new two advisories and sprints work on them

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Options/RekorVerificationOptions.cs

@@ -0,0 +1,199 @@
+// -----------------------------------------------------------------------------
+// RekorVerificationOptions.cs
+// Sprint: SPRINT_20260117_001_ATTESTOR_periodic_rekor_verification
+// Task: PRV-001 - Add RekorVerificationOptions configuration class
+// Description: Configuration options for periodic Rekor transparency log verification
+// -----------------------------------------------------------------------------
+
+namespace StellaOps.Attestor.Core.Options;
+
+/// <summary>
+/// Configuration options for periodic Rekor transparency log verification.
+/// </summary>
+/// <remarks>
+/// This configuration controls a scheduled background job that periodically re-verifies
+/// Rekor transparency log entries to detect tampering, time-skew violations, and root
+/// consistency issues. This provides long-term audit assurance of logged attestations.
+/// </remarks>
+public sealed class RekorVerificationOptions
+{
+    /// <summary>
+    /// Configuration section name for binding.
+    /// </summary>
+    public const string SectionName = "Attestor:RekorVerification";
+
+    /// <summary>
+    /// Enable periodic Rekor verification.
+    /// </summary>
+    public bool Enabled { get; set; } = true;
+
+    /// <summary>
+    /// Cron expression for verification schedule. Default: daily at 3 AM UTC.
+    /// </summary>
+    /// <remarks>
+    /// Uses standard cron format: minute hour day-of-month month day-of-week.
+    /// Examples:
+    /// - "0 3 * * *" = Daily at 3:00 AM UTC
+    /// - "0 */6 * * *" = Every 6 hours
+    /// - "0 0 * * 0" = Weekly on Sunday at midnight
+    /// </remarks>
+    public string CronSchedule { get; set; } = "0 3 * * *";
+
+    /// <summary>
+    /// Maximum number of entries to verify per run.
+    /// </summary>
+    /// <remarks>
+    /// Limits the batch size to prevent excessive API calls and processing time.
+    /// Combined with SampleRate, this controls the total verification load.
+    /// </remarks>
+    public int MaxEntriesPerRun { get; set; } = 1000;
+
+    /// <summary>
+    /// Sample rate for entries (0.0-1.0). 1.0 = verify all eligible, 0.1 = verify 10%.
+    /// </summary>
+    /// <remarks>
+    /// For large deployments, full verification of all entries may be impractical.
+    /// Sampling provides statistical assurance while limiting API load.
+    /// </remarks>
+    public double SampleRate { get; set; } = 0.1;
+
+    /// <summary>
+    /// Maximum allowed time skew between build timestamp and integratedTime (seconds).
+    /// </summary>
+    /// <remarks>
+    /// Time skew detection helps identify clock synchronization issues or potential
+    /// tampering. A value of 300 seconds (5 minutes) accounts for typical clock drift
+    /// and network delays.
+    /// </remarks>
+    public int MaxTimeSkewSeconds { get; set; } = 300; // 5 minutes
+
+    /// <summary>
+    /// Days to look back for entries to verify.
+    /// </summary>
+    /// <remarks>
+    /// Limits verification to recent entries. Older entries are assumed to have been
+    /// verified previously. Set to 0 to verify all entries regardless of age.
+    /// </remarks>
+    public int LookbackDays { get; set; } = 90;
+
+    /// <summary>
+    /// Rekor server URL for verification.
+    /// </summary>
+    /// <remarks>
+    /// Should match the server where entries were originally submitted.
+    /// For air-gapped environments, this should point to the local Rekor instance.
+    /// </remarks>
+    public string RekorUrl { get; set; } = "https://rekor.sigstore.dev";
+
+    /// <summary>
+    /// Enable alerting on verification failures.
+    /// </summary>
+    public bool AlertOnFailure { get; set; } = true;
+
+    /// <summary>
+    /// Threshold for triggering critical alert (percentage of failed verifications).
+    /// </summary>
+    /// <remarks>
+    /// When the failure rate exceeds this threshold, a critical alert is raised.
+    /// Set to 0.05 (5%) by default to catch systemic issues while tolerating
+    /// occasional transient failures.
+    /// </remarks>
+    public double CriticalFailureThreshold { get; set; } = 0.05; // 5%
+
+    /// <summary>
+    /// Minimum interval between verifications of the same entry (hours).
+    /// </summary>
+    /// <remarks>
+    /// Prevents over-verification of the same entries. Entries verified within
+    /// this window are excluded from subsequent runs.
