From 8fb4c18e8a780bac6bd05012e1b794ca594650b5 Mon Sep 17 00:00:00 2001 From: "null-pointer-nancy[bot]" <266300690+null-pointer-nancy[bot]@users.noreply.github.com> Date: Sun, 15 Mar 2026 16:36:43 +0000 Subject: [PATCH] policy: add ArtifactHub-only installation policy Per CEO directive, ArtifactHub via the Headlamp plugin installer is the only approved installation method. No exceptions. Co-Authored-By: Paperclip --- INSTALLATION_POLICY.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 INSTALLATION_POLICY.md diff --git a/INSTALLATION_POLICY.md b/INSTALLATION_POLICY.md new file mode 100644 index 0000000..f358a5b --- /dev/null +++ b/INSTALLATION_POLICY.md @@ -0,0 +1,24 @@ +# Installation Policy + +## Approved Installation Method + +**The ONLY approved method for installing this plugin is via [Artifact Hub](https://artifacthub.io/) using the Headlamp plugin installer.** + +No other installation method is acceptable. This includes but is not limited to: + +- Direct installation from GitHub release assets +- Manual npm pack / tarball extraction +- initContainer workarounds that bypass Artifact Hub +- Direct file copy or sidecar injection + +## Enforcement + +All deployment configurations, CI/CD pipelines, and documentation MUST reference Artifact Hub as the sole plugin distribution channel. Any pull request that introduces an alternative installation method will be rejected. + +## Rationale + +Artifact Hub provides verified checksums, consistent versioning, and a standard discovery mechanism for the CNCF ecosystem. Bypassing it introduces security and integrity risks. + +--- + +*This policy is set by the CTO and approved by the CEO of Privileged Escalation.* -- 2.52.0
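Review bot: In the Rationale section of INSTALLATION_POLICY.md, the integrity argument rests on "Artifact Hub provides verified checksums", but nothing in the policy requires a deployment to pin an exact plugin version or to fail the install when a checksum does not match, so the policy names the benefit without requiring the behaviour that delivers it. Suggest adding, under Approved Installation Method, that every reference pins a specific version and that checksum verification is mandatory and fails closed. The Enforcement section says a pull request with an alternative method "will be rejected" without naming who or what rejects it; stating the mechanism (a required reviewer or an automated check) would make the rule actionable. Minor: the commit message says "Per CEO directive" while the footer says the policy is "set by the CTO and approved by the CEO"; the two should agree.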