Security
Exportable evidence matters more than promises. Here we explain how Shipyard keeps NDJSON logs, checksums, and artifacts verifiable.
Evidence & integrity
Every run generates gate logs, signed bundles, and SHA256SUMS so you can verify what shipped and when. We may update tooling, but these artifacts remain consistent per release.
- Evidence Pack: bundles SPEC.md, VERIFY_REPORT.md, SHA256SUMS.txt, and signed archives.
- Checksums: distributed artifacts include SHA256 values to detect tampering.
- Local-first: verification occurs before anything leaves your repo, and we surface the raw outputs.
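One way to check an Evidence Pack against its SHA256SUMS.txt locally, as an added example that is not Shipyard's own tooling. It assumes the manifest uses the common `sha256sum` line layout (digest, two-character separator, relative path); `verify_pack` and its status names are illustrative.

```python
import hashlib
import sys
from pathlib import Path, PurePosixPath

MANIFEST = "SHA256SUMS.txt"  # file name taken from the Evidence Pack list
HEX = set("0123456789abcdef")

def parse_manifest(text):
    """Assumed layout: '<64 hex><space><space or *><relative path>' per line."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, marker, name = line[:64].lower(), line[64:66], line[66:]
        if len(digest) != 64 or set(digest) - HEX or marker not in ("  ", " *") or not name:
            raise ValueError(f"line {n}: malformed entry")
        if name.startswith("/") or ".." in PurePosixPath(name).parts:
            raise ValueError(f"line {n}: path escapes the pack: {name!r}")
        entries[PurePosixPath(name).as_posix()] = digest
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_pack(root):
    """Return {relative path: 'ok' | 'mismatch' | 'missing' | 'unlisted'}."""
    root = Path(root)
    expected = parse_manifest((root / MANIFEST).read_text())
    results = {}
    for name, digest in expected.items():
        target = root / name
        if not target.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(target) == digest else "mismatch"
    # Files the manifest never mentions are reported too: an extra file is unverified.
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel != MANIFEST and rel not in expected:
            results[rel] = "unlisted"
    return results

if __name__ == "__main__":
    report = verify_pack(sys.argv[1])
    print(report)
    sys.exit(0 if set(report.values()) <= {"ok"} else 1)
```

A matching digest shows only that a file agrees with the manifest; the manifest is trustworthy only once the signature on the bundle that carries it has been checked.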
Policy anchors
Canonical contact details live in /.well-known/security.txt, and responsible disclosure is described on the disclosure page.
- security.txt — published contacts and scope.
- Disclosure policy — how to report issues privately.
- Compliance waitlist — best-effort assistance around evidence expectations.
Need compliance evidence?
We aim to describe the exact artifacts we can deliver. Reach out via /waitlist/?persona=compliance to get help framing evidence for your auditors.