semi implemented and features implemented save checkpoint

docs/features/unchecked/scanner/human-approval-attestation-service.md

@@ -0,0 +1,27 @@
+# Human Approval Attestation Service (stella.ops/human-approval@v1 predicate)
+
+## Module
+Scanner
+
+## Status
+IMPLEMENTED
+
+## Description
+Generates DSSE-signed attestations for human approval decisions with 30-day TTL auto-expiry. Uses stella.ops/human-approval@v1 predicate. Integrates with the Approvals API (POST/GET/DELETE /api/v1/scans/{scanId}/approvals).
+
+## Implementation Details
+- **Attestation Service**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/IHumanApprovalAttestationService.cs` - `IHumanApprovalAttestationService`, `HumanApprovalAttestationInput`, `HumanApprovalAttestationResult`
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/HumanApprovalAttestationService.cs` - Generates DSSE-signed attestations with 30-day TTL
+- **Contracts**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/HumanApprovalStatement.cs` - `stella.ops/human-approval@v1` predicate model
+- **API Endpoints**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ApprovalEndpoints.cs` - `ApprovalEndpoints` with `CreateApprovalRequest`, `RevokeApprovalRequest`, `ApprovalResponse`, `ApprovalListResponse`
+
+## E2E Test Plan
+- [ ] Create a human approval via `POST /api/v1/scans/{scanId}/approvals` and verify a DSSE-signed attestation is generated
+- [ ] Verify the attestation uses `stella.ops/human-approval@v1` predicate type
+- [ ] Verify the attestation includes the approver identity, timestamp, and scope
+- [ ] List approvals via `GET /api/v1/scans/{scanId}/approvals` and verify active approvals are returned
+- [ ] Verify 30-day TTL auto-expiry removes expired approvals
+- [ ] Revoke an approval via `DELETE /api/v1/scans/{scanId}/approvals/{approvalId}` and verify it is removed