Supply-chain risk & SBOM
Vendor-neutrality at the SKU boundary, current build artifact + signature posture, and the SBOM / Sigstore / SLSA roadmap.
This page is for SCRM (supply-chain risk management) reviewers, contract counsel evaluating EO 14028 / NIST SP 800-218 alignment, and government OSPO teams. It documents the current Pleach build pipeline posture honestly, including what is not yet in place.
Current state (2026-06-15)
Build artifacts are produced by tsup (the standard TypeScript bundle
tool) and published to npmjs.org with npm-default signatures. There is
no SBOM emitted with the publish, and tarballs are not signed by
Sigstore yet.
Two things are in place today that materially reduce SCRM exposure:
1. Vendor-neutrality at the SKU boundary
@pleach/core and @pleach/compliance carry zero cloud-SDK runtime
dependencies. This is enforced at the SKU boundary, not by
convention:
@pleach/coredeclares no dependency on@aws-sdk/*,@azure/*,@google-cloud/*, or@anthropic-ai/sdk.@pleach/compliancedeclares no dependency on any cloud SDK.- Provider integrations live in separate SKUs that the host opts
into. For example, the IAM identity provider at
@pleach/gateway/identity/providers/iamaccepts an injectedSTSClientand does not declare@aws-sdk/client-stsas a build-time dep.
For an air-gapped or fed-cloud deployment, this means the core runtime
ships without dragging in a transitive dependency tree of cloud SDKs
the operator does not want. A vendored snapshot of @pleach/core is
small, auditable, and has no cloud-vendor side imports.
2. Per-SKU dependency review
Every @pleach/* SKU's package.json carries an explicit
dependencies / peerDependencies / optionalDependencies block.
Optional peers (like pdfkit for PDF export in @pleach/compliance)
are declared as optional and the runtime gracefully degrades when they
are absent. There is no implicit transitive runtime dependency that
the operator is not asked to install.
A current npm ls snapshot for any SKU is available on request and is
the operator's audit anchor today, pending the SBOM workflow below.
Build pipeline
The pipeline produces deterministic output (modulo timestamp
embeddings) and is reproducible from a clean checkout at the publish
SHA. The audit:harness-package:local-clone nightly gate verifies
this end-to-end — it packs @pleach/core as a tarball, installs it in
a tmpdir scratch environment, and smoke-imports SessionRuntime +
createPleachRuntime. It reports a clean 8.8 MB tarball, 3.7 s install
time, no runtime warnings.
v1.x roadmap
Three SCRM-relevant deliverables are explicitly v1.x (post-1.0 minor release):
SLSA provenance attestation
Target: SLSA Build Level 3 provenance for every published tarball. Build Level 3 requires hosted build (so the build environment is audit-anchored) and provenance signed by the build platform.
The governmentAgent recipe accepts slsaProvenance: boolean and
stamps it on the runtime as procurement-visible metadata today. The
attestation artifact itself is not yet produced — that is a publish-
pipeline addition, not a runtime addition.
Sigstore signing
Target: keyless Sigstore signing of every published tarball under the project's trusted-publisher identity (npm OIDC trusted publishing). Sigstore provides a public, append-only transparency log of every signed publish, so a downstream consumer can verify the tarball they installed matches what the project published.
Pending operator-attended setup of the OIDC trusted-publisher relationship on the npm side.
SBOM emission
Target: CycloneDX 1.5 or SPDX 2.3 SBOM attached to each npm publish
under a known artifact name. The dependency graph is derivable from
package.json + the resolved lockfile, so the workflow is mechanical
once Sigstore signing is in place (so the SBOM itself can be signed
under the same trusted-publisher identity).
The governmentAgent recipe accepts sbomFormat: "cyclonedx-1.5" | "spdx-2.3" and surfaces it as procurement-visible metadata, so a
host that wires SBOM emission externally can still declare the
intended format.
Vendor-neutrality regression-lock
Two audit gates enforce that the SCRM posture above does not regress:
audit:no-cross-sku-type-import-in-core—packages/core/src/cannot import types from any sibling@pleach/*SKU outside the explicit allowlist (@pleach/coreself +@pleach/compliance- contract). This defends against accidental coupling that would drag cloud SDKs into the core runtime via a transitive type-graph path.audit:domain-string-purity—@pleach/corecannot carry any host-specific or cloud-vendor-specific brand string.
Both gates run on every PR. They are mechanical regression-locks, not prescriptive design rules — they fail loud the moment a PR introduces a coupling the SKU boundary forbids.
Operator items
For SCRM reviewers, the following operator items are available today on request:
npm lssnapshot for any@pleach/*SKU at any published version. Captures the exact dependency tree at publish time.- Third-party dependency review schedule. The project reviews third-party runtime dependencies quarterly against known-CVE feeds and against the project's vendor-neutrality posture.
- Build environment anchor. The publish git SHA +
tsupconfigtsconfig.jsonare all under version control; a third-party reviewer can rebuild from source at any published version and byte-compare the bundle.
- License snapshot. Per-SKU
LICENSEfiles; see License compatibility.
What this page does not claim
- Does not claim SLSA Build Level 3 today. The build is currently Level 1 (versioned source + scripted build); Level 3 is roadmap.
- Does not claim Sigstore-signed tarballs today. Roadmap.
- Does not claim SBOM emission today. Roadmap.
- Does not claim FedRAMP / IL5 / IL6 authorization. See the Government & public sector landing for the honest authorization posture.
Related
Air-gapped architecture
How `@pleach/core` enforces an outbound URL allowlist at the runtime boundary, and the v2+ gaps for fully offline install.
Student safety
The shipped student-safety scrubber from @pleach/compliance/education — what it redacts today, the composable KeyedRegexScrubber shape for district-specific extensions, and the honest gap on per-category content moderation.