Attesto

Witness Plane

Witnesses, quorum, and fork visibility

The Witness Plane makes stream history harder to rewrite quietly. Witnesses sign monotonic checkpoint progression and emit fork evidence when they observe conflicting histories for the same stream.

Witnesses

A witness is an independent service with its own identity key and key epoch. It stores the last accepted checkpoint per tenant stream and only signs a new checkpoint when it extends the previous history.

| Role | Purpose |
| --- | --- |
| Attesto-operated witness | Managed witness for early production policies and baseline availability. |
| Customer-operated witness | Customer-side view of checkpoint progression, commonly through Local Vault. |
| Assurance witness | Independent assurance or auditor-operated witness for higher trust policies. |
| Partner witness | Trusted third-party witness used in customer-specific policy designs. |

Quorum

Quorum describes how many witnesses must sign for a checkpoint to satisfy tenant policy. A managed-only policy can be useful for a simple stream. A 2-of-3 policy is stronger because the verifier can require agreement across multiple independent views.

{
  "policy_id": "policy-2026-01",
  "required": 2,
  "witnesses": [
    "attesto-managed",
    "customer-local-vault",
    "assurance-witness"
  ]
}

Fork evidence and fork visibility

A fork is a conflict where two checkpoint heads claim incompatible history for the same stream. The witness must not hide this by picking one side. It records machine-readable fork evidence so the verifier can reject ambiguous history.

{
  "kind": "fork_evidence",
  "stream_id": "str_...",
  "conflicting_checkpoints": [
    {"checkpoint_id": "chk_a", "checkpoint_head_hash": "hex-a"},
    {"checkpoint_id": "chk_b", "checkpoint_head_hash": "hex-b"}
  ],
  "detected_by": "customer-local-vault",
  "result": "verifier_rejects_ambiguous_history"
}
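The witness rule, the quorum policy and the fork evidence record above can be tied together in a short sketch. This is an added example, not Attesto's code: the `seq` and `prev_head_hash` checkpoint fields, the `Witness` class, the `verify` function and the `quorum_not_met` result are assumptions, and HMAC stands in for a signature made with the witness identity key.

```python
import hashlib
import hmac

# Quorum policy as shown on the page.
POLICY = {"policy_id": "policy-2026-01", "required": 2,
          "witnesses": ["attesto-managed", "customer-local-vault", "assurance-witness"]}

def sign(key, cp):
    # Assumption: HMAC-SHA256 stands in for the witness identity-key signature.
    msg = f'{cp["stream_id"]}|{cp["seq"]}|{cp["checkpoint_head_hash"]}'.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Witness:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.last = {}  # stream_id -> last accepted checkpoint

    def observe(self, cp):
        """Return ("signed", sig), ("fork", evidence) or ("refused", None)."""
        prev = self.last.get(cp["stream_id"])
        # Sign only the first checkpoint or one that extends the stored head.
        if prev is None or (cp["seq"] == prev["seq"] + 1
                            and cp["prev_head_hash"] == prev["checkpoint_head_hash"]):
            self.last[cp["stream_id"]] = cp
            return "signed", sign(self.key, cp)
        same_slot = (cp["seq"] == prev["seq"]
                     and cp["checkpoint_head_hash"] != prev["checkpoint_head_hash"])
        wrong_parent = cp["seq"] == prev["seq"] + 1  # parent hash did not match
        if same_slot or wrong_parent:
            # Do not pick a side: record both heads as fork evidence.
            heads = [{"checkpoint_id": c["checkpoint_id"],
                      "checkpoint_head_hash": c["checkpoint_head_hash"]}
                     for c in (prev, cp)]
            return "fork", {"kind": "fork_evidence", "stream_id": cp["stream_id"],
                            "conflicting_checkpoints": heads,
                            "detected_by": self.name,
                            "result": "verifier_rejects_ambiguous_history"}
        return "refused", None  # stale, replayed, or skips ahead: nothing to sign

def verify(policy, keys, cp, signatures, evidence):
    """signatures: witness name -> signature; evidence: list of fork records."""
    if any(e["stream_id"] == cp["stream_id"] for e in evidence):
        return "verifier_rejects_ambiguous_history"
    # Count only valid signatures from witnesses named in the policy.
    good = {w for w, sig in signatures.items()
            if w in policy["witnesses"]
            and hmac.compare_digest(sig, sign(keys[w], cp))}
    return "accepted" if len(good) >= policy["required"] else "quorum_not_met"
```

Fork evidence is checked before the signature count, so a checkpoint that reaches 2-of-3 is still rejected once any witness has reported a conflicting head for the stream.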

Public witness API shape