feat: Add guild charters and task boards for various components

- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform. - Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds. - Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies. - Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
2025-11-01 02:21:46 +02:00
parent e5629454cf
commit 66cb6c4b8a
227 changed files with 9913 additions and 6210 deletions
--- a/docs/forensics/provenance-attestation.md
+++ b/docs/forensics/provenance-attestation.md
@@ -0,0 +1,41 @@
+# Provenance & Attestation Reference
+
+This guide explains how StellaOps generates, signs, verifies, and distributes DSSE attestations for SBOMs, policy evaluations, and runtime evidence.
+
+## 1. Attestation Workflow
+
+1. **Scanner** produces signed payload requests (SBOM, report metadata).
+2. **Signer** authenticates the caller, verifies release integrity, and issues DSSE bundles (keyless or KMS-backed).
+3. **Attestor** submits bundles to Rekor v2, caches inclusion proofs, and serves verification packages.
+4. **Consumers** (Export Center, Evidence Locker, CLI, Policy Engine) fetch bundles for verification.
+
+## 2. DSSE Payload Types
+
+- `StellaOps.BuildProvenance@1`
+- `StellaOps.SBOMAttestation@1`
+- `StellaOps.ScanResults@1`
+- `StellaOps.PolicyEvaluation@1`
+- `StellaOps.VEXAttestation@1`
+- `StellaOps.RiskProfileEvidence@1`
+
+Schemas live under `src/Attestor/StellaOps.Attestor.Types` and are documented in module architecture guides.
+
+## 3. Verification
+
+- CLI command `stella attest verify` requests proofs from Attestor.
+- Services embed Rekor UUID/index and DSSE digests in their APIs for downstream verification.
+- Verification pipeline checks signature trust roots, Rekor inclusion proofs, and transparency witness endorsements when enabled.
+
+## 4. Offline/air-gap considerations
+
+- Export Center bundles incorporate attestations and proofs for offline verification.
+- Evidence Locker stores immutable attestation bundles with retention policies.
+
+## 5. References
+
+- `docs/modules/signer/architecture.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/export-center/architecture.md`
+- `docs/modules/policy/architecture.md`
+- `docs/modules/telemetry/architecture.md`
+- `src/Provenance/StellaOps.Provenance.Attestation`