TrustPlane Auth v0.1 boundary

v0.1 is a local product-readiness boundary for the OSS Auth Plane. It is not a deployment, publication, or operations boundary. The canonical gate is make v01-acceptance.

A green make v01-acceptance says the local Auth Plane contract is ready for review. It does not authorize release tags, image/package publishing, wiki sync, hosted rollout, or cluster deployment.

Included in v0.1

  • Local broker over a Unix domain socket
  • transcript-v1 proof binding
  • Atomic replay protection on accepted presentations
  • Route key-binding policy
  • Bundle freshness evaluation (incl. local fail-closed stale-bundle behavior)
  • Provenance and context policy hooks
  • SPIFFE workload source for the documented attested_workload profile
  • CLI signing via the OSS trustplane CLI
  • Transcript conformance across checked languages
  • Audit event schema for v0.1 deny/decision events
  • A documented non-Kubernetes EC2/JWKS-style software source boundary
  • make v01-acceptance as the canonical local readiness gate

OSS CLI scope (exactly these)

trustplane gen-key
trustplane issue
trustplane sign
trustplane verify
trustplane bundle build
trustplane bundle merge-source
trustplane bundle remove-source
trustplane bundle sign
trustplane bundle verify
trustplane broker issue
trustplane up
trustplane demo

Outside v0.1

Provider-specific cloud deployment · managed policy distribution · hardware/KMS signer production path · public OSS release · wiki sync · publish automation · release tagging · enroll · onboard · list-keys · blindfold · gateway-call · cloud IID proof flows · managed tenant/provider/principal/policy administration · managed bundle publish/sign/distribute. SDK extraction and per-language SDK repos are also downstream of v0.1 (only shared conformance-vector hardening may overlap).

The EC2/non-Kubernetes source is software, not attested_workload

The v0.1 non-Kubernetes JWKS path proves caller support without API keys through software signing policy — but it does not verify cloud instance identity documents, enclave identity, hardware-bound signing, cloud IAM identity, or SPIRE-on-VM SVIDs. Those remain future work.

Reviewer checklist (before any later tag/deploy)

make boundaries
scripts/check-boundaries.sh
make transcript-conformance
make v01-acceptance
go test ./internal/... ./pkg/... ./spec ./cmd/... ./examples/...
make test
scripts/public-release-scan.sh
git diff --check

Plus: README, ROADMAP, and docs/auth-plane-parity.md describe v0.1 as local readiness, not deployment readiness; and the diff contains no deploy, release, publish, or wiki work.

Status note (durability)

The v0.1 acceptance artifacts exist and pass: full test suite green, a real acceptance gate, a real release-boundary doc, conformance, and audit schema. One durability gap remains: CI runs make test + make boundaries but not make v01-acceptance or make transcript-conformance — so the gate is currently manual. Wiring those two into CI is the recommended step to keep v0.1 from silently regressing.
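
One way to detect the durability gap described above is to check that the CI definition actually invokes every gate. This is an added example, not TrustPlane's own tooling: the gate names come from this page, while the CI file format, the sample content, and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report which v0.1 gates a CI definition never invokes.
# Gate names are taken from the page; the CI file layout is an assumption.

# Make targets the page names as gates (two already in CI, two recommended).
REQUIRED_GATES="test boundaries v01-acceptance transcript-conformance"

# missing_gates FILE: print, space-separated, the required make targets that
# FILE does not invoke. Returns 0 when nothing is missing, 1 otherwise.
missing_gates() {
  ci_file=$1
  missing=""
  # Drop '#' comments first so a commented-out gate does not count as wired in.
  active=$(sed 's/#.*$//' "$ci_file")
  for gate in $REQUIRED_GATES; do
    # Match the exact target name, allowing other targets or flags before it:
    # "make test" must not be satisfied by "make test-unit".
    if ! printf '%s\n' "$active" | grep -Eq \
      "(^|[^[:alnum:]_-])make([[:space:]]+[[:alnum:]_.=-]+)*[[:space:]]+${gate}([^[:alnum:]_-]|\$)"; then
      missing="${missing:+$missing }$gate"
    fi
  done
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# Constructed sample mirroring the state the status note describes.
sample_ci_current() {
  cat <<'EOF'
steps:
  - run: make test
  - run: make boundaries
  # - run: make v01-acceptance   (not wired yet)
EOF
}

# Stand-alone use: pass the CI file path; exits non-zero if a gate is missing.
if [ "$#" -gt 0 ]; then
  missing_gates "$1"
fi
```

Run against the constructed sample, the function reports v01-acceptance and transcript-conformance as missing, which is the gap the status note calls out.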