Tests fixes, audit progress, UI completions

src/Attestor/__Libraries/StellaOps.Attestor.Bundle/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor Bundle Library Charter
+
+## Working Directory
+- `src/Attestor/__Libraries/StellaOps.Attestor.Bundle`
+
+## Scope
+- Sigstore bundle models, serialization, builder, and offline verification utilities.
+
+## Required Reading
+- `docs/modules/attestor/README.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/Attestor/AGENTS.md`
+- `src/Attestor/__Libraries/AGENTS.md`
+
+## Working Agreements
+- Update sprint tracker and local `TASKS.md`.
+- Preserve deterministic serialization and offline verification behavior.
+- Avoid network dependencies in bundle verification.
+
+## Testing Rules
+- Cover builder validation, serialization round-trips, and verification error paths.
+- Include inclusion proof and signature verification fixtures.

src/Attestor/__Libraries/StellaOps.Attestor.Bundle/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Bundle Library Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0045-M | DONE | Maintainability audit for StellaOps.Attestor.Bundle. |
+| AUDIT-0045-T | DONE | Test coverage audit for StellaOps.Attestor.Bundle. |
+| AUDIT-0045-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.Bundling/AGENTS.md

@@ -0,0 +1,22 @@
+# Attestor Bundling Library Charter
+
+## Working Directory
+- `src/Attestor/__Libraries/StellaOps.Attestor.Bundling`
+
+## Scope
+- Attestation bundle aggregation, retention, offline kit export, and org-key signing.
+
+## Required Reading
+- `docs/modules/attestor/README.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- `src/Attestor/AGENTS.md`
+- `src/Attestor/__Libraries/AGENTS.md`
+
+## Working Agreements
+- Update sprint tracker and local `TASKS.md`.
+- Keep bundling deterministic and offline-friendly.
+- Avoid network dependencies in core bundling logic.
+
+## Testing Rules
+- Cover bundling limits, signature handling, retention policy, and offline export.

src/Attestor/__Libraries/StellaOps.Attestor.Bundling/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Bundling Library Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0047-M | DONE | Maintainability audit for StellaOps.Attestor.Bundling. |
+| AUDIT-0047-T | DONE | Test coverage audit for StellaOps.Attestor.Bundling. |
+| AUDIT-0047-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor GraphRoot AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/`.
+- Roles: backend engineer, QA automation.
+- Focus: graph root attestation, Merkle root computation, DSSE envelope creation, Rekor submission.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Preserve deterministic ordering and canonical JSON outputs.
+- Keep DSSE signing and verification spec-aligned (PAE, payloadType).
+- Avoid wall-clock time in core logic; inject time providers where needed.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Add unit tests under `src/Attestor/__Libraries/__Tests/StellaOps.Attestor.GraphRoot.Tests/`.
+- Ensure tests cover sign/verify, Merkle root determinism, and Rekor submission paths.

src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor GraphRoot Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0053-M | DONE | Maintainability audit for StellaOps.Attestor.GraphRoot. |
+| AUDIT-0053-T | DONE | Test coverage audit for StellaOps.Attestor.GraphRoot. |
+| AUDIT-0053-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.Oci/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor OCI AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/StellaOps.Attestor.Oci/`.
+- Roles: backend engineer, QA automation.
+- Focus: OCI reference parsing, ORAS/OCI referrer workflows, attestation attach/list/fetch/remove, and registry client contracts.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Follow OCI Distribution Spec 1.1 and DSSE envelope compatibility.
+- Keep digest/manifest generation deterministic and stable.
+- Avoid wall-clock time in outputs; prefer TimeProvider for timestamps.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Add unit tests under `src/Attestor/__Tests/StellaOps.Attestor.Oci.Tests/`.
+- Cover reference parsing, attach/list/fetch/remove, annotation behavior, and deterministic digests.

src/Attestor/__Libraries/StellaOps.Attestor.Oci/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor OCI Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0056-M | DONE | Maintainability audit for StellaOps.Attestor.Oci. |
+| AUDIT-0056-T | DONE | Test coverage audit for StellaOps.Attestor.Oci. |
+| AUDIT-0056-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.Offline/AGENTS.md

@@ -0,0 +1,23 @@
+# Attestor Offline AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/StellaOps.Attestor.Offline/`.
+- Roles: backend engineer, QA automation.
+- Focus: offline verification of attestation bundles, trust root handling, and air-gap workflows.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep verification deterministic and offline-friendly; no network dependencies.
+- Avoid wall-clock time or randomness in core logic; prefer TimeProvider and stable ordering.
+- Treat DSSE, Merkle, and certificate validation as security-critical; add negative-path tests.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Add unit tests under `src/Attestor/__Tests/StellaOps.Attestor.Offline.Tests/`.
+- Use deterministic fixtures (fixed time/IDs) and avoid external resources.

src/Attestor/__Libraries/StellaOps.Attestor.Offline/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Offline Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0058-M | DONE | Maintainability audit for StellaOps.Attestor.Offline. |
+| AUDIT-0058-T | DONE | Test coverage audit for StellaOps.Attestor.Offline. |
+| AUDIT-0058-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.Persistence/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor Persistence Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0060-M | DONE | Maintainability audit for StellaOps.Attestor.Persistence. |
+| AUDIT-0060-T | DONE | Test coverage audit for StellaOps.Attestor.Persistence. |
+| AUDIT-0060-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor ProofChain Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0062-M | DONE | Maintainability audit for StellaOps.Attestor.ProofChain. |
+| AUDIT-0062-T | DONE | Test coverage audit for StellaOps.Attestor.ProofChain. |
+| AUDIT-0062-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/AGENTS.md

