
fix: remove deprecated in-toto-golang dependency#3017

Open
Abhishek9639 wants to merge 3 commits into
guacsec:mainfrom
Abhishek9639:fix/remove-in-toto-golang-dep

Conversation

@Abhishek9639

Description of the PR

Removes the deprecated in-toto-golang library from the codebase. The guesser, processor, and parser were still importing types from in-toto-golang; this PR replaces those with local type definitions.

Changes:

  • type_ite6.go: replaced in_toto.Statement / attestationv1.Statement with a local ite6Statement struct that handles both v0.1 and v1 in-toto statement formats
  • ite6.go: same; swapped attestationv1.Statement for a local struct
  • parser_slsa.go: defined local DigestSet, ProvenanceMaterial, ProvenancePredicateV01/V02 types to replace scommon, slsa01, slsa02 imports
  • parser_slsa_test.go / sigstore_verifier_test.go: updated to use the new local types
  • go.mod: removed in-toto-golang as a direct dependency

Fixes #2036

PR Checklist

@Abhishek9639
Author

Abhishek9639 commented Apr 23, 2026

Hi @funnelfiasco or @jeffmendoza,
This PR removes the remaining in-toto-golang references from the guesser, processor, and parser packages as mentioned in #2036.

The main approach was to define lightweight local structs instead of pulling in the deprecated library; the guesser now handles both v0.1 and v1 in-toto statement formats through a single struct. All existing tests pass without changes to test logic.

Let me know if anything needs to be adjusted.
Thanks

@Abhishek9639 Abhishek9639 force-pushed the fix/remove-in-toto-golang-dep branch from 247c585 to bc2eefb April 23, 2026 20:54
Collaborator

@mlieberman85 mlieberman85 left a comment


Real supply chain win to drop the deprecated dependency, thanks for picking this up. Tests still pass, go.mod cleanup is clean. A few design concerns I'd like to see addressed before merge, none of them blockers individually but together they suggest the cleanup pass would land in a better place.

Structural:

  1. ite6Statement is now defined in two files with different shapes: 4 fields in processor/guesser/type_ite6.go (handles both v0.1 and v1), 2 fields in processor/ite6/ite6.go (only v0.1). Different packages so no compile error, but a maintenance trap. If a v1 statement reaches processor/ite6/ite6.go::parseStatement, both fields unmarshal empty and the rest of the pipeline runs on garbage. Either share the struct via an internal package, or document why they intentionally diverge and what a v1 doc does in the second path.

  2. The merged v0.1+v1 struct in the guesser loses the explicit two-pass clarity of the original. The old code had two separate Unmarshal calls into properly-typed statements with explicit conditionals. The new code unmarshals everything into one struct and getType()/getPredicateType() prefer v0.1 over v1 on ambiguity. Why does the older spec win? A doc populating both _type and type is malformed, the silent preference is a footgun. Either reject mixed formats, or pick a defensible rule (in-toto v1 is the current standard, defaulting to v0.1 feels backwards).

  3. The local type definitions (ProvenancePredicateV01/V02, ProvenanceMaterial, etc.) are dropped into parser_slsa.go mixed with parsing logic. They're really local copies of types you just removed from upstream. Belongs in its own file (e.g. types_legacy.go) with a doc comment explaining why they exist locally and a marker for when SLSA v0.1/v0.2 support could be dropped entirely.

Smaller:

  1. Completeness is an inline anonymous struct in both ProvenanceMetadataV01 and ProvenanceMetadataV02. Works, but you can't reference these types elsewhere and they're hard to inspect. Named types would be cleaner.

  2. New constants PredicateSLSAProvenanceV01/V02 use uppercase V, the pre-existing PredicateSLSAProvenancev1 uses lowercase v. Pick one convention.

  3. Test coverage: I see updates for parser_slsa_test.go and sigstore_verifier_test.go, none for type_ite6.go. The merged-struct guesser logic is the most behavior-changing part of this PR and should have explicit tests for both v0.1 and v1 inputs, plus the ambiguous-fields case.

  4. sigstore_verifier_test.go now constructs the statement with hand-rolled local types instead of canonical types. Test still passes, but it's now testing self-defined shapes rather than the format the verifier actually consumes in production. Worth keeping the test types as close to upstream as possible.

None of this is hard to address. Happy to look again.

Comment thread pkg/handler/processor/guesser/type_ite6.go
Comment thread pkg/handler/processor/guesser/type_ite6.go
Comment thread pkg/handler/processor/ite6/ite6.go
Comment thread pkg/ingestor/parser/slsa/parser_slsa.go Outdated
Comment thread pkg/ingestor/parser/slsa/parser_slsa.go Outdated
Comment thread pkg/ingestor/parser/slsa/parser_slsa.go Outdated
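The merged-struct question in structural points 1 and 2 of the review above (one ite6Statement that accepts both v0.1 and v1 header spellings, what happens when a document populates both, and what a v1 document does if it lands in a v0.1-only struct), as an added example that is neither the PR's code nor GUAC's own. The shape of the struct, the choice of `type`/`predicate_type` as the v1 spellings (what encoding/json emits for the protobuf-generated v1 Statement), the rejection rule, and the sample documents are all assumptions of this example; the statement type URIs are the ones defined by the in-toto spec.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Statement type URIs defined by the in-toto attestation spec.
const (
	StatementInTotoV01 = "https://in-toto.io/Statement/v0.1"
	StatementInTotoV1  = "https://in-toto.io/Statement/v1"
)

// ErrAmbiguousStatement is returned when a document carries both the v0.1
// and the v1 spelling of the same header field.
var ErrAmbiguousStatement = errors.New("ite6: document populates both v0.1 and v1 spellings of a header field")

// ite6Statement is the single-struct approach the review discusses: one
// type whose JSON tags accept both the header names of the in-toto v0.1
// Statement (_type, predicateType) and the snake-case names that
// encoding/json emits for the protobuf-generated v1 Statement
// (type, predicate_type). This field set is an assumption of the example,
// not the PR's definition.
type ite6Statement struct {
	TypeV01          string          `json:"_type"`
	TypeV1           string          `json:"type"`
	PredicateTypeV01 string          `json:"predicateType"`
	PredicateTypeV1  string          `json:"predicate_type"`
	Subject          json.RawMessage `json:"subject"`
	Predicate        json.RawMessage `json:"predicate"`
}

// pickHeader resolves one header field. A document populating both
// spellings is rejected instead of silently preferring either spec; an
// unset field yields "" so the caller can report it.
func pickHeader(v01, v1 string) (string, error) {
	switch {
	case v01 != "" && v1 != "":
		return "", ErrAmbiguousStatement
	case v1 != "":
		return v1, nil
	default:
		return v01, nil
	}
}

func (s *ite6Statement) getType() (string, error) {
	return pickHeader(s.TypeV01, s.TypeV1)
}

func (s *ite6Statement) getPredicateType() (string, error) {
	return pickHeader(s.PredicateTypeV01, s.PredicateTypeV1)
}

// GuessStatement unmarshals blob once and returns the statement type URI and
// predicate type URI. It fails on unknown statement types, on ambiguous
// headers, and on documents that carry neither spelling, so a v1 document
// never proceeds through the pipeline on empty fields.
func GuessStatement(blob []byte) (stmtType, predType string, err error) {
	var s ite6Statement
	if err := json.Unmarshal(blob, &s); err != nil {
		return "", "", fmt.Errorf("ite6: not a JSON object: %w", err)
	}
	if stmtType, err = s.getType(); err != nil {
		return "", "", err
	}
	if stmtType != StatementInTotoV01 && stmtType != StatementInTotoV1 {
		return "", "", fmt.Errorf("ite6: unsupported statement type %q", stmtType)
	}
	if predType, err = s.getPredicateType(); err != nil {
		return "", "", err
	}
	if predType == "" {
		return "", "", errors.New("ite6: statement has no predicateType")
	}
	return stmtType, predType, nil
}

// Constructed sample documents for the three cases the review asks to test:
// a v0.1 statement, a v1 statement, and a malformed one carrying both headers.
var (
	sampleV01   = []byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"pkg","digest":{"sha256":"ab"}}],"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{}}`)
	sampleV1    = []byte(`{"type":"https://in-toto.io/Statement/v1","subject":[{"name":"pkg","digest":{"sha256":"ab"}}],"predicate_type":"https://slsa.dev/provenance/v1","predicate":{}}`)
	sampleMixed = []byte(`{"_type":"https://in-toto.io/Statement/v0.1","type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/provenance/v0.2","predicate":{}}`)
)

func main() {
	for name, blob := range map[string][]byte{"v0.1": sampleV01, "v1": sampleV1, "mixed": sampleMixed} {
		st, pt, err := GuessStatement(blob)
		fmt.Printf("%-5s statement=%q predicate=%q err=%v\n", name, st, pt, err)
	}
}
```

Rejecting a document that populates both spellings makes the guesser's behaviour independent of which spec "wins", which is the footgun the review points at; a caller that wants to tolerate a document where both spellings hold the same value can relax pickHeader to compare them before returning ErrAmbiguousStatement.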
@Abhishek9639 Abhishek9639 force-pushed the fix/remove-in-toto-golang-dep branch from fd425bf to 9ef7e38 May 4, 2026 00:20
@Abhishek9639
Author

Hi @mlieberman85,
Addressed all the feedback: unified the ite6Statement struct across both files, flipped the v1 preference in getType()/getPredicateType() and added explicit rejection for ambiguous docs, moved the legacy SLSA types into a separate types_legacy.go with a delete marker, promoted Completeness to named types, fixed the V1 naming inconsistency, and added v1 + ambiguous-fields test cases.
Let me know if anything else needs tweaking.
Thanks

@Abhishek9639 Abhishek9639 requested a review from mlieberman85 May 4, 2026 00:22
Signed-off-by: Abhishek <abhishekup082@gmail.com>
@Abhishek9639 Abhishek9639 force-pushed the fix/remove-in-toto-golang-dep branch from 359c2b5 to 975101e May 5, 2026 13:05
@Abhishek9639
Author

Hi @mlieberman85,
Pushed a fix for the CI failures: there was a missing "time" import in parser_slsa.go causing a compile error, plus two copy-paste bugs where FinishedOn was using StartedOn's values in both fillSLSA1 and fillSLSA02. All fixed now, CI should pass.
Thanks


Development

Successfully merging this pull request may close these issues.

[bug] in-toto-golang is being deprecated, move to in-toto attestations

2 participants