git.stella-ops.org/docs/modules/attestor/payloads.md

# Attestor Payloads (DOCS-ATTEST-73-002)

Schemas/examples for attestations handled by Attestor.

## DSSE payload
```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{"name": "sha256:...", "digest": {"sha256": "..."}}],
  "predicateType": "stella.ops/vexObservation@v1",
  "predicate": {
    "observationId": "vex:obs:sha256:...",
    "tenant": "default",
    "providerId": "ubuntu-csaf",
    "createdAt": "2025-11-23T23:10:00Z"
  }
}
```

## Evidence links
- Each payload references evidence hashes (VEX observations/linksets) and optional timeline event IDs.
- Keep payloads aggregation-only; no verdict fields.

## Hashing/signing
- Canonicalize JSON (RFC 8785) before signing.
- Use SHA-256 digests; include in envelope metadata.

## Examples
- Place sample payloads in `docs/samples/attestor/payloads/` (add when available).