up

src/Excititor/StellaOps.Excititor.WebService/Contracts/VexEvidenceContracts.cs

@@ -49,6 +49,36 @@ public sealed record VexEvidenceListItem(
     [property: JsonPropertyName("itemCount")] int ItemCount,
     [property: JsonPropertyName("verified")] bool Verified);
 
+/// <summary>
+/// Evidence Locker manifest reference returned by /evidence/vex/locker/*.
+/// </summary>
+public sealed record VexEvidenceLockerResponse(
+    [property: JsonPropertyName("bundleId")] string BundleId,
+    [property: JsonPropertyName("mirrorGeneration")] string MirrorGeneration,
+    [property: JsonPropertyName("tenant")] string Tenant,
+    [property: JsonPropertyName("publisher")] string Publisher,
+    [property: JsonPropertyName("payloadHash")] string PayloadHash,
+    [property: JsonPropertyName("manifestPath")] string ManifestPath,
+    [property: JsonPropertyName("manifestHash")] string ManifestHash,
+    [property: JsonPropertyName("evidencePath")] string EvidencePath,
+    [property: JsonPropertyName("evidenceHash")] string? EvidenceHash,
+    [property: JsonPropertyName("manifestSizeBytes")] long? ManifestSizeBytes,
+    [property: JsonPropertyName("evidenceSizeBytes")] long? EvidenceSizeBytes,
+    [property: JsonPropertyName("importedAt")] DateTimeOffset ImportedAt,
+    [property: JsonPropertyName("stalenessSeconds")] int? StalenessSeconds,
+    [property: JsonPropertyName("transparencyLog")] string? TransparencyLog,
+    [property: JsonPropertyName("timeline")] IReadOnlyList<VexEvidenceLockerTimelineEntry> Timeline);
+
+/// <summary>
+/// Timeline event for air-gapped imports.
+/// </summary>
+public sealed record VexEvidenceLockerTimelineEntry(
+    [property: JsonPropertyName("eventType")] string EventType,
+    [property: JsonPropertyName("createdAt")] DateTimeOffset CreatedAt,
+    [property: JsonPropertyName("errorCode")] string? ErrorCode,
+    [property: JsonPropertyName("message")] string? Message,
+    [property: JsonPropertyName("stalenessSeconds")] int? StalenessSeconds);
+
 /// <summary>
 /// Response for /evidence/vex/lookup endpoint.
 /// </summary>

src/Excititor/StellaOps.Excititor.WebService/Endpoints/EvidenceEndpoints.cs

@@ -4,6 +4,8 @@ using System.Collections.Immutable;
 using System.Diagnostics;
 using System.Globalization;
 using System.Linq;
+using System.IO;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
@@ -17,6 +19,7 @@ using StellaOps.Excititor.Storage.Mongo;
 using StellaOps.Excititor.WebService.Contracts;
 using StellaOps.Excititor.WebService.Services;
 using StellaOps.Excititor.WebService.Telemetry;
+using StellaOps.Excititor.WebService.Options;
 
 namespace StellaOps.Excititor.WebService.Endpoints;
 
