up

src/Scanner/__Libraries/StellaOps.Scanner.ProofSpine/HmacDsseSigningService.cs

@@ -77,7 +77,7 @@ public sealed class HmacDsseSigningService : IDsseSigningService
 
             if (CryptographicOperations.FixedTimeEquals(expected.SignatureBytes, provided))
             {
-                return Task.FromResult(new DsseVerificationOutcome(true, expected.IsTrusted, failureReason: null));
+                return Task.FromResult(new DsseVerificationOutcome(true, expected.IsTrusted, FailureReason: null));
             }
 
             return Task.FromResult(new DsseVerificationOutcome(false, expected.IsTrusted, "dsse_sig_mismatch"));
@@ -141,4 +141,3 @@ public sealed class HmacDsseSigningService : IDsseSigningService
         }
     }
 }
-

src/Scanner/__Libraries/StellaOps.Scanner.ProofSpine/ProofSpineModels.cs

@@ -0,0 +1,66 @@
+using StellaOps.Replay.Core;
+
+namespace StellaOps.Scanner.ProofSpine;
+
+/// <summary>
+/// Represents a complete verifiable decision chain from SBOM to VEX verdict.
+/// </summary>
+public sealed record ProofSpine(
+    string SpineId,
+    string ArtifactId,
+    string VulnerabilityId,
+    string PolicyProfileId,
+    IReadOnlyList<ProofSegment> Segments,
+    string Verdict,
+    string VerdictReason,
+    string RootHash,
+    string ScanRunId,
+    DateTimeOffset CreatedAt,
+    string? SupersededBySpineId);
+
+/// <summary>
+/// A single evidence segment in the proof chain.
+/// </summary>
+public sealed record ProofSegment(
+    string SegmentId,
+    ProofSegmentType SegmentType,
+    int Index,
+    string InputHash,
+    string ResultHash,
+    string? PrevSegmentHash,
+    DsseEnvelope Envelope,
+    string ToolId,
+    string ToolVersion,
+    ProofSegmentStatus Status,
+    DateTimeOffset CreatedAt);
+
+public sealed record GuardCondition(
+    string Name,
+    string Type,
+    string Value,
+    bool Passed);
+
+/// <summary>
+/// Segment types in execution order.
+/// </summary>
+public enum ProofSegmentType
+{
+    SbomSlice = 1,
+    Match = 2,
+    Reachability = 3,
+    GuardAnalysis = 4,
+    RuntimeObservation = 5,
+    PolicyEval = 6
+}
+
+/// <summary>
+/// Verification status of a segment.
+/// </summary>
+public enum ProofSegmentStatus
+{
+    Pending = 0,
+    Verified = 1,
+    Partial = 2,
+    Invalid = 3,
+    Untrusted = 4
+}

src/Scanner/__Libraries/StellaOps.Scanner.ProofSpine/StellaOps.Scanner.ProofSpine.csproj

@@ -0,0 +1,17 @@
+<?xml version='1.0' encoding='utf-8'?>
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <LangVersion>preview</LangVersion>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <TreatWarningsAsErrors>false</TreatWarningsAsErrors>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="../../../__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj" />
+    <ProjectReference Include="../../../__Libraries/StellaOps.Replay.Core/StellaOps.Replay.Core.csproj" />
+  </ItemGroup>
+</Project>

src/Scanner/__Libraries/StellaOps.Scanner.Storage/TASKS.md

@@ -0,0 +1,5 @@
+# Scanner Storage Local Tasks
+
+| Task ID | Sprint | Status | Notes |
+| --- | --- | --- | --- |
+| `PROOFSPINE-3100-DB` | `docs/implplan/SPRINT_3100_0001_0001_proof_spine_system.md` | DOING | Add Postgres migrations and repository for ProofSpine persistence (`proof_spines`, `proof_segments`, `proof_spine_history`). |