# Rekor Receipt Remediation · RR1–RR10 (Authority/Attestor/Sbomer)

Source: `docs/product-advisories/31-Nov-2025 FINDINGS.md` (RR1–RR10). Scope is the Rekor receipt schema/catalog and the offline verification path consumed by Authority, Sbomer and Attestor.

## Deliverables & Evidence Map

| ID | Requirement | Deliverable | Evidence & location |
| --- | --- | --- | --- |
| RR1 | DSSE/hashedrekord only | Policy flag `rk1_enforceDsse=true` and routing to hashedrekord recorded in mirror/receipt policy. | `gaps/artifacts/rekor-receipt-policy.v1.json` (+ DSSE). |
| RR2 | Payload size preflight + chunks | `rk2_payloadMaxBytes=1048576` with chunk guidance; embed in policy. | Same policy JSON (rk2 fields) + example `transport-plan` snippet. |
| RR3 | Public/private routing | `rk3_routing` map per shard/tenant documented. | Policy JSON. |
| RR4 | Shard-aware checkpoints | `rk4_shardCheckpoint="per-tenant-per-day"` + freshness fields. | Policy JSON + checklist section. |
| RR5 | Idempotent submission keys | `rk5_idempotentKeys=true`; include sample request header/claim mapping. | Policy JSON + doc section. |
| RR6 | Sigstore bundles in kits | `rk6_sigstoreBundleIncluded=true` + bundle manifest entry for receipts. | Policy JSON + bundle manifest path `gaps/artifacts/rekor-receipt-bundle.v1.json`. |
| RR7 | Checkpoint freshness bounds | `rk7_checkpointFreshnessSeconds` aligned with mirror/transport budgets. | Policy JSON + metrics note. |
| RR8 | PQ dual-sign options | `rk8_pqDualSign` toggle captured with allowed algorithms. | Policy JSON + crypto profile reference. |
| RR9 | Error taxonomy/backoff | `rk9_errorTaxonomy` and retry rules; deterministic table. | `gaps/rekor-receipt-error-taxonomy.md`. |
| RR10 | Policy/graph annotations | `rk10_annotations` fields for policy hash + graph context inside receipts. | Policy JSON + schema doc. |

## Schema & bundle layout

- Receipt schema: `gaps/artifacts/rekor-receipt.schema.json` (includes required fields: tlog URL/key, checkpoint, inclusion proof, bundle hash, policy hash, client version/flags, TSA/Fulcio chain, mirror metadata, repro inputs hash).
- Bundle manifest: `gaps/artifacts/rekor-receipt-bundle.v1.json` referencing schema, policy, transport plan, and sample receipts; DSSE envelope `rekor-receipt-bundle.v1.sigstore.json` when signed.
- Hash index: `docs/modules/authority/gaps/SHA256SUMS` collects schema/policy/bundle hashes and (once signed) DSSE bundle hashes.

## Action Plan

1) Draft `rekor-receipt-policy.v1.json` with rk1–rk10 flags and shard/routing/size constraints; keep keys sorted.
2) Author schema `rekor-receipt.schema.json` with canonical field order and an example; ensure the inclusion proof and policy hash fields are mandatory.
3) Add error taxonomy markdown `rekor-receipt-error-taxonomy.md` with a deterministic table (code, classification, retry policy).
4) Define bundle manifest `rekor-receipt-bundle.v1.json` (hashes will be appended to SHA256SUMS once generated) and note the DSSE envelope requirement.
5) Mirror status in sprint `SPRINT_0314_0001_0001_docs_modules_authority.md` (REKOR-RECEIPT-GAPS-314-005) and Authority TASKS.

## Determinism & offline

- Use `sha256sum` over normalized JSON and markdown; store in `gaps/SHA256SUMS`.
- No network dependencies; examples should reference local bundle paths.
- Signing to follow the Authority key once available; until then envelopes remain TODO but paths are fixed.
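The following is an added example, not code from this repository or the Authority/Attestor/Sbomer modules. It shows what an offline receipt preflight against the rk1/rk2/rk7 flags from the table looks like, checks that a receipt carries the fields the schema section lists as required, and computes the `sha256sum`-compatible digest over normalized (key-sorted, whitespace-free) JSON that the Determinism section calls for. The policy values, receipt field names other than the `rk*` flags, and both sample receipts are constructed assumptions, not the project's actual schema or artifacts.

```python
"""Offline Rekor receipt preflight and canonical hashing (added example).

Assumptions (not from the project): receipt field names such as `entryKind`,
`payloadBytes` and `checkpoint.timestamp`, and the sample policy/receipts.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed policy fragment carrying the rk1/rk2/rk7 flags named in the table.
POLICY = {
    "rk1_enforceDsse": True,
    "rk2_payloadMaxBytes": 1048576,
    "rk7_checkpointFreshnessSeconds": 86400,
}

# Assumed spelling of the mandatory fields listed under "Schema & bundle layout".
REQUIRED_FIELDS = (
    "tlogUrl", "tlogPublicKey", "checkpoint", "inclusionProof",
    "bundleHash", "policyHash", "clientVersion", "mirror", "reproInputsHash",
)

# rk1: only DSSE or hashedrekord entries are accepted.
ALLOWED_KINDS = ("dsse", "hashedrekord")

# Fixed clock so the example is deterministic and needs no network or wall time.
NOW = datetime(2025, 11, 30, 12, 0, tzinfo=timezone.utc)

# Constructed receipts: one compliant, one violating every checked rule.
GOOD_RECEIPT = {
    "entryKind": "dsse",
    "payloadBytes": 4096,
    "tlogUrl": "https://rekor.example.invalid",
    "tlogPublicKey": "constructed-public-key",
    "checkpoint": {"origin": "tenant-a/2025-11-30", "timestamp": "2025-11-30T10:00:00+00:00"},
    "inclusionProof": {"logIndex": 42, "hashes": []},
    "bundleHash": "sha256:" + "0" * 64,
    "policyHash": "sha256:" + "1" * 64,
    "clientVersion": "0.0.0-constructed",
    "mirror": {"name": "mirror-a"},
    "reproInputsHash": "sha256:" + "2" * 64,
}
BAD_RECEIPT = {
    "entryKind": "intoto",              # not DSSE/hashedrekord
    "payloadBytes": 3 * 1048576,        # three times the rk2 limit
    "checkpoint": {"timestamp": "2025-11-28T10:00:00+00:00"},  # 50 h old
}


def canonical_bytes(obj) -> bytes:
    """Normalized JSON: sorted keys, compact separators, trailing newline so the
    digest equals `sha256sum` run over the file stored on disk in that form."""
    text = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return (text + "\n").encode("utf-8")


def sha256sums_line(obj, path: str) -> str:
    """One entry in the `sha256sum` text format used by gaps/SHA256SUMS."""
    return f"{hashlib.sha256(canonical_bytes(obj)).hexdigest()}  {path}"


def preflight(receipt: Dict, policy: Dict, now: datetime) -> List[str]:
    """Return the list of violations; an empty list means the receipt passes."""
    problems: List[str] = []

    missing = [f for f in REQUIRED_FIELDS if f not in receipt]
    if missing:
        problems.append("schema: missing required fields: " + ", ".join(missing))

    kind = receipt.get("entryKind")
    if policy.get("rk1_enforceDsse") and kind not in ALLOWED_KINDS:
        problems.append(f"rk1: entry kind {kind!r} not in {ALLOWED_KINDS}")

    # rk2: size preflight before submission; oversize payloads must be chunked.
    size = receipt.get("payloadBytes", 0)
    limit = policy["rk2_payloadMaxBytes"]
    if size > limit:
        chunks = -(-size // limit)  # ceiling division without floats
        problems.append(f"rk2: payload {size} B exceeds {limit} B; split into {chunks} parts")

    # rk7: the checkpoint must be fresher than the configured bound.
    checkpoint = receipt.get("checkpoint")
    if checkpoint and "timestamp" in checkpoint:
        age = (now - datetime.fromisoformat(checkpoint["timestamp"])).total_seconds()
        bound = policy["rk7_checkpointFreshnessSeconds"]
        if age > bound:
            problems.append(f"rk7: checkpoint age {int(age)} s exceeds {bound} s")
    return problems


if __name__ == "__main__":
    for name, receipt in (("good", GOOD_RECEIPT), ("bad", BAD_RECEIPT)):
        print(name, preflight(receipt, POLICY, NOW) or "OK")
    print(sha256sums_line(POLICY, "gaps/artifacts/rekor-receipt-policy.v1.json"))
```

The canonical form matters for the determinism requirement: two policy files with the same keys in different order hash identically, so a regenerated artifact only changes its `SHA256SUMS` entry when its content changes. The chunk count reported under rk2 is the value the `transport-plan` snippet would carry for an oversize payload.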