This package gives a customer one concrete workflow: control a release or cloud-deploy agent, prove a safe action can run, prove a dangerous action is blocked before execution, then share a verified packet.
Select the release action
Start with one side effect such as cloud.deploy.preview, cloud.deploy.production, customer.export, or credential.export.
Allow preview deployment, require review for production deployment, and block credential export or destructive rollback paths.
Use the customer framework adapter or strict preflight around the release tool before the deploy function body runs.
Execute a preview deployment or dry-run release action and sync the allowed evidence into Profile.
Attempt the prohibited action and prove zero dangerous body calls before the response.
Export auditor JSON/Markdown, verify the proof, and share the redacted link with the buyer or security reviewer.

| Lane | Actions or behavior |
| --- | --- |
| Allowed | cloud.deploy.preview, release.plan.read, changelog.generate |
| Review required | cloud.deploy.production, release.rollback |
| Blocked | credential.export, secrets.read, db.drop_table |
| Detector advisory | Prompt injection or sensitive-data findings block sharing until reviewed, but action prevention still happens at preflight. |

| Step | Command |
| --- | --- |
| Onboard | `imladri onboard --worker-url https://<worker> --email <email> --password <password> --scan-path .` |
| Publish | `imladri policy publish --allow cloud.deploy.preview,release.plan.read --review cloud.deploy.production --block credential.export,secrets.read` |
| Proof run | `imladri proof run --allowed-action cloud.deploy.preview --blocked-action credential.export --stack "Release agent"` |
| Scan | `imladri scan --path . --fail-on new --upload` |
| Export | `imladri proof export --format json --redaction auditor --output release-agent-proof.json` |
| Verify | `imladri proof verify --input release-agent-proof.json` |

| Check | Expected result |
| --- | --- |
| Policy | Profile shows the published release policy and active SDK key fingerprint. |
| Allowed decision | The preview deployment action is allowed and logged with source, latency, and request context. |
| Blocked decision | credential.export or secrets.read is denied before the function body and no committed side effect occurs. |
| Detector lane | Prompt/data-risk warnings are either absent, fixed, or accepted with reviewer context. |
| Proof packet | JSON proof verifies digest and hash-chain state, and auditor share uses redacted mode. |
| Cleanup | Old SDK keys, temporary branches, and provider resources are revoked, destroyed, or stopped. |
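
The two properties this checklist depends on, a denial that happens before the function body and a decision log whose hash chain can be re-verified, sketched as an added example. It is not imladri's SDK or proof format: `Gate`, `guard`, `decide`, `digest`, `verify` and the record layout are hypothetical, and it assumes review-required and unlisted actions are held rather than run.

```python
import hashlib, json

# Lanes copied from the policy table on this page.
POLICY = {
    "allow": {"cloud.deploy.preview", "release.plan.read", "changelog.generate"},
    "review": {"cloud.deploy.production", "release.rollback"},
    "block": {"credential.export", "secrets.read", "db.drop_table"},
}
GENESIS = "0" * 64  # assumed chain anchor for the first record

class Denied(Exception): pass  # raised at preflight, so the body never starts

def decide(action):
    for lane in ("block", "review", "allow"):
        if action in POLICY[lane]:
            return lane
    return "block"  # assumption: unlisted actions are denied by default

def digest(rec):
    body = {k: rec[k] for k in ("action", "decision", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Gate:
    def __init__(self):
        self.log = []         # hash-chained decision records
        self.body_calls = {}  # action -> times the guarded body actually ran

    def guard(self, action):
        def wrap(fn):
            def inner(*args, **kwargs):
                decision = decide(action)
                prev = self.log[-1]["hash"] if self.log else GENESIS
                rec = {"action": action, "decision": decision, "prev": prev}
                rec["hash"] = digest(rec)
                self.log.append(rec)  # decision is recorded before any side effect
                if decision != "allow":  # assumption: "review" is held, not run
                    raise Denied(f"{action}: {decision}")
                self.body_calls[action] = self.body_calls.get(action, 0) + 1
                return fn(*args, **kwargs)
            return inner
        return wrap

def verify(log):
    prev = GENESIS
    for rec in log:
        if rec["prev"] != prev or rec["hash"] != digest(rec):
            return False  # record edited, reordered, or removed mid-chain
        prev = rec["hash"]
    return True
```

Decorating a deploy function with `gate.guard("credential.export")` and calling it raises `Denied` while `gate.body_calls` stays empty for that action, which is the "zero dangerous body calls" evidence; changing any logged decision afterwards makes `verify(gate.log)` return `False`.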