semi implemented and features implemented save checkpoint

docs/features/unchecked/evidencelocker/doctor-evidence-integrity-check.md

@@ -0,0 +1,30 @@
+# Doctor Evidence Integrity Check (DSSE + Rekor + Hash Verification)
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Doctor health check that validates DSSE signature validity, Rekor inclusion (or offline ledger), and evidence hash consistency using canonical JSON, with deterministic and offline-friendly output.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/`
+- **Key Classes**:
+  - `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - validates DSSE signatures on evidence bundles
+  - `Rfc3161TimestampAuthorityClient` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/Rfc3161TimestampAuthorityClient.cs`) - RFC 3161 timestamp verification for Rekor receipts
+  - `NullTimestampAuthorityClient` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/NullTimestampAuthorityClient.cs`) - no-op timestamp client for offline mode
+  - `MerkleTreeCalculator` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Builders/MerkleTreeCalculator.cs`) - recomputes Merkle tree hashes for integrity verification
+  - `EvidenceAuditLogger` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Audit/EvidenceAuditLogger.cs`) - logs integrity check results
+  - `OfflineTimestampVerifier` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Verification/OfflineTimestampVerifier.cs`) - verifies timestamps offline without network access
+- **Interfaces**: `IEvidenceSignatureService`, `ITimestampAuthorityClient`
+- **Source**: SPRINT_20260112_004_LB_doctor_evidence_integrity_checks.md
+
+## E2E Test Plan
+- [ ] Run doctor integrity check on a valid evidence bundle and verify DSSE signature, Rekor inclusion, and hash consistency all pass
+- [ ] Tamper with an evidence bundle payload and verify `EvidenceSignatureService` detects the DSSE signature mismatch
+- [ ] Verify `MerkleTreeCalculator` recomputes the Merkle root and detects a modified evidence item
+- [ ] Verify `OfflineTimestampVerifier` validates timestamps without network access using bundled Rekor receipts
+- [ ] Verify `Rfc3161TimestampAuthorityClient` validates RFC 3161 timestamps against the authority
+- [ ] Verify integrity check output is deterministic: same bundle produces identical check results across runs

docs/features/unchecked/evidencelocker/evidence-bundle-export-with-embedded-verify-scripts.md

@@ -0,0 +1,32 @@
+# Evidence Bundle Export with Embedded Verify Scripts
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Standardized evidence-bundle tar.gz export format with embedded verify.sh (POSIX) and verify.ps1 (PowerShell) scripts, bundled public keys for offline verification, Merkle root verification (RFC 6962), BSD-format SHA256 checksums, and async export worker for large bundles with status tracking (pending/processing/ready/failed).
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/Api/`
+- **Key Classes**:
+  - `TarGzBundleExporter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/TarGzBundleExporter.cs`) - creates tar.gz bundles with embedded verify scripts and checksums
+  - `VerifyScriptGenerator` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/VerifyScriptGenerator.cs`) - generates verify.sh (POSIX) and verify.ps1 (PowerShell) scripts
+  - `MerkleTreeBuilder` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/MerkleTreeBuilder.cs`) - builds Merkle tree for bundle integrity (RFC 6962)
+  - `ChecksumFileWriter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/ChecksumFileWriter.cs`) - writes BSD-format SHA256 checksums
+  - `BundleManifest` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs`) - manifest model for bundle contents
+  - `BundleMetadata` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleMetadata.cs`) - metadata model for bundle export
+  - `ExportEndpoints` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/ExportEndpoints.cs`) - REST endpoints for export operations
+  - `ExportJobService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/ExportJobService.cs`) - async export worker with status tracking
+- **Interfaces**: `IEvidenceBundleExporter`, `IBundleDataProvider`, `IExportJobService`
+- **Source**: SPRINT_20260106_003_003_EVIDENCE_export_bundle.md
+
+## E2E Test Plan
+- [ ] Export an evidence bundle via `ExportEndpoints` and verify the tar.gz contains verify.sh, verify.ps1, checksums, and public keys
+- [ ] Extract the bundle and run the embedded verify.sh script to confirm it validates checksums and Merkle root
+- [ ] Verify `MerkleTreeBuilder` produces RFC 6962-compliant Merkle tree with correct root hash
+- [ ] Verify `ChecksumFileWriter` writes BSD-format SHA256 checksums matching each file in the bundle
+- [ ] Submit a large bundle export and verify `ExportJobService` tracks status through pending/processing/ready states
+- [ ] Verify the exported bundle can be verified offline using only the embedded scripts and bundled public keys