@@ -436,6 +439,115 @@ public static class EvidenceEndpoints
 
             return Results.Ok(response);
         }).WithName("GetVexAdvisoryEvidence");
+
+        // GET /evidence/vex/locker/{bundleId}
+        app.MapGet("/evidence/vex/locker/{bundleId}", async (
+            HttpContext context,
+            string bundleId,
+            [FromQuery] string? generation,
+            IOptions<VexMongoStorageOptions> storageOptions,
+            IOptions<AirgapOptions> airgapOptions,
+            [FromServices] IAirgapImportStore airgapImportStore,
+            [FromServices] IVexHashingService hashingService,
+            CancellationToken cancellationToken) =>
+        {
+            var scopeResult = ScopeAuthorization.RequireScope(context, "vex.read");
+            if (scopeResult is not null)
+            {
+                return scopeResult;
+            }
+
+            if (!TryResolveTenant(context, storageOptions.Value, out var tenant, out var tenantError))
+            {
+                return tenantError;
+            }
+
+            if (string.IsNullOrWhiteSpace(bundleId))
+            {
+                return Results.BadRequest(new { error = new { code = "ERR_BUNDLE_ID", message = "bundleId is required" } });
+            }
+
+            var record = await airgapImportStore.FindByBundleIdAsync(tenant, bundleId.Trim(), generation?.Trim(), cancellationToken)
+                .ConfigureAwait(false);
+
+            if (record is null)
+            {
+                return Results.NotFound(new { error = new { code = "ERR_NOT_FOUND", message = "Locker manifest not found" } });
+            }
+
+            // Optional local hash/size computation when locker root is configured
+            long? manifestSize = null;
+            long? evidenceSize = null;
+            string? evidenceHash = null;
+
+            var lockerRoot = airgapOptions.Value.LockerRootPath;
+            if (!string.IsNullOrWhiteSpace(lockerRoot))
+            {
+                TryHashFile(lockerRoot, record.PortableManifestPath, hashingService, out var manifestHash, out manifestSize);
+                if (!string.IsNullOrWhiteSpace(manifestHash))
+                {
+                    record.PortableManifestHash = manifestHash!;
+                }
+
+                TryHashFile(lockerRoot, record.EvidenceLockerPath, hashingService, out evidenceHash, out evidenceSize);
+            }
+
+            var timeline = record.Timeline
+                .OrderBy(entry => entry.CreatedAt)
+                .Select(entry => new VexEvidenceLockerTimelineEntry(
+                    entry.EventType,
+                    entry.CreatedAt,
+                    entry.ErrorCode,
+                    entry.Message,
+                    entry.StalenessSeconds))
+                .ToList();
+
+            var response = new VexEvidenceLockerResponse(
+                record.BundleId,
+                record.MirrorGeneration,
+                record.TenantId,
+                record.Publisher,
+                record.PayloadHash,
+                record.PortableManifestPath,
+                record.PortableManifestHash,
+                record.EvidenceLockerPath,
+                evidenceHash,
+                manifestSize,
+                evidenceSize,
+                record.ImportedAt,
+                record.Timeline.FirstOrDefault()?.StalenessSeconds,
+                record.TransparencyLog,
+                timeline);
+
+            return Results.Ok(response);
+        }).WithName("GetVexEvidenceLockerManifest");
+    }
+
+    private static void TryHashFile(string root, string relativePath, IVexHashingService hashingService, out string? digest, out long? size)
+    {
+        digest = null;
+        size = null;
+        try
+        {
+            if (string.IsNullOrWhiteSpace(relativePath))
+            {
+                return;
+            }
+
+            var fullPath = Path.GetFullPath(Path.Combine(root, relativePath));
+            if (!File.Exists(fullPath))
+            {
+                return;
+            }
+
+            var data = File.ReadAllBytes(fullPath);
+            digest = hashingService.ComputeHash(data, "sha256");
+            size = data.LongLength;
+        }
+        catch
+        {
+            // Ignore I/O errors and continue with stored metadata
+        }
     }
 
     private static bool TryResolveTenant(HttpContext context, VexMongoStorageOptions options, out string tenant, out IResult? problem)

src/Excititor/StellaOps.Excititor.WebService/Options/AirgapOptions.cs

@@ -22,4 +22,12 @@ internal sealed class AirgapOptions
     /// Empty list means allow all.
     /// </summary>
     public List<string> TrustedPublishers { get; } = new();
+
+    /// <summary>
+    /// Optional root path for locally stored locker artefacts (portable manifest, evidence NDJSON).
+    /// When set, /evidence/vex/locker/* endpoints will attempt to read files from this root to
+    /// compute deterministic hashes and sizes; otherwise only stored hashes are returned.
+    /// </summary>
+    public string? LockerRootPath { get; set; }
+        = null;
 }