Open-core layer

External audit intake packet

GitCaster publishes an external-audit intake packet so reviewers can inspect the public open-core security scope without receiving managed platform internals or private credentials. This is not an external security audit, not an audit completion claim, and not production security readiness.

Packet artifacts

These public files describe what an independent auditor can review.

Status: public-alpha

Audit scope (docs-source/developer-layers/external-audit-intake.md): public scope for the future independent GitCaster security audit.

Auditor packet (apps/web/public/gitcaster-external-audit-intake.md): contributor-readable packet that explains the included and excluded audit surfaces.

Public JSON (apps/web/public/gitcaster-external-audit-intake.json): machine-readable public-alpha intake status and blocked external-audit-completion fields.

Artifact intake gate (apps/web/lib/status-truth.ts): public truth-table row that keeps independent audit artifacts at blocked_external until real receipts exist.

Checker (scripts/security/check-external-audit-intake-public-alpha.cjs): deterministic claim-honesty check for the public audit intake surface.

Evidence (launch/evidence/external-audit-intake-public-alpha.json): generated proof that the intake packet is safe to publish and does not claim audit completion.

Included review scope

The packet is limited to public developer layers and claim-honesty surfaces.

Scope status: bounded

Public open-core repository source and website claim surfaces

Security package, redteam scripts, beta safety gate, and local proof tooling

Protocol, identity, capabilities, SDK, CLI, MCP, local node, docs, fixtures, and examples

Public status table, proof panel, release rules, and external blocker copy

Excluded private scope

These remain closed and are not shipped in the public intake packet.

Scope status: closed

Managed orchestration, billing, custody, enterprise controls, and production operations

Private credentials, .env files, operator secrets, signer material, and wallet keys

Closed managed runtime internals, high-scale infrastructure, and proprietary optimizations

Any claim that GitCaster is externally audited before independent proof is imported

Audit completion remains blocked

Independent artifact intake status is blocked_external. GitCaster can only claim external audit completion after these independent proof files are imported and strict gates pass.

Required independent proof files (intake status: blocked_external):

.quilibrium/operator-secrets/gitcaster-external-security-audit/external-security-audit-report.json

.quilibrium/operator-secrets/gitcaster-external-security-audit/auditor-attestation.json

.quilibrium/operator-secrets/gitcaster-external-security-audit/findings-remediation-matrix.json

Verification command

The checker verifies the packet, public JSON, and blocked audit-completion claims.

Checker mode: deterministic
pnpm run external-audit-intake:check
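The gate and checker described above, as an added illustration written for this page (it is not GitCaster's own status-truth.ts or check-external-audit-intake-public-alpha.cjs). It keeps the intake status at blocked_external until all three proof files are present and flags public packet wording that reads as an audit-completion claim while still letting the packet's own negated disclaimers through. The JSON field names, the `imported` status value, the phrase list and the sample inputs are assumptions; the three proof paths and the blocked_external status come from the page.

```javascript
// Added illustration of the claim-honesty gate, not GitCaster's own checker.
// Proof paths and the blocked_external status are from the page; everything else is assumed.
const REQUIRED_PROOF_FILES = [
  ".quilibrium/operator-secrets/gitcaster-external-security-audit/external-security-audit-report.json",
  ".quilibrium/operator-secrets/gitcaster-external-security-audit/auditor-attestation.json",
  ".quilibrium/operator-secrets/gitcaster-external-security-audit/findings-remediation-matrix.json",
];

// Wording that would amount to claiming completion (constructed list). A sentence may mention it
// only when negated or conditioned, so the packet's own "not ... before proof is imported" copy passes.
const COMPLETION_PHRASES = [/externally audited/i, /external (security )?audit (is )?complete/i, /audit completion/i];
const NEGATION_MARKERS = /\b(not|no|never|until|before|blocked|cannot|only after)\b/i;

function findCompletionClaims(packetText) {
  return packetText
    .split(/(?<=[.!?])\s+/)
    .map((s) => s.trim())
    .filter((s) => COMPLETION_PHRASES.some((re) => re.test(s)) && !NEGATION_MARKERS.test(s));
}

// Deterministic check: the public JSON must agree with what the proof files on disk justify.
function evaluateIntake({ publicJson, packetText, presentProofFiles }) {
  const missing = REQUIRED_PROOF_FILES.filter((p) => !presentProofFiles.includes(p));
  const expectedStatus = missing.length === 0 ? "imported" : "blocked_external"; // "imported" is assumed
  const violations = [];
  if (publicJson.independentArtifactIntake !== expectedStatus) {
    violations.push(`intake status must be ${expectedStatus}, found ${publicJson.independentArtifactIntake}`);
  }
  if (expectedStatus === "blocked_external" && publicJson.externalAuditComplete !== false) {
    violations.push("externalAuditComplete must be false while proof files are missing");
  }
  const claims = findCompletionClaims(packetText);
  if (expectedStatus === "blocked_external" && claims.length > 0) {
    violations.push(`packet claims completion: ${JSON.stringify(claims)}`);
  }
  return { expectedStatus, missing, violations, ok: violations.length === 0 };
}

// Constructed sample inputs: an honest public-alpha state with no proof files imported yet.
const SAMPLE_JSON = { independentArtifactIntake: "blocked_external", externalAuditComplete: false };
const SAMPLE_PACKET =
  "This is not an external security audit. Any claim that GitCaster is externally audited " +
  "before independent proof is imported is out of scope.";

console.log(evaluateIntake({ publicJson: SAMPLE_JSON, packetText: SAMPLE_PACKET, presentProofFiles: [] }));
```

The sentence-level negation check is a heuristic; a stricter gate would require completion wording to live only in structured fields that the truth table controls.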