dpndncY

Attestations: DSSE over in-toto

Every decision dpndncY makes is emitted as a DSSE envelope wrapping an in-toto v1 Statement. The Statement names the subject (what the decision is about), a predicateType (which kind of decision), and a predicate (the evidence). The envelope is signed, so the decision is tamper-evident and verifiable offline with one public key.

The three predicate types

predicateType | Emitted | Payload
https://dpndncy.io/scan/v1 | per scan | Findings + the signal stack that produced each.
https://dpndncy.io/firewall/v1 | per allow / block / bypass | The install evaluated, the verdict, and the rule that decided it.
https://dpndncy.io/agent/runtime-trace/v1 | per CI job | Captured events summary + the SHA-256 of the full event log.

Envelope shape

DSSE envelope (abridged)
{
  "payloadType": "application/vnd.in-toto+json",
  "payload": "<base64url in-toto Statement>",
  "signatures": [
    { "keyid": "sha256:HmCC8oTtuG…", "sig": "<base64url signature>" }
  ]
}

The payload decodes to an in-toto Statement with _type, subject (name + sha256 digest), predicateType, and predicate. Each predicate has a versioned JSON Schema — see Attestation reference.

Signing

Default signatures use RS256 (RSASSA-PKCS1-v1_5 + SHA-256) over the DSSE PAE-encoded payload, so the signature covers the payloadType as well as the payload bytes. The signing key is yours (autogenerated for dev, bring-your-own-key for production). Optionally sign keyless via Sigstore when an OIDC identity is available — see Sigstore.

Offline-verifiable by design

Because it’s standard DSSE + in-toto, anyone with your public key can verify a decision with dpndncy-verify — no call back to dpndncY, no portal login. See Verify offline.
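The envelope shape, PAE signing and offline verification described above, as an added Go example that is not dpndncY's own code and not the dpndncy-verify tool. It assumes a 2048-bit RSA dev key generated in-process, a keyid derived by hashing the DER-encoded public key (the page only shows the "sha256:…" form), and a constructed firewall Statement whose subject digest and predicate fields are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
)

// PayloadType is the in-toto media type shown in the envelope on the page.
const PayloadType = "application/vnd.in-toto+json"

// Statement is the in-toto v1 Statement: subject + predicateType + predicate.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Subject names the artifact a decision is about, keyed by digest algorithm.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope and Signature follow the DSSE envelope shape shown on the page.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// PAE is the DSSE Pre-Authentication Encoding that is actually signed:
// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, LEN in decimal ASCII.
// Signing the PAE instead of the raw body binds payloadType into the signature.
func PAE(payloadType string, body []byte) []byte {
	header := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(body)) + " "
	return append([]byte(header), body...)
}

// KeyID labels a signature as "sha256:<hex of the DER SubjectPublicKeyInfo>".
// Assumption: the page shows this "sha256:…" form but not how it is derived.
func KeyID(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return "sha256:" + hex.EncodeToString(sum[:]), nil
}

// Sign wraps stmt in a DSSE envelope with one RS256 (RSASSA-PKCS1-v1_5 + SHA-256) signature.
func Sign(stmt Statement, priv *rsa.PrivateKey) (*Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(PAE(PayloadType, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	kid, err := KeyID(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return &Envelope{PayloadType: PayloadType, Payload: base64.RawURLEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: kid, Sig: base64.RawURLEncoding.EncodeToString(sig)}}}, nil
}

// Verify is the offline check: it needs only the envelope and the public key. Every
// signature must verify over the PAE of the decoded payload before the Statement is parsed.
func Verify(env *Envelope, pub *rsa.PublicKey) (*Statement, error) {
	if env.PayloadType != PayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	if len(env.Signatures) == 0 {
		return nil, fmt.Errorf("envelope carries no signatures")
	}
	body, err := base64.RawURLEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	digest := sha256.Sum256(PAE(env.PayloadType, body))
	for _, s := range env.Signatures {
		sig, err := base64.RawURLEncoding.DecodeString(s.Sig)
		if err != nil {
			return nil, fmt.Errorf("signature %s is not base64url: %w", s.KeyID, err)
		}
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
			return nil, fmt.Errorf("signature %s does not verify: %w", s.KeyID, err)
		}
	}
	var stmt Statement
	if err := json.Unmarshal(body, &stmt); err != nil {
		return nil, fmt.Errorf("payload is not an in-toto Statement: %w", err)
	}
	return &stmt, nil
}

// NewDevKey stands in for the autogenerated dev key (assumption: 2048-bit RSA).
func NewDevKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ExampleStatement is a constructed firewall decision; name, digest and predicate are made up.
func ExampleStatement() Statement {
	return Statement{
		Type: "https://in-toto.io/Statement/v1",
		Subject: []Subject{{Name: "pkg:npm/example-package@1.0.0", Digest: map[string]string{
			"sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}}},
		PredicateType: "https://dpndncy.io/firewall/v1",
		Predicate:     json.RawMessage(`{"verdict":"block","rule":"example-rule"}`),
	}
}

func main() {
	priv, err := NewDevKey()
	if err != nil {
		panic(err)
	}
	env, err := Sign(ExampleStatement(), priv)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(out))
	stmt, err := Verify(env, &priv.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("verified predicateType:", stmt.PredicateType)
	// Any change to the payload invalidates the signature, which is the tamper-evidence.
	env.Payload = base64.RawURLEncoding.EncodeToString([]byte(`{"_type":"tampered"}`))
	_, err = Verify(env, &priv.PublicKey)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

Verify deliberately rejects the envelope before looking inside the payload: a Statement is only trusted after every signature has passed against the PAE, and a payloadType other than the in-toto media type is refused because a signature over a different type must not be accepted as an attestation.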