Epic 2: Unify image refs to ghcr.io/secai-hub/secai_os + CI enforcement

Fix 22 occurrences of wrong image reference (ghcr.io/sec_ai/secai_os)
across 12 files — scripts, configs, docs, and VM build tooling. All
container image references now use the canonical path matching the
GitHub org (SecAI-Hub/SecAI_OS).

Add CI enforcement:
- image-ref-consistency job greps for known wrong patterns
- docs-validation step verifies release-artifacts.json matches
  release.yml service matrix
- Python test suite (test_image_ref_consistency.py) with 10 tests
  covering repo-wide scan, critical file assertions, and negative
  detection verification
- Machine-readable release-artifacts.json as single source of truth
  for expected release artifact patterns

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: SecAI-Hub

.github/workflows/ci.yml

@@ -165,6 +165,43 @@ jobs:
           sys.exit(errors)
           "
 
+  image-ref-consistency:
+    name: Image Reference Consistency
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Check for wrong image references
+        run: |
+          CANONICAL="ghcr.io/secai-hub/secai_os"
+
+          # Known wrong patterns (container image refs only)
+          WRONG_PATTERNS=(
+            "ghcr.io/sec_ai/secai_os"
+          )
+
+          ERRORS=0
+          for pattern in "${WRONG_PATTERNS[@]}"; do
+            MATCHES=$(grep -rn \
+              --include='*.sh' --include='*.py' --include='*.yaml' \
+              --include='*.yml' --include='*.md' --include='*.json' \
+              "$pattern" . 2>/dev/null | grep -v '.git/' | grep -v 'node_modules/' || true)
+            if [ -n "$MATCHES" ]; then
+              echo "::error::Found wrong image reference '$pattern':"
+              echo "$MATCHES"
+              ERRORS=$((ERRORS + $(echo "$MATCHES" | wc -l)))
+            fi
+          done
+
+          if [ "$ERRORS" -gt 0 ]; then
+            echo ""
+            echo "::error::Found $ERRORS wrong image reference(s)."
+            echo "All container image references must use: $CANONICAL"
+            exit 1
+          fi
+          echo "OK: All image references use canonical path: $CANONICAL"
+
   check-pins:
     name: Verify action & container pins
     runs-on: ubuntu-latest
@@ -677,6 +714,44 @@ jobs:
               print(f'OK: test-counts.json is current (documented: {documented})')
           "
 
+      - name: Verify release-artifacts.json consistency
+        run: |
+          python3 -c "
+          import json, re, sys
+
+          with open('docs/release-artifacts.json') as f:
+              artifacts = json.load(f)
+
+          # Verify Go services in artifacts.json match release.yml matrix
+          with open('.github/workflows/release.yml') as f:
+              release = f.read()
+
+          # Extract matrix services from release.yml
+          matrix_match = re.search(r'service: \[([^\]]+)\]', release)
+          if not matrix_match:
+              print('FAIL: cannot find service matrix in release.yml')
+              sys.exit(1)
+          release_services = sorted(s.strip() for s in matrix_match.group(1).split(','))
+          artifact_services = sorted(artifacts['go_services'])
+
+          if release_services != artifact_services:
+              print(f'FAIL: release.yml services {release_services} != release-artifacts.json {artifact_services}')
+              sys.exit(1)
+
+          # Verify schema version
+          if artifacts.get('schema_version') != 1:
+              print('FAIL: release-artifacts.json schema_version must be 1')
+              sys.exit(1)
+
+          # Verify canonical image ref
+          canonical = artifacts.get('canonical_image_ref', '')
+          if 'sec_ai' in canonical:
+              print(f'FAIL: canonical_image_ref contains wrong namespace: {canonical}')
+              sys.exit(1)
+
+          print(f'OK: release-artifacts.json consistent ({len(release_services)} Go services, {len(artifacts[\"python_services\"])} Python services)')
+          "
+
   release-gate:
     name: Release Branch Hardened Gate
     if: startsWith(github.ref, 'refs/heads/release/') || github.ref == 'refs/heads/stable'

docs/audit-quick-path.md

@@ -171,14 +171,14 @@ Verify the container image was signed by the expected identity:
 cosign verify \
   --certificate-identity-regexp=".*SecAI-Hub.*" \
   --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
-  ghcr.io/sec_ai/secai_os:latest
+  ghcr.io/secai-hub/secai_os:latest
 
