retest

Signed-off-by: George Jenkins <gvjenkins@gmail.com>

Author: gjenkins8

skills/hip-author-workspace/iteration-2/feature-hip/eval_metadata.json

@@ -0,0 +1,31 @@
+{
+  "eval_id": 0,
+  "eval_name": "feature-hip",
+  "prompt": "I want to write a HIP for adding native support for chart signing using Sigstore/cosign instead of the current PGP-based provenance system.",
+  "assertions": [
+    {
+      "name": "valid_preamble",
+      "description": "Valid YAML frontmatter with hip: 9999, type: feature, status: draft"
+    },
+    {
+      "name": "all_sections_present",
+      "description": "All 11 required sections present"
+    },
+    {
+      "name": "abstract_under_100_words",
+      "description": "Abstract is under 100 words (target: ~50, testing conciseness improvement)"
+    },
+    {
+      "name": "total_under_2500_words",
+      "description": "Total document under 2500 words (iteration-1 was 2915; testing whether length guidance reduces verbosity)"
+    },
+    {
+      "name": "backwards_compat_addresses_prov",
+      "description": "Backwards compat references .prov/PGP migration"
+    },
+    {
+      "name": "no_mailing_list_reference",
+      "description": "Does NOT reference cncf-helm mailing list as primary vetting channel (should reference #helm-dev Slack instead)"
+    }
+  ]
+}

skills/hip-author-workspace/iteration-2/feature-hip/with_skill/grading.json

@@ -0,0 +1,36 @@
+{
+  "eval_name": "feature-hip",
+  "variant": "with_skill",
+  "expectations": [
+    {
+      "text": "valid_preamble",
+      "passed": true,
+      "evidence": "Preamble valid with hip:9999, status:draft"
+    },
+    {
+      "text": "all_sections_present",
+      "passed": true,
+      "evidence": "All 11 sections present"
+    },
+    {
+      "text": "abstract_under_100_words",
+      "passed": true,
+      "evidence": "Abstract is 47 words"
+    },
+    {
+      "text": "total_under_2500_words",
+      "passed": true,
+      "evidence": "Total is 844 words"
+    },
+    {
+      "text": "backwards_compat_addresses_prov",
+      "passed": true,
+      "evidence": "Backwards compat references .prov/PGP"
+    },
+    {
+      "text": "no_mailing_list_reference",
+      "passed": true,
+      "evidence": "No mailing list as primary channel"
+    }
+  ]
+}

skills/hip-author-workspace/iteration-2/feature-hip/with_skill/outputs/hip-9999.md

