git.stella-ops.org/docs/policy/auth-signals-lib-115.md

# POLICY-AUTH-SIGNALS-LIB-115 · Shared P/A/S contracts (draft v0.1)

Purpose: deliver shared models/schemas for Policy, Authority, and Signals so Concelier/Excititor consumers can bind without merge logic.

## Core models (C#-friendly, JSON schema inline)
- `PolicyAuthSignal`:
  - `id` (string, required) — stable identifier (ULID preferred)
  - `tenant` (string, required)
  - `subject` (string, required) — e.g., `purl`, `sbom://`, `service://`
  - `signal_type` (string, enum: `reachability`, `attestation`, `risk`, `vex`)
  - `source` (string, required) — producer service
  - `confidence` (float?, optional)
  - `evidence` (array of `EvidenceRef`)
  - `created` (string, UTC ISO-8601, required)
- `EvidenceRef`:
  - `kind` (string, enum: `linkset`, `runtime`, `attestation`, `bundle`)
  - `uri` (string, required) — CAS or storage pointer
  - `digest` (string, sha256, required)
  - `scope` (string) — tenant/scopes
- `Provenance`:
  - `pipeline` (string) — build id
  - `inputs` (array<string>) — hashes of inputs
  - `signer` (string)
  - `transparency` (object: `rekor_uuid` or `skip_reason`)

## JSON schema stub (add-only)
See `schemas/policy-auth-signals-lib-115.json` (to be emitted with the NuGet package).

## Package plan
- Project: `StellaOps.Policy.AuthSignals` (net10.0)
- Deliverables: models, JSON schema, sample fixtures, `PolicyAuthSignalJsonContext` for source generators, deterministic serialization.
- Publish target: `local-nugets/` (version `0.1.0-alpha+draft`), then promote after guild ratification.

## Fixtures (to include in package)
- `fixtures/policy-auth-signal-sample.json`
- `fixtures/policy-auth-signal-reachability.json`
- Schema: `schemas/policy-auth-signals-lib-115.json`

## Status
- NuGet package `StellaOps.Policy.AuthSignals` 0.1.0-alpha built and placed in `local-nugets/` (sha256: `8ab5aa6c0daf5e56e1355d4d6bcaf110a8bc28b28a5ee1970864bcd4b6ba6750`). Awaiting guild ratification to promote beyond alpha.