 # Verify SLSA provenance attestation
 cosign verify-attestation \
   --type slsa \
   --certificate-identity-regexp=".*SecAI-Hub.*" \
   --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
-  ghcr.io/sec_ai/secai_os:latest
+  ghcr.io/secai-hub/secai_os:latest
 ```
 
 Expected: verification succeeds with no errors. Output shows the signing certificate chain.

docs/install/recovery-bootstrap.md

@@ -40,7 +40,7 @@ curl -sSfL https://raw.githubusercontent.com/SecAI-Hub/SecAI_OS/main/cosign.pub
   -o /tmp/cosign.pub
 
 # Verify the image signature — STOP if this fails
-cosign verify --key /tmp/cosign.pub ghcr.io/sec_ai/secai_os:latest
+cosign verify --key /tmp/cosign.pub ghcr.io/secai-hub/secai_os:latest
 ```
 
 You must see a successful verification result. **Do not proceed if verification fails.**
@@ -49,7 +49,7 @@ You must see a successful verification result. **Do not proceed if verification
 
 ```bash
 # One-time unverified pull (safe ONLY because you verified the signature above)
-sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/sec_ai/secai_os:latest
+sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/secai-hub/secai_os:latest
 sudo systemctl reboot
 ```
 
@@ -68,7 +68,7 @@ verified by rpm-ostree.
 
 ```bash
 # Lock to signed transport — all future updates verified automatically
-sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sec_ai/secai_os:latest
+sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secai-hub/secai_os:latest
 sudo systemctl reboot
 ```
 
@@ -91,7 +91,7 @@ If your system is currently on the unverified transport (check with
 `rpm-ostree status`), switch to signed transport:
 
 ```bash
-sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/sec_ai/secai_os:latest
+sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secai-hub/secai_os:latest
 sudo systemctl reboot
 ```
 
@@ -110,7 +110,7 @@ If `rpm-ostree upgrade` fails with a signature verification error:
 1. Check that the signing policy is intact:
    ```bash
    cat /etc/containers/policy.json | python3 -m json.tool
-   # Should contain a "sigstoreSigned" entry for ghcr.io/sec_ai/secai_os
+   # Should contain a "sigstoreSigned" entry for ghcr.io/secai-hub/secai_os
    ```
 
 2. Check the registries config:

docs/m5-control-matrix.md

@@ -33,7 +33,7 @@ Last updated: 2026-03-14
 | 23 | Prompt injection detection | MCP Firewall global rules | Shell metacharacters and prompt patterns detected and denied | `TestAdversarial_MalformedMCPPayload` | Global rule match in audit log | `go test -run TestAdversarial_MalformedMCPPayload ./services/mcp-firewall/...` |
 | 24 | MCP taint tracking | MCP Firewall taint.go | Session-scoped taint propagation prevents data flow violations | `TestAdversarial_TaintBypassAttempt`, `TestTaint_*` | Taint entries per session ID | `go test -run "TestTaint\|TestAdversarial_Taint" ./services/mcp-firewall/...` |
 | 25 | SBOM generation verification | CI supply-chain-verify job | Syft generates SBOMs for all services | CI workflow step output | CycloneDX SBOM artifacts | `syft dir:services/registry -o cyclonedx-json` (repeat per service) |
-| 26 | Release provenance attestation | Release workflow (release.yml) | cosign attest with SLSA3 provenance | CI workflow attestation step | Signed provenance attestation | `cosign verify-attestation --type slsa ghcr.io/sec_ai/secai_os:latest` |
+| 26 | Release provenance attestation | Release workflow (release.yml) | cosign attest with SLSA3 provenance | CI workflow attestation step | Signed provenance attestation | `cosign verify-attestation --type slsa ghcr.io/secai-hub/secai_os:latest` |
 
