git.stella-ops.org/src/Attestor/StellaOps.Provenance.Attestation/AGENTS.md

StellaOps Provenance & Attestation Guild Charter

Mission

Provide shared libraries and tooling for generating, signing, and verifying provenance attestations (DSSE/SLSA) used by evidence bundles, exports, and timeline verification flows.

Scope

  • DSSE statement builders with Merkle and digest utilities.
  • Signer/validator abstractions for KMS, cosign, offline keys.
  • Provenance schema definitions reused across services and CLI.
  • Verification harnesses for evidence locker and export center integrations.

Collaboration

  • Partner with Evidence Locker, Exporter, Orchestrator, and CLI guilds for integration.
  • Coordinate with Security Guild on key management policies and rotation logs.
  • Ensure docs in docs/modules/provenance/guides/provenance-attestation.md stay aligned with implementation.

Definition of Done

  • Libraries ship with deterministic serialization tests.
  • Threat model reviewed before each release.
  • Sample statements and verification scripts committed under samples/provenance/.

Required Reading

  • docs/modules/provenance/guides/provenance-attestation.md
  • docs/modules/platform/architecture-overview.md

Working Agreement

    1. Update task status to DOING/DONE in both the corresponding sprint file /docs/implplan/SPRINT_*.md and the local TASKS.md when you start or finish work.
    2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
    3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
    4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
    5. Revert to TODO if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.