+    /// </remarks>
+    public int MinReverificationIntervalHours { get; set; } = 168; // 7 days
+
+    /// <summary>
+    /// Enable root consistency monitoring against stored checkpoints.
+    /// </summary>
+    public bool EnableRootConsistencyCheck { get; set; } = true;
+
+    /// <summary>
+    /// Number of root checkpoints to store for consistency verification.
+    /// </summary>
+    public int RootCheckpointRetentionCount { get; set; } = 100;
+
+    /// <summary>
+    /// Timeout for individual entry verification (seconds).
+    /// </summary>
+    public int VerificationTimeoutSeconds { get; set; } = 30;
+
+    /// <summary>
+    /// Maximum parallel verification requests.
+    /// </summary>
+    /// <remarks>
+    /// Controls concurrency to avoid overwhelming the Rekor API.
+    /// </remarks>
+    public int MaxParallelVerifications { get; set; } = 10;
+
+    /// <summary>
+    /// Enable offline verification using stored inclusion proofs.
+    /// </summary>
+    /// <remarks>
+    /// When enabled, verification will use stored inclusion proofs without
+    /// contacting the Rekor server. Useful for air-gapped deployments.
+    /// </remarks>
+    public bool EnableOfflineVerification { get; set; } = false;
+
+    /// <summary>
+    /// Validates the configuration options.
+    /// </summary>
+    /// <returns>List of validation errors, empty if valid.</returns>
+    public IReadOnlyList<string> Validate()
+    {
+        var errors = new List<string>();
+
+        if (SampleRate is < 0.0 or > 1.0)
+        {
+            errors.Add($"SampleRate must be between 0.0 and 1.0, got {SampleRate}");
+        }
+
+        if (MaxEntriesPerRun <= 0)
+        {
+            errors.Add($"MaxEntriesPerRun must be positive, got {MaxEntriesPerRun}");
+        }
+
+        if (MaxTimeSkewSeconds < 0)
+        {
+            errors.Add($"MaxTimeSkewSeconds must be non-negative, got {MaxTimeSkewSeconds}");
+        }
+
+        if (LookbackDays < 0)
+        {
+            errors.Add($"LookbackDays must be non-negative, got {LookbackDays}");
+        }
+
+        if (string.IsNullOrWhiteSpace(RekorUrl))
+        {
+            errors.Add("RekorUrl must be specified");
+        }
+
+        if (CriticalFailureThreshold is < 0.0 or > 1.0)
+        {
+            errors.Add($"CriticalFailureThreshold must be between 0.0 and 1.0, got {CriticalFailureThreshold}");
+        }
+
+        if (VerificationTimeoutSeconds <= 0)
+        {
+            errors.Add($"VerificationTimeoutSeconds must be positive, got {VerificationTimeoutSeconds}");
+        }
+
+        if (MaxParallelVerifications <= 0)
+        {
+            errors.Add($"MaxParallelVerifications must be positive, got {MaxParallelVerifications}");
+        }
+
+        if (string.IsNullOrWhiteSpace(CronSchedule))
+        {
+            errors.Add("CronSchedule must be specified");
+        }
+
+        return errors;
+    }
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/IRekorVerificationService.cs

@@ -0,0 +1,416 @@
+// -----------------------------------------------------------------------------
+// IRekorVerificationService.cs
+// Sprint: SPRINT_20260117_001_ATTESTOR_periodic_rekor_verification
+// Task: PRV-002 - Implement IRekorVerificationService interface and service
+// Description: Interface for periodic Rekor entry verification
+// -----------------------------------------------------------------------------
+
+namespace StellaOps.Attestor.Core.Verification;
+
+/// <summary>
+/// Service for verifying Rekor transparency log entries.
+/// </summary>
+public interface IRekorVerificationService
+{
+    /// <summary>
+    /// Verifies a single Rekor entry for signature validity, inclusion proof, and time skew.
+    /// </summary>
+    /// <param name="entry">The Rekor entry to verify.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Verification result.</returns>
+    Task<RekorVerificationResult> VerifyEntryAsync(
+        RekorEntryReference entry,
+        CancellationToken ct = default);
+
+    /// <summary>
+    /// Verifies multiple Rekor entries in batch with parallel execution.
+    /// </summary>
+    /// <param name="entries">The entries to verify.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Batch verification result.</returns>
+    Task<RekorBatchVerificationResult> VerifyBatchAsync(
+        IReadOnlyList<RekorEntryReference> entries,
+        CancellationToken ct = default);
+
+    /// <summary>
+    /// Verifies tree root consistency against a stored checkpoint.
