# Signer Guild Task Board (UTC 2025-10-19)

| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SIGNER-API-11-101 | DONE (2025-10-21) | Signer Guild | — | `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing. | ✅ `POST /api/v1/signer/sign/dsse` enforces OpTok audience/scope, DPoP/mTLS binding, PoE introspection, and rejects untrusted scanner digests.<br>✅ Signing pipeline supports keyless (Fulcio) plus optional KMS modes, returning DSSE bundles + cert metadata; deterministic audits persisted.<br>✅ Regression coverage in `SignerEndpointsTests` (`dotnet test src/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj`). |
| SIGNER-REF-11-102 | DONE (2025-10-21) | Signer Guild | — | `/verify/referrers` endpoint with OCI lookup, caching, and policy enforcement. | ✅ `GET /api/v1/signer/verify/referrers` validates trusted scanner digests via release verifier and surfaces signer metadata; JSON responses served deterministically.<br>✅ Integration tests cover trusted/untrusted digests and validation failures (`SignerEndpointsTests`). |
| SIGNER-QUOTA-11-103 | DONE (2025-10-21) | Signer Guild | — | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. | ✅ Quota middleware derives plan limits from PoE claims, applies per-tenant concurrency/QPS/size caps, and surfaces remaining capacity in responses.<br>✅ Unit coverage exercises throttled/artifact-too-large paths via in-memory quota service. |

> Remark (2025-10-19): Wave 0 prerequisites reviewed—none outstanding. SIGNER-API-11-101, SIGNER-REF-11-102, and SIGNER-QUOTA-11-103 moved to DOING for kickoff per EXECPLAN.md.

> Update status columns (TODO / DOING / DONE / BLOCKED) in tandem with code changes and associated tests.