22 lines
1009 B
Markdown
22 lines
1009 B
Markdown
# Trust Policy
|
|
|
|
Yao Meta Skill treats scripts and distributed skill packages as supply-chain surfaces.
|
|
|
|
Governed or team-distributed skills should produce a trust report before release. The report must identify:
|
|
|
|
- secret exposure risk
|
|
- scripts that lack a visible CLI/help surface
|
|
- execution-level CLI `--help` smoke failures
|
|
- interactive or network-capable scripts
|
|
- bounded host policy for each network-capable script
|
|
- reviewer approval for each high-permission capability
|
|
- dependency pinning status
|
|
- runtime trust metadata
|
|
- package integrity hash
|
|
|
|
High-risk secrets or unrestricted remote inline execution block governed release.
|
|
|
|
Network-capable scripts without a matching `security/network_policy.json` entry remain reviewer-visible warnings until the host boundary is declared.
|
|
|
|
High-permission capabilities without valid `security/permission_policy.json` approvals block governed mode. Required approvals must name the reviewer, scope, reason, expiry, evidence, and target-enforcement mapping.
|