docs/features/unchecked/evidencelocker/evidence-bundle-importer.md

@@ -0,0 +1,25 @@
+# Evidence Bundle Importer (Import Pipeline)
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Import pipeline for evidence bundles with DSSE signature verification, content-addressed ID recomputation, deduplication, and conflict resolution. Complements the existing "Evidence Bundles (Release Evidence Packs)" and "Audit Bundle Export" with inbound import capability.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Import/`
+- **Key Classes**:
+  - `EvidenceBundleImporter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Import/EvidenceBundleImporter.cs`) - imports evidence bundles with DSSE verification, ID recomputation, deduplication, and conflict resolution
+- **Interfaces**: None (uses concrete importer)
+- **Source**: batch_37/file_04.md
+
+## E2E Test Plan
+- [ ] Import a valid evidence bundle via `EvidenceBundleImporter` and verify DSSE signature is validated before ingestion
+- [ ] Verify content-addressed IDs are recomputed during import and match the bundle manifest
+- [ ] Import a duplicate bundle and verify deduplication prevents redundant storage
+- [ ] Import a bundle with a conflicting ID (same ID, different content) and verify conflict resolution handles it
+- [ ] Import a bundle with an invalid DSSE signature and verify the import is rejected
+- [ ] Verify imported bundles are queryable through the standard evidence locker API after import

docs/features/unchecked/evidencelocker/evidence-card-api-endpoint.md

@@ -0,0 +1,30 @@
+# Evidence Card API Endpoint
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+API endpoint for evidence card export with format query parameter, response headers (X-Evidence-Pack-Id, X-Content-Digest, X-Evidence-Card-Version, X-Rekor-Log-Index), and OpenAPI spec.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/Api/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/`
+- **Key Classes**:
+  - `ExportEndpoints` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/ExportEndpoints.cs`) - REST endpoints for evidence card export with format parameter
+  - `ExportJobService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/ExportJobService.cs`) - manages export jobs for evidence cards
+  - `VerdictEndpoints` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/VerdictEndpoints.cs`) - verdict-related API endpoints
+  - `VerdictContracts` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/VerdictContracts.cs`) - API contract models for verdict data
+  - `EvidenceContracts` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Contracts/EvidenceContracts.cs`) - API contract models for evidence data
+  - `EvidencePortableBundleService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidencePortableBundleService.cs`) - creates portable evidence bundles for export
+- **Interfaces**: `IExportJobService`
+- **Source**: SPRINT_20260112_005_BE_evidence_card_api.md
+
+## E2E Test Plan
+- [ ] Call the evidence card export endpoint and verify response includes X-Evidence-Pack-Id, X-Content-Digest, X-Evidence-Card-Version, and X-Rekor-Log-Index headers
+- [ ] Export with format=json and verify the response is valid JSON matching the evidence card schema
+- [ ] Export with format=tar.gz and verify a downloadable archive is returned via `EvidencePortableBundleService`
+- [ ] Verify `VerdictEndpoints` returns verdict data with proper contract models from `VerdictContracts`
+- [ ] Verify the API is documented in OpenAPI spec with correct parameter and response schemas
+- [ ] Verify export of a non-existent evidence card returns a 404 with appropriate error message

docs/features/unchecked/evidencelocker/evidence-card-core.md

@@ -0,0 +1,30 @@
+# Evidence Card Core (Single-File Receipt Export)
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Single-file evidence card export packaging SBOM excerpt, DSSE envelope, and Rekor receipt with deterministic output and offline verification support.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/`
+- **Key Classes**:
+  - `EvidencePortableBundleService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidencePortableBundleService.cs`) - creates portable single-file evidence cards
+  - `EvidenceBundlePackagingService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidenceBundlePackagingService.cs`) - packages evidence with SBOM excerpt, DSSE envelope, and Rekor receipt
+  - `EvidenceBundleBuilder` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Builders/EvidenceBundleBuilder.cs`) - builds evidence bundles with deterministic output
+  - `EvidenceBundleMetadata` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceBundleMetadata.cs`) - metadata for evidence bundles
+  - `EvidenceBundleSignature` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceBundleSignature.cs`) - DSSE signature data for evidence bundles
+  - `EvidenceIdentifiers` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceIdentifiers.cs`) - content-addressed identifiers for evidence items
+- **Interfaces**: `IEvidenceBundleBuilder`
+- **Source**: SPRINT_20260112_004_LB_evidence_card_core.md
+
+## E2E Test Plan
+- [ ] Export an evidence card via `EvidencePortableBundleService` and verify it contains SBOM excerpt, DSSE envelope, and Rekor receipt
+- [ ] Verify `EvidenceBundleBuilder` produces deterministic output: exporting the same evidence twice yields bit-identical cards
+- [ ] Verify `EvidenceBundleSignature` includes a valid DSSE signature that can be verified offline
+- [ ] Verify `EvidenceIdentifiers` generates content-addressed IDs consistent with the evidence payload
+- [ ] Verify the evidence card can be verified offline using only the embedded DSSE envelope and public key
+- [ ] Verify `EvidenceBundlePackagingService` packages all required artifacts into a single-file format

