# Evidence-First Security with DSSE Envelopes

## Module
Attestor

## Status
VERIFIED

## Description
All security findings are wrapped in DSSE envelopes; SmartDiff results are attested as delta verdicts and published to OCI registries.

## Implementation Details
- **DSSE Envelope Signing**: Multiple signing layers across Attestor:
  - `src/Attestor/StellaOps.Attestor.Envelope/EnvelopeSignatureService.cs` -- core envelope signing
  - `__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` -- proof chain signing
  - `StellaOps.Attestor.Core/Signing/DsseSigningService.cs` -- core attestation signing
- **Delta Verdict Attestation**: `Predicates/DeltaVerdictPredicate.cs` -- delta verdict wrapped in DSSE. `Statements/DeltaVerdictStatement.cs` -- in-toto statement.
- **OCI Publication**: `src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/` -- `IOciAttestationAttacher.cs`, `OrasAttestationAttacher.cs` -- attaches DSSE-signed attestations to OCI images. `ISbomOciPublisher.cs`, `SbomOciPublisher.cs` -- publishes SBOMs to OCI.
- **Trust Verdict OCI**: `__Libraries/StellaOps.Attestor.TrustVerdict/Oci/TrustVerdictOciAttacher.cs` (with `.Attach`, `.FetchList`) -- attaches trust verdicts to OCI artifacts.
- **Evidence Predicate**: `Predicates/EvidencePredicate.cs` -- wraps security evidence in attestable predicate.
- **Smart Diff**: `__Tests/StellaOps.Attestor.Types.Tests/SmartDiffSchemaValidationTests.cs` -- validates smart diff schema.
- **Tests**: `__Tests/StellaOps.Attestor.Oci.Tests/OrasAttestationAttacherTests.cs`, `SbomOciPublisherTests.cs`

## E2E Test Plan
- [ ] Wrap a security finding in a DSSE envelope via `ProofChainSigner` and verify the evidence predicate is signed
- [ ] Create a delta verdict from SmartDiff results and sign it as a DSSE envelope
- [ ] Publish the signed delta verdict to an OCI registry via `OrasAttestationAttacher` and verify it is attached as a referrer
- [ ] Publish an SBOM to OCI via `SbomOciPublisher` and verify the DSSE signature is attached
- [ ] Attach a trust verdict to an OCI image via `TrustVerdictOciAttacher` and verify the referrer list includes it
- [ ] Fetch the list of attestations for an OCI image via `TrustVerdictOciAttacher.FetchList` and verify all attached attestations are returned
- [ ] Verify a retrieved DSSE envelope from OCI validates correctly

## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
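
The last E2E test-plan item (validating a retrieved DSSE envelope) comes down to recomputing the DSSE pre-authentication encoding (PAE) and checking the signature over it. The sketch below is an added example, not the Attestor code: all function names, the key, the subject and the predicate type are constructed placeholders, and HMAC-SHA256 stands in for whatever signing key the real signer uses.

```python
import base64
import hashlib
import hmac
import json

IN_TOTO_TYPE = "application/vnd.in-toto+json"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a signer signs."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %b %d %b" % (len(t), t, len(payload), payload)

def sign(payload_type, payload, key_id, key):
    # Assumption: HMAC-SHA256 stands in for the real signing key.
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {"payloadType": payload_type,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": key_id,
                            "sig": base64.b64encode(sig).decode()}]}

def verify(envelope, trusted_keys, expected_type):
    """Return the payload bytes if a trusted key signed it, else None."""
    try:
        if envelope["payloadType"] != expected_type:
            return None  # refuse payload types the caller did not ask for
        payload = base64.b64decode(envelope["payload"], validate=True)
        signed = pae(envelope["payloadType"], payload)
        for s in envelope["signatures"]:
            key = trusted_keys.get(s.get("keyid"))
            if key is None:
                continue  # signature from a key we do not trust
            want = hmac.new(key, signed, hashlib.sha256).digest()
            if hmac.compare_digest(want, base64.b64decode(s["sig"], validate=True)):
                return payload
    except (KeyError, TypeError, ValueError, AttributeError):
        pass  # malformed envelope: fail closed
    return None

# Constructed sample: placeholder subject, digest and predicate type.
KEY_ID, KEY = "constructed-key-1", b"constructed-demo-secret"
STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "0" * 64}}],
    "predicateType": "https://example.invalid/delta-verdict/v1",
    "predicate": {"note": "constructed"},
}, sort_keys=True).encode("utf-8")
ENVELOPE = sign(IN_TOTO_TYPE, STATEMENT, KEY_ID, KEY)

if __name__ == "__main__":
    print(verify(ENVELOPE, {KEY_ID: KEY}, IN_TOTO_TYPE) == STATEMENT)
```

Because the signature covers the PAE rather than the raw payload, changing either `payloadType` or `payload` after signing makes `verify` return `None`.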