Module evidence_signing 

Shared signing-payload shapes for host event-stream payloads. Adding a field invalidates existing signatures - bump signing version.

Structs

ActivationFailedSignedPayload

ClosureSignatureMismatchSignedPayload

LastConfirmedAtSignedPayload

Soak-state attestation, bound to (hostname, rollout) so a stale signature can’t replay across rollouts. Without this signature CP cannot trust the agent’s claimed confirmation time (replay would short-circuit the soak gate). Verified against hosts.<hostname>.pubkey from fleet.resolved.

ManifestMismatchSignedPayload

Manifest signed but agent’s content-bound checks failed (hash, host_set membership, or pinned-bytes drift).

ManifestMissingSignedPayload

Agent could not load + parse the advertised rollout manifest.

ManifestVerifyFailedSignedPayload

Manifest signature didn’t verify against trust roots.

RealiseFailedSignedPayload

RollbackTriggeredSignedPayload

StaleTargetSignedPayload

VerifyMismatchSignedPayload