mokkunsuzuki-code/stage358

Stage358: Signing-Time Validity Enforcement Layer

Stage358 extends Stage357 by enforcing signing-time validity against key lifecycle temporal metadata.

Stage357 maps runtime decisions into defensive actions.

Stage358 checks whether a signing event occurred inside the allowed key validity window.


What Stage358 Adds

Stage358 adds:

  • Stage357 action receipt loading
  • Stage357 action_receipt_sha256 binding
  • signing_time metadata
  • key valid_from metadata
  • key valid_until metadata
  • revoked_at metadata handling
  • temporal validity rule
  • fail-closed temporal decision
  • metadata-only validation receipt

Main Purpose

Stage358 answers this question:

Was the claimed signing time inside the key's allowed validity window?

In simple terms:

Stage354 creates the key lifecycle ledger.
Stage355 checks key status.
Stage356 decides whether runtime should proceed.
Stage357 maps that decision into defensive actions.
Stage358 checks whether the signing time fits inside the key validity period.

Temporal Rule

Stage358 checks:

valid_from <= signing_time <= valid_until

If revocation metadata exists, it also checks:

signing_time < revoked_at

If these rules fail, Stage358 returns:

block
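The temporal rule above, as an added example that is not Stage358's own code: a fail-closed check that returns the README's two decision values, plus the receipt-hash binding. It assumes ISO 8601 timestamps with an explicit UTC offset, a ledger entry with valid_from, valid_until and an optional revoked_at, and a canonical-JSON SHA256 for the Stage357 receipt; the sample data is constructed.

```python
import hashlib
import json
from datetime import datetime

ACCEPT = "accept_temporal_validity"  # decision names as stated in the README
BLOCK = "block"


def _parse(ts):
    """Aware datetime from an ISO 8601 string; None for anything missing, malformed or naive."""
    if not isinstance(ts, str):
        return None
    try:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def check_signing_time(signing_time, key_entry):
    """Apply valid_from <= signing_time <= valid_until and, when revocation metadata
    exists, signing_time < revoked_at. Any missing or unparseable field blocks
    (fail-closed). Returns (decision, reasons) for the validation receipt."""
    st, vf, vu = (_parse(signing_time), _parse(key_entry.get("valid_from")),
                  _parse(key_entry.get("valid_until")))
    reasons = [f"{name} missing or unparseable" for name, val in
               (("signing_time", st), ("valid_from", vf), ("valid_until", vu)) if val is None]
    if reasons:
        return BLOCK, reasons
    if not vf <= st <= vu:
        reasons.append("signing_time outside validity window")
    if "revoked_at" in key_entry:
        ra = _parse(key_entry["revoked_at"])
        if ra is None:
            reasons.append("revoked_at present but unparseable")
        elif not st < ra:
            reasons.append("signing_time at or after revoked_at")
    return (BLOCK, reasons) if reasons else (ACCEPT, ["signing_time inside validity window"])


def bind_receipt_sha256(receipt):
    """SHA256 over a canonical JSON encoding of the Stage357 action receipt (assumed)."""
    canon = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


# Constructed sample ledger entry, not taken from the repository.
KEY = {"valid_from": "2025-01-01T00:00:00+00:00", "valid_until": "2025-12-31T23:59:59+00:00",
       "revoked_at": "2025-06-30T00:00:00+00:00"}
```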

Inputs

Stage358 reads:

docs/actions/stage357_runtime_action_receipt.json
docs/actions/stage357_runtime_action_policy.json
docs/keys/stage354_key_rotation_ledger.json

Outputs

Stage358 generates:

docs/time-validity/stage358_signing_time_validity_policy.json
docs/time-validity/stage358_signing_time_validity_result.json
docs/time-validity/stage358_signing_time_validity_summary.txt

Current Decision

Current decision:

accept_temporal_validity

This means:

Stage357 receipt exists
Stage357 action receipt SHA256 is bound
signing_time exists
valid_from exists
valid_until exists
signing_time is inside the validity window
signing_time is not after revocation
no private keys are published
no real signature claim is made
no fake PQC signature claim is made

Safety Boundary

Stage358 does not:

publish private keys
publish raw secrets
claim real GPG verification
claim real Sigstore verification
claim real Rekor inclusion
claim real PQC signature verification

Stage358 is metadata-only temporal validation.

Relationship to Stage357

Stage357:

Maps runtime decisions into defensive actions.

Stage358:

Checks signing-time validity against key lifecycle temporal rules.

License

MIT License

About

Stage358: Signing-Time Validity Enforcement Layer with key lifecycle temporal verification, Stage357 receipt binding, validity-window checks, revocation-time checks, and fail-closed temporal decisions.
