aixv export model.safetensors --format in-toto
+aixv export model.safetensors --format slsa --json
+aixv export model.safetensors --format ml-bom --json
 ```
 
 ## Policy Example

SECURITY.md

@@ -56,4 +56,4 @@ The following are non-negotiable invariants:
 
 This repository is pre-alpha. Use in production only with explicit risk acceptance.
 
-For production pilots, minimum controls are defined in `docs/QUALITY_BAR.md`.
+For production pilots, minimum controls are defined in `docs/QUALITY.md`.

docs/AIXV_STANDARD.md

@@ -216,24 +216,28 @@ Policy outputs:
 - Breaking changes require new major version URI.
 - Verifiers SHOULD support at least one prior major version during migration.
 
-## 13. Interoperability Profiles
+## 13. Interoperability Assurance Levels
 
-AIXV profiles define strict subsets for predictable exchange:
-- `core-minimal`: sign + verify + training lineage
-- `core-enterprise`: adds advisories, policy decisions, rollback attestations
-- `core-regulated`: adds immutable retention and evidence export requirements
+AIXV assurance levels define strict subsets for predictable exchange:
+- `level-1`: sign + verify + training lineage
+- `level-2`: adds advisories, policy decisions, rollback attestations
+- `level-3`: adds immutable retention and evidence export requirements
+
+These levels are ordinal assurance tiers and do not encode assumptions about any
+specific sector, procurement regime, or legal jurisdiction.
 
 Export targets:
 - in-toto statements
 - SLSA provenance mappings
-- ML-BOM (SPDX/CycloneDX extension profile)
+- ML-BOM (SPDX/CycloneDX extension format)
 
 ## 14. Security Requirements
 
 - Offline verification MUST be supported with trusted root bootstrapping.
 - Clock skew tolerance MUST be explicit in verifier config.
 - Digest algorithm agility MUST be designed in (`sha256` required in v1).
 - Replay protection SHOULD check transparency log integrated time and bundle uniqueness.
+- Remote advisory ingestion SHOULD enforce monotonic integrated time per advisory ID and reject stale bundles by configured age.
 - All critical security decisions MUST be auditable with machine-readable reason codes.
 
 ## 15. Reference CLI Contract (v1)
@@ -242,7 +246,8 @@ Export targets:
 - `aixv attest <artifact> --predicate <type> --input <json>`
 - `aixv verify <artifact> [--policy <file>]`
 - `aixv provenance <artifact> [--depth N]`
-- `aixv advisory create|verify|list ...`
+- `aixv advisory create|verify|list|sync ...`
+- `aixv policy template|migrate|create|verify ...`
 - `aixv rollback <artifact> --to <digest>`
 - `aixv export <artifact> --format in-toto|slsa|ml-bom|aixv`
 

docs/ASSURANCE_LEVELS.md

@@ -0,0 +1,39 @@
+# AIXV Assurance Levels (v1 Draft)
+
+Assurance levels are constrained operating modes that define required controls.
+Levels are ordinal only; they do not imply any specific industry, jurisdiction,
+or regulatory framework.
+
+## level-1
+
+Required:
+- Signed artifact verification bound to trusted subject identities.
+- Deterministic JSON output for automation.
+- Policy validation (`aixv.policy/v1`) when policy input is provided.
+- Optional enforcement gate: `verify --assurance-level level-1`.
+
+## level-2
+
+Includes `level-1`, plus:
+- Signed policy verification enabled by default.
+- Signed advisory verification for policy-driven advisory enforcement.
+- AdmissionDecision output persisted/logged by deployment systems.
+- Enforcement gate: `verify --assurance-level level-2` requires:
+  - `--policy`,
+  - signed policy verification enabled,
+  - `require_signed_advisories=true`,
+  - configured advisory trust subjects.
+
+## level-3
+
+Includes `level-2`, plus:
+- Evidence retention requirements for signatures, policy records, advisories, and decisions.
+- Immutable audit trail integration requirements.
+- Formal conformance testing requirement before production use.
+- Enforcement gate: `verify --assurance-level level-3` additionally requires:
+  - `max_bundle_age_days`,
+  - `require_no_active_advisories=true`.
+
+Operational helpers:
+- `policy template --assurance-level <level>` generates a baseline policy payload.
+- `policy migrate --to-assurance-level <level>` upgrades existing policy payloads while preserving explicit trust roots.

docs/CONFORMANCE.md

@@ -45,3 +45,10 @@ Runtime conformance report:
 - `policy.fixture.valid.v1`: valid policy fixture is accepted.
 - `policy.fixture.invalid.v1`: invalid policy fixture is rejected.
 - `record.fixture.policy.v1`: signed-record policy fixture parses with expected kind.
+- `policy.unknown-field.reject.v1`: unknown policy fields are rejected.
+- `policy.advisory-trust.subject-fallback.v1`: advisory trust roots fall back to policy `subject`.
+- `advisory.signed-policy.filtering.v1`: when signed advisories are required, untrusted advisories are ignored and trusted advisories drive enforcement.
