Stage358 extends Stage357 by enforcing signing-time validity against key lifecycle temporal metadata.
Stage357 maps runtime decisions into defensive actions.
Stage358 checks whether a signing event occurred inside the allowed key validity window.
Stage358 adds:
- Stage357 action receipt loading
- Stage357 action_receipt_sha256 binding
- signing_time metadata
- key valid_from metadata
- key valid_until metadata
- revoked_at metadata handling
- temporal validity rule
- fail-closed temporal decision
- metadata-only validation receipt
Stage358 answers this question:
Was the claimed signing time inside the key's allowed validity window?
In simple terms:
Stage354 creates the key lifecycle ledger.
Stage355 checks key status.
Stage356 decides whether runtime should proceed.
Stage357 maps that decision into defensive actions.
Stage358 checks whether the signing time fits inside the key validity period.
Temporal Rule
Stage358 checks:
valid_from <= signing_time <= valid_until
If revocation metadata exists, it also checks:
signing_time < revoked_at
If either rule fails, Stage358 fails closed and returns:
block
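The temporal rule and the Stage357 receipt binding, worked through as an added Python example (not the project's own code). The receipt and key ledger entry shown are constructed samples whose JSON shapes are assumptions; the field names signing_time, valid_from, valid_until, revoked_at and action_receipt_sha256 and the decisions accept_temporal_validity and block come from this document. The check fails closed: any missing, malformed or timezone-less timestamp, or a receipt hash mismatch, yields block.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample Stage357 action receipt (assumed shape, not the
# project's real file). The exact text is what gets hashed and bound.
STAGE357_RECEIPT_TEXT = json.dumps(
    {"stage": "stage357", "action": "allow_runtime", "key_id": "key-2024-A"},
    sort_keys=True,
)

# Constructed key lifecycle ledger entry (assumed shape) for the same key.
KEY_LEDGER_ENTRY = {
    "key_id": "key-2024-A",
    "valid_from": "2024-01-01T00:00:00Z",
    "valid_until": "2024-12-31T23:59:59Z",
    "revoked_at": None,
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 used for the action_receipt_sha256 binding."""
    return hashlib.sha256(data).hexdigest()


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp into UTC.

    Returns None (treated as a fail-closed condition by the caller) when the
    value is absent, not a string, unparsable, or has no timezone offset.
    """
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:
        return None
    return ts.astimezone(timezone.utc)


def evaluate_temporal_validity(receipt_text, bound_receipt_sha256, signing_time, key_entry):
    """Apply the Stage358 rule: valid_from <= signing_time <= valid_until,
    and signing_time < revoked_at when revocation metadata exists.
    Every reason collected turns the decision into block."""
    reasons = []

    # Stage357 receipt binding: the receipt we read must hash to the bound value.
    if sha256_hex(receipt_text.encode("utf-8")) != bound_receipt_sha256:
        reasons.append("action_receipt_sha256 does not match the Stage357 receipt")

    st = parse_timestamp(signing_time)
    vf = parse_timestamp(key_entry.get("valid_from"))
    vu = parse_timestamp(key_entry.get("valid_until"))
    if st is None:
        reasons.append("signing_time missing or unparsable")
    if vf is None:
        reasons.append("valid_from missing or unparsable")
    if vu is None:
        reasons.append("valid_until missing or unparsable")
    if st is not None and vf is not None and vu is not None and not (vf <= st <= vu):
        reasons.append("signing_time outside the key validity window")

    revoked_at = key_entry.get("revoked_at")
    if revoked_at is not None:
        ra = parse_timestamp(revoked_at)
        if ra is None:
            reasons.append("revoked_at present but unparsable")
        elif st is not None and not st < ra:
            reasons.append("signing_time is not before revoked_at")

    decision = "accept_temporal_validity" if not reasons else "block"
    return {"decision": decision, "reasons": reasons, "validation": "metadata-only"}


def run_example():
    """Evaluate the constructed receipt and ledger entry for a mid-2024 signing time."""
    bound = sha256_hex(STAGE357_RECEIPT_TEXT.encode("utf-8"))
    return evaluate_temporal_validity(
        STAGE357_RECEIPT_TEXT, bound, "2024-06-15T12:00:00Z", KEY_LEDGER_ENTRY
    )


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The comparison is done on timezone-aware UTC datetimes only; a timestamp without an offset is ambiguous and is rejected rather than guessed, which is what "fail-closed" means for a metadata-only check.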
Inputs
Stage358 reads:
docs/actions/stage357_runtime_action_receipt.json
docs/actions/stage357_runtime_action_policy.json
docs/keys/stage354_key_rotation_ledger.json
Outputs
Stage358 generates:
docs/time-validity/stage358_signing_time_validity_policy.json
docs/time-validity/stage358_signing_time_validity_result.json
docs/time-validity/stage358_signing_time_validity_summary.txt
Current Decision
Current decision:
accept_temporal_validity
This means:
- Stage357 receipt exists
- Stage357 action receipt SHA256 is bound
- signing_time exists
- valid_from exists
- valid_until exists
- signing_time is inside the validity window
- signing_time is not after revocation
- no private keys are published
- no real signature claim is made
- no fake PQC signature claim is made
Safety Boundary
Stage358 does not:
- publish private keys
- publish raw secrets
- claim real GPG verification
- claim real Sigstore verification
- claim real Rekor inclusion
- claim real PQC signature verification
Stage358 is metadata-only temporal validation.
Relationship to Stage357
Stage357:
Maps runtime decisions into defensive actions.
Stage358:
Checks signing-time validity against key lifecycle temporal rules.
License
MIT License