# DSSE & Policy Hash Linkage (FL6)

**Goal:** Every export, replay report, and anchor manifest is tied to the exact policy digest that produced it and is verifiable offline via DSSE.

## Binding rules
1. **Policy digest:** `policyVersion` (SHA-256 over policy bundle) is mandatory in ledger events, projections, exports, and replay reports.
2. **DSSE payload types**
   - `application/vnd.stella-ledger-export+json` — export manifests (hashlist + filtersHash).
   - `application/vnd.stella-ledger-anchor+json` — Merkle anchors (see `merkle-anchor-policy.md`).
   - `application/vnd.stella-ledger-harness+json` — replay harness report.
3. **Hashlists:** export manifests contain `sha256` for each emitted NDJSON line (`lineDigest`), plus a dataset digest (`datasetSha256`) over concatenated line digests. Replay harness exposes `eventStreamChecksum` and `projectionChecksum`.
4. **Policy linkage:** DSSE payload must include `policyHash` and `schemaVersion` to prevent replay under mismatched policy versions.

## Offline verification flow
1. Verify DSSE signature (local key or Rekor transparency log if online).
2. Recompute dataset checksum with `tools/LedgerReplayHarness/scripts/verify_export.py --input <export.ndjson> --expected <datasetSha256>`.
3. Cross-check `policyHash` in payload matches policy bundle in use; mismatch → block import/export.

## File locations
- Harness DSSE placeholder now embeds `policyHash` when `LEDGER_POLICY_HASH` env var is set.
- Export manifests and checksums: `docs/modules/findings-ledger/golden-checksums.json`.
- External anchors: `docs/modules/findings-ledger/merkle-anchor-policy.md` (DSSE template).
- Set `LEDGER_POLICY_HASH` before running `tools/LedgerReplayHarness` to imprint the policy digest into the generated `.sig` file.

## Change management
- Any change to payloadType or hash recipe bumps schema version in `schema-catalog.md` and requires new DSSE key roll announcement.