sprints and audit work

src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionDsseSigner.cs

@@ -0,0 +1,34 @@
+using StellaOps.Attestor.Envelope;
+
+namespace StellaOps.Scanner.Reachability.Witnesses;
+
+/// <summary>
+/// Service for creating and verifying DSSE-signed suppression witness envelopes.
+/// Sprint: SPRINT_20260106_001_002 (SUP-014)
+/// </summary>
+public interface ISuppressionDsseSigner
+{
+    /// <summary>
+    /// Signs a suppression witness and wraps it in a DSSE envelope.
+    /// </summary>
+    /// <param name="witness">The suppression witness to sign.</param>
+    /// <param name="signingKey">The key to sign with.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Result containing the signed DSSE envelope.</returns>
+    SuppressionDsseResult SignWitness(
+        SuppressionWitness witness,
+        EnvelopeKey signingKey,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Verifies a DSSE-signed suppression witness envelope.
+    /// </summary>
+    /// <param name="envelope">The DSSE envelope to verify.</param>
+    /// <param name="publicKey">The public key to verify with.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>Result containing the verified witness.</returns>
+    SuppressionVerifyResult VerifyWitness(
+        DsseEnvelope envelope,
+        EnvelopeKey publicKey,
+        CancellationToken cancellationToken = default);
+}