Reference policy
  The reference policy the demo reconciles: copy (busybox) and rebuild (debian-tz) in one self-contained pass.

Redis: semver selection
  Semver selection and alias tracking over a real image (redis 7.2.x).

Hardened rebuild
  Rebuild path with org hardening: inject internal CA, rewrite package sources.

Attested rebuild
  Rebuild path with signed in-toto attestations (SLSA + houba transform).

Pending-deletion (soft delete)
  Soft delete: mark dropped tags with a pending-deletion referrer instead of deleting.

Retention
  Retention: cap valid in-selection tags by keep-count and age.

Admission gate (Kyverno)
  Consumer-side Kyverno gate: admit only images with a fresh houba-signed scan attestation.