Tracked follow-up from the June 2026 org-wide security hardening review. Wave 1/2 fixes are merged and published; this is remaining hardening. (flagged in #368)
When the per-session TEE report call fails, close_session() falls back to the startup report, which carries no chain-root commitment. The verifier rejects this for hardware platforms (fail-closed at verify), but the runtime still issues the claim. Consider failing closed at runtime (refuse to issue an unbound claim) or clearly marking it.
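
An added sketch of the two options suggested above (not the project's own code): a `close_session()` that refuses the startup-report fallback by default, or issues an explicitly marked unbound claim only when the caller opts in. The types, the `allow_unbound` flag, the `TeeReportError` exception, the platform labels and the SHA-256 commitment format are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

class TeeReportError(Exception):
    """Hypothetical: the per-session TEE report call failed."""

class UnboundClaimError(RuntimeError):
    """Raised instead of issuing a claim that has no chain-root commitment."""

@dataclass(frozen=True)
class Report:
    platform: str                 # "hardware" or "software" (assumed labels)
    report_data: Optional[bytes]  # chain-root commitment; None on the startup report

@dataclass(frozen=True)
class Claim:
    report: Report
    chain_root: bytes
    bound: bool                   # explicit marker carried with the claim

def commitment(chain_root: bytes) -> bytes:
    # Assumed binding: SHA-256 over a domain tag plus the chain root.
    return hashlib.sha256(b"chain-root:" + chain_root).digest()

def is_bound(report: Report, chain_root: bytes) -> bool:
    return hmac.compare_digest(report.report_data or b"", commitment(chain_root))

def close_session(chain_root: bytes,
                  fetch_session_report: Callable[[bytes], Report],
                  startup_report: Report,
                  allow_unbound: bool = False) -> Claim:
    try:
        report = fetch_session_report(commitment(chain_root))
    except TeeReportError as exc:
        if not allow_unbound:
            # Fail closed at runtime: no silent fallback to the startup report.
            raise UnboundClaimError("per-session TEE report failed") from exc
        # Opt-in fallback: the claim is issued but clearly marked unbound.
        return Claim(startup_report, chain_root, bound=False)
    if not is_bound(report, chain_root):
        raise UnboundClaimError("session report does not commit to chain root")
    return Claim(report, chain_root, bound=True)

def verify(claim: Claim) -> bool:
    # Recompute the binding; never trust the runtime's own `bound` flag.
    return is_bound(claim.report, claim.chain_root) or claim.report.platform != "hardware"
```

The verifier recomputes the binding itself, so the `bound` marker is a diagnostic for operators and logs rather than something verification depends on.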