Add sample proof bundle configurations and verification script

- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`.
- Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs.
- Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details.
- Enhanced evidence entries with expiration dates and hashes for better integrity checks.
- Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.

src/ExportCenter/__fixtures/export-kit/README.md

@@ -0,0 +1,10 @@
+# Export kit fixtures (EC10)
+
+Fixtures used by determinism/rerun-hash CI and the offline verify script. They are intentionally small, deterministic, and offline-friendly.
+
+- `manifest.json` — sample mirror:delta manifest with selector validation and integrity headers.
+- `manifest.sha256` — hash for tamper detection.
+- `manifest.dsse` — DSSE envelope (placeholder signature) carrying the manifest payload.
+- `provenance.json` — SLSA v1-style provenance with hashedrekord log metadata.
+
+The verify script in `docs/modules/export-center/operations/verify-export-kit.sh` expects these files to be present when running in fixture mode (`VERIFY_FIXTURE=1`).

src/ExportCenter/__fixtures/export-kit/manifest.json

@@ -0,0 +1,142 @@
+{
+  "schema": "https://stellaops.io/export-center/manifest/v1alpha2",
+  "version": "1.1.0",
+  "exportId": "exp-20251204-01",
+  "runId": "run-20251204-ec10",
+  "profile": {
+    "kind": "mirror",
+    "variant": "delta",
+    "name": "demo-mirror-delta",
+    "revision": "r3"
+  },
+  "tenant": "tenant-demo",
+  "selectors": {
+    "tenants": [
+      "tenant-demo"
+    ],
+    "products": [
+      "registry.example.com/app:*"
+    ],
+    "timeWindow": "2025-11-01/2025-11-30",
+    "severities": [
+      "critical",
+      "high"
+    ],
+    "ecosystems": [
+      "npm",
+      "maven"
+    ],
+    "sources": [
+      "concelier",
+      "excititor"
+    ]
+  },
+  "generatedAt": "2025-12-04T00:00:00Z",
+  "rerunHash": "sha256:bc1b8e4a7c0ce3149fb12980544f5bb2118685632b7139bc95edb218f0704a5e",
+  "contents": [
+    {
+      "path": "data/raw/advisories/a0.jsonl.zst",
+      "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
+      "bytes": 1234,
+      "records": 12,
+      "contentType": "application/x-zstd"
+    },
+    {
+      "path": "data/policy/findings.jsonl.zst",
+      "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
+      "bytes": 2048,
+      "records": 8,
+      "contentType": "application/x-zstd"
+    },
+    {
+      "path": "indexes/advisories.index.json",
+      "digest": "sha256:3333333333333333333333333333333333333333333333333333333333333333",
+      "bytes": 512,
+      "records": 3,
+      "contentType": "application/json"
+    }
+  ],
+  "delta": {
+    "baseExportId": "exp-20251129-full",
+    "baseManifestDigest": "sha256:b4se000000000000000000000000000000000000000000000000000000000000",
+    "tombstones": [
+      "vex/obsolete.jsonl",
+      "data/raw/advisories/deleted.jsonl.zst"
+    ],
+    "added": [
+      "data/raw/advisories/a0.jsonl.zst",
+      "indexes/advisories.index.json"
+    ],
+    "removed": [
+      "data/raw/advisories/deleted.jsonl.zst"
+    ]
+  },
+  "integrity": {
+    "httpHeaders": {
+      "Digest": "sha-256=h46EAdZQwLfjhc+XMsuKOG2hfM6av26EjXquGs3Ze6c=",
+      "X-Stella-Signature": "dsse-b64:PLACEHOLDER",
+      "X-Stella-Immutability": "true"
+    },
+    "oci": {
+      "annotations": {
+        "io.stellaops.export.profile": "mirror:delta",
+        "io.stellaops.export.run": "run-20251204-ec10",
+        "io.stellaops.export.manifest-digest": "sha256:878e8401d650c0b7e385cf9732cb8a386da17cce9abf6e848d7aae1acdd97ba7",
+        "io.stellaops.export.provenance-ref": "manifests/provenance.json",
+        "org.opencontainers.image.ref.name": "registry.example.com/stella/export/demo:20251204-delta"
+      }
+    }
+  },
+  "attestations": {
+    "provenanceRef": "manifests/provenance.json",
+    "dsseEnvelope": "manifests/manifest.dsse",
+    "slsaLevel": "https://slsa.dev/provenance/v1",
+    "log": {
+      "kind": "hashedrekord",
+      "logId": "rekor-public",
+      "logIndex": 42,
+      "entryDigest": "sha256:logentry00000000000000000000000000000000000000000000000000000000",
+      "timestamp": "2025-12-04T00:00:01Z"
+    }
+  },
+  "distribution": {
+    "http": {
+      "enabled": true,
+      "retentionDays": 30,
+      "etag": "W/\"exp-20251204-01\"",
+      "rangeRequests": true
+    },
+    "oci": {
+      "enabled": true,
+      "reference": "registry.example.com/stella/export/demo:20251204-delta"
+    },
+    "object": {
+      "enabled": true,
+      "bucket": "stella-exports",
+      "prefix": "tenant-demo/exp-20251204-01"
+    }
+  },
+  "encryption": {
+    "mode": "age",
+    "recipients": [
+      {
+        "keyId": "tenant-demo/age",
+        "fingerprint": "age1demo0demo0demo0demo0demo0demo0demo0demo0demo0",
+        "wrappedKey": "ZGVtb19rZXk="
+      }
+    ],
+    "strict": false
+  },
+  "approval": {
+    "required": true,
+    "reason": "cross-tenant export with mirror subscribers",
+    "approvedBy": "grc-review-2025-12-03",
+    "ticket": "GRC-2044"
+  },
+  "quotas": {
+    "maxActiveRuns": 4,
+    "maxQueuedRuns": 50,
+    "backpressureMode": "reject",
+    "cpuThrottlePercent": 80
+  }
+}