 ## End-to-End Enforcement Paths
 

docs/release-artifacts.json

@@ -0,0 +1,79 @@
+{
+  "schema_version": 1,
+  "description": "Machine-readable source of truth for expected release artifacts. Used by CI docs-validation and test_release_artifacts.py.",
+  "canonical_image_ref": "ghcr.io/secai-hub/secai_os",
+  "go_services": [
+    "airlock",
+    "registry",
+    "tool-firewall",
+    "gpu-integrity-watch",
+    "mcp-firewall",
+    "policy-engine",
+    "runtime-attestor",
+    "integrity-monitor",
+    "incident-recorder"
+  ],
+  "architectures": ["linux-amd64", "linux-arm64"],
+  "python_services": [
+    "agent",
+    "ui",
+    "quarantine",
+    "common",
+    "diffusion-worker",
+    "search-mediator"
+  ],
+  "artifacts": {
+    "required": {
+      "go_binaries": {
+        "pattern": "{service}-{arch}",
+        "description": "Static Go binaries for each service and architecture"
+      },
+      "go_sboms": {
+        "pattern": "{service}-sbom.cdx.json",
+        "description": "CycloneDX SBOM per Go service"
+      },
+      "python_sboms": {
+        "pattern": "{service}-sbom.cdx.json",
+        "description": "CycloneDX SBOM per Python service"
+      },
+      "checksums": {
+        "files": ["SHA256SUMS", "SHA256SUMS.sig"],
+        "description": "Checksums and cosign detached signature"
+      },
+      "manifest": {
+        "files": ["RELEASE_MANIFEST.json"],
+        "description": "Machine-readable release manifest"
+      },
+      "image_digest": {
+        "files": ["IMAGE_DIGEST"],
+        "description": "OCI image digest for this release"
+      }
+    },
+    "optional": {
+      "iso": {
+        "pattern": "secai-os-{version}-x86_64.iso",
+        "signature": "secai-os-{version}-x86_64.iso.sig",
+        "description": "Bootable ISO (requires isogenerator)",
+        "required_when": "always (standard runner)"
+      },
+      "qcow2": {
+        "pattern": "secai-os-{version}.qcow2",
+        "signature": "secai-os-{version}.qcow2.sig",
+        "description": "QCOW2 disk image for KVM/QEMU/Proxmox",
+        "required_when": "vars.HAS_KVM_RUNNER == 'true'"
+      },
+      "ova": {
+        "pattern": "secai-os-{version}.ova",
+        "signature": "secai-os-{version}.ova.sig",
+        "description": "OVA appliance for VirtualBox/VMware",
+        "required_when": "vars.HAS_KVM_RUNNER == 'true'"
+      },
+      "bootc_iso": {
+        "pattern": "secai-os-{version}-x86_64-bootc.iso",
+        "signature": "secai-os-{version}-x86_64-bootc.iso.sig",
+        "description": "Experimental bootc-image-builder ISO",
+        "required_when": "vars.ENABLE_BOOTC_ISO == 'true'"
+      }
+    }
+  }
+}

docs/supply-chain-provenance.md

@@ -25,7 +25,7 @@ build → attest → sign → verify → promote
 
 ### 1. Build (build.yml)
 - BlueBuild action builds the OS image from `recipes/recipe.yml`
-- Image published to `ghcr.io/sec_ai/secai_os`
+- Image published to `ghcr.io/secai-hub/secai_os`
 - cosign signs the image using `SIGNING_SECRET`
 
 ### 2. Attest (build.yml + release.yml)

files/scripts/build-services.sh

@@ -552,7 +552,7 @@ with open('${POLICY_JSON}') as f:
 policy.setdefault('transports', {})
 policy['transports'].setdefault('docker', {})
 
