for git repos, a revision is just a tree id in a big database.
Preventing trees from existing can only happen at push receive time and causes a ton of developer friction.
Especially when teams rely on pull requests, the "reachable from this ref" security boundary is the most practical. It models whether a commit / tree id is included in a specific subset. That subset has certain properties. I think that's what we're saying by context here, but it might need some additional definition here!
_Originally posted by @marcelamelara in https://github.com/slsa-framework/slsa/pull/1094#discussion_r1722360178_
@zachariahcox