+    /// </summary>
+    /// <param name="expectedTreeRoot">The expected tree root hash.</param>
+    /// <param name="expectedTreeSize">The expected tree size.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>Root consistency result.</returns>
+    Task<RootConsistencyResult> VerifyRootConsistencyAsync(
+        string expectedTreeRoot,
+        long expectedTreeSize,
+        CancellationToken ct = default);
+}
+
+/// <summary>
+/// Reference to a stored Rekor entry for verification.
+/// </summary>
+public sealed record RekorEntryReference
+{
+    /// <summary>
+    /// Rekor entry UUID (64-character hex string).
+    /// </summary>
+    public required string Uuid { get; init; }
+
+    /// <summary>
+    /// Rekor log index (monotonically increasing).
+    /// </summary>
+    public required long LogIndex { get; init; }
+
+    /// <summary>
+    /// Time the entry was integrated into the log.
+    /// </summary>
+    public required DateTimeOffset IntegratedTime { get; init; }
+
+    /// <summary>
+    /// SHA-256 hash of the entry body.
+    /// </summary>
+    public required string EntryBodyHash { get; init; }
+
+    /// <summary>
+    /// Expected build/creation timestamp for time skew detection.
+    /// </summary>
+    public DateTimeOffset? ExpectedBuildTime { get; init; }
+
+    /// <summary>
+    /// Stored inclusion proof for offline verification.
+    /// </summary>
+    public StoredInclusionProof? InclusionProof { get; init; }
+
+    /// <summary>
+    /// Rekor backend URL where this entry was submitted.
+    /// </summary>
+    public string? RekorUrl { get; init; }
+
+    /// <summary>
+    /// Last successful verification timestamp.
+    /// </summary>
+    public DateTimeOffset? LastVerifiedAt { get; init; }
+
+    /// <summary>
+    /// Number of times this entry has been verified.
+    /// </summary>
+    public int VerificationCount { get; init; }
+}
+
+/// <summary>
+/// Stored inclusion proof for offline verification.
+/// </summary>
+public sealed record StoredInclusionProof
+{
+    /// <summary>
+    /// Index of the entry in the tree.
+    /// </summary>
+    public required long LeafIndex { get; init; }
+
+    /// <summary>
+    /// Tree size at time of proof generation.
+    /// </summary>
+    public required long TreeSize { get; init; }
+
+    /// <summary>
+    /// Root hash at time of proof generation.
+    /// </summary>
+    public required string RootHash { get; init; }
+
+    /// <summary>
+    /// Hashes of sibling nodes from leaf to root (base64 encoded).
+    /// </summary>
+    public required IReadOnlyList<string> Hashes { get; init; }
+
+    /// <summary>
+    /// Signed checkpoint envelope.
+    /// </summary>
+    public string? CheckpointEnvelope { get; init; }
+}
+
+/// <summary>
+/// Result of verifying a single Rekor entry.
+/// </summary>
+public sealed record RekorVerificationResult
+{
+    /// <summary>
+    /// Rekor entry UUID that was verified.
+    /// </summary>
+    public required string EntryUuid { get; init; }
+
+    /// <summary>
+    /// Whether the entry passed all verification checks.
+    /// </summary>
+    public required bool IsValid { get; init; }
+
+    /// <summary>
+    /// Whether the entry signature is valid.
+    /// </summary>
+    public required bool SignatureValid { get; init; }
+
+    /// <summary>
+    /// Whether the inclusion proof is valid.
+    /// </summary>
+    public required bool InclusionProofValid { get; init; }
+
+    /// <summary>
+    /// Whether the time skew is within acceptable bounds.
+    /// </summary>
+    public required bool TimeSkewValid { get; init; }
+
+    /// <summary>
+    /// Actual time skew between expected and integrated time (null if not computed).
+    /// </summary>
+    public TimeSpan? TimeSkewAmount { get; init; }
+
+    /// <summary>
+    /// Failure reason if verification failed.
+    /// </summary>
+    public string? FailureReason { get; init; }
+
+    /// <summary>
+    /// Detailed failure code for categorization.
+    /// </summary>
+    public RekorVerificationFailureCode? FailureCode { get; init; }
+
+    /// <summary>
+    /// Timestamp when verification was performed.
+    /// </summary>
+    public required DateTimeOffset VerifiedAt { get; init; }
+
+    /// <summary>
+    /// Duration of the verification operation.