-policy['transports']['docker']['ghcr.io/sec_ai/secai_os'] = [{
+policy['transports']['docker']['ghcr.io/secai-hub/secai_os'] = [{
     'type': 'sigstoreSigned',
     'keyPath': '${COSIGN_PUB}',
     'signedIdentity': {'type': 'matchRepository'}
@@ -562,7 +562,7 @@ with open('${POLICY_JSON}', 'w') as f:
     json.dump(policy, f, indent=2)
     f.write('\n')
 
-print('  -> policy.json updated: sigstoreSigned entry for ghcr.io/sec_ai/secai_os')
+print('  -> policy.json updated: sigstoreSigned entry for ghcr.io/secai-hub/secai_os')
 " || fail_build "Failed to update container signing policy"
     else
         echo "WARNING: ${POLICY_JSON} not found — signing policy not configured"

files/scripts/secai-bootstrap.sh

@@ -27,7 +27,7 @@ set -euo pipefail
 # ---------------------------------------------------------------------------
 # Configuration
 # ---------------------------------------------------------------------------
-REGISTRY="ghcr.io/sec_ai/secai_os"
+REGISTRY="ghcr.io/secai-hub/secai_os"
 COSIGN_PUB_URL="https://raw.githubusercontent.com/SecAI-Hub/SecAI_OS/main/cosign.pub"
 # SHA256 fingerprint of the expected cosign.pub — update after key rotation
 COSIGN_PUB_SHA256="de6a17ed1cd444a2671798f14d6bf98c1658259dc443a130eba9f40855a7d310"
@@ -197,7 +197,7 @@ mkdir -p "$(dirname "$REGISTRIES_YAML")"
 cat > "$REGISTRIES_YAML" <<'YAML'
 ## SecAI OS — enable sigstore signature attachments for cosign-signed images.
 docker:
-  ghcr.io/sec_ai/secai_os:
+  ghcr.io/secai-hub/secai_os:
     use-sigstore-attachments: true
 YAML
 chmod 0644 "$REGISTRIES_YAML"
@@ -218,7 +218,7 @@ with open('${POLICY_JSON}') as f:
 policy.setdefault('transports', {})
 policy['transports'].setdefault('docker', {})
 
-policy['transports']['docker']['ghcr.io/sec_ai/secai_os'] = [{
+policy['transports']['docker']['ghcr.io/secai-hub/secai_os'] = [{
     'type': 'sigstoreSigned',
     'keyPath': '${COSIGN_PUB_DEST}',
     'signedIdentity': {'type': 'matchRepository'}
@@ -238,7 +238,7 @@ policy = {
     'default': [{'type': 'insecureAcceptAnything'}],
     'transports': {
         'docker': {
-            'ghcr.io/sec_ai/secai_os': [{
+            'ghcr.io/secai-hub/secai_os': [{
                 'type': 'sigstoreSigned',
                 'keyPath': '${COSIGN_PUB_DEST}',
                 'signedIdentity': {'type': 'matchRepository'}

files/scripts/secai-setup-wizard.sh

@@ -21,7 +21,7 @@ set -euo pipefail
 SECURE_AI_ROOT="/var/lib/secure-ai"
 COSIGN_PUB="/etc/pki/containers/secai-cosign.pub"
 WIZARD_MARKER="${SECURE_AI_ROOT}/.wizard-complete"
-REGISTRY="ghcr.io/sec_ai/secai_os"
+REGISTRY="ghcr.io/secai-hub/secai_os"
 HEALTH_CHECK="/usr/libexec/secure-ai/first-boot-check.sh"
 SETUP_VAULT="/usr/libexec/secure-ai/setup-vault.sh"
 TPM2_SEAL="/usr/libexec/secure-ai/tpm2-seal-vault.sh"

files/system/etc/containers/registries.d/secai-os.yaml

@@ -2,5 +2,5 @@
 ## This allows rpm-ostree to verify cosign signatures during rebase/upgrade.
 
 docker:
-  ghcr.io/sec_ai/secai_os:
+  ghcr.io/secai-hub/secai_os:
     use-sigstore-attachments: true