src/ExportCenter/__fixtures/export-kit/manifest.sha256

@@ -0,0 +1 @@
+a38d2b73beb0a805c6e068cd03c96264bcc6fb423ba11dcdc9a9d8970598d8f2  manifest.json

src/ExportCenter/__fixtures/export-kit/provenance.json

@@ -0,0 +1,57 @@
+{
+  "predicateType": "https://slsa.dev/provenance/v1",
+  "subject": [
+    {
+      "name": "manifests/export.json",
+      "digest": { "sha256": "a38d2b73beb0a805c6e068cd03c96264bcc6fb423ba11dcdc9a9d8970598d8f2" }
+    },
+    {
+      "name": "bundle.tar.zst",
+      "digest": { "sha256": "878e8401d650c0b7e385cf9732cb8a386da17cce9abf6e848d7aae1acdd97ba7" }
+    }
+  ],
+  "predicate": {
+    "buildType": "mirror:delta",
+    "builder": { "id": "stellaops/export-center@demo" },
+    "invocation": {
+      "configSource": { "uri": "profile:demo-mirror-delta", "digest": { "sha256": "1111111111111111111111111111111111111111111111111111111111111111" } },
+      "parameters": {
+        "tenant": "tenant-demo",
+        "baseExportId": "exp-20251129-full",
+        "selectors": {
+          "timeWindow": "2025-11-01/2025-11-30",
+          "severities": ["critical", "high"],
+          "ecosystems": ["npm", "maven"]
+        }
+      }
+    },
+    "metadata": {
+      "buildStartedOn": "2025-12-04T00:00:00Z",
+      "buildFinishedOn": "2025-12-04T00:00:01Z",
+      "reproducible": true
+    },
+    "materials": [
+      { "uri": "ledger://tenant-demo/findings?cursor=rev-42", "digest": { "sha256": "2222222222222222222222222222222222222222222222222222222222222222" } },
+      { "uri": "policy://tenant-demo/snapshots/rev-17", "digest": { "sha256": "3333333333333333333333333333333333333333333333333333333333333333" } }
+    ],
+    "environment": {
+      "logs": {
+        "kind": "hashedrekord",
+        "logId": "rekor-public",
+        "logIndex": 42,
+        "entryDigest": "sha256:logentry00000000000000000000000000000000000000000000000000000000",
+        "timestamp": "2025-12-04T00:00:01Z"
+      },
+      "encryption": {
+        "mode": "age",
+        "recipients": [
+          {
+            "recipient": "age1demo0demo0demo0demo0demo0demo0demo0demo0demo0",
+            "wrappedKey": "ZGVtb19rZXk=",
+            "keyId": "tenant-demo/age"
+          }
+        ]
+      }
+    }
+  }
+}