stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

consolidation of some of the modules, localization fixes, product advisories work, qa work

Browse Source
This commit is contained in:
master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
docs/modules/provenance/README.md
View File

@@ -1,51 +1,20 @@
# Provenance
# StellaOps Provenance (Relocated)
> Provenance attestation library for SLSA/DSSE compliance.
> **Sprint 204 (2026-03-04):** The Provenance module source has been consolidated under the Attestor trust domain.
> Source code is now at `src/Attestor/StellaOps.Provenance.Attestation/` and `src/Attestor/StellaOps.Provenance.Attestation.Tool/`.
> Architecture documentation is now in the [Attestor architecture dossier](../attestor/architecture.md#trust-domain-model-sprint-204----2026-03-04).
> Archived standalone docs are in `docs-archived/modules/provenance/`.
## Purpose
## Purpose (unchanged)
Provenance provides deterministic, verifiable provenance attestations for all StellaOps artifacts. It enables SLSA compliance through DSSE statement generation, Merkle tree construction, and cryptographic verification.
Provenance is a **library** (not a standalone service) that provides deterministic, verifiable provenance attestations for all StellaOps artifacts. It enables SLSA compliance through DSSE statement generation, Merkle tree construction, and cryptographic verification.
## Quick Links
## Note on StellaOps.Provenance (shared library)
- [Architecture](./architecture.md) - Technical design and implementation details
- [Guides](./guides/) - Attestation generation guides
The `src/__Libraries/StellaOps.Provenance/` library is a separate, lower-level provenance data model used by Concelier and other consumers. It was NOT moved by Sprint 204 and remains at its original location.
## Status
## Why the move
| Attribute | Value |
|-----------|-------|
| **Maturity** | Production |
| **Last Reviewed** | 2025-12-29 |
| **Maintainer** | Security Guild |
Provenance attestation libraries are consumed primarily by the Attestor trust domain (proofchain, evidence packs, verification). Consolidating source ownership under `src/Attestor/` clarifies trust-boundary responsibilities.
## Key Features
- **DSSE Statement Generation**: Build provenance attestations per DSSE spec
- **SLSA Compliance**: Support for SLSA build predicates
- **Merkle Tree Construction**: Content-addressed integrity verification
- **Promotion Attestations**: Track artifact promotions across environments
- **Verification Harness**: Validate attestation chains
## Dependencies
### Upstream (this module depends on)
- **Signer/KMS** - Key management for signing (delegated)
### Downstream (modules that depend on this)
- **Attestor** - Stores generated attestations
- **EvidenceLocker** - Evidence bundle attestations
- **ExportCenter** - Export attestations
## Notes
Provenance is a **library**, not a standalone service. It does not:
- Store attestations (handled by Attestor and EvidenceLocker)
- Hold signing keys (delegated to Signer/KMS)
All attestation outputs are deterministic with canonical JSON serialization.
## Related Documentation
- [Attestor Architecture](../attestor/architecture.md)
- [DSSE Specification](../../security/trust-and-signing.md)
See the [Trust Domain Model](../attestor/architecture.md#trust-domain-model-sprint-204----2026-03-04) for details.