09-Feb-2026 - Repro Bundle SLSA v1 in-toto DSSE offline mode

Advisory source

  • Source: user-provided product advisory text (planning session, 2026-02-09 UTC).
  • Scope: per-artifact reproducible evidence bundle with SLSA v1 provenance, in-toto link, DSSE signatures, optional Rekor anchoring, and full offline verification mode.

Outcome

  • Result: gaps confirmed in current implementation.
  • Decision: advisory translated into docs + sprint tasks and archived.

Confirmed gap themes

  • Strict SLSA policy enforcement is incomplete for required fields and fail-closed validation behavior.
  • Canonicalization policy is not yet enforced as one deterministic pipeline.
  • Promotion gates do not yet fail closed on missing/non-compliant reproducibility evidence.
  • Offline Rekor verification has trust-based shortcuts that need hardening.
  • Toolchain digest pinning and deterministic packaging are not fully enforced across release scripts.
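
As an added example (not the product's own code), a fail-closed structural check for the first gap theme: a DSSE envelope carrying a SLSA v1 provenance statement is rejected on any missing required field, malformed digest or absent signature rather than silently skipped. The required-field set, the placeholder signature and the example.invalid URLs are assumptions of this example; cryptographic signature verification and Rekor anchoring are outside its scope.

```python
import base64
import json
import re
# Spec URIs (in-toto Statement v1, SLSA v1, DSSE); the required predicate fields checked below are this example's assumption.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

def validate_envelope(envelope_json: str) -> list[str]:
    """Fail-closed DSSE/SLSA v1 structure check: returns every violation found; [] means accept."""
    try:
        env = json.loads(envelope_json)
        stmt = json.loads(base64.b64decode(env["payload"], validate=True))
    except (KeyError, ValueError, TypeError) as exc:
        return [f"envelope or payload is malformed: {exc}"]
    if not isinstance(env, dict) or not isinstance(stmt, dict):
        return ["envelope and statement must both be JSON objects"]
    errors = []
    for obj, key, want in ((env, "payloadType", INTOTO_PAYLOAD_TYPE), (stmt, "_type", STATEMENT_TYPE),
                           (stmt, "predicateType", SLSA_V1_PREDICATE)):
        if obj.get(key) != want:
            errors.append(f"{key} must be {want}")
    sigs = env.get("signatures")
    if not isinstance(sigs, list) or not sigs or not all(isinstance(s, dict) and s.get("sig") for s in sigs):
        errors.append("envelope needs at least one signature with a non-empty sig")
    subjects = stmt.get("subject") if isinstance(stmt.get("subject"), list) else []
    if not subjects:
        errors.append("statement needs at least one subject")
    for i, subj in enumerate(subjects):
        digest = subj["digest"].get("sha256") if isinstance(subj, dict) and isinstance(subj.get("digest"), dict) else None
        if not isinstance(digest, str) or not SHA256_HEX.match(digest):
            errors.append(f"subject[{i}] lacks a lowercase 64-hex sha256 digest")
    for path in (("buildDefinition", "buildType"), ("runDetails", "builder", "id")):
        node = stmt.get("predicate")
        for key in path:  # walk the dotted path; any non-object on the way yields None
            node = node.get(key) if isinstance(node, dict) else None
        if not isinstance(node, str) or not node:
            errors.append("predicate." + ".".join(path) + " is required and must be a non-empty string")
    return errors

def sample_envelope(sha256: str, builder_id: str = "https://builder.example.invalid") -> str:
    # Constructed sample only: minimal SLSA v1 statement with a placeholder signature, no key involved.
    stmt = {"_type": STATEMENT_TYPE, "predicateType": SLSA_V1_PREDICATE,
            "subject": [{"name": "artifact.tar", "digest": {"sha256": sha256}}],
            "predicate": {"buildDefinition": {"buildType": "https://build.example.invalid/v1"},
                          "runDetails": {"builder": {"id": builder_id}}}}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return json.dumps({"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload,
                       "signatures": [{"keyid": "placeholder", "sig": "placeholder"}]})
```

Every rejection reason is collected so a promotion gate can log the full list, while the gate decision itself stays binary: any non-empty result means reject.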

Translation artifacts

  • Active sprint: docs/implplan/SPRINT_20260209_001_DOCS_repro_bundle_gap_closure.md
  • High-level product/docs update: docs/key-features.md
  • Module contract: docs/modules/attestor/repro-bundle-profile.md

Notes

  • Supersedes/extends: none recorded.
  • External web fetches: none.