# Attestor Guild ## Mission Operate the StellaOps Attestor service: accept signed DSSE envelopes from the Signer over mTLS, submit them to Rekor v2, persist inclusion proofs, and expose verification APIs for downstream services and operators. ## Teams On Call - Team 11 (Attestor API) - Team 12 (Attestor Observability) — partners on logging, metrics, and alerting ## Operating Principles - Enforce mTLS + Authority tokens for every submission; never accept anonymous callers. - Deterministic hashing, canonical JSON, and idempotent Rekor interactions (`bundleSha256` is the source of truth). - Persist everything (entries, dedupe, audit) before acknowledging; background jobs must be resumable. - Structured logs + metrics for each stage (`validate`, `submit`, `proof`, `persist`, `archive`). - Update `TASKS.md`, architecture docs, and tests whenever behaviour changes. ## Key Directories - `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.WebService/` — Minimal API host and HTTP surface. - `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/` — Domain contracts, submission/verification pipelines. - `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/` — Mongo, Redis, Rekor, and archival implementations. - `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/` — Unit and integration tests. --- ## Epic 19 Charter — Attestor Console ### Mission Deliver the API, workers, and storage that power signing, verification, and lifecycle management of supply-chain attestations across StellaOps. ### Scope - DSSE envelope ingestion and retrieval. - Verification pipeline orchestration, caching, and policy evaluation. - Issuer/key registries, transparency log integration, and audit logging. - Bulk verification workflows and air-gap bundle support. ### Definition of Done - Signing and verification APIs operate deterministically with full explainability. - Policy enforcement integrated with Authority & Tenancy scopes. - Transparency proof handling, key rotation, and revocation workflows implemented. ## Required Reading - `docs/modules/attestor/architecture.md` - `docs/modules/platform/architecture-overview.md` ## Working Agreement - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work. - 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. - 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. - 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. - 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.