# Provenance and transparency

Inline provenance captures DSSE and ledger metadata alongside event records so
replay and audits can verify evidence without external lookups.

Inline DSSE fields (summary)
- envelope digest and payload type
- key id, issuer, algorithm
- optional Rekor log index and uuid
- trust block with verifier and verified flag

Write flow
- CI publishes DSSE and ledger metadata.
- Authority verifies signatures and records trust results.
- Events store provenance and trust fields inline.

Backfill and verification
- Backfill service resolves attestations for older events.
- Queries detect missing or unverified provenance.

Indexes and queries
- Index by subject digest, kind, and rekor log index.
- Query for unproven events to close compliance gaps.

UI and policy usage
- UI shows provenance chips and filters.
- Policy gates can block decisions without verified provenance.

Related references
- docs/provenance/inline-dsse.md
- docs/forensics/provenance-attestation.md
- docs/modules/attestor/architecture.md