Cross-trust-domain attestation: domain A signs a statement asserting that domain B’s identity (or a specific actor in B) is recognized within A’s trust fabric, optionally bounded by capability scope and time. Used by SPIFFE federated trust bundles, business-partner trust links, and sovereignty federations (TF-0002 “federated” identity mode).