feat: add Attestation Chain and Triage Evidence API clients and models

- Implemented Attestation Chain API client with methods for verifying, fetching, and managing attestation chains.
- Created models for Attestation Chain, including DSSE envelope structures and verification results.
- Developed Triage Evidence API client for fetching finding evidence, including methods for evidence retrieval by CVE and component.
- Added models for Triage Evidence, encapsulating evidence responses, entry points, boundary proofs, and VEX evidence.
- Introduced mock implementations for both API clients to facilitate testing and development.

src/Scanner/StellaOps.Scanner.WebService/Contracts/FindingEvidenceContracts.cs

@@ -0,0 +1,451 @@
+// -----------------------------------------------------------------------------
+// FindingEvidenceContracts.cs
+// Sprint: SPRINT_3800_0001_0001_evidence_api_models
+// Description: Unified evidence API response contracts for findings.
+// -----------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Scanner.WebService.Contracts;
+
+/// <summary>
+/// Unified evidence response for a finding, combining reachability, boundary,
+/// VEX evidence, and score explanation.
+/// </summary>
+public sealed record FindingEvidenceResponse
+{
+    /// <summary>
+    /// Unique identifier for the finding.
+    /// </summary>
+    [JsonPropertyName("finding_id")]
+    public string FindingId { get; init; } = string.Empty;
+
+    /// <summary>
+    /// CVE identifier (e.g., "CVE-2021-44228").
+    /// </summary>
+    [JsonPropertyName("cve")]
+    public string Cve { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Component where the vulnerability was found.
+    /// </summary>
+    [JsonPropertyName("component")]
+    public ComponentRef? Component { get; init; }
+
+    /// <summary>
+    /// Reachable call path from entrypoint to vulnerable sink.
+    /// Each element is a fully-qualified name (FQN).
+    /// </summary>
+    [JsonPropertyName("reachable_path")]
+    public IReadOnlyList<string>? ReachablePath { get; init; }
+
+    /// <summary>
+    /// Entrypoint proof (how the code is exposed).
+    /// </summary>
+    [JsonPropertyName("entrypoint")]
+    public EntrypointProof? Entrypoint { get; init; }
+
+    /// <summary>
+    /// Boundary proof (surface exposure and controls).
+    /// </summary>
+    [JsonPropertyName("boundary")]
+    public BoundaryProofDto? Boundary { get; init; }
+
+    /// <summary>
+    /// VEX (Vulnerability Exploitability eXchange) evidence.
+    /// </summary>
+    [JsonPropertyName("vex")]
+    public VexEvidenceDto? Vex { get; init; }
+
+    /// <summary>
+    /// Score explanation with additive risk breakdown.
+    /// </summary>
+    [JsonPropertyName("score_explain")]
+    public ScoreExplanationDto? ScoreExplain { get; init; }
+
+    /// <summary>
+    /// When the finding was last observed.
+    /// </summary>
+    [JsonPropertyName("last_seen")]
+    public DateTimeOffset LastSeen { get; init; }
+
+    /// <summary>
+    /// When the evidence expires (for VEX/attestation freshness).
+    /// </summary>
+    [JsonPropertyName("expires_at")]
+    public DateTimeOffset? ExpiresAt { get; init; }
+
+    /// <summary>
+    /// References to DSSE/in-toto attestations backing this evidence.
+    /// </summary>
+    [JsonPropertyName("attestation_refs")]
+    public IReadOnlyList<string>? AttestationRefs { get; init; }
+}
+
+/// <summary>
+/// Reference to a component (package) by PURL and version.
+/// </summary>
+public sealed record ComponentRef
+{
+    /// <summary>
+    /// Package URL (PURL) identifier.
+    /// </summary>
+    [JsonPropertyName("purl")]
+    public string Purl { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Package name.
+    /// </summary>
+    [JsonPropertyName("name")]
+    public string Name { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Package version.
+    /// </summary>
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Package type/ecosystem (npm, maven, nuget, etc.).
+    /// </summary>
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+}
+
+/// <summary>
+/// Proof of how code is exposed as an entrypoint.
+/// </summary>
+public sealed record EntrypointProof
+{
+    /// <summary>
+    /// Type of entrypoint (http_handler, grpc_method, cli_command, etc.).
+    /// </summary>
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Route or path (e.g., "/api/v1/users", "grpc.UserService.GetUser").
+    /// </summary>
+    [JsonPropertyName("route")]
+    public string? Route { get; init; }
+
+    /// <summary>
+    /// HTTP method if applicable (GET, POST, etc.).
+    /// </summary>
+    [JsonPropertyName("method")]
+    public string? Method { get; init; }
+
+    /// <summary>
+    /// Authentication requirement (none, optional, required).
+    /// </summary>
+    [JsonPropertyName("auth")]
+    public string? Auth { get; init; }
+
+    /// <summary>
+    /// Execution phase (startup, runtime, shutdown).
+    /// </summary>
+    [JsonPropertyName("phase")]
+    public string? Phase { get; init; }
+
+    /// <summary>
+    /// Fully qualified name of the entrypoint symbol.
+    /// </summary>
+    [JsonPropertyName("fqn")]
+    public string Fqn { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Source file location.
+    /// </summary>
+    [JsonPropertyName("location")]
+    public SourceLocation? Location { get; init; }
+}
+
+/// <summary>
+/// Source file location reference.
+/// </summary>
+public sealed record SourceLocation
+{
+    /// <summary>
+    /// File path relative to repository root.
+    /// </summary>
+    [JsonPropertyName("file")]
+    public string File { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Line number (1-indexed).
+    /// </summary>
+    [JsonPropertyName("line")]
+    public int? Line { get; init; }
+
+    /// <summary>
+    /// Column number (1-indexed).
+    /// </summary>
+    [JsonPropertyName("column")]
+    public int? Column { get; init; }
+}
+
+/// <summary>
+/// Boundary proof describing surface exposure and controls.
+/// </summary>
+public sealed record BoundaryProofDto
+{
+    /// <summary>
+    /// Kind of boundary (network, file, ipc, etc.).
+    /// </summary>
+    [JsonPropertyName("kind")]
+    public string Kind { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Surface descriptor (what is exposed).
+    /// </summary>
+    [JsonPropertyName("surface")]
+    public SurfaceDescriptor? Surface { get; init; }
+
+    /// <summary>
+    /// Exposure descriptor (how it's exposed).
+    /// </summary>
+    [JsonPropertyName("exposure")]
+    public ExposureDescriptor? Exposure { get; init; }
+
+    /// <summary>
+    /// Authentication descriptor.
+    /// </summary>
+    [JsonPropertyName("auth")]
+    public AuthDescriptor? Auth { get; init; }
+
+    /// <summary>
+    /// Security controls in place.
+    /// </summary>
+    [JsonPropertyName("controls")]
+    public IReadOnlyList<ControlDescriptor>? Controls { get; init; }
+
+    /// <summary>
+    /// When the boundary was last verified.
+    /// </summary>
+    [JsonPropertyName("last_seen")]
+    public DateTimeOffset LastSeen { get; init; }
+
+    /// <summary>
+    /// Confidence score (0.0 to 1.0).
+    /// </summary>
+    [JsonPropertyName("confidence")]
+    public double Confidence { get; init; }
+}
+
+/// <summary>
+/// Describes what attack surface is exposed.
+/// </summary>
+public sealed record SurfaceDescriptor
+{
+    /// <summary>
+    /// Type of surface (api, web, cli, library).
+    /// </summary>
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Protocol (http, https, grpc, tcp).
+    /// </summary>
+    [JsonPropertyName("protocol")]
+    public string? Protocol { get; init; }
+
+    /// <summary>
+    /// Port number if network-exposed.
+    /// </summary>
+    [JsonPropertyName("port")]
+    public int? Port { get; init; }
+}
+
+/// <summary>
+/// Describes how the surface is exposed.
+/// </summary>
+public sealed record ExposureDescriptor
+{
+    /// <summary>
+    /// Exposure level (public, internal, private).
+    /// </summary>
+    [JsonPropertyName("level")]
+    public string Level { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Whether the exposure is internet-facing.
+    /// </summary>
+    [JsonPropertyName("internet_facing")]
+    public bool InternetFacing { get; init; }
+
+    /// <summary>
+    /// Network zone (dmz, internal, trusted).
+    /// </summary>
+    [JsonPropertyName("zone")]
+    public string? Zone { get; init; }
+}
+
+/// <summary>
+/// Describes authentication requirements.
+/// </summary>
+public sealed record AuthDescriptor
+{
+    /// <summary>
+    /// Whether authentication is required.
+    /// </summary>
+    [JsonPropertyName("required")]
+    public bool Required { get; init; }
+
+    /// <summary>
+    /// Authentication type (jwt, oauth2, basic, api_key).
+    /// </summary>
+    [JsonPropertyName("type")]
+    public string? Type { get; init; }
+
+    /// <summary>
+    /// Required roles/scopes.
+    /// </summary>
+    [JsonPropertyName("roles")]
+    public IReadOnlyList<string>? Roles { get; init; }
+}
+
+/// <summary>
+/// Describes a security control.
+/// </summary>
+public sealed record ControlDescriptor
+{
+    /// <summary>
+    /// Type of control (rate_limit, waf, input_validation, etc.).
+    /// </summary>
+    [JsonPropertyName("type")]
+    public string Type { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Whether the control is active.
+    /// </summary>
+    [JsonPropertyName("active")]
+    public bool Active { get; init; }
+
+    /// <summary>
+    /// Control configuration details.
+    /// </summary>
+    [JsonPropertyName("config")]
+    public string? Config { get; init; }
+}
+
+/// <summary>
+/// VEX (Vulnerability Exploitability eXchange) evidence.
+/// </summary>
+public sealed record VexEvidenceDto
+{
+    /// <summary>
+    /// VEX status (not_affected, affected, fixed, under_investigation).
+    /// </summary>
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Justification for the status.
+    /// </summary>
+    [JsonPropertyName("justification")]
+    public string? Justification { get; init; }
+
+    /// <summary>
+    /// Impact statement explaining why not affected.
+    /// </summary>
+    [JsonPropertyName("impact")]
+    public string? Impact { get; init; }
+
+    /// <summary>
+    /// Action statement (remediation steps).
+    /// </summary>
+    [JsonPropertyName("action")]
+    public string? Action { get; init; }
+
+    /// <summary>
+    /// Reference to the VEX document/attestation.
+    /// </summary>
+    [JsonPropertyName("attestation_ref")]
+    public string? AttestationRef { get; init; }
+
+    /// <summary>
+    /// When the VEX statement was issued.
+    /// </summary>
+    [JsonPropertyName("issued_at")]
+    public DateTimeOffset? IssuedAt { get; init; }
+
+    /// <summary>
+    /// When the VEX statement expires.
+    /// </summary>
+    [JsonPropertyName("expires_at")]
+    public DateTimeOffset? ExpiresAt { get; init; }
+
+    /// <summary>
+    /// Source of the VEX statement (vendor, first-party, third-party).
+    /// </summary>
+    [JsonPropertyName("source")]
+    public string? Source { get; init; }
+}
+
+/// <summary>
+/// Score explanation with additive breakdown of risk factors.
+/// </summary>
+public sealed record ScoreExplanationDto
+{
+    /// <summary>
+    /// Kind of scoring algorithm (stellaops_risk_v1, cvss_v4, etc.).
+    /// </summary>
+    [JsonPropertyName("kind")]
+    public string Kind { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Final computed risk score.
+    /// </summary>
+    [JsonPropertyName("risk_score")]
+    public double RiskScore { get; init; }
+
+    /// <summary>
+    /// Individual score contributions.
+    /// </summary>
+    [JsonPropertyName("contributions")]
+    public IReadOnlyList<ScoreContributionDto>? Contributions { get; init; }
+
+    /// <summary>
+    /// When the score was computed.
+    /// </summary>
+    [JsonPropertyName("last_seen")]
+    public DateTimeOffset LastSeen { get; init; }
+}
+
+/// <summary>
+/// Individual contribution to the risk score.
+/// </summary>
+public sealed record ScoreContributionDto
+{
+    /// <summary>
+    /// Factor name (cvss_base, epss, reachability, gate_multiplier, etc.).
+    /// </summary>
+    [JsonPropertyName("factor")]
+    public string Factor { get; init; } = string.Empty;
+
+    /// <summary>
+    /// Weight applied to this factor (0.0 to 1.0).
+    /// </summary>
+    [JsonPropertyName("weight")]
+    public double Weight { get; init; }
+
+    /// <summary>
+    /// Raw value before weighting.
+    /// </summary>
+    [JsonPropertyName("raw_value")]
+    public double RawValue { get; init; }
+
+    /// <summary>
+    /// Weighted contribution to final score.
+    /// </summary>
+    [JsonPropertyName("contribution")]
+    public double Contribution { get; init; }
+
+    /// <summary>
+    /// Human-readable explanation of this factor.
+    /// </summary>
+    [JsonPropertyName("explanation")]
+    public string? Explanation { get; init; }
+}

src/Scanner/StellaOps.Scanner.WebService/Endpoints/WitnessEndpoints.cs

@@ -0,0 +1,251 @@
+// -----------------------------------------------------------------------------
+// WitnessEndpoints.cs
+// Sprint: SPRINT_3700_0001_0001_witness_foundation
+// Task: WIT-010
+// Description: API endpoints for DSSE-signed path witnesses.
+// -----------------------------------------------------------------------------
+
+using System.Text.Json;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using StellaOps.Scanner.Storage.Repositories;
+using StellaOps.Scanner.WebService.Security;
+
+namespace StellaOps.Scanner.WebService.Endpoints;
+
+internal static class WitnessEndpoints
+{
+    public static void MapWitnessEndpoints(this RouteGroupBuilder apiGroup, string witnessSegment = "witnesses")
+    {
+        ArgumentNullException.ThrowIfNull(apiGroup);
+
+        var witnesses = apiGroup.MapGroup($"/{witnessSegment.TrimStart('/')}");
+
+        witnesses.MapGet("/{witnessId:guid}", HandleGetWitnessByIdAsync)
+            .WithName("scanner.witnesses.get")
+            .Produces<WitnessResponseDto>(StatusCodes.Status200OK)
+            .Produces(StatusCodes.Status404NotFound)
+            .RequireAuthorization(ScannerPolicies.ScansRead);
+
+        witnesses.MapGet("", HandleListWitnessesAsync)
+            .WithName("scanner.witnesses.list")
+            .Produces<WitnessListResponseDto>(StatusCodes.Status200OK)
+            .RequireAuthorization(ScannerPolicies.ScansRead);
+
+        witnesses.MapGet("/by-hash/{witnessHash}", HandleGetWitnessByHashAsync)
+            .WithName("scanner.witnesses.get-by-hash")
+            .Produces<WitnessResponseDto>(StatusCodes.Status200OK)
+            .Produces(StatusCodes.Status404NotFound)
+            .RequireAuthorization(ScannerPolicies.ScansRead);
+
+        witnesses.MapPost("/{witnessId:guid}/verify", HandleVerifyWitnessAsync)
+            .WithName("scanner.witnesses.verify")
+            .Produces<WitnessVerificationResponseDto>(StatusCodes.Status200OK)
+            .Produces(StatusCodes.Status404NotFound)
+            .RequireAuthorization(ScannerPolicies.ScansRead);
+    }
+
+    private static async Task<IResult> HandleGetWitnessByIdAsync(
+        Guid witnessId,
+        IWitnessRepository repository,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(repository);
+
+        var witness = await repository.GetByIdAsync(witnessId, cancellationToken).ConfigureAwait(false);
+        if (witness is null)
+        {
+            return Results.NotFound();
+        }
+
+        return Results.Ok(MapToDto(witness));
+    }
+
+    private static async Task<IResult> HandleGetWitnessByHashAsync(
+        string witnessHash,
+        IWitnessRepository repository,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(repository);
+
+        if (string.IsNullOrWhiteSpace(witnessHash))
+        {
+            return Results.NotFound();
+        }
+
+        var witness = await repository.GetByHashAsync(witnessHash, cancellationToken).ConfigureAwait(false);
+        if (witness is null)
+        {
+            return Results.NotFound();
+        }
+
+        return Results.Ok(MapToDto(witness));
+    }
+
+    private static async Task<IResult> HandleListWitnessesAsync(
+        HttpContext context,
+        IWitnessRepository repository,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(repository);
+
+        var query = context.Request.Query;
+        IReadOnlyList<WitnessRecord> witnesses;
+
+        if (query.TryGetValue("scanId", out var scanIdValue) && Guid.TryParse(scanIdValue, out var scanId))
+        {
+            witnesses = await repository.GetByScanIdAsync(scanId, cancellationToken).ConfigureAwait(false);
+        }
+        else if (query.TryGetValue("cve", out var cveValue) && !string.IsNullOrWhiteSpace(cveValue))
+        {
+            witnesses = await repository.GetByCveAsync(cveValue!, cancellationToken).ConfigureAwait(false);
+        }
+        else if (query.TryGetValue("graphHash", out var graphHashValue) && !string.IsNullOrWhiteSpace(graphHashValue))
+        {
+            witnesses = await repository.GetByGraphHashAsync(graphHashValue!, cancellationToken).ConfigureAwait(false);
+        }
+        else
+        {
+            // No filter provided - return empty list (avoid full table scan)
+            witnesses = [];
+        }
+
+        return Results.Ok(new WitnessListResponseDto
+        {
+            Witnesses = witnesses.Select(MapToDto).ToList(),
+            TotalCount = witnesses.Count
+        });
+    }
+
+    private static async Task<IResult> HandleVerifyWitnessAsync(
+        Guid witnessId,
+        IWitnessRepository repository,
+        CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(repository);
+
+        var witness = await repository.GetByIdAsync(witnessId, cancellationToken).ConfigureAwait(false);
+        if (witness is null)
+        {
+            return Results.NotFound();
+        }
+
+        // Basic verification: check if DSSE envelope exists and witness hash is valid
+        var verificationStatus = "valid";
+        string? verificationError = null;
+
+        if (string.IsNullOrEmpty(witness.DsseEnvelope))
+        {
+            verificationStatus = "unsigned";
+            verificationError = "Witness does not have a DSSE envelope";
+        }
+        else
+        {
+            // TODO: WIT-009 - Add actual DSSE signature verification via Attestor
+            // For now, just check the envelope structure
+            try
+            {
+                var envelope = JsonDocument.Parse(witness.DsseEnvelope);
+                if (!envelope.RootElement.TryGetProperty("signatures", out var signatures) ||
+                    signatures.GetArrayLength() == 0)
+                {
+                    verificationStatus = "invalid";
+                    verificationError = "DSSE envelope has no signatures";
+                }
+            }
+            catch (JsonException ex)
+            {
+                verificationStatus = "invalid";
+                verificationError = $"Invalid DSSE envelope JSON: {ex.Message}";
+            }
+        }
+
+        // Record verification attempt
+        await repository.RecordVerificationAsync(new WitnessVerificationRecord
+        {
+            WitnessId = witnessId,
+            VerifiedAt = DateTimeOffset.UtcNow,
+            VerifiedBy = "api",
+            VerificationStatus = verificationStatus,
+            VerificationError = verificationError
+        }, cancellationToken).ConfigureAwait(false);
+
+        return Results.Ok(new WitnessVerificationResponseDto
+        {
+            WitnessId = witnessId,
+            WitnessHash = witness.WitnessHash,
+            Status = verificationStatus,
+            Error = verificationError,
+            VerifiedAt = DateTimeOffset.UtcNow,
+            IsSigned = !string.IsNullOrEmpty(witness.DsseEnvelope)
+        });
+    }
+
+    private static WitnessResponseDto MapToDto(WitnessRecord record)
+    {
+        return new WitnessResponseDto
+        {
+            WitnessId = record.WitnessId,
+            WitnessHash = record.WitnessHash,
+            SchemaVersion = record.SchemaVersion,
+            WitnessType = record.WitnessType,
+            GraphHash = record.GraphHash,
+            ScanId = record.ScanId,
+            RunId = record.RunId,
+            CreatedAt = record.CreatedAt,
+            SignedAt = record.SignedAt,
+            SignerKeyId = record.SignerKeyId,
+            EntrypointFqn = record.EntrypointFqn,
+            SinkCve = record.SinkCve,
+            IsSigned = !string.IsNullOrEmpty(record.DsseEnvelope),
+            Payload = JsonDocument.Parse(record.PayloadJson).RootElement,
+            DsseEnvelope = string.IsNullOrEmpty(record.DsseEnvelope) 
+                ? null 
+                : JsonDocument.Parse(record.DsseEnvelope).RootElement
+        };
+    }
+}
+
+/// <summary>
+/// Response DTO for a single witness.
+/// </summary>
+public sealed record WitnessResponseDto
+{
+    public Guid WitnessId { get; init; }
+    public required string WitnessHash { get; init; }
+    public required string SchemaVersion { get; init; }
+    public required string WitnessType { get; init; }
+    public required string GraphHash { get; init; }
+    public Guid? ScanId { get; init; }
+    public Guid? RunId { get; init; }
+    public DateTimeOffset CreatedAt { get; init; }
+    public DateTimeOffset? SignedAt { get; init; }
+    public string? SignerKeyId { get; init; }
+    public string? EntrypointFqn { get; init; }
+    public string? SinkCve { get; init; }
+    public bool IsSigned { get; init; }
+    public JsonElement Payload { get; init; }
+    public JsonElement? DsseEnvelope { get; init; }
+}
+
+/// <summary>
+/// Response DTO for witness list.
+/// </summary>
+public sealed record WitnessListResponseDto
+{
+    public required IReadOnlyList<WitnessResponseDto> Witnesses { get; init; }
+    public int TotalCount { get; init; }
+}
+
+/// <summary>
+/// Response DTO for witness verification.
+/// </summary>
+public sealed record WitnessVerificationResponseDto
+{
+    public Guid WitnessId { get; init; }
+    public required string WitnessHash { get; init; }
+    public required string Status { get; init; }
+    public string? Error { get; init; }
+    public DateTimeOffset VerifiedAt { get; init; }
+    public bool IsSigned { get; init; }
+}

src/Scanner/StellaOps.Scanner.WebService/Program.cs

@@ -470,6 +470,7 @@ apiGroup.MapScanEndpoints(resolvedOptions.Api.ScansSegment);
 apiGroup.MapReachabilityDriftRootEndpoints();
 apiGroup.MapProofSpineEndpoints(resolvedOptions.Api.SpinesSegment, resolvedOptions.Api.ScansSegment);
 apiGroup.MapReplayEndpoints();
+apiGroup.MapWitnessEndpoints(); // Sprint: SPRINT_3700_0001_0001
 
 if (resolvedOptions.Features.EnablePolicyPreview)
 {