[Atlas] Signed artifact attestations from contributors done

Goal

Per-commit attribution
(docs/planning/specs/q-gov-attribution-audit_spec.md) records who claimed to have produced an artifact, but the trailers are
unsigned — anyone with write access to the submodule can forge Task-Id:, Skill:, Account: lines. For artifacts that other
agents read as authoritative inputs (curated datasets, validated
hypotheses, blessed analyses), we need a cryptographic attestation:
"contributor X (with key K) attests that artifact Y has content hash
H at version V". This task adds Ed25519 signing keys per contributor
account, a signature column on artifact_versions, and a verifier
that re-checks signatures on read.

Effort: thorough

Acceptance Criteria

CREATE TABLE contributor_keys (
        contributor_id TEXT NOT NULL,
        key_id         TEXT NOT NULL,    -- short fingerprint
        public_key     BYTEA NOT NULL,   -- 32-byte Ed25519 public key
        algorithm      TEXT NOT NULL DEFAULT 'ed25519',
        registered_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
        revoked_at     TIMESTAMPTZ,
        revoke_reason  TEXT,
        PRIMARY KEY (contributor_id, key_id)
      );

      CREATE TABLE artifact_attestation (
        id BIGSERIAL PRIMARY KEY,
        artifact_id    TEXT NOT NULL,
        version_number INT NOT NULL,
        content_hash   TEXT NOT NULL,
        contributor_id TEXT NOT NULL,
        key_id         TEXT NOT NULL,
        signature      BYTEA NOT NULL,
        attested_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
        verified_at    TIMESTAMPTZ,
        verification_status TEXT
          CHECK (verification_status IN ('valid','invalid','revoked','unknown')),
        UNIQUE (artifact_id, version_number, contributor_id, key_id)
      );
      CREATE INDEX idx_aa_artifact ON artifact_attestation(artifact_id);

- register_key(contributor_id, public_key_b64) -> key_id.
- revoke_key(contributor_id, key_id, reason).
- attest(artifact_id, version_number, content_hash,
contributor_id, key_id, signature_b64) — verifies and
inserts.
- verify(artifact_id, version_number) -> list[Attestation]
— re-checks every attestation and updates verification_status.
- Canonical message format:
"scidex-attestation-v1\n{artifact_id}\n{version_number}\n
{content_hash}\n{contributor_id}\n{key_id}" — pinned in a
constant and snapshot-tested. No Python pickle, no JSON
ordering ambiguity. verify; do not ship signing in this module (signing keys
stay client-side). The CLI can sign as a convenience. --artifact <id> --version <n> --key <path-to-private-pem>
computes the canonical message, signs locally, and POSTs
to /api/atlas/attestations with the public-key fingerprint
already registered. - POST /api/atlas/keys/register {contributor_id,
public_key_b64} → 201.
- POST /api/atlas/keys/revoke {contributor_id, key_id,
reason}.
- POST /api/atlas/attestations {artifact_id, version_number,
content_hash, contributor_id, key_id, signature_b64} → 201
if signature verifies, 400 if not, 410 if key revoked.
- GET /api/atlas/attestations/{artifact_id} returns the list
with current verification statuses. whose verified_at is null or older than the contributor's
most recent key revoke; updates verification_status.
Invalid attestations emit senate_alerts of kind
attestation_invalid (severity high). contributors (M valid)" badge with hover tooltip listing
contributor_id and verification_status. Wiring lives in the
existing artifact-detail template; small JSON endpoint feeds
it. carries ≥1 valid attestation from a contributor with prior
>5 valid attestations earn a one-time +25 Elo nudge in the
'global' arena. Implemented as a recurring sweep that idem-
potently applies the bonus. register key roundtrip; sign + verify happy path; signature
tampering → invalid; key-revoke at T → attestations from
keys revoked before T stay valid (revocation is forward, not
retroactive — but verification_status becomes revoked for
reads after revoke); canonical-message snapshot test.

Approach

Pin the canonical message format and the unit test first; this

is the cryptographic invariant — every other piece is plumbing.

Migration; module; tests against a fixture key pair.

CLI signer; verify against a manually-constructed

(artifact, version, hash) triple.

API routes; verifier cron.

UI badge; smoke against a fixture-attested hypothesis.

Elo bonus sweep; ensure idempotent.

Dependencies

• q-gov-attribution-audit — establishes the contributor identity

this task signs over.

• scidex/atlas/artifact_registry.compute_content_hash — hashes

signed.

Dependents

• q-trust-provenance-integrity-scanner — verifies attestations

match recomputed input hashes.

Work Log

2026-04-27 — Implementation

Core implementation complete:

Migration (migrations/20260428_artifact_attestations.sql): Created contributor_keys and artifact_attestation tables with all specified columns, indexes, FK constraints, and CHECK constraints. Applied successfully.

Module (scidex/atlas/artifact_attestation.py): Implemented register_key(), revoke_key(), attest(), verify(), verify_all_pending(), and get_attestations_for_artifact(). Uses cryptography>=41 Ed25519PublicKey for signature verification. Canonical message format pinned in CANONICAL_MESSAGE_TEMPLATE constant.

API routes (api.py): Added four endpoints:

- POST /api/atlas/keys/register — register Ed25519 public key
- POST /api/atlas/keys/revoke — revoke a key
- POST /api/atlas/attestations — create attestation (verifies signature)
- GET /api/atlas/attestations/{artifact_id} — get attestations with current verification status

CLI script (scripts/attest_artifact.py): Signs canonical message with Ed25519 private key PEM and POSTs to API.

Verifier cron (scidex/senate/scheduled_tasks.py): Added attestation-verifier daily task that re-verifies all pending attestations and emits senate_alerts for invalid ones.

Remaining acceptance criteria (not in core task scope):

Note: Pre-existing syntax error in api.py at line 35657 (f-string unmatched paren) exists in origin/main and is unrelated to this implementation.