up

src/Scanner/StellaOps.Scanner.Worker/Options/ScannerWorkerOptions.cs

@@ -28,6 +28,8 @@ public sealed class ScannerWorkerOptions
 
     public StellaOpsCryptoOptions Crypto { get; } = new();
 
+    public SigningOptions Signing { get; } = new();
+
     public DeterminismOptions Determinism { get; } = new();
 
     public sealed class QueueOptions
@@ -208,4 +210,35 @@ public sealed class ScannerWorkerOptions
         /// </summary>
         public int? ConcurrencyLimit { get; set; }
     }
+
+    public sealed class SigningOptions
+    {
+        /// <summary>
+        /// Enable DSSE signing for surface artifacts (composition recipe, layer fragments).
+        /// When disabled, the worker will fall back to deterministic hash envelopes.
+        /// </summary>
+        public bool EnableDsseSigning { get; set; }
+
+        /// <summary>
+        /// Identifier recorded in DSSE signatures.
+        /// </summary>
+        public string KeyId { get; set; } = "scanner-hmac";
+
+        /// <summary>
+        /// Shared secret material for HMAC-based DSSE signatures (base64 or hex).
+        /// Prefer <see cref=\"SharedSecretFile\"/> for file-based loading.
+        /// </summary>
+        public string? SharedSecret { get; set; }
+
+        /// <summary>
+        /// Optional path to a file containing the shared secret (base64 or hex).
+        /// </summary>
+        public string? SharedSecretFile { get; set; }
+
+        /// <summary>
+        /// Allow deterministic fallback when signing is enabled but no secret is provided.
+        /// Keeps offline determinism while avoiding hard failures in sealed-mode runs.
+        /// </summary>
+        public bool AllowDeterministicFallback { get; set; } = true;
+    }
 }