docs/features/unchecked/evidencelocker/evidence-locker-with-deterministic-bundles.md

@@ -0,0 +1,32 @@
+# Evidence Locker with Deterministic Bundles
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Full Evidence Locker module with snapshot services, timeline publishing, and infrastructure for deterministic evidence bundle management.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/`
+- **Key Classes**:
+  - `EvidenceSnapshotService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidenceSnapshotService.cs`) - creates point-in-time snapshots of evidence state
+  - `EvidenceBundleBuilder` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Builders/EvidenceBundleBuilder.cs`) - builds deterministic evidence bundles
+  - `EvidenceBundleRepository` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Repositories/EvidenceBundleRepository.cs`) - persists and retrieves evidence bundles
+  - `TimelineIndexerEvidenceTimelinePublisher` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Timeline/TimelineIndexerEvidenceTimelinePublisher.cs`) - publishes evidence events to timeline for audit trail
+  - `NullEvidenceTimelinePublisher` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Timeline/NullEvidenceTimelinePublisher.cs`) - no-op timeline publisher for testing
+  - `EvidenceSnapshotModels` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceSnapshotModels.cs`) - snapshot data models
+  - `EvidenceLockerOptions` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Configuration/EvidenceLockerOptions.cs`) - configuration options for evidence locker
+  - `EvidenceLockerMigrationRunner` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Db/EvidenceLockerMigrationRunner.cs`) - database migration runner
+- **Interfaces**: `IEvidenceBundleBuilder`, `IEvidenceBundleRepository`, `IEvidenceTimelinePublisher`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Create an evidence bundle via `EvidenceBundleBuilder` and verify `EvidenceBundleRepository` persists it with deterministic content-addressed ID
+- [ ] Create a snapshot via `EvidenceSnapshotService` and verify it captures the current evidence state accurately
+- [ ] Verify `TimelineIndexerEvidenceTimelinePublisher` publishes evidence events to the timeline index
+- [ ] Verify deterministic output: building the same evidence inputs twice produces identical bundle content and ID
+- [ ] Verify `EvidenceLockerOptions` correctly configures storage backend, retention, and signing options
+- [ ] Verify `EvidenceLockerMigrationRunner` applies database migrations on startup

docs/features/unchecked/evidencelocker/evidence-packets-for-every-decision.md

@@ -0,0 +1,30 @@
+# Evidence Packets for Every Decision
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Evidence bundles with manifests, attestations, and export capabilities are implemented for audit-grade decision records.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`, `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/`
+- **Key Classes**:
+  - `EvidenceBundleBuilder` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Builders/EvidenceBundleBuilder.cs`) - builds evidence bundles for decision records
+  - `EvidenceBundlePackagingService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidenceBundlePackagingService.cs`) - packages evidence with attestations
+  - `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - signs evidence bundles with DSSE
+  - `BundleManifest` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs`) - manifest listing bundle contents and hashes
+  - `TarGzBundleExporter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/TarGzBundleExporter.cs`) - exports bundles as tar.gz archives
+  - `EvidenceBundleMetadata` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceBundleMetadata.cs`) - metadata for each decision's evidence packet
+- **Interfaces**: `IEvidenceBundleBuilder`, `IEvidenceSignatureService`, `IEvidenceBundleExporter`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Record a release decision and verify `EvidenceBundleBuilder` creates an evidence packet with the decision context
+- [ ] Verify `BundleManifest` lists all evidence items with their content-addressed hashes
+- [ ] Verify `EvidenceSignatureService` signs the evidence packet and the signature is verifiable
+- [ ] Export the decision evidence packet via `TarGzBundleExporter` and verify the archive is complete
+- [ ] Verify every decision type (promote, block, rollback, override) generates a corresponding evidence packet
+- [ ] Verify evidence packets are immutable: attempting to modify after creation fails

