# Signals DSSE Evidence Staging (runtime/signals gaps)

Artifacts prepared 2025-12-01 (UTC) for DSSE signing and Evidence Locker ingest:

- Decay config: `docs/modules/signals/decay/confidence_decay_config.yaml`
- Unknowns scoring manifest: `docs/modules/signals/unknowns/unknowns_scoring_manifest.json`
- Heuristic catalog + schema + fixtures: `docs/modules/signals/heuristics/`
- Checksums: `docs/modules/signals/SHA256SUMS`

Planned Evidence Locker paths (to fill post-signing):
- `evidence-locker/signals/decay/2025-12-01/confidence_decay_config.dsse`
- `evidence-locker/signals/unknowns/2025-12-01/unknowns_scoring_manifest.dsse`
- `evidence-locker/signals/heuristics/2025-12-01/heuristics_catalog.dsse`
- `evidence-locker/signals/heuristics/2025-12-01/fixtures/` (golden inputs/outputs)

Pending steps:
1) Sign each artifact with its predicate:
   - `stella.ops/confidenceDecayConfig@v1`
   - `stella.ops/unknownsScoringManifest@v1`
   - `stella.ops/heuristicCatalog@v1`
   Example (replace KEY):
   ```bash
   cosign sign-blob \
     --key cosign.key \
     --predicate-type stella.ops/confidenceDecayConfig@v1 \
     --output-signature confidence_decay_config.dsse \
     decay/confidence_decay_config.yaml
   ```
2) Attach SHA256 from `SHA256SUMS` in DSSE headers/annotations.
3) Place signed envelopes + checksums in the Evidence Locker paths above; update sprint tracker Delivery Tracker rows 5–7 and Decisions & Risks with the final URIs.
4) Add signer/approver IDs to the sprint Execution Log once signatures are complete.

Notes:
- Use UTC timestamps in DSSE `issuedAt`.
- Ensure offline parity by copying envelopes + SHA256SUMS into the offline kit bundle when ready.