up

docs/release/promotion-attestations.md

@@ -1,6 +1,6 @@
 # Promotion-Time Attestations for Stella Ops
 
-> **Status:** Draft – sprint 186/202/203 coordination  
+> **Status:** Stable (2025-11)  
 > **Owners:** Signing Guild · Provenance Guild · DevEx/CLI Guild · Export Center Guild
 
 ## 1. Purpose
@@ -24,7 +24,9 @@ Capture the full promotion-time evidence – image digest, SBOM/VEX artifacts, R
     "to": "prod",
     "actor": "ci/gitlab-runner",
     "timestamp": "2025-11-10T12:34:56Z",
-    "pipeline": "https://git.example.com/acme/api/-/pipelines/12345"
+    "pipeline": "https://git.example.com/acme/api/-/pipelines/12345",
+    "ticket": "JIRA-1234",
+    "notes": "risk accepted by ops"
   },
   "rekor": {
     "uuid": "REKOR_ENTRY_UUID",
@@ -40,6 +42,10 @@ Capture the full promotion-time evidence – image digest, SBOM/VEX artifacts, R
         "signedNote": "BASE64_NOTE"
       }
     }
+  },
+  "attestation": {
+    "bundle_sha256": "sha256:…",   
+    "witness": "optional-transparency-witness-signature"
   }
 }
 ```
@@ -57,6 +63,7 @@ The Provenance Guild implements the predicate builder (task `PROV-OBS-53-003`).
 5. Build `attestation.json` using the template above and current promotion metadata.
 6. Call Signer to produce a DSSE bundle (`cosign attest` or `stella promotion attest`).
 7. Store the bundle alongside `attestation.json` and add both to Offline/Replay kits.
+8. Emit Timeline + Evidence Locker entries with bundle digest.
 
 ### 3.2 Signer responsibilities (`SIGN-CORE-186-004/005/006`)
 
@@ -106,6 +113,6 @@ Artifacts are content-addressed via CAS and mirrored into Offline kits (`docs/re
 | CLI commands | `CLI-PROMO-70-001/002` | TODO |
 | Authority verifier | `AUTH-VERIFY-186-007` | TODO |
 | Export packaging | `EXPORT-OBS-54-002` | TODO |
-| Documentation | `DOCS-PROMO-70-001` | TODO |
+| Documentation | `DOCS-PROMO-70-001` | DONE (2025-11-26) |
 
 When all tasks are completed this document should be updated with status links and sample payloads.

docs/release/templates/determinism-score.md

@@ -0,0 +1,8 @@
+# Release Notes snippet — Scanner Determinism
+
+- **Determinism score:** {{overall_score}} (threshold {{overall_min}}); per-image summary:
+  - {{image_digest}} → score {{score}} ({{identical}}/{{runs}} identical)
+  - {{next_image_digest}} → score {{score}} ({{identical}}/{{runs}} identical)
+- **Inputs:** policy {{policy_sha}}, feeds {{feeds_sha}}, scanner {{scanner_sha}}, platform {{platform}}.
+- **Evidence:** attached `determinism.json` + artefact hashes (DSSE-signed, offline-ready).
+- **Actions:** rerun harness with `stella detscore run --bundle determinism.json` if score < threshold; block promotion until pass.