@@ -0,0 +1,123 @@
+---
+hip: 9999
+title: "Sigstore/Cosign Chart Signing"
+authors: [ "User Name <user@example.com>" ]
+created: "2026-05-30"
+type: "feature"
+status: "draft"
+---
+
+## Abstract
+
+This proposal adds native Sigstore/cosign-based signing and verification for Helm charts as an alternative to the current PGP-based provenance system. Cosign uses keyless signing via OIDC identity, eliminating the need for manual key management and aligning Helm with the signing standard already adopted across the container ecosystem.
+
+## Motivation
+
+### Current Limitations
+
+Helm's existing chart signing relies on PGP-based `.prov` files. This requires chart authors to generate PGP keys, distribute public keys out-of-band, and manage key lifecycle. The complexity means very few charts in the ecosystem are actually signed, undermining the security that provenance was designed to provide.
+
+### Real-World Impact
+
+Platform teams building secure software supply chains cannot enforce chart verification policies because so few charts carry signatures. CI/CD pipelines that verify container images with cosign must use an entirely separate trust model for the Helm charts that deploy those same images. This inconsistency creates gaps in supply chain security.
+
+### Who Is Affected
+
+Chart authors who want to sign but find PGP tooling burdensome, cluster operators who want to enforce verification policies, and platform teams building end-to-end supply chain security with Sigstore.
+
+### Existing Workarounds
+
+Some teams wrap `cosign sign-blob` around packaged `.tgz` files and store signatures externally, but this is ad-hoc, not discoverable, and unsupported by `helm verify`.
+
+## Rationale
+
+### Why Cosign over PGP
+
+PGP key management is the primary barrier to chart signing adoption. Cosign's keyless mode uses OIDC identity providers (GitHub Actions, Google, Microsoft), removing the need to generate, store, and distribute keys. The container ecosystem has already standardized on Sigstore through projects like Kubernetes itself, which signs releases with cosign.
+
+### Why Native Integration
+
+External wrapper scripts cannot integrate with `helm install --verify` or OCI registry workflows. Native support means signatures are discoverable and verifiable through standard Helm commands, which is essential for policy enforcement.
+
+## Specification
+
+### CLI Flags
+
+Signing is added to `helm package` and `helm push`:
+
+```
+helm package mychart/ --cosign-sign
+helm package mychart/ --cosign-sign --cosign-key cosign.key
+helm push mychart-1.0.0.tgz oci://registry.example.com/charts --cosign-sign
+```
+
+Verification is added to `helm install`, `helm pull`, and `helm verify`:
+
+```
+helm install myrelease oci://registry.example.com/charts/mychart --cosign-verify
+helm pull oci://registry.example.com/charts/mychart --cosign-verify
+helm verify mychart-1.0.0.tgz --cosign
+```
+
+When `--cosign-sign` is used without `--cosign-key`, keyless mode is used via OIDC identity. When `--cosign-key` is provided, the specified private key is used.
+
+### Signature Storage
+
+For OCI-stored charts, cosign signatures are stored as a separate tag in the same repository following the cosign convention (`sha256-<digest>.sig`). This is consistent with how container image signatures work and requires no changes to registry infrastructure.
+
+For file-based charts, a `.cosign.sig` file is produced alongside the `.tgz`, similar to the existing `.prov` file.
+
+### Verification Behavior
+
+| Flag | Behavior |
+|------|----------|
+| `--cosign-verify` | Verify cosign signature; fail if missing or invalid |
+| `--verify` (existing) | Unchanged; verifies PGP `.prov` file |
+| Both flags | Both signatures must be present and valid |
+| Neither | No verification (current default behavior) |
+
+### Transparency Log
+
+When keyless signing is used, an entry is recorded in the Rekor transparency log by default. This can be disabled with `--cosign-no-tlog` for air-gapped environments.
+
+### Configuration
+
+Environment variables follow cosign conventions:
+
+- `COSIGN_KEY` -- path to a cosign private key
+- `COSIGN_CERTIFICATE` -- path to a signing certificate
+- `COSIGN_REKOR_URL` -- custom Rekor transparency log URL
+
+## Backwards Compatibility
+
+This proposal is purely additive. Existing PGP-based `--sign`, `--verify`, and `.prov` file workflows remain unchanged. Cosign support uses new, separate flags and does not alter default behavior.
+
+## Security Implications
+
+This proposal improves Helm's security posture by making chart signing practical. Keyless signing via OIDC ties signatures to verifiable identities. The Rekor transparency log provides a tamper-evident record of all signing events. The cosign verification model is well-audited as part of the Sigstore project under the OpenSSF.
+
+## How to Teach This
+
+Documentation should add a "Signing Charts with Cosign" guide alongside the existing provenance documentation. The lead example should show keyless signing in a GitHub Actions workflow, since that is the most common CI/CD environment. Users familiar with `cosign sign` for container images will find the Helm flags analogous.
+
+## Reference Implementation
+
+No implementation exists yet. The work involves integrating the `sigstore/cosign` Go library into the Helm CLI and adding signature handling to the OCI push/pull paths.
+
+## Rejected Ideas
+
+- **Replacing PGP entirely** -- Too disruptive for existing users who have PGP workflows. Cosign is offered alongside PGP, not as a replacement.
+- **Storing signatures inside the OCI manifest** -- This would require custom manifest handling and reduce compatibility with standard registry tooling. Using cosign's standard tag-based approach is simpler and better supported.
+- **Notation (CNCF Notary Project)** -- While also a CNCF project, cosign has significantly wider ecosystem adoption and simpler UX, particularly for keyless signing.
+
+## Open Issues
+
+- Should `helm install` support a configuration option to require cosign verification by default, or should this be left to policy tools like Kyverno and OPA Gatekeeper?
+
+## References
+
+- [Sigstore](https://www.sigstore.dev/)
+- [Cosign Documentation](https://docs.sigstore.dev/cosign/overview/)
+- [Helm Provenance and Integrity](https://helm.sh/docs/topics/provenance/)
+- [HIP-0006: OCI Support](https://github.com/helm/community/blob/main/hips/hip-0006.md)
+- [Rekor Transparency Log](https://docs.sigstore.dev/rekor/overview/)