+- `bundle.schema.validation.v1`: bundle records validate canonical multi-artifact membership semantics.
+- `advisory.sync.replay-freshness.v1`: advisory feed ingestion rejects replayed/stale integrated times and stale bundles.
+- `crypto.invalid-bundle.artifact.reject.v1`: malformed artifact signature bundles are rejected fail-closed.
+- `crypto.invalid-bundle.statement.reject.v1`: malformed DSSE statement bundles are rejected fail-closed.

docs/CRITIQUES_AND_DECISIONS.md

@@ -72,7 +72,7 @@ Decision:
 - Evidence remains queryable via stored attestations/advisories/signatures.
 
 Status:
-- Implemented as explicit rollback event record; lineage expansion ongoing.
+- Implemented as explicit rollback event record and signed by default (`rollback --sign` default true); lineage expansion ongoing.
 
 ## 7. "Over-flexible tooling leads to insecure defaults"
 
@@ -88,8 +88,66 @@ Decision:
 Status:
 - Implemented; further hardening planned with signed remote feeds.
 
+## 8. "Signed attestations are emitted but not enforced downstream"
+
+Risk:
+- Provenance/export views could include unsigned or untrusted attestation claims without explicit operator intent.
+
+Decision:
+- Added strict mode for lineage/export flows:
+  - `--require-signed-attestations`
+  - trusted signer subject/issuer constraints for attestation verification.
+- Signed attestation verification uses Sigstore DSSE verification and requires payload match with stored statements.
+
+Status:
+- Implemented in `provenance` and `export` CLI flows.
+
+## 9. "Assurance levels are documented but not enforced"
+
+Risk:
+- Organizations cannot reliably prove they are operating in a specific assurance level.
+
+Decision:
+- Added verifier assurance-level gates:
+  - `verify --assurance-level level-1`
+  - `verify --assurance-level level-2`
+  - `verify --assurance-level level-3`
+- Levels are ordinal control tiers, not labels for specific sectors or regulatory regimes.
+- Assurance-level gates enforce required policy controls and signed-control-plane constraints.
+
+Status:
+- Implemented.
+
+## 10. "Lineage investigation needs explicit trace/impact/explain modes"
+
+Risk:
+- Operators cannot quickly pivot from compromised ancestor to impacted descendants or produce compact explanations.
+
+Decision:
+- `provenance` now supports:
+  - `--view trace` (ancestors),
+  - `--view impact` (descendants),
+  - `--view explain` (condensed trust/advisory evidence).
+
+Status:
+- Implemented.
+
+## 11. "Single-file trust is not enough for model releases"
+
+Risk:
+- Real releases ship multiple artifacts (weights, tokenizer, config); single-artifact trust checks are insufficient.
+
+Decision:
+- Added strict signed bundle records (`kind=bundle`, `aixv.bundle/v1`) with:
+  - canonical digest normalization,
+  - primary-member consistency,
+  - signature verification and optional required-member checks.
+
+Status:
+- Implemented via `bundle create` and `bundle verify`.
+
 ## Next hardening steps
 
-1. Add signed remote advisory feed ingestion with replay/freshness protection.
-2. Add conformance test vectors for every failure mode above.
-3. Add compatibility profile gates (`core-minimal`, `core-enterprise`, `core-regulated`).
+1. Add authenticated advisory feed discovery/rotation (beyond direct feed URL ingestion).
+2. Add conformance vectors for additional malformed feed and rollback edge cases.
+3. Add organization-ready policy packs built on `policy template`/`policy migrate`.

docs/QUALITY_BAR.md → docs/QUALITY.md

@@ -1,6 +1,6 @@
-# AIXV Quality Bar (Core)
+# AIXV Quality (Core)
 
-This is the minimal bar for production-grade provenance verification in AIXV.
+This document defines core quality requirements for production-grade provenance verification in AIXV.
 
 ## 1. Cryptographic Integrity
 
@@ -12,6 +12,10 @@ This is the minimal bar for production-grade provenance verification in AIXV.
 
 - Policy is treated as a signed record (`kind=policy`) and can be verified independently.
 - Advisories are treated as signed records (`kind=advisory`) and can be required-signed by policy.
+- Multi-artifact bundles are represented as signed bundle records (`kind=bundle`, `aixv.bundle/v1`).
+- When `require_signed_advisories=true`, only signed-and-trusted advisories influence admission outcomes.
+- Advisory feed ingestion (`advisory sync`) rejects replayed/stale updates and supports max-age freshness checks.
+- Rollback records are signed by default (`rollback --sign`), preserving append-only evidence.
 - Admission decisions are explicit and machine-readable (`allow|deny`, violations, evidence).
 
 ## 3. Schema Stability
@@ -36,4 +40,4 @@ This is the minimal bar for production-grade provenance verification in AIXV.
 
 - Commands support deterministic JSON output (`--json`) for CI/CD and admission hooks.
 - Decision outcomes are reproducible from signed evidence + policy.
-
+- Verifier assurance-level gates (`level-1|level-2|level-3`) provide explicit assurance mode enforcement.