@@ -0,0 +1,24 @@
+# StellaOps.Attestor.StandardPredicates Local Agent Charter
+
+## Scope
+- This charter applies to `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/**`.
+
+## Primary roles
+- Backend engineer (C# / .NET 10).
+- QA automation engineer (xUnit).
+
+## Required reading (treat as read before edits)
+- `docs/modules/attestor/architecture.md`
+- `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
+- RFC 8785 (JSON Canonicalization Scheme)
+- SPDX 3.0.1, CycloneDX 1.6/1.7, and SLSA provenance v1.0 references
+
+## Working agreements
+- Determinism is mandatory: canonical JSON, stable ordering, UTC timestamps only.
+- Avoid network access; keep parsing offline-friendly.
+- Prefer explicit validation with structured errors and stable metadata output.
+- Keep predicate parsing logic pure and side-effect free; log only for diagnostics.
+
+## Testing expectations
+- Every behavior change must be covered by tests under `src/Attestor/__Tests/StellaOps.Attestor.StandardPredicates.Tests`.
+- Include numeric canonicalization edge cases, schema validation behavior, and SBOM hash determinism checks.

src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor StandardPredicates Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0064-M | DONE | Maintainability audit for StellaOps.Attestor.StandardPredicates. |
+| AUDIT-0064-T | DONE | Test coverage audit for StellaOps.Attestor.StandardPredicates. |
+| AUDIT-0064-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict.Tests/AGENTS.md

@@ -0,0 +1,22 @@
+# Attestor TrustVerdict Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: TrustVerdict service, cache, Merkle builder, and canonicalization correctness.
+
+## Required Reading (treat as read before DOING)
+- `docs/modules/attestor/architecture.md`
+- `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
+- RFC 8785 (JSON Canonicalization Scheme)
+- Relevant sprint files.
+
+## Working Agreements
+- Determinism is mandatory: stable ordering and fixed timestamps in tests.
+- Separate unit vs integration/perf tests with explicit categories.
+- Avoid wall-clock time; use FakeTimeProvider or fixed timestamps.
+- Update `docs/implplan/SPRINT_*.md` and the local `TASKS.md` when starting or completing work.
+
+## Testing
+- Use xUnit + FluentAssertions + TestKit; prefer deterministic fixtures.
+- Cover canonicalization numeric edge cases, Merkle proof consistency, and cache expiry behavior.

src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor TrustVerdict Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0068-M | DONE | Maintainability audit for TrustVerdict tests. |
+| AUDIT-0068-T | DONE | Test coverage audit for TrustVerdict tests. |
+| AUDIT-0068-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/AGENTS.md

@@ -0,0 +1,23 @@
+# StellaOps.Attestor.TrustVerdict Local Agent Charter
+
+## Scope
+- This charter applies to `src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/**`.
+
+## Primary roles
+- Backend engineer (C# / .NET 10).
+- QA automation engineer (xUnit).
+
+## Required reading (treat as read before edits)
+- `docs/modules/attestor/architecture.md`
+- `docs/product-advisories/14-Dec-2025 - Proof and Evidence Chain Technical Reference.md`
+- RFC 8785 (JSON Canonicalization Scheme)
+
+## Working agreements
+- Determinism is mandatory: canonical JSON, stable ordering, UTC timestamps only.
+- Evidence Merkle roots must align across service, cache, and verifier implementations.
+- Avoid network dependencies in library code paths; keep offline-friendly defaults.
+- Use explicit invariant-culture formatting for strings that affect hashes.
+
+## Testing expectations
+- Every behavior change must be covered by tests under `src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict.Tests`.
+- Include canonicalization edge cases, Merkle root consistency, and repository mapping tests.

src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor TrustVerdict Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0067-M | DONE | Maintainability audit for StellaOps.Attestor.TrustVerdict. |
+| AUDIT-0067-T | DONE | Test coverage audit for StellaOps.Attestor.TrustVerdict. |
+| AUDIT-0067-A | TODO | Pending approval for changes. |

src/Attestor/__Libraries/__Tests/StellaOps.Attestor.GraphRoot.Tests/AGENTS.md

@@ -0,0 +1,21 @@
+# Attestor GraphRoot Tests AGENTS
+
+## Purpose & Scope
+- Working directory: `src/Attestor/__Libraries/__Tests/StellaOps.Attestor.GraphRoot.Tests/`.
+- Roles: QA automation, backend engineer.
+- Focus: graph root attestation, Merkle root computation, DSSE envelope signing/verification.
+
+## Required Reading (treat as read before DOING)
+- `docs/README.md`
+- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
+- `docs/modules/attestor/architecture.md`
+- `docs/modules/platform/architecture-overview.md`
+- Relevant sprint files.
+
+## Working Agreements
+- Keep tests deterministic: fixed IDs and predictable fixtures.
+- Classify integration tests accurately (Unit vs Integration).
+- Add negative-path tests for malformed inputs and signature failures.
+
+## Testing
+- Cover DSSE PAE signing, signature verification, Rekor submission behavior, and tamper detection.

src/Attestor/__Libraries/__Tests/StellaOps.Attestor.GraphRoot.Tests/TASKS.md

@@ -0,0 +1,10 @@
+# Attestor GraphRoot Tests Task Board
+
+This board mirrors active sprint tasks for this module.
+Source of truth: `docs/implplan/SPRINT_20251229_049_BE_csproj_audit_maint_tests.md`.
+
+| Task ID | Status | Notes |
+| --- | --- | --- |
+| AUDIT-0054-M | DONE | Maintainability audit for StellaOps.Attestor.GraphRoot.Tests. |
+| AUDIT-0054-T | DONE | Test coverage audit for StellaOps.Attestor.GraphRoot.Tests. |
+| AUDIT-0054-A | TODO | Pending approval for changes. |