Diffstat (limited to 'Documentation/source/contributing/code-integrity.rst')
-rw-r--r-- Documentation/source/contributing/code-integrity.rst | 43
1 files changed, 43 insertions, 0 deletions
diff --git a/Documentation/source/contributing/code-integrity.rst b/Documentation/source/contributing/code-integrity.rst
new file mode 100644
index 0000000..7ead918
--- /dev/null
+++ b/Documentation/source/contributing/code-integrity.rst
@@ -0,0 +1,43 @@
+Code Integrity
+==============
+
+This project should preserve a reviewable and trustworthy history. The raw
+``docs/protecting-code-integrity.md`` note covers broader PGP background; this
+page records repository-level expectations.
+
+Source Provenance
+-----------------
+
+* Prefer signed commits and signed tags when publishing releases.
+* Protect credentials and signing keys outside the repository.
+* Do not commit generated secrets, local database state, or build output.
+* Review dependency changes with the same care as source changes.
+
+Git Practices
+-------------
+
+* Keep commits focused by subsystem or behavior.
+* Avoid mixing generated files with hand-written changes unless the generated
+ files are required for the change.
+* Use branches for non-trivial work.
+* Rebase or merge deliberately; avoid history rewrites on shared branches
+ unless the team has agreed.
+
+Release Tags
+------------
+
+Release tags should be annotated and signed when possible:
+
+.. code-block:: bash
+
+ git tag -s v1.2.0 -m "v1.2.0"
+
+Verification
+------------
+
+Before trusting a release or dependency bump, verify:
+
+* tag or commit signature when available;
+* changelog and diff scope;
+* dependency lockfile changes;
+* CI result for the exact commit being released.
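Review bot: The Verification section tells the reader to check the "tag or commit signature when available" but never says how, or against which keys, so the guidance is not actionable as written. Suggest pairing the `git tag -s v1.2.0 -m "v1.2.0"` example under Release Tags with the matching check (`git verify-tag v1.2.0`, or `git verify-commit <sha>` for an unsigned-tag release) and stating where the trusted maintainer key fingerprints are published and pinned, since a signature from an unknown or unpinned key passes `git verify-tag` yet establishes nothing about provenance. Minor: `git tag -s` already produces an annotated tag, so the sentence "annotated and signed" could say that `-s` covers both, and the plain path reference ``docs/protecting-code-integrity.md`` would be more robust as a link relative to this page.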