
ADR-0017: Optional Verified Artifact Mirror

Accepted

Date: 2026-06-10

Context

Enterprise procurement frequently asks: “How do you know the exact code in our generated app is what was tested?” When the platform retrieves library artifacts at build time from public registries (Maven Central, npm, PyPI, Docker Hub), there’s some risk of upstream tampering, takedowns, or version drift between curation and use.

A verified artifact mirror — a platform-controlled cache of the exact byte-for-byte artifacts referenced by Manifests, with verified checksums — addresses this. It is optional infrastructure, not architectural-core.

Decision

The platform optionally maintains a verified artifact mirror. When enabled:

  • The Manifest references the upstream coordinates (Maven GAV, npm package, Docker image).
  • The platform also stores the verified artifact bytes, with their checksum, in platform-controlled storage.
  • Generated apps can be configured to pull from the mirror instead of upstream.

The mirror is not required for MVP. It is a v1 feature for enterprise-tier customers who require supply-chain security guarantees.

Rationale

  • Enterprise customers value this strongly; it’s a real procurement-cycle answer.
  • Standard developer customers don’t need it and shouldn’t pay for it.
  • Mirror infrastructure is non-trivial (storage costs, security, sync logic); not blocking MVP.
  • Architecture remains workable without the mirror; enabling it is additive.

Consequences

  • Manifest schema includes optional fields for mirror coordinates and checksums.
  • The platform’s Curation Pipeline includes mirror sync as an optional step.
  • Cost and operational complexity scale with mirror usage; pricing reflects this.
  • Customers without the mirror pull artifacts directly from upstream registries (with checksum verification still possible from the Manifest).
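
The resolution and verification flow described in the Decision and Consequences sections, as an added sketch that is not the platform's own code. The Manifest field names (`upstream`, `mirror`, `sha256`), the fetcher callables and the sample mirror URL are assumptions, since this ADR does not define the schema.

```python
import hashlib
import hmac

class ChecksumMismatch(Exception):
    """Fetched bytes differ from the digest pinned in the Manifest."""

def resolve_artifact(entry, fetchers, use_mirror):
    """Fetch one Manifest entry and return (source, bytes); fail closed on mismatch.

    entry keys (assumed schema): 'upstream', 'sha256', optional 'mirror'.
    fetchers: {'mirror': fn(url) -> bytes, 'upstream': fn(coords) -> bytes}.
    """
    expected = entry.get("sha256")
    if not expected:
        raise ValueError("no pinned checksum in Manifest entry; refusing to fetch")
    if use_mirror and entry.get("mirror"):
        source, data = "mirror", fetchers["mirror"](entry["mirror"])
    else:
        source, data = "upstream", fetchers["upstream"](entry["upstream"])
    # Verify regardless of source: the mirror is checked as strictly as upstream.
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise ChecksumMismatch(
            f"{entry['upstream']} via {source}: got {actual}, pinned {expected}")
    return source, data

# Constructed sample data (not real artifacts or a real mirror host).
PINNED_BYTES = b"constructed-jar-bytes-1.2.3"
ENTRY = {
    "upstream": "com.example:demo-lib:1.2.3",
    "mirror": "https://mirror.example.invalid/com/example/demo-lib/1.2.3/demo-lib-1.2.3.jar",
    "sha256": hashlib.sha256(PINNED_BYTES).hexdigest(),
}
# Stub fetchers: the mirror holds the curated bytes, upstream has drifted since curation.
DRIFTED_FETCHERS = {"mirror": lambda url: PINNED_BYTES,
                    "upstream": lambda gav: b"republished-upstream-bytes"}

if __name__ == "__main__":
    print(resolve_artifact(ENTRY, DRIFTED_FETCHERS, use_mirror=True)[0])
    try:
        resolve_artifact(ENTRY, DRIFTED_FETCHERS, use_mirror=False)
    except ChecksumMismatch as exc:
        print("rejected:", exc)
```

The same pinned digest gates both paths, so a customer without the mirror still detects upstream drift, and a mirror-enabled build does not have to trust the mirror's storage blindly.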