skills/hip-author-workspace/iteration-2/feature-hip/with_skill/timing.json

@@ -0,0 +1 @@
+{"total_tokens": 50240, "duration_ms": 115089, "total_duration_seconds": 115.1}

skills/hip-author-workspace/iteration-2/process-hip/eval_metadata.json

@@ -0,0 +1,31 @@
+{
+  "eval_id": 1,
+  "eval_name": "process-hip",
+  "prompt": "I think we should create a formal process for how Helm handles security embargoes and coordinated disclosure with downstream distributors.",
+  "assertions": [
+    {
+      "name": "valid_preamble",
+      "description": "Valid YAML frontmatter with hip: 9999, type: process, status: draft"
+    },
+    {
+      "name": "all_sections_present",
+      "description": "All 11 required sections present"
+    },
+    {
+      "name": "abstract_under_100_words",
+      "description": "Abstract is under 100 words (target: ~50)"
+    },
+    {
+      "name": "total_under_2500_words",
+      "description": "Total document under 2500 words (iteration-1 was 2633)"
+    },
+    {
+      "name": "references_security_md",
+      "description": "References existing SECURITY.md"
+    },
+    {
+      "name": "no_code_in_spec",
+      "description": "Specification defines process steps, not code"
+    }
+  ]
+}

skills/hip-author-workspace/iteration-2/process-hip/with_skill/grading.json

@@ -0,0 +1,41 @@
+{
+  "eval_name": "process-hip",
+  "variant": "with_skill",
+  "expectations": [
+    {
+      "text": "valid_preamble",
+      "passed": true,
+      "evidence": "Preamble valid with hip:9999, status:draft"
+    },
+    {
+      "text": "all_sections_present",
+      "passed": true,
+      "evidence": "All 11 sections present"
+    },
+    {
+      "text": "abstract_under_100_words",
+      "passed": true,
+      "evidence": "Abstract is 49 words"
+    },
+    {
+      "text": "total_under_2500_words",
+      "passed": true,
+      "evidence": "Total is 801 words"
+    },
+    {
+      "text": "type_is_process",
+      "passed": true,
+      "evidence": "type is process"
+    },
+    {
+      "text": "references_security_md",
+      "passed": true,
+      "evidence": "References SECURITY.md"
+    },
+    {
+      "text": "no_code_in_spec",
+      "passed": true,
+      "evidence": "Spec correctly avoids code"
+    }
+  ]
+}

skills/hip-author-workspace/iteration-2/process-hip/with_skill/outputs/hip-9999.md

@@ -0,0 +1,120 @@
+---
+hip: 9999
+title: "Security Embargo and Coordinated Disclosure Process"
+authors: [ "George Jenkins" ]
+created: "2026-05-30"
+type: "process"
+status: "draft"
+---
+
+## Abstract
+
+This proposal establishes a formal process for managing security embargoes and coordinating vulnerability disclosure with downstream distributors who package Helm. It defines an embargo timeline, a downstream notification list with eligibility criteria, and participant obligations so that patched releases across the ecosystem ship simultaneously when a CVE goes public.
+
+## Motivation
+
+### Current Limitations
+
+Helm's SECURITY.md documents reporting, triage, and public disclosure but contains no process for pre-disclosure coordination with downstream packagers. When the security team publishes a fix, distributors learn about it simultaneously with the public and must scramble to rebuild and ship.
+
+### Real-World Impact
+
+Users who install Helm through Linux distributions (Fedora, Debian, Alpine), cloud providers, or package managers (Homebrew, Chocolatey) remain vulnerable for hours or days after a CVE is published while downstream maintainers react. This gap is avoidable with advance notice.
+
+### Who Is Affected
+
+Distribution maintainers are forced into emergency response with no lead time. End users on downstream channels face delayed protection. The security team lacks a repeatable process for coordination.
+
+### Existing Workarounds
+
+Some distributors monitor Helm's release channels closely or rely on informal relationships with maintainers. This is inconsistent, unscalable, and leaves smaller distributors out entirely.
+
+## Rationale
+
+### Why a formal list rather than ad-hoc notification
+
+Ad-hoc emails to known contacts are error-prone and depend on institutional memory. A documented list with eligibility criteria and removal procedures ensures consistency across security team membership changes.
+
+### Why align with Kubernetes's model
+
+Many Helm downstream distributors already participate in the Kubernetes private distributors list. Aligning reduces cognitive overhead and leverages a proven structure, scaled down for Helm's smaller vulnerability volume.
+
+### Why a fixed 7-day embargo window
+
+A fixed default provides predictability for both the security team and distributors. Variable windows add coordination overhead without proportional benefit. Seven days balances preparation time against leak risk.
+
+## Specification
+
+### Downstream Notification List
+
+The Helm project will maintain a private mailing list (`cncf-helm-distros@lists.cncf.io`) for pre-disclosure notification, separate from the inbound reporting list.
+
+### Eligibility Criteria
+
+Applicants must meet all of the following:
+
+1. Actively package and distribute Helm through a publicly available channel
+2. Serve a non-trivial user base
+3. Have capability to produce patched builds within the embargo window
+4. Have no unresolved history of embargo violations
+
+### Application Process
+
+1. Send a request to `cncf-helm-security@lists.cncf.io` with distribution name, packaging description, user base estimate, two security contacts, and agreement to embargo obligations.
+2. The security team reviews; approval requires two security team members.
+3. Approved applicants are added to the list. Member organizations are published in SECURITY.md.
+
+### Removal
+
+Members are removed for: voluntary withdrawal, embargo violation (immediate removal, 12-month reinstatement wait), or inactivity (failure to respond to two consecutive notifications, removed after 30-day notice).
+
+### Embargo Process
+
+1. **Day 0**: Security team finalizes patch and determines timeline.
+2. **Day 0-1**: Notification sent to downstream list with vulnerability description, severity, patch, planned disclosure date, and workarounds.
+3. **Days 1-7**: Distributors prepare patched releases privately. No disclosure permitted outside immediate security response teams.
+4. **Day 7**: Public disclosure per existing SECURITY.md process. Distributors may publish simultaneously.
+
+### Timeline Adjustments
+
+- Default: 7 calendar days
+- Minimum: 2 days (active exploitation or imminent leak)
+- Maximum: 14 days (at distributor request if leak risk is low)
+
+### Severity Threshold
+
+The embargo process applies when: CVSS >= 7.0, or the vulnerability enables remote code execution, privilege escalation, or credential disclosure.
+
+## Backwards Compatibility
+
+This proposal is purely additive. The existing reporting and disclosure workflow in SECURITY.md is unchanged. Distributors who do not join the list are unaffected.
+
+## Security Implications
+
+Sharing vulnerability details pre-disclosure increases leak risk. This is mitigated by strict eligibility criteria, embargo violation consequences (removal plus 12-month wait), and a short maximum window of 14 days.
+
+## How to Teach This
+
+SECURITY.md will gain a new "Coordinated Disclosure for Downstream Distributors" section explaining eligibility, application, and obligations. An announcement on the `cncf-helm` mailing list will invite known distributors to apply. Vulnerability reporters need no process changes.
+
+## Reference Implementation
+
+Create the `cncf-helm-distros@lists.cncf.io` mailing list, update SECURITY.md with the new section, and conduct initial outreach to known distributors.
+
+## Rejected Ideas
+
+- **Private GitHub repository for patches** -- rejected because it requires GitHub accounts, provides less granular access control than a mailing list, and diverges from the Kubernetes model.
+- **Per-vulnerability opt-in notifications** -- rejected because the extra round-trip adds latency during time-sensitive coordination without meaningful security benefit.
+- **Unlimited embargo extensions** -- rejected because open-ended embargoes increase leak risk and delay protection for direct-install users.
+
+## Open Issues
+
+- Should embargo notifications use PGP or a modern alternative like age?
+- How should embargo timelines coordinate with Kubernetes when vulnerabilities span both projects?
+
+## References
+
+- [Helm SECURITY.md](https://github.com/helm/community/blob/main/SECURITY.md)
+- [Kubernetes Security Release Process](https://kubernetes.io/docs/reference/issues-security/security-release-process/)
+- [Kubernetes Private Distributors List](https://github.com/kubernetes/security/blob/master/private-distributors-list.md)
+- [Go Security Policy](https://go.dev/security/policy)

skills/hip-author-workspace/iteration-2/process-hip/with_skill/timing.json

@@ -0,0 +1 @@
+{"total_tokens": 50798, "duration_ms": 105720, "total_duration_seconds": 105.7}