# Risk Bundle Provider Matrix & Signing Baseline

Status: Baseline for Sprint 0164-0001-0001 (RISK-BUNDLE-69/70 chain)

## Provider catalog (deterministic ordering)

| Provider ID | Source feed (offline-ready) | Coverage | Refresh cadence | Signing / integrity | Notes |
| --- | --- | --- | --- | --- | --- |
| cisa-kev | CISA Known Exploited Vulnerabilities JSON | Exploited CVEs with required/known exploited flag | Daily | DSSE signature using ExportCenter signing key; feed hash recorded in `provider-manifest.json` | Mandatory; fails bundle if feed missing or hash mismatch. |
| first-epss | FIRST EPSS CSV snapshot | Probability scores per CVE | Daily | DSSE signature; SHA-256 of snapshot stored in manifest | Optional; omit if snapshot stale >48h unless `allowStale=true`. |
| osv | OpenSSF OSV bulk JSON (per-ecosystem shards) | OSS advisories with affected package ranges | Weekly | DSSE signature; per-shard SHA-256 list | Included only when `includeOsv=true` in job options to keep bundle size constrained. |
| vendor-csaf | CSAF vendor advisories (Red Hat, SUSE, Debian) mirrored via Offline Kit | Vendor-specific CVEs, remediations | Weekly | Detached signature per CSAF document (vendor-provided where available) plus bundle-level DSSE manifest | Requires Offline Kit mirror; missing vendor feeds logged but bundle continues if `allowPartialVendors=true`. |

## Manifest baseline

- Generate `provider-manifest.json` with sorted provider entries. Fields per provider: `{id, source, snapshotDate, sha256, signaturePath, optional}`.
- Store DSSE envelope for `provider-manifest.json` at `signatures/provider-manifest.dsse` (cosign/KMS).
- Include provider digests in `manifests/provenance.json` materials array with URI `risk-provider:///`.

## Signing baseline

- Use Export Center signing path (cosign + Authority KMS) for:
  - `provider-manifest.json` (DSSE)
  - Aggregated `risk-bundle.tar.*` (detached signature `risk-bundle.sig`)
- Vendor-provided signatures (when present) are preserved inside `providers//` and referenced from `provider-manifest.json`.
- Rekor publishing remains optional; default **off** for offline kits (`rekor_publish=false`).

## Validation rules (bundle build)

- Fail build if any mandatory provider (currently `cisa-kev`) is missing or hash mismatch.
- Warn (non-fatal) when optional providers are stale beyond cadence unless `allowStale=true`.
- Deterministic ordering: providers sorted by `id`; files sorted lexicographically inside bundle.
- Record bundle-level inputs hash combining provider SHA-256 values (stable ordering) and include in provenance `materials[]`.

## Verification workflow alignment

- CLI `stella risk bundle verify` must validate:
  - DSSE on `provider-manifest.json`
  - Hash match for each provider snapshot
  - Presence (or allowed absence) per `optional` flag
  - Detached signature on bundle archive (cosign/KMS)
- Offline verification uses bundled public key (`signatures/pubkeys/.pem`).

## Next steps / TODOs

- Add test fixtures: minimal provider snapshots (kev+epss) with fixed hashes for deterministic regression tests.
- Update ExportCenter worker to emit `provider-manifest.json` and DSSE using existing signing pipeline.
- Extend CLI verify command to surface per-provider status (missing/stale/hash mismatch) and exit non-zero on mandatory failures.
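
The hash, presence and ordering checks from "Validation rules (bundle build)" and "Verification workflow alignment", as an added Python sketch that is not the project's own code; DSSE and cosign signature checks are out of scope here. Assumptions: the `inputs_hash` encoding, the status strings, treating a hash mismatch on an optional provider as a failure, and all sample data and paths are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def inputs_hash(providers):
    # Assumed encoding (not defined on the page): one "id:sha256\n" line per
    # provider, joined in id order, then hashed with SHA-256.
    ordered = sorted(providers, key=lambda p: p["id"])
    return sha256_hex("".join(f"{p['id']}:{p['sha256']}\n" for p in ordered).encode())

def verify_providers(providers, snapshots):
    """Check parsed provider-manifest.json entries against snapshot bytes.

    Returns (per-provider status dict, exit code); exit code is non-zero when
    ordering is wrong, a non-optional provider is missing, or any hash differs.
    """
    status, failed = {}, False
    ids = [p["id"] for p in providers]
    if ids != sorted(ids):  # deterministic ordering rule
        status["(manifest)"] = "providers not sorted by id"
        failed = True
    for p in providers:
        data = snapshots.get(p["id"])
        if data is None and p["optional"]:
            status[p["id"]] = "absent (allowed)"
        elif data is None:
            status[p["id"]], failed = "missing", True
        elif sha256_hex(data) != p["sha256"]:
            status[p["id"]], failed = "hash mismatch", True
        else:
            status[p["id"]] = "ok"
    return status, (1 if failed else 0)

# Constructed sample snapshots and manifest entries (not real feed data).
KEV = b'{"vulnerabilities": []}'
EPSS = b"cve,epss\nCVE-0000-0000,0.5\n"
MANIFEST = [
    {"id": "cisa-kev", "source": "kev.json", "snapshotDate": "2025-01-01",
     "sha256": sha256_hex(KEV), "signaturePath": "signatures/kev.sig", "optional": False},
    {"id": "first-epss", "source": "epss.csv", "snapshotDate": "2025-01-01",
     "sha256": sha256_hex(EPSS), "signaturePath": "signatures/epss.sig", "optional": True},
]

if __name__ == "__main__":
    print(verify_providers(MANIFEST, {"cisa-kev": KEV, "first-epss": EPSS}))
    print(verify_providers(MANIFEST, {"cisa-kev": KEV + b" ", "first-epss": EPSS}))
    print("inputs hash:", inputs_hash(MANIFEST))
```

Run the provider checks only after the DSSE envelope on `provider-manifest.json` has verified, since the `sha256` values are trustworthy only if the manifest itself is.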