git.stella-ops.org/docs/forensics/provenance-attestation.md

# Provenance & Attestation Reference

This guide explains how StellaOps generates, signs, verifies, and distributes DSSE attestations for SBOMs, policy evaluations, and runtime evidence.

## 1. Attestation Workflow

1. **Scanner** produces signed payload requests (SBOM, report metadata).
2. **Signer** authenticates the caller, verifies release integrity, and issues DSSE bundles (keyless or KMS-backed).
3. **Attestor** submits bundles to Rekor v2, caches inclusion proofs, and serves verification packages.
4. **Consumers** (Export Center, Evidence Locker, CLI, Policy Engine) fetch bundles for verification.

## 2. DSSE Payload Types

- `StellaOps.BuildProvenance@1`
- `StellaOps.SBOMAttestation@1`
- `StellaOps.ScanResults@1`
- `StellaOps.PolicyEvaluation@1`
- `StellaOps.VEXAttestation@1`
- `StellaOps.RiskProfileEvidence@1`

Schemas live under `src/Attestor/StellaOps.Attestor.Types` and are documented in module architecture guides.

## 3. Verification

- CLI command `stella attest verify` requests proofs from Attestor.
- Services embed Rekor UUID/index and DSSE digests in their APIs for downstream verification.
- Verification pipeline checks signature trust roots, Rekor inclusion proofs, and transparency witness endorsements when enabled.

## 4. Offline/air-gap considerations

- Export Center bundles incorporate attestations and proofs for offline verification.
- Evidence Locker stores immutable attestation bundles with retention policies.

## 5. References

- `docs/modules/signer/architecture.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/export-center/architecture.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/telemetry/architecture.md`
- `src/Provenance/StellaOps.Provenance.Attestation`