Supply-Chain Assurance Profile

This profile defines the immediate advanced assurance baseline for the zenzic family repositories (zenzic, zenzic-doc, zenzic-action).

It is designed to be enforceable with repository-local gates, reproducible in CI, and auditable from logs.

1) Target Level

Operational target: advanced assurance baseline now.
Scope: source integrity, deterministic verification, fail-closed policy paths, and cross-repository parity controls.
Rule: no silent downgrade from hard gates to advisory warnings.

Control	Required behavior	Enforcement locus
Single verification entrypoint	Local and CI must converge on `just verify`	`justfile` + CI workflows
Sovereign core resolution	`ZENZIC_CORE_PATH -> ./_zenzic_core -> ../zenzic`, fail-closed	`justfile`, `noxfile.py`, CI
Governed branch override	`ZENZIC_CORE_REF` requires ticket/reason/approver/expiry	`zenzic-action` self-check workflow
Lexical boundary guard	Forbidden terms blocked in governed paths	`scripts/enforce-radical-unawareness.sh` + pre-commit
Public contract drift guard	Required guard markers must exist; release recipes must not auto-create tags	`release-contracts` recipes
License provenance hygiene	SPDX/REUSE verification required	pre-commit `reuse` + CI

Run from repository root unless noted otherwise.

just release-contracts
just verify

Tagging policy: tags are created and pushed manually after merge; release recipes must not create tags.

Lexical guard (policy-as-code):

bash scripts/enforce-radical-unawareness.sh

Docs parity contract (in zenzic-doc):

uvx nox -s verify-codes-parity

License provenance check:

uvx reuse lint

A release candidate is considered assurance-compliant only if:

This baseline is the minimum industrial profile now in force.

Planned next layer: