# PROV-OBS-53-001 draft: provenance observers for mirror bundles

Goal: allow downstream services to verify mirror bundle manifests and tarballs using published hashes and (when available) DSSE/TUF signatures.

## Inputs

- Manifest: `out/mirror/thin/mirror-thin-v1.manifest.json`
- Tarball: `out/mirror/thin/mirror-thin-v1.tar.gz`
- Hashes: `.sha256` files adjacent to artefacts
- (Future) DSSE envelope + TUF metadata under `out/mirror/thin/tuf/`

## Observer checks (draft)

1) Hash verification: recompute SHA256 for manifest and tarball; compare to `.sha256` files.
2) Schema check: ensure manifest fields `version`, `created`, `layers[]`, `indexes[]` exist; all digests are `sha256:`.
3) Determinism: verify tar entry order matches manifest order and tar headers are owner=0:0, mtime=0, sorted paths.
4) Optional DSSE: once available, verify DSSE envelope signature over manifest using `mirror-ed25519-test-1` public key.
5) Optional TUF: once available, verify `timestamp.json` -> `snapshot.json` -> `targets.json` -> artefact hashes.

## Implementation notes

- These checks can be implemented as a small CLI (Go/C#/Python). For now, reference artefacts live in `out/mirror/thin/` for test runners.
- Determinism probe: `tar --list --utc --full-time -vvf mirror-thin-v1.tar.gz` should show epoch mtimes and sorted entries.
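
Observer checks 1 to 3, sketched in Python as an added example (not the project's own code). It assumes each hash file is named `<artefact>.sha256` with the hex digest as its first token, and that `layers[]`/`indexes[]` entries are digest strings or objects with a `digest` key; the manifest-order comparison is left out because the entry layout is not defined here, and `build_sample` creates a constructed bundle, not the real artefacts.

```python
import hashlib, io, tarfile, tempfile
from pathlib import Path

REQUIRED = ("version", "created", "layers", "indexes")

def check_hash(artefact: Path) -> bool:
    # Check 1. Assumption: hash file is <artefact>.sha256, first token is the hex digest.
    expected = Path(str(artefact) + ".sha256").read_text().split()[0].lower()
    return hashlib.sha256(artefact.read_bytes()).hexdigest() == expected

def check_schema(manifest: dict) -> list:
    # Check 2. Assumption: entries are digest strings or objects with a "digest" key.
    errors = [f"missing field: {k}" for k in REQUIRED if k not in manifest]
    for key in ("layers", "indexes"):
        for i, entry in enumerate(manifest.get(key, [])):
            digest = entry.get("digest", "") if isinstance(entry, dict) else entry
            if not str(digest).startswith("sha256:"):
                errors.append(f"{key}[{i}]: digest is not sha256:")
    return errors

def check_tar(tar_path: Path) -> list:
    # Check 3 (headers and ordering): owner 0:0, mtime 0, paths sorted.
    errors, names = [], []
    with tarfile.open(tar_path, "r:gz") as tf:
        for m in tf:
            names.append(m.name)
            if (m.uid, m.gid, m.mtime) != (0, 0, 0):
                errors.append(f"{m.name}: owner={m.uid}:{m.gid} mtime={m.mtime}")
    if names != sorted(names):
        errors.append("entries are not sorted by path")
    return errors

def build_sample(root: Path, mtime: int = 0) -> Path:
    # Constructed sample bundle with its adjacent .sha256 file (not mirror-thin-v1).
    tar_path = root / "sample.tar.gz"
    with tarfile.open(tar_path, "w:gz") as tf:
        for name in ("a.json", "b.json"):
            info = tarfile.TarInfo(name)  # TarInfo defaults to uid=gid=0
            info.size, info.mtime = 2, mtime
            tf.addfile(info, io.BytesIO(b"{}"))
    digest = hashlib.sha256(tar_path.read_bytes()).hexdigest()
    Path(str(tar_path) + ".sha256").write_text(f"{digest}  sample.tar.gz\n")
    return tar_path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = build_sample(Path(d))
        print(check_hash(sample), check_tar(sample))
```

The gzip container has its own header timestamp, which the tar header checks above do not inspect.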