Threat model
The daemon-first boundary model every review assumes — read it first; findings make sense against it.
The threat model, internal review notes, and audit preparation live in the repository — versioned next to the code they describe.
The daemon-first boundary model every review assumes — read it first; findings make sense against it.
Pre-production manual review notes and candidate-vulnerability audits of the core runtime.
The standing request template and evidence package for third-party auditors.
It's written into the project plan as a hard constraint. Release gates also ship every bundle with checksums, an SBOM, and build provenance — so what auditors review is provably what you download.