docs/features/unchecked/evidencelocker/evidence-re-index-tooling.md

@@ -0,0 +1,29 @@
+# Evidence Re-Index Tooling (CLI)
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+CLI commands for evidence store maintenance including reindexing (`stella evidence reindex`), chain-of-custody verification (`stella evidence verify-continuity`), and evidence migration between storage backends.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Reindexing/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Reindexing/`
+- **Key Classes**:
+  - `EvidenceReindexService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Reindexing/EvidenceReindexService.cs`) - rebuilds evidence indexes from object store contents
+  - `EvidenceBundleRepository` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Repositories/EvidenceBundleRepository.cs`) - repository layer for re-indexed bundles
+  - `StorageKeyGenerator` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/StorageKeyGenerator.cs`) - generates consistent storage keys for evidence items
+  - `FileSystemEvidenceObjectStore` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/FileSystemEvidenceObjectStore.cs`) - filesystem storage backend
+  - `S3EvidenceObjectStore` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/S3EvidenceObjectStore.cs`) - S3 storage backend for migration
+- **Interfaces**: `IEvidenceReindexService`
+- **Source**: SPRINT_20260112_018_EVIDENCE_reindex_tooling.md
+
+## E2E Test Plan
+- [ ] Run `EvidenceReindexService` and verify it rebuilds the evidence index from object store contents
+- [ ] Verify reindexing preserves all evidence bundle metadata and content-addressed IDs
+- [ ] Verify chain-of-custody verification detects a gap in the evidence timeline
+- [ ] Migrate evidence from `FileSystemEvidenceObjectStore` to `S3EvidenceObjectStore` and verify all bundles are accessible
+- [ ] Verify `StorageKeyGenerator` produces consistent keys before and after reindexing
+- [ ] Verify reindexing handles corrupt or missing files gracefully with error reporting

docs/features/unchecked/evidencelocker/incident-mode.md

@@ -0,0 +1,26 @@
+# Incident Mode
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Incident mode management with state tracking, manager service, and incident notifier for evidence integrity violations.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/`
+- **Key Classes**:
+  - `IncidentModeManager` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/IncidentModeManager.cs`) - manages incident mode activation, deactivation, and state transitions
+  - `EvidenceAuditLogger` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Audit/EvidenceAuditLogger.cs`) - logs audit events during incident mode
+- **Interfaces**: `IIncidentModeState`, `IEvidenceIncidentNotifier`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Activate incident mode via `IncidentModeManager` and verify `IIncidentModeState` reflects the active state
+- [ ] Verify `IEvidenceIncidentNotifier` sends notifications when evidence integrity violations are detected
+- [ ] Verify incident mode prevents evidence deletion or modification while active
+- [ ] Deactivate incident mode and verify normal operations resume
+- [ ] Verify `EvidenceAuditLogger` records incident mode activation/deactivation events with timestamps
+- [ ] Verify incident mode state persists across service restarts

docs/features/unchecked/evidencelocker/offline-kit-with-sbom-dsse-rekor-receipt.md

@@ -0,0 +1,32 @@
+# Offline Kit with SBOM + DSSE + Rekor Receipt
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Offline kit import with SBOM, DSSE attestation verification, offline timestamp verification, and bundled test fixtures for offline scenarios.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/`, `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Import/`, `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/`
+- **Key Classes**:
+  - `TimestampBundleExporter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Bundle/TimestampBundleExporter.cs`) - exports timestamp bundles for offline kits
+  - `TimestampBundleImporter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Bundle/TimestampBundleImporter.cs`) - imports timestamp bundles from offline kits
+  - `OfflineTimestampVerifier` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Verification/OfflineTimestampVerifier.cs`) - verifies Rekor timestamps offline
+  - `TimestampEvidence` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Models/TimestampEvidence.cs`) - timestamp evidence data model
+  - `RevocationEvidence` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Models/RevocationEvidence.cs`) - revocation evidence for offline verification
+  - `RetimestampService` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/RetimestampService.cs`) - re-timestamps evidence for extended retention
+  - `TimestampEvidenceRepository` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/TimestampEvidenceRepository.cs`) - persists timestamp evidence
+  - `EvidenceBundleImporter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Import/EvidenceBundleImporter.cs`) - imports evidence bundles from offline kits
+- **Interfaces**: `IRetimestampService`, `ITimestampEvidenceRepository`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Export an offline kit via `TimestampBundleExporter` containing SBOM, DSSE attestation, and Rekor receipt
+- [ ] Import the offline kit via `TimestampBundleImporter` and verify all components are ingested
+- [ ] Verify `OfflineTimestampVerifier` validates Rekor receipts without network access
+- [ ] Verify `RetimestampService` re-timestamps evidence before certificate expiry
+- [ ] Verify `TimestampEvidence` and `RevocationEvidence` models capture all required fields for offline verification
+- [ ] Verify the offline kit can be verified in an air-gapped environment using only bundled artifacts

