Implementation Plan

Phase 1 -- Sign + Verify (MSc core)

internal/crypto/signer.go -- Ed25519 sign, verify, digest, CanonicalPayload
cmd/sign -- CLI wrapper with --check-type, --tool, --signing-key, --signer-id, --log-entry
cmd/keygen -- key generation utility
Unit tests: tamper detection, key mismatch, canonical payload determinism

internal/attestation/chain.go -- chain building (Chain.Add, SetNextSignerID, SetNextLogEntry)
internal/attestation/chain.go -- VerifyChainWithOptions with max-age, clock skew, subject consistency, timestamp ordering, duplicate check type detection
cmd/verify -- CLI chain verifier
cmd/gate -- deployment gate with OPA policy evaluation
Unit tests: all tamper attack vectors, VerifyChainWithOptions options matrix
Integration tests: full pipeline to chain to gate

Per-check-type Ed25519 key pairs -- each check type uses a dedicated signing key
SignerID in canonical payload -- signer identity is cryptographically bound
LogEntry plumbing -- transparency log reference attached after signing; enforced at gate with --require-log-entries
--authorized-signers on gate -- per-check-type Go-level key authorization before policy evaluation
verifyAuthorizedSignersCoverage -- rejects chains with unconfigured check types
--policy-hash on gate -- SHA-256 pin of Rego policy file; prevents policy substitution
--max-age on gate -- rejects chains containing attestations older than the limit
deploy.rego authorized_signers rules -- policy-level check mirrors the Go-level check
CI workflow updated -- per-check-type secrets, --signer-id, --log-entry, --authorized-signers, --policy-hash, --max-age, --require-log-entries

internal/threshold/threshold.go -- interfaces and types
Simple t-of-n: collect t independent Ed25519 signatures (internal/threshold/multisig.go)
VerifyThreshold -- verify t-of-n partial signatures, deduplicated and sorted by participant ID
FROST threshold scheme (proper single group signature) -- PhD scope
Distribute over network with GossipProtocol -- PhD scope