# Evidence Locker Attestation Scope Note (v1) — 2025-11-19 ## Scope & Coverage - Predicates: `in-toto Provenance` (DSSE-wrapped) with claims for bundle inputs, normalization pipeline version, tenant scope, and content hashes; optional `Rekor` transparency pointer when online. - Artefacts covered: Evidence Bundle v1 payloads (observations, linksets, normalization diffs) and mirror bundle manifest hash when present. - Tenancy: tenant-id is lowercased, required, and included in subject, claims, and DSSE `_type` to keep air-gap parity. - Transparency: if Rekor unavailable (air-gap), include `transparency.skip_reason` = `offline` and signed local timeline anchor. ## Required claims (PromotionAttestationBuilder input) - `subject.digest` (sha256 of bundle tar) and `subject.name` (bundle_id). - `bundle.created` (UTC RFC3339) and `bundle.version` (semantic). - `pipeline.version` (build ID or git SHA) and `pipeline.inputs` (hashes of observation/linkset payloads). - `tenant` (lowercase) and `scope` (advisory | vex | policy | mixed). - `evidence_bundle` (path/doi) and `transparency` (rekor UUID or skip reason). - `aoc.guardrails` (boolean) and `aoc.details` (list of enforced checks). ## Example builder payload ```json { "subject": {"name": "evidence-bundle-m0", "digest": "sha256:REPLACE"}, "bundle": {"id": "evidence-bundle-m0", "version": "1.0.0", "created": "2025-11-19T00:00:00Z"}, "pipeline": {"version": "git:abcd1234", "inputs": ["sha256:payload-hash-1", "sha256:payload-hash-2"]}, "tenant": "demo", "scope": "vex", "evidence_bundle": "out/evidence/bundles/evidence-bundle-m0.tar.gz", "transparency": {"rekor_uuid": null, "skip_reason": "offline"}, "aoc": {"guardrails": true, "details": ["schema:frozen:1.0", "limits:chunk:max=2000"]} } ``` ## Placement - File: `docs/modules/evidence-locker/attestation-scope-note.md` (this document). - Reference in Evidence Bundle changelog and sprint `Execution Log` when updated. ## Next steps - Swap placeholder digest values with real bundle hash after MIRROR-CRT-56-001 emits artefact. - Attach this note to Concelier/Excititor attestation tasks (CONCELIER-ATTEST-73-001/002, EXCITITOR-ATTEST-73-001/002).