docs/features/unchecked/evidencelocker/provenance-bundle-export-and-independent-verification.md

@@ -0,0 +1,30 @@
+# Provenance Bundle Export and Independent Verification
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Provenance attestation with build models, signers, and verification is implemented. EvidenceLocker supports tar.gz bundle export with Merkle tree integrity.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`
+- **Key Classes**:
+  - `TarGzBundleExporter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/TarGzBundleExporter.cs`) - exports provenance bundles as tar.gz with Merkle tree
+  - `MerkleTreeBuilder` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/MerkleTreeBuilder.cs`) - builds Merkle tree for bundle integrity verification
+  - `VerifyScriptGenerator` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/VerifyScriptGenerator.cs`) - generates verification scripts for independent verification
+  - `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - signs provenance bundles with DSSE
+  - `EvidencePortableBundleService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidencePortableBundleService.cs`) - creates portable provenance bundles
+  - `BundleManifest` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs`) - manifest with provenance attestation references
+- **Interfaces**: `IEvidenceBundleExporter`, `IEvidenceSignatureService`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Export a provenance bundle via `TarGzBundleExporter` and verify it contains SLSA provenance attestation and Merkle tree
+- [ ] Verify `MerkleTreeBuilder` computes correct Merkle root matching all bundle items
+- [ ] Verify `VerifyScriptGenerator` creates scripts that independently verify provenance signatures and Merkle root
+- [ ] Verify `EvidenceSignatureService` signs the provenance bundle and the signature is independently verifiable
+- [ ] Verify the exported bundle can be verified by a third party using only the bundle contents and public key
+- [ ] Verify `EvidencePortableBundleService` creates a self-contained portable bundle for air-gapped environments

docs/features/unchecked/evidencelocker/rekor-timestamp-in-evidence-graph-metadata.md

@@ -0,0 +1,28 @@
+# Rekor Timestamp in Evidence Graph Metadata
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Evidence graph signature metadata extended with Rekor integrated time (RFC3339) and entry URL for UI timestamp linking and verifiable provenance display.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`
+- **Key Classes**:
+  - `EvidenceBundleSignature` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceBundleSignature.cs`) - extended with Rekor integrated time and entry URL fields
+  - `EvidenceBundleMetadata` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceBundleMetadata.cs`) - metadata model with Rekor timestamp references
+  - `Rfc3161TimestampAuthorityClient` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/Rfc3161TimestampAuthorityClient.cs`) - retrieves and validates RFC 3161 timestamps
+  - `TimelineIndexerEvidenceTimelinePublisher` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Timeline/TimelineIndexerEvidenceTimelinePublisher.cs`) - publishes Rekor-timestamped events to the timeline
+- **Interfaces**: `ITimestampAuthorityClient`, `IEvidenceTimelinePublisher`
+- **Source**: SPRINT_20260112_004_FINDINGS_evidence_graph_rekor_time.md
+
+## E2E Test Plan
+- [ ] Create a signed evidence bundle and verify `EvidenceBundleSignature` includes Rekor integrated time in RFC3339 format
+- [ ] Verify `EvidenceBundleSignature` includes a Rekor entry URL that resolves to the correct log entry
+- [ ] Verify `Rfc3161TimestampAuthorityClient` retrieves and validates RFC 3161 timestamps from the authority
+- [ ] Verify `TimelineIndexerEvidenceTimelinePublisher` publishes events with Rekor timestamps for UI display
+- [ ] Verify the Rekor entry URL is clickable and links to the transparency log entry in the UI
+- [ ] Verify timestamp metadata persists in `EvidenceBundleMetadata` and is returned by API queries

