Allow a service other than the 'build service' to generate provenance
This is just an initial thought. We might only want this adjustment at L2 but still make the build service generate the provenance at L3+. On the other hand, maybe as long as the builder _reports_ the data and it's confident in that data, it would be fine for some other service to generate the provenance? That would allow for a 'trusted service' to translate one provenance format to another (in addition to gathering the data from API calls).