Basically Zero Trust operationalized for the ENTIRE SDLC, from dev all the way to production support.
ABI: Issue credentials only when a requester presents fresh, nonce-bound evidence that passes policy, then expire quickly. Evidence → Policy → Token, with a tamper-evident audit trail.
EnvSecOps: The practice of governing access by verifying environment provenance at request time across dev, ops shells, and workloads.
What I have (research/reference only): A small, spec-first reference implementation demonstrating the flow: capture/sign DSSE → OPA evaluate → short-lived OIDC/STS → optional Rekor inclusion → evidence bundle (token ↔ attestation ↔ policy version ↔ log entry). It’s not public yet; the goal is a portable on-wire spec, not a product.
Feedback I’m seeking:
Predicate must/should fields (materials digests, policy ref/hash, nonce, audience, signer identity).
Minimal, swappable PDP contract (deterministic inputs/outputs).
TOCTOU defaults: acceptable drift window, renewal cadence, revocation hooks.
Boundary with SPIFFE/SPIRE (workloads) and a clean model for ops-shell identity.
Auditor-friendly evidence bundle and reporting expectations.
Happy to answer questions; I’ll publish artifacts once the spec is less volatile.
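The Evidence → Policy → Token flow described in the post, as an added example that is not the author's reference implementation and not any published spec. It exercises the feedback points in one place: a nonce-bound predicate carrying materials digests, audience and signer identity; a deterministic PDP contract (pure function of policy plus input, with reasons); a drift-window check standing in for the TOCTOU defaults; and an evidence bundle that links token, attestation digest, policy hash and log entry. Stand-ins are assumptions of mine: HMAC-SHA256 in place of a DSSE signature and of the token MAC, a Python function in place of OPA, a local hash chain in place of Rekor. The predicate type, policy ref, field names and time windows are hypothetical.

```python
# Added illustration of Evidence -> Policy -> Token, not the post's implementation. Assumed stand-ins: HMAC-SHA256
# for the DSSE signature and token MAC, a Python function for OPA, a local hash chain for Rekor; names are hypothetical.
import base64, hashlib, hmac, json, secrets

PAYLOAD_TYPE = "application/vnd.example.envsecops.evidence+json"  # hypothetical predicate type
DRIFT_WINDOW_S = 120   # assumed max age of a nonce (the "acceptable drift window")
TOKEN_TTL_S = 300      # assumed short token lifetime

def canonical(obj) -> bytes:   # canonical JSON so digests and MACs are reproducible
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a DSSE signer signs."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def sign_evidence(predicate: dict, key: bytes, keyid: str) -> dict:
    """Wrap a predicate in a DSSE-shaped envelope (HMAC in place of a real signature)."""
    payload = canonical(predicate)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).hexdigest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": sig}]}

def verify_envelope(env: dict, trusted_keys: dict):
    """Return (predicate, keyid) for the first signature that verifies under a trusted key."""
    payload = base64.b64decode(env["payload"])
    for s in env["signatures"]:
        key = trusted_keys.get(s["keyid"])
        if key and hmac.compare_digest(hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).hexdigest(), s["sig"]):
            return json.loads(payload), s["keyid"]
    raise ValueError("no signature from a trusted key")

class AuditLog:
    """Tamper-evident hash chain; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []
    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record, "hash": hashlib.sha256(prev.encode() + canonical(record)).hexdigest()})
        return self.entries[-1]["hash"]
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or hashlib.sha256(prev.encode() + canonical(e["record"])).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

# Stand-in for a versioned policy bundle; its digest is what the token and the log commit to.
POLICY = {"ref": "policies/ci-deploy@v3", "allowed_envs": ["ci"], "trusted_signers": ["build-runner"]}

def evaluate(policy: dict, pdp_input: dict) -> dict:
    """Deterministic PDP contract: a pure function of (policy, input); reasons are kept for auditors."""
    checks = [(pdp_input["env"] in policy["allowed_envs"], "environment not allowed by policy"),
              (pdp_input["signer"] in policy["trusted_signers"], "signer not trusted by policy"),
              (pdp_input["audience_ok"], "audience mismatch"),
              (pdp_input["nonce_fresh"], "unknown or replayed nonce"),
              (pdp_input["age_s"] <= DRIFT_WINDOW_S, "evidence outside drift window")]
    reasons = [msg for ok, msg in checks if not ok]
    return {"allow": not reasons, "reasons": reasons, "policy_ref": policy["ref"],
            "policy_hash": hashlib.sha256(canonical(policy)).hexdigest()}

class Issuer:
    """Hands out a nonce, verifies nonce-bound evidence, evaluates policy, mints a short-lived token."""
    def __init__(self, trusted_keys: dict, token_key: bytes, audience: str):
        self.keys, self.token_key, self.audience, self.pending, self.log = trusted_keys, token_key, audience, {}, AuditLog()
    def challenge(self, now: float) -> str:
        self.pending[(nonce := secrets.token_hex(16))] = now   # pending: nonce -> time it was handed out
        return nonce
    def issue(self, envelope: dict, now: float) -> dict:
        predicate, signer = verify_envelope(envelope, self.keys)
        handed_out = self.pending.pop(predicate.get("nonce"), None)   # single use, consumed even on deny
        decision = evaluate(POLICY, {
            "env": predicate.get("env"), "signer": signer,
            "audience_ok": predicate.get("audience") == self.audience, "nonce_fresh": handed_out is not None,
            "age_s": now - handed_out if handed_out is not None else float("inf")})
        att_digest = hashlib.sha256(canonical(envelope)).hexdigest()
        entry = self.log.append({"attestation_sha256": att_digest, "policy_ref": decision["policy_ref"], "policy_hash": decision["policy_hash"],
                                 "allow": decision["allow"], "reasons": decision["reasons"], "at": int(now)})
        if not decision["allow"]:
            return {"allowed": False, "reasons": decision["reasons"], "log_entry": entry}
        claims = {"aud": self.audience, "sub": signer, "iat": int(now), "exp": int(now) + TOKEN_TTL_S,
                  "att": att_digest, "pol": decision["policy_hash"], "log": entry}
        mac = hmac.new(self.token_key, canonical(claims), hashlib.sha256).hexdigest()
        bundle = {"token": base64.urlsafe_b64encode(canonical(claims)).decode() + "." + mac,
                  "attestation": envelope, "policy_ref": decision["policy_ref"],
                  "policy_hash": decision["policy_hash"], "log_entry": entry}   # token <-> attestation <-> policy <-> log
        return {"allowed": True, "claims": claims, "bundle": bundle}

def demo() -> dict:
    """Constructed walk-through: a good request, a replay of the same evidence, and a stale one."""
    signer_key, token_key, aud = b"constructed-build-runner-key", b"constructed-sts-key", "sts.example.internal"
    sts, t0 = Issuer({"build-runner": signer_key}, token_key, aud), 1_700_000_000.0
    good = sign_evidence({"env": "ci", "nonce": sts.challenge(now=t0), "audience": aud,
                          "materials": {"src.tar.gz": "sha256:" + "ab" * 32}}, signer_key, "build-runner")
    stale = sign_evidence({"env": "ci", "nonce": sts.challenge(now=t0), "audience": aud}, signer_key, "build-runner")
    return {"good": sts.issue(good, now=t0 + 10), "replay": sts.issue(good, now=t0 + 20),
            "stale": sts.issue(stale, now=t0 + DRIFT_WINDOW_S + 1), "chain_intact": sts.log.verify()}
```

Two choices worth noting for the TOCTOU and audit questions: the issuer measures evidence age against the time it handed out the nonce (its own clock, not a timestamp the requester supplies), and the nonce is consumed on the first presentation whether or not policy allows, so a denied request cannot be retried with the same evidence. Deny decisions are logged with the same attestation and policy digests as allows, so an auditor can reconstruct every decision from the chain alone. Signer identity comes from the key that actually verified, not from a field inside the predicate.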