docs/features/unchecked/evidencelocker/s3-object-lock-for-evidence-locker.md

@@ -0,0 +1,28 @@
+# S3 Object Lock (WORM Retention) for Evidence Locker
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Object Lock configuration in EvidenceLockerOptions with mode, default retention days, legal hold; enforcement headers in S3 storage for WORM retention and legal hold behavior with startup validation.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Configuration/`
+- **Key Classes**:
+  - `S3EvidenceObjectStore` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/S3EvidenceObjectStore.cs`) - S3 storage with Object Lock headers for WORM retention
+  - `EvidenceLockerOptions` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Configuration/EvidenceLockerOptions.cs`) - configuration including Object Lock mode, retention days, and legal hold settings
+  - `EvidenceObjectStore` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Storage/EvidenceObjectStore.cs`) - base object store abstraction
+  - `StorageKeyGenerator` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Storage/StorageKeyGenerator.cs`) - generates storage keys for evidence objects
+- **Interfaces**: `IEvidenceLockerStorage`
+- **Source**: SPRINT_20260112_002_EVIDENCE_evidence_locker_audit_pack_hardening.md
+
+## E2E Test Plan
+- [ ] Configure `EvidenceLockerOptions` with Object Lock mode=COMPLIANCE and retention=365 days and verify `S3EvidenceObjectStore` applies WORM headers on write
+- [ ] Verify stored objects cannot be deleted before retention period expires
+- [ ] Enable legal hold via `EvidenceLockerOptions` and verify objects are locked regardless of retention period
+- [ ] Verify startup validation rejects invalid Object Lock configurations (e.g., retention days < 1)
+- [ ] Verify `S3EvidenceObjectStore` sends correct S3 headers (x-amz-object-lock-mode, x-amz-object-lock-retain-until-date, x-amz-object-lock-legal-hold)
+- [ ] Verify Object Lock mode=GOVERNANCE allows deletion with proper override permissions

docs/features/unchecked/evidencelocker/sovereign-crypto-routing-for-evidence-locker.md

@@ -0,0 +1,27 @@
+# Sovereign Crypto Routing for Evidence Locker
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Regional crypto profile routing within the Evidence Locker, directing signing and verification operations to the appropriate crypto provider (FIPS, eIDAS, GOST, SM) based on tenant configuration.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/`
+- **Key Classes**:
+  - `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - routes signing operations to regional crypto providers
+  - `TenantResolution` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Security/TenantResolution.cs`) - resolves tenant context for crypto profile selection
+  - `EvidenceLockerOptions` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Configuration/EvidenceLockerOptions.cs`) - configuration including regional crypto profile settings
+- **Interfaces**: `IEvidenceSignatureService`
+- **Source**: SPRINT_0161_0001_0001_evidencelocker.md
+
+## E2E Test Plan
+- [ ] Configure a tenant with FIPS crypto profile and verify `EvidenceSignatureService` uses FIPS-compliant signing algorithms
+- [ ] Configure a tenant with eIDAS crypto profile and verify eIDAS-compliant signatures are produced
+- [ ] Verify `TenantResolution` correctly resolves the tenant's crypto profile from the request context
+- [ ] Verify signing and verification round-trip: sign with one crypto profile and verify with the same profile
+- [ ] Verify cross-profile verification: an evidence bundle signed with FIPS can be verified using the correct public key
+- [ ] Verify `EvidenceLockerOptions` rejects invalid crypto profile configurations at startup

docs/features/unchecked/evidencelocker/verdict-ledger-bom-ref-extraction-and-indexing.md

@@ -0,0 +1,28 @@
+# Verdict Ledger bom-ref Extraction and Indexing
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Added bom-ref extraction and component-level indexing to the verdict ledger, enabling queries by SBOM component reference for auditing which components were evaluated in each verdict.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/Api/`
+- **Key Classes**:
+  - `PostgresVerdictRepository` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Storage/PostgresVerdictRepository.cs`) - PostgreSQL repository with bom-ref extraction and component-level indexing
+  - `VerdictEndpoints` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/VerdictEndpoints.cs`) - API endpoints for verdict queries including by bom-ref
+  - `VerdictContracts` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/VerdictContracts.cs`) - contract models for verdict data with bom-ref fields
+  - `EvidenceLockerDataSource` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Db/EvidenceLockerDataSource.cs`) - database connection for verdict queries
+- **Interfaces**: `IVerdictRepository`
+- **Source**: SPRINT_20260118_015_Attestor_verdict_ledger_foundation.md
+
+## E2E Test Plan
+- [ ] Store a verdict via `PostgresVerdictRepository` and verify bom-ref fields are extracted and indexed
+- [ ] Query verdicts by bom-ref via `VerdictEndpoints` and verify only verdicts for that component are returned
+- [ ] Verify `VerdictContracts` include bom-ref in response models
+- [ ] Verify component-level indexing: query by bom-ref returns all verdicts that evaluated that component
+- [ ] Verify multiple bom-refs per verdict are correctly indexed and queryable
+- [ ] Verify bom-ref extraction handles edge cases (empty bom-ref, special characters, very long refs)