+    /// </summary>
+    public TimeSpan? Duration { get; init; }
+
+    /// <summary>
+    /// Creates a successful verification result.
+    /// </summary>
+    public static RekorVerificationResult Success(
+        string entryUuid,
+        TimeSpan? timeSkew,
+        DateTimeOffset verifiedAt,
+        TimeSpan? duration = null) => new()
+    {
+        EntryUuid = entryUuid,
+        IsValid = true,
+        SignatureValid = true,
+        InclusionProofValid = true,
+        TimeSkewValid = true,
+        TimeSkewAmount = timeSkew,
+        VerifiedAt = verifiedAt,
+        Duration = duration
+    };
+
+    /// <summary>
+    /// Creates a failed verification result.
+    /// </summary>
+    public static RekorVerificationResult Failure(
+        string entryUuid,
+        string reason,
+        RekorVerificationFailureCode code,
+        DateTimeOffset verifiedAt,
+        bool signatureValid = false,
+        bool inclusionProofValid = false,
+        bool timeSkewValid = false,
+        TimeSpan? timeSkewAmount = null,
+        TimeSpan? duration = null) => new()
+    {
+        EntryUuid = entryUuid,
+        IsValid = false,
+        SignatureValid = signatureValid,
+        InclusionProofValid = inclusionProofValid,
+        TimeSkewValid = timeSkewValid,
+        TimeSkewAmount = timeSkewAmount,
+        FailureReason = reason,
+        FailureCode = code,
+        VerifiedAt = verifiedAt,
+        Duration = duration
+    };
+}
+
+/// <summary>
+/// Categorized failure codes for Rekor verification.
+/// </summary>
+public enum RekorVerificationFailureCode
+{
+    /// <summary>
+    /// Entry not found in Rekor log.
+    /// </summary>
+    EntryNotFound,
+
+    /// <summary>
+    /// Entry signature is invalid.
+    /// </summary>
+    InvalidSignature,
+
+    /// <summary>
+    /// Inclusion proof verification failed.
+    /// </summary>
+    InvalidInclusionProof,
+
+    /// <summary>
+    /// Time skew exceeds configured threshold.
+    /// </summary>
+    TimeSkewExceeded,
+
+    /// <summary>
+    /// Entry body hash mismatch.
+    /// </summary>
+    BodyHashMismatch,
+
+    /// <summary>
+    /// Log index mismatch.
+    /// </summary>
+    LogIndexMismatch,
+
+    /// <summary>
+    /// Network or API error during verification.
+    /// </summary>
+    NetworkError,
+
+    /// <summary>
+    /// Verification timed out.
+    /// </summary>
+    Timeout,
+
+    /// <summary>
+    /// Unknown or unexpected error.
+    /// </summary>
+    Unknown
+}
+
+/// <summary>
+/// Result of batch verification of multiple Rekor entries.
+/// </summary>
+public sealed record RekorBatchVerificationResult
+{
+    /// <summary>
+    /// Total entries attempted.
+    /// </summary>
+    public required int TotalEntries { get; init; }
+
+    /// <summary>
+    /// Entries that passed verification.
+    /// </summary>
+    public required int ValidEntries { get; init; }
+
+    /// <summary>
+    /// Entries that failed verification.
+    /// </summary>
+    public required int InvalidEntries { get; init; }
+
+    /// <summary>
+    /// Entries that were skipped (e.g., network errors, timeouts).
+    /// </summary>
+    public required int SkippedEntries { get; init; }
+
+    /// <summary>
+    /// Detailed results for failed entries.
+    /// </summary>
+    public required IReadOnlyList<RekorVerificationResult> Failures { get; init; }
+
+    /// <summary>
+    /// Detailed results for all entries (if full reporting enabled).
+    /// </summary>
+    public IReadOnlyList<RekorVerificationResult>? AllResults { get; init; }
+
+    /// <summary>
+    /// Timestamp when batch verification started.
+    /// </summary>
+    public required DateTimeOffset StartedAt { get; init; }
+
+    /// <summary>
+    /// Timestamp when batch verification completed.
+    /// </summary>
+    public required DateTimeOffset CompletedAt { get; init; }
+
+    /// <summary>
+    /// Total duration of the batch verification.
+    /// </summary>
+    public TimeSpan Duration => CompletedAt - StartedAt;
+
+    /// <summary>
+    /// Failure rate as a percentage (0.0-1.0).
+    /// </summary>
+    public double FailureRate => TotalEntries > 0 ? (double)InvalidEntries / TotalEntries : 0.0;
+
+    /// <summary>
+    /// Whether the batch verification is considered successful (failure rate below threshold).
+    /// </summary>
+    public bool IsSuccessful(double criticalThreshold) => FailureRate < criticalThreshold;
+}
+
+/// <summary>
+/// Result of root consistency verification.
+/// </summary>
+public sealed record RootConsistencyResult
+{
+    /// <summary>
+    /// Whether the root is consistent with the expected checkpoint.
+    /// </summary>
+    public required bool IsConsistent { get; init; }
+
+    /// <summary>
+    /// Current tree root from the Rekor log.
+    /// </summary>
+    public required string CurrentTreeRoot { get; init; }
+
+    /// <summary>
+    /// Current tree size from the Rekor log.
+    /// </summary>
+    public required long CurrentTreeSize { get; init; }
+
+    /// <summary>
+    /// Expected tree root from stored checkpoint.
+    /// </summary>
+    public string? ExpectedTreeRoot { get; init; }
+
+    /// <summary>
+    /// Expected tree size from stored checkpoint.
+    /// </summary>
+    public long? ExpectedTreeSize { get; init; }
+
+    /// <summary>
+    /// Reason for inconsistency if not consistent.
+    /// </summary>
+    public string? InconsistencyReason { get; init; }
+
+    /// <summary>
+    /// Timestamp when consistency was verified.
+    /// </summary>
+    public required DateTimeOffset VerifiedAt { get; init; }
+
+    /// <summary>
+    /// Creates a consistent result.
+    /// </summary>
+    public static RootConsistencyResult Consistent(
+        string currentRoot,
+        long currentSize,
+        DateTimeOffset verifiedAt) => new()
+    {
+        IsConsistent = true,
+        CurrentTreeRoot = currentRoot,
+        CurrentTreeSize = currentSize,
+        VerifiedAt = verifiedAt
+    };
+
+    /// <summary>
+    /// Creates an inconsistent result.
+    /// </summary>
+    public static RootConsistencyResult Inconsistent(
+        string currentRoot,
+        long currentSize,
+        string expectedRoot,
+        long expectedSize,
+        string reason,
+        DateTimeOffset verifiedAt) => new()
+    {
+        IsConsistent = false,
+        CurrentTreeRoot = currentRoot,
+        CurrentTreeSize = currentSize,
+        ExpectedTreeRoot = expectedRoot,
+        ExpectedTreeSize = expectedSize,
+        InconsistencyReason = reason,
+        VerifiedAt = verifiedAt
+    };
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/RekorVerificationHealthCheck.cs

@@ -0,0 +1,368 @@
+// -----------------------------------------------------------------------------
+// RekorVerificationHealthCheck.cs
+// Sprint: SPRINT_20260117_001_ATTESTOR_periodic_rekor_verification
+// Task: PRV-006 - Implement Doctor health check for Rekor verification
+// Description: Health check for monitoring Rekor verification job status
+// -----------------------------------------------------------------------------
+
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using StellaOps.Attestor.Core.Options;
+
+namespace StellaOps.Attestor.Core.Verification;
+
+/// <summary>
+/// Health check for the Rekor verification job.
+/// Reports on last run status, failure rates, and job health.
+/// </summary>
+public sealed class RekorVerificationHealthCheck : IHealthCheck
+{
+    private readonly IRekorVerificationStatusProvider _statusProvider;
+    private readonly IOptions<RekorVerificationOptions> _options;
+    private readonly ILogger<RekorVerificationHealthCheck> _logger;
+
+    /// <summary>
+    /// Health check name.
+    /// </summary>
+    public const string Name = "rekor-verification";
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="RekorVerificationHealthCheck"/> class.
+    /// </summary>
+    public RekorVerificationHealthCheck(
+        IRekorVerificationStatusProvider statusProvider,
+        IOptions<RekorVerificationOptions> options,
+        ILogger<RekorVerificationHealthCheck> logger)
+    {
+        _statusProvider = statusProvider ?? throw new ArgumentNullException(nameof(statusProvider));
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <inheritdoc />
+    public async Task<HealthCheckResult> CheckHealthAsync(
+        HealthCheckContext context,
+        CancellationToken cancellationToken = default)
+    {
+        var opts = _options.Value;
+
+        // If disabled, report healthy with note
+        if (!opts.Enabled)
+        {
+            return HealthCheckResult.Healthy("Rekor verification is disabled");
+        }
+
+        try
+        {
+            var status = await _statusProvider.GetStatusAsync(cancellationToken);
+
+            var data = new Dictionary<string, object>
+            {
+                ["enabled"] = true,
+                ["lastRunAt"] = status.LastRunAt?.ToString("o") ?? "never",
+                ["lastRunStatus"] = status.LastRunStatus.ToString(),
+                ["entriesVerified"] = status.TotalEntriesVerified,
+                ["entriesFailed"] = status.TotalEntriesFailed,
+                ["failureRate"] = status.FailureRate,
+                ["lastRootConsistencyCheck"] = status.LastRootConsistencyCheckAt?.ToString("o") ?? "never",
+                ["rootConsistent"] = status.RootConsistent,
+                ["criticalAlerts"] = status.CriticalAlertCount
+            };
+
+            // Check for critical conditions
+            if (status.CriticalAlertCount > 0)
+            {
+                return HealthCheckResult.Unhealthy(
+                    $"Rekor verification has {status.CriticalAlertCount} critical alert(s)",
+                    data: data);
+            }
+
+            // Check if job hasn't run in expected window
+            if (status.LastRunAt.HasValue)
+            {
+                var hoursSinceLastRun = (DateTimeOffset.UtcNow - status.LastRunAt.Value).TotalHours;
+                if (hoursSinceLastRun > 48) // More than 2 days
+                {
+                    return HealthCheckResult.Degraded(
+                        $"Rekor verification hasn't run in {hoursSinceLastRun:F1} hours",
+                        data: data);
+                }
+            }
+            else
+            {
+                // Never run - could be new deployment
+                return HealthCheckResult.Degraded(
+                    "Rekor verification has never run",
+                    data: data);
+            }
+
+            // Check failure rate
+            if (status.FailureRate >= opts.CriticalFailureThreshold)
+            {
+                return HealthCheckResult.Unhealthy(
+                    $"Rekor verification failure rate {status.FailureRate:P2} exceeds threshold {opts.CriticalFailureThreshold:P2}",
+                    data: data);
+            }
+
+            // Check root consistency
+            if (!status.RootConsistent)
+            {
+                return HealthCheckResult.Unhealthy(
+                    "Rekor root consistency check failed - possible log tampering",
+                    data: data);
+            }
+
+            // Check last run status
+            if (status.LastRunStatus == VerificationRunStatus.Failed)
+            {
+                return HealthCheckResult.Degraded(
+                    "Last Rekor verification run failed",
+                    data: data);
+            }
+
+            return HealthCheckResult.Healthy(
+                $"Rekor verification healthy. Last run: {status.LastRunAt:g}, verified {status.TotalEntriesVerified} entries",
+                data);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Failed to check Rekor verification health");
+            return HealthCheckResult.Unhealthy(
+                "Failed to retrieve Rekor verification status",
+                ex);
+        }
+    }
+}
+
+/// <summary>
+/// Provides status information about the Rekor verification job.
+/// </summary>
+public interface IRekorVerificationStatusProvider
+{
+    /// <summary>
+    /// Gets the current verification status.
+    /// </summary>
+    Task<RekorVerificationStatus> GetStatusAsync(CancellationToken ct = default);
+}
+
+/// <summary>
+/// Status of the Rekor verification job.
+/// </summary>
+public sealed record RekorVerificationStatus
+{
+    /// <summary>
+    /// When the last verification run started.
+    /// </summary>
+    public DateTimeOffset? LastRunAt { get; init; }
+
+    /// <summary>
+    /// When the last verification run completed.
+    /// </summary>
+    public DateTimeOffset? LastRunCompletedAt { get; init; }
+
+    /// <summary>
+    /// Status of the last run.
+    /// </summary>
+    public VerificationRunStatus LastRunStatus { get; init; }
+
+    /// <summary>
+    /// Total entries verified in the last run.
+    /// </summary>
+    public int TotalEntriesVerified { get; init; }
+
+    /// <summary>
+    /// Total entries that failed verification in the last run.
+    /// </summary>
+    public int TotalEntriesFailed { get; init; }
+
+    /// <summary>
+    /// Failure rate of the last run (0.0-1.0).
+    /// </summary>
+    public double FailureRate { get; init; }
+
+    /// <summary>
+    /// When the last root consistency check was performed.
+    /// </summary>
+    public DateTimeOffset? LastRootConsistencyCheckAt { get; init; }
+
+    /// <summary>
+    /// Whether the root is consistent with stored checkpoints.
+    /// </summary>
+    public bool RootConsistent { get; init; } = true;
+
+    /// <