# Authority CI/CD Timestamping

This document describes the CI/CD timestamping orchestration added in Sprint `SPRINT_20260208_025_Authority_rfc_3161_tsa_client_for_ci_cd_timestamping`.

## Scope

- Automatically request RFC-3161 timestamps for pipeline artifacts (SBOMs, attestations, logs, or other digest-addressed artifacts).
- Persist deterministic artifact-to-token mappings for replay, lookup, and audit.
- Support pipeline-scoped and environment-scoped timestamp policies without requiring network access in tests.

## Implementation

- Orchestration service:
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/CiCdTimestampingService.cs`
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/ICiCdTimestampingService.cs`
- Artifact timestamp registry:
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/IArtifactTimestampRegistry.cs`
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/InMemoryArtifactTimestampRegistry.cs`
- Policy models:
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/PipelineTimestampingPolicyOptions.cs`
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/CiCdTimestampingModels.cs`
- DI registration:
  - `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimestampingServiceCollectionExtensions.cs`

## Policy behavior

- `DefaultPolicy` applies when no pipeline override exists.
- `Pipelines[]` overrides the default policy.
- `Pipelines[].Environments[]` overrides the pipeline policy.
- Core controls:
  - `Enabled`
  - `RequiredSuccessCount`
  - `MaxAttemptsPerArtifact`
  - `RequireDistinctProviders`
  - `IncludeNonce`
  - `CertificateRequired`
  - `HashAlgorithm`
  - `PolicyOid`

## Determinism and offline posture

- Artifact processing is deterministic: artifacts are sorted by digest and type before orchestration.
- Digest normalization is deterministic (`algo:hex-lowercase`).
- Nonce generation is deterministic when `IncludeNonce=true` (derived from pipeline/artifact identity and attempt index).
- Tests use in-memory fakes only and run without network access.

## Test coverage

- `src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/CiCdTimestampingServiceTests.cs`
- `src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/InMemoryArtifactTimestampRegistryTests.cs`

Validation command used:

- `dotnet test src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/StellaOps.Authority.Timestamping.Tests.csproj --no-restore -p:BuildProjectReferences=false -v minimal`
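
The three determinism rules under "Determinism and offline posture" (digest normalization, ordering by digest and type, nonce derivation) are sketched below as an added example. It is not code from this repository: `Artifact`, `DeterminismSketch`, the `build-main` pipeline id and the SHA-256-based nonce derivation are all assumptions made for illustration, and it targets .NET 5 or later.

```csharp
// Added illustration; all type and member names are hypothetical, not StellaOps APIs.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public sealed record Artifact(string Digest, string Type);

public static class DeterminismSketch
{
    // Normalize "SHA256:BEEF" to "sha256:beef" (algo:hex-lowercase); reject anything else.
    public static string NormalizeDigest(string digest)
    {
        var parts = digest.Trim().Split(':', 2);
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
            throw new FormatException($"Expected 'algo:hex', got '{digest}'.");
        var hex = parts[1].ToLowerInvariant();
        if (hex.Length % 2 != 0 || !hex.All(Uri.IsHexDigit))
            throw new FormatException($"Digest value is not valid hex: '{digest}'.");
        return $"{parts[0].ToLowerInvariant()}:{hex}";
    }

    // Sort by normalized digest, then type. Ordinal comparison keeps the order
    // independent of the host culture, so every runner processes the same sequence.
    public static IReadOnlyList<Artifact> Order(IEnumerable<Artifact> artifacts) => artifacts
        .Select(a => a with { Digest = NormalizeDigest(a.Digest) })
        .OrderBy(a => a.Digest, StringComparer.Ordinal)
        .ThenBy(a => a.Type, StringComparer.Ordinal)
        .ToList();

    // Assumed derivation: first 8 bytes of SHA-256 over newline-separated identity fields.
    public static byte[] DeriveNonce(string pipelineId, Artifact artifact, int attempt)
    {
        var input = string.Join('\n', pipelineId, artifact.Digest, artifact.Type,
            attempt.ToString(CultureInfo.InvariantCulture));
        return SHA256.HashData(Encoding.UTF8.GetBytes(input)).AsSpan(0, 8).ToArray();
    }

    public static void Main()
    {
        // Constructed sample artifacts; the digests are shortened placeholders.
        var input = new[] { new Artifact("SHA256:BEEF", "sbom"), new Artifact("sha256:00ff", "attestation") };
        foreach (var a in Order(input))
            Console.WriteLine($"{a.Digest} {a.Type} nonce={Convert.ToHexString(DeriveNonce("build-main", a, 0))}");
    }
}
```

Because the attempt index is part of the nonce input, each retry of an artifact gets a different nonce, while re-running the same attempt reproduces the same request.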