docs/features/unchecked/evidencelocker/verifiable-evidence-for-every-release-decision.md

@@ -0,0 +1,30 @@
+# Verifiable Evidence for Every Release Decision
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Timestamped evidence with attestation assembly and export services supports verifiable, audit-grade release decision records.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`, `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/`
+- **Key Classes**:
+  - `EvidenceBundleBuilder` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Builders/EvidenceBundleBuilder.cs`) - assembles verifiable evidence for release decisions
+  - `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - signs evidence with DSSE for verifiability
+  - `RetimestampService` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/RetimestampService.cs`) - provides timestamps for evidence records
+  - `EvidenceSnapshotService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Services/EvidenceSnapshotService.cs`) - captures point-in-time evidence snapshots
+  - `EvidenceBundleRepository` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Repositories/EvidenceBundleRepository.cs`) - persists verifiable evidence bundles
+  - `TimestampEvidence` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Models/TimestampEvidence.cs`) - timestamp evidence model for RFC 3161/Rekor timestamps
+- **Interfaces**: `IEvidenceBundleBuilder`, `IEvidenceSignatureService`, `IRetimestampService`, `IEvidenceBundleRepository`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Record a release decision and verify `EvidenceBundleBuilder` creates a verifiable evidence bundle with DSSE signature
+- [ ] Verify `EvidenceSignatureService` produces DSSE signatures that are independently verifiable
+- [ ] Verify `RetimestampService` attaches RFC 3161 or Rekor timestamps to evidence records
+- [ ] Verify `EvidenceSnapshotService` captures the complete decision context at the time of the decision
+- [ ] Verify evidence bundles persisted via `EvidenceBundleRepository` maintain integrity over time (content hash matches)
+- [ ] Verify end-to-end: create, sign, timestamp, store, retrieve, and independently verify an evidence bundle

docs/features/unchecked/evidencelocker/vex-evidence-auto-linking-service.md

@@ -0,0 +1,28 @@
+# VEX Evidence Auto-Linking Service (IVexEvidenceLinker)
+
+## Module
+EvidenceLocker
+
+## Status
+IMPLEMENTED
+
+## Description
+Service that auto-links VEX assertions to supporting binary-diff evidence by matching patched findings to VEX entries, storing evidence URIs with confidence scores, and validating DSSE signatures before accepting links.
+
+## Implementation Details
+- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/`
+- **Key Classes**:
+  - `EvidenceBundleRepository` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Repositories/EvidenceBundleRepository.cs`) - retrieves evidence bundles for VEX linking
+  - `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - validates DSSE signatures before accepting evidence links
+  - `EvidenceIdentifiers` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceIdentifiers.cs`) - content-addressed identifiers for evidence linking
+  - `EvidenceBundleMetadata` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceBundleMetadata.cs`) - metadata including VEX link references
+- **Interfaces**: `IEvidenceBundleRepository`, `IEvidenceSignatureService`
+- **Source**: SPRINT_20260113_003_001_EXCITITOR_vex_evidence_linker.md
+
+## E2E Test Plan
+- [ ] Create a VEX assertion for a patched CVE and verify the service auto-links it to the corresponding binary-diff evidence
+- [ ] Verify evidence URIs are stored with confidence scores reflecting the match quality
+- [ ] Verify `EvidenceSignatureService` validates DSSE signatures on evidence before accepting the link
+- [ ] Verify VEX entries without matching binary-diff evidence are not linked (no false positives)
+- [ ] Verify linked evidence is queryable by VEX assertion ID and by CVE identifier
+- [ ] Verify links are immutable: once created, evidence links cannot be modified without creating a new version