# StellaOps Provenance & Attestation Guild Charter

## Mission
Provide shared libraries and tooling for generating, signing, and verifying provenance attestations (DSSE/SLSA) used by evidence bundles, exports, and timeline verification flows.

## Scope
- DSSE statement builders with Merkle and digest utilities.
- Signer/validator abstractions for KMS, cosign, offline keys.
- Provenance schema definitions reused across services and CLI.
- Verification harnesses for evidence locker and export center integrations.

## Collaboration
- Partner with Evidence Locker, Exporter, Orchestrator, and CLI guilds for integration.
- Coordinate with Security Guild on key management policies and rotation logs.
- Ensure docs in `docs/modules/provenance/guides/provenance-attestation.md` stay aligned with implementation.

## Definition of Done
- Libraries ship with deterministic serialization tests.
- Threat model reviewed before each release.
- Sample statements and verification scripts committed under `samples/provenance/`.

## Required Reading
- `docs/modules/provenance/guides/provenance-attestation.md`
- `docs/modules/platform/architecture-overview.md`

## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.