Isolation & security
Reproducibility and Provenance Pinning
Status: Open — design proposal, nothing shipped yet
Shipped baseline
Role repos are resolved by clone-then-fetch-and-merge against the default branch on every jackin load; there is no commit pin, no version/commit field on the role-source config entry, and no --update flag. Trust is a single boolean that never resets on upstream movement. This matches the design's own starting assumption, so no part of the original proposal has landed.
Remaining work
- Add optional
commit/versionfields to the role-source config entry, written by the runtime on first resolve. - Switch subsequent loads to fetch + detached-HEAD checkout of the pinned commit instead of fetch+merge.
- Add a
jackin load --updateflag that re-pins (tag-preferring resolution) and resets trust. - Bump the config schema version and add the migration-registry entry required for any serde-bearing config struct change (see
AGENTS.md). - Surface the resolved version/SHA in the launch summary.
Design details, schema sketch, and open questions needing operator sign-off before implementation: Role repo pinning: design.
Related work
crates/jackin-runtime/src/runtime/repo_cache.rs— current clone/fetch/checkout logic this work would change.crates/jackin-config/src/schema.rs—RoleSource, the struct that would gain the new fields.