# SIGNALS-24-003 · Provenance appendix checklist (v1)

Purpose: unblock provenance enrichment for runtime facts so SIGNALS-24-003 can advance once CAS promotion is approved.

## Required fields (per runtime fact)
- `callgraph_id` (matches CAS manifest id)
- `ingested_at` (UTC ISO-8601), `received_at`
- `tenant`
- `source` (host/service emitting facts)
- `pipeline_version` (git SHA or build ID)
- `provenance_hash` (sha256 of raw fact blob)
- `signer` (key id) and optional `rekor_uuid` or `skip_reason: offline`

## Steps
1) Freeze provenance JSON schema (`provenance.runtime.fact.v1`).
2) Add enrichment stage writing provenance into CAS alongside runtime facts.
3) Emit DSSE attestation per batch of runtime facts; store in CAS.
4) Update `/signals/runtime-facts/ndjson` handler to return `provenance_hash` and `callgraph_id` when available.
5) Add validation tests to ensure add-only evolution and deterministic ordering.

## Deliverables
- Schema file: `docs/signals/provenance-24-003.md` (this file) with field list and invariants.
- Test fixtures: reuse `tests/reachability/corpus/*/vex.openvex.json` provenance anchors; add `provenance_hash` coverage to `ReachabilityLatticeTests` when available.

## Owners
- Signals Guild (implementation)
- Runtime Guild (schema review)
- Authority Guild (signing/attestation)

## Status
- Checklist published 2025-11-19; awaiting schema/signing approval to proceed.