synchronicity
Supply-chain security hub for the llamaclaw ecosystem.
Part of the fifteen-repository llamaclaw umbrella. Sibling of propagator (infrastructure sync) and parallelism (coordination protocol).
Why this exists
Repeated supply-chain incidents — npm package takeovers, PyPI typosquats, compromised GitHub Actions — mean that a multi-language, multi-repository umbrella like llamaclaw cannot treat dependency security as a passive concern. synchronicity is the active hub: it collects Software Bills of Materials (SBOMs), maintains pinned-and-hashed manifests, tracks CVE advisories against the ecosystem, stores cosign signing keys and verification policy, and holds the audit trail that lets a human answer the question “what exactly is in production right now?”
The repository is a hub, not a framework. It holds artefacts and policies. The active scanning work is done by the sibling repositories’ CI workflows and by scripts/ in this repo that can be run locally.
Layout
synchronicity/
├── README.md # this file
├── STATUS.md # honest current-state audit of plan-tier limits + active controls
├── SECURITY.md # how to report a vulnerability in any llamaclaw repo
├── POLICIES.md # supply-chain policies (pinning, signing, review)
├── sboms/ # per-repo SBOMs, regenerated per release
│ ├── esml/ # e.g. esml-0.2.0.cyclonedx.json
│ ├── turboquant/
│ └── … # one subdir per sibling repo
├── pins/ # pinned dependency manifests (hash-locked)
│ ├── esml/requirements.pinned.txt
│ ├── esml/Renv.pinned.lock
│ └── …
├── policies/ # machine-readable policy (cosign, rekor, vex)
├── audits/ # dated CVE audit reports
├── advisories/ # downstream-reported advisories (GitHub Security Advisories mirror)
└── scripts/ # tooling: sbom-generate, pin-audit, cve-check, cosign-verify
Scope
In scope. SBOM generation and storage; pinned-manifest maintenance; CVE scanning against pinned manifests; cosign signing of release artefacts; audit trail for every security-relevant decision; policy documentation.
Out of scope. Runtime intrusion detection (use OS-level tools); secret scanning (use GitHub’s built-in push-protection and secret-scanning); fuzzing (lives in each sub-repository’s tests/fuzz/ as needed).
Quick start
git clone git@github.com:llamaclaw/synchronicity.git
cd synchronicity
scripts/sbom-generate.sh ../esml # regenerate SBOM for esml
scripts/pin-audit.sh # compare pins/ against current lock-files
scripts/cve-check.sh # scan pins/ against OSV.dev
scripts/cosign-verify.sh ghcr.io/llamaclaw/esml:dev # verify container signature
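As an added illustration of what the pin-audit and cve-check steps above amount to (this is example code written for this page, not the repository's own scripts/pin-audit.sh or scripts/cve-check.sh), the following Python reads a hash-locked pip manifest in the pins/ layout, flags entries that are not exactly pinned or carry no --hash, and builds the request body for OSV.dev's querybatch endpoint from the pinned versions. The manifest contents and the digest are constructed sample values; sending the query is left to the caller so the block runs offline.

```python
import re
from typing import Dict, List

# Constructed sample of a hash-locked pip manifest. The digest is a
# placeholder, not a real sha256 of any package.
FAKE_HASH = "sha256:" + "0" * 63 + "1"
SAMPLE_PINNED = (
    "# pins/esml/requirements.pinned.txt (constructed sample)\n"
    "numpy==1.26.4 \\\n"
    f"    --hash={FAKE_HASH}\n"
    "requests>=2.31  # range, not an exact pin\n"
    "pyyaml==6.0.1   # exact pin but no --hash\n"
)

# name, then a version operator, then the version (stops at space, ';' or '#')
LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)(?P<op>==|>=|<=|~=|>|<)(?P<ver>[^\s;#]+)")
HASH_RE = re.compile(r"--hash=(sha256:[0-9a-f]{64})")


def parse_pinned(text: str) -> List[Dict[str, object]]:
    """Parse a pip-style manifest into one record per requirement.
    Backslash continuations are joined so --hash options on the next
    physical line are attached to the right package."""
    logical = text.replace("\\\n", " ")
    records = []
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        records.append({"name": m["name"].lower(), "op": m["op"],
                        "version": m["ver"], "hashes": HASH_RE.findall(line)})
    return records


def audit_pins(records: List[Dict[str, object]]) -> List[str]:
    """pin-audit style policy: every dependency must be '==' pinned AND hashed."""
    findings = []
    for r in records:
        if r["op"] != "==":
            findings.append(f"{r['name']}: not an exact pin ({r['op']}{r['version']})")
        elif not r["hashes"]:
            findings.append(f"{r['name']}=={r['version']}: no --hash, integrity not enforced")
    return findings


def osv_querybatch(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Body for POST https://api.osv.dev/v1/querybatch, PyPI ecosystem,
    covering only the exactly pinned entries (ranges cannot be queried)."""
    return {"queries": [{"package": {"name": r["name"], "ecosystem": "PyPI"},
                         "version": r["version"]} for r in records if r["op"] == "=="]}
```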
Relationship to sibling repos
| Repo | Role in supply chain |
|---|---|
| synchronicity | Hub: SBOMs, pins, CVE tracking, signing policy |
| propagator | Propagates the SBOM-generate CI workflow into every sibling repo |
| parallelism | Coordinates concurrent security-response work across sessions |
| | Consumes signed release artefacts and published SBOMs |
| | Enforces runtime policy (least-privilege, no-agent-to-agent) |
| | Journals security incidents in |
License
GPL-3.0-or-later. See LICENSE.