Restructure solution layout by module

src/Provenance/StellaOps.Provenance.Attestation/AGENTS.md

@@ -0,0 +1,20 @@
+# StellaOps Provenance & Attestation Guild Charter
+
+## Mission
+Provide shared libraries and tooling for generating, signing, and verifying provenance attestations (DSSE/SLSA) used by evidence bundles, exports, and timeline verification flows.
+
+## Scope
+- DSSE statement builders with Merkle and digest utilities.
+- Signer/validator abstractions for KMS, cosign, offline keys.
+- Provenance schema definitions reused across services and CLI.
+- Verification harnesses for evidence locker and export center integrations.
+
+## Collaboration
+- Partner with Evidence Locker, Exporter, Orchestrator, and CLI guilds for integration.
+- Coordinate with Security Guild on key management policies and rotation logs.
+- Ensure docs in `/docs/forensics/provenance-attestation.md` stay aligned with implementation.
+
+## Definition of Done
+- Libraries ship with deterministic serialization tests.
+- Threat model reviewed before each release.
+- Sample statements and verification scripts committed under `samples/provenance/`.

src/Provenance/StellaOps.Provenance.Attestation/TASKS.md

@@ -0,0 +1,13 @@
+# Provenance & Attestation Task Board — Epic 15: Observability & Forensics
+
+## Sprint 53 – Evidence Bundle Foundations
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| PROV-OBS-53-001 | TODO | Provenance Guild | TELEMETRY-OBS-50-001 | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, and deterministic hashing tests. Publish sample statements for orchestrator/job/export subjects. | Models serialized deterministically; test vectors stored under `samples/provenance/`; compliance checklist recorded. |
+| PROV-OBS-53-002 | TODO | Provenance Guild, Security Guild | PROV-OBS-53-001 | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. | Signer abstraction delivers DSSE envelopes; rotation docs updated; tests cover key expiry + claim enforcement. |
+
+## Sprint 54 – Verification Tooling
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| PROV-OBS-54-001 | TODO | Provenance Guild, Evidence Locker Guild | PROV-OBS-53-002, EVID-OBS-53-001 | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody, exposing reusable CLI/service APIs. Include negative-case fixtures and offline timestamp verification. | Verification API integrated into evidence locker; tests cover success/failure; timestamp (RFC3161) optional hook documented. |
+| PROV-OBS-54-002 | TODO | Provenance Guild, DevEx/CLI Guild | PROV-OBS-54-001, CLI-FORENSICS-54-001 | Generate .NET global tool for local verification + embed command helpers for CLI `stella forensic verify`. Provide deterministic packaging and offline kit instructions. | Tool published to `local-nuget`; CLI integration tests pass; offline instructions documented. |