feat: Implement Filesystem and MongoDB provenance writers for PackRun execution context

- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem.
- Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB.
- Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB.
- Developed unit tests for filesystem and MongoDB provenance writers.
- Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling.
- Implemented `TimelineIngestionService` to validate and persist timeline events with hashing.
- Created PostgreSQL schema and migration scripts for timeline indexing.
- Added dependency injection support for timeline indexer services.
- Developed tests for timeline ingestion and schema validation.

docs/modules/attestor/README.md

@@ -2,8 +2,10 @@
 
 Attestor converts signed DSSE evidence from the Signer into transparency-log proofs and verifiable reports for every downstream surface (Policy Engine, Export Center, CLI, Console, Scheduler). It is the trust backbone that proves SBOM, scan, VEX, and policy artefacts were signed, witnessed, and preserved without tampering.
 
-## Latest updates (2025-10-19)
-- Platform Events refresh published canonical `attestor.logged@1` samples under `docs/events/samples/` and validated schemas (`docs/updates/2025-10-18-docs-guild.md`, `docs/updates/2025-10-19-docs-guild.md`). Consumers should align verification workflows and tests with those sample envelopes.
+## Latest updates (2025-11-30)
+- Sprint tracker `docs/implplan/SPRINT_0313_0001_0001_docs_modules_attestor.md` and module `TASKS.md` added to mirror status.
+- Observability runbook stub + dashboard placeholder added under `operations/` (offline import) pending next demo outputs.
+- Platform Events samples (2025-10-18/19) remain the current canonical `attestor.logged@1`; keep verification workflows aligned.
 
 ## Why it exists
 - **Evidence first:** organisations need portable, verifiable attestations that prove build provenance, SBOM availability, policy verdicts, and VEX statements.
@@ -44,10 +46,11 @@ All predicates capture subjects, issuer metadata, policy context, materials, opt
 - Export Center packages attestation bundles (`stella export attestation-bundle`) for Offline Kit delivery.
 - Transparency logs can be mirrored; offline mode records gaps and provides compensating controls.
 
-## Observability & performance
-- Metrics: `attestor_submission_total`, `attestor_verify_seconds`, `attestor_cache_hit_ratio`, `attestor_rekor_latency_seconds`.
-- Logs capture tenant, issuer, subject digests, Rekor UUID, proof status, and policy verdict.
-- Performance target: ≥1 000 envelopes/minute per worker with cached verification, batched operations, and concurrency controls.
+## Observability & performance
+- Metrics: `attestor_submission_total`, `attestor_verify_seconds`, `attestor_cache_hit_ratio`, `attestor_rekor_latency_seconds`.
+- Logs capture tenant, issuer, subject digests, Rekor UUID, proof status, and policy verdict.
+- Performance target: ≥1 000 envelopes/minute per worker with cached verification, batched operations, and concurrency controls.
+- Observability assets: `operations/observability.md` and `operations/dashboards/attestor-observability.json` (offline import).
 
 ## Key integrations
 - Signer (DSSE source), Authority (scopes & tenancy), Export Center (attestation bundles), Policy Engine (verification policies), Scanner/Excititor (subject evidence), Notify (key rotation & verification alerts), Observability stack (dashboards/alerts).

docs/modules/attestor/TASKS.md

@@ -0,0 +1,9 @@
+# Attestor · TASKS (status mirror)
+
+| Task ID | Status | Owner(s) | Notes / Evidence |
+| --- | --- | --- | --- |
+| ATTESTOR-DOCS-0001 | DONE (2025-11-05) | Docs Guild | README aligned with latest release notes and attestation samples. |
+| ATTESTOR-OPS-0001 | BLOCKED (2025-11-30) | Ops Guild | Await next demo outputs; observability runbook stub added. |
+| ATTESTOR-ENG-0001 | DONE (2025-11-27) | Module Team | Implementation plan readiness tracker added. |
+
+> Keep this table in lockstep with `docs/implplan/SPRINT_0313_0001_0001_docs_modules_attestor.md` (TODO/DOING/DONE/BLOCKED updates go to both files).

docs/modules/attestor/operations/dashboards/attestor-observability.json

@@ -0,0 +1,6 @@
+{
+  "_note": "Placeholder Grafana dashboard stub for Attestor. Replace panels when metrics endpoints are available; keep offline-import friendly.",
+  "schemaVersion": 39,
+  "title": "Attestor Observability (stub)",
+  "panels": []
+}

docs/modules/attestor/operations/observability.md

@@ -0,0 +1,39 @@
+# Attestor observability runbook (stub · 2025-11-29 demo)
+
+## Dashboards (offline import)
+- Grafana JSON: `docs/modules/attestor/operations/dashboards/attestor-observability.json` (import locally; no external data sources assumed).
+- Planned panels: signing latency p95/p99, verification failure rate, transparency log submission lag, key rotation age, DSSE verification errors, queue depth/backlog, and attestation bundle size histogram.
+
+## Key metrics
+- `attestor_sign_latency_seconds_bucket` — signing latency per request.
+- `attestor_verify_failures_total{reason}` — verification failures.
+- `attestor_tlog_submission_latency_seconds_bucket` — transparency log latency.
+- `attestor_key_rotation_age_seconds` — time since last rotation.
+- `attestor_queue_backlog` — pending attestation jobs.
+- `attestor_bundle_size_bytes_bucket` — bundle size distribution.
+
+## Logs & traces
+- Correlate by `correlationId`, `attestationId`, `tenant`, `keyId`. Include `policyVersion`, `tlogIndex`, and `rekorUrl` where applicable.
+- Traces disabled by default for air-gap; enable by pointing OTLP exporter to on-prem collector.
+
+## Health/diagnostics
+- `/health/liveness` and `/health/readiness` check signer availability, tlog reachability, and storage.
+- `/status` exposes build version, commit, feature flags; verify against offline bundle manifest.
+- Verification probe: `POST /api/attestations/verify` with sample bundle once demo outputs land.
+
+## Alert hints
+- Signing latency p99 > 1s.
+- Verification failure spikes.
+- Transparency log submission lag > 10s.
+- Key rotation age exceeding policy threshold.
+- Queue backlog above configured threshold.
+
+## Offline verification steps
+1) Import Grafana JSON locally; point to Prometheus scrape labeled `attestor`.
+2) Run sample verification once demo bundle available and confirm metrics/logs emit locally.
+3) Fetch `/status` and compare commit/version to offline bundle manifest.
+
+## Evidence locations
+- Sprint tracker: `docs/implplan/SPRINT_0313_0001_0001_docs_modules_attestor.md`.
+- Module docs: `README.md`, `architecture.md`, `implementation_plan.md`.
+- Dashboard stub: `operations/dashboards/attestor-observability.json`.