Implement the provenance ledger + `conductor ssot verify` + attestation

[ronimoe]

Context

The committed JSONL provenance ledger (agent id, model, params, plan-hash->code-hash) is designed but not implemented. It is a rebuildable projection of GitHub.

Scope

• Append the ledger on land; conductor ssot trace/verify (every released commit -> issue+changeset; every closed issue -> a release).
• OIDC-bound verdict signatures; optional Sigstore/Rekor.

Acceptance

conductor ssot verify flags broken links; the ledger rebuilds from GitHub metadata.

Seam

new tools/conductor/ssot.py; verifier.py verdict records; ADR-0010.

[ronimoe]

Implemented (this commit).

ssot.py is the rebuildable provenance projection — build_ledger / trace / verify / rebuild + a GitHubReader (fail-closed, injectable) — plus attest.py (self-asserted run-binding) and trailers.py (shared trailer table).

Adversarial pass caught and fixed two blockers: (1) there was no authoritative join key — the design would have guessed issue↔changeset from agent+sha8 (collision-prone). Fixed by threading an authoritative change_id map through the changeset → plan → release journal; an unresolved change_id is marked, never guessed. (2) land_message emitted a scalar Closes, losing multi-issue commits — now one line per issue, parser is its exact inverse.

verify fails closed on reader outage, anchors on the journal (squash-rewritten trailers are advisory), and treats a reverted/force-pushed change as not backing a closed issue. authority=github on every violation; a grep-guard test enforces that no blocking-path module imports ssot (no split-brain). 16 unit tests (real git). Remaining for full close: live gh api graphql reader validation; the honest caveat that the self-asserted attestation provides no non-repudiation without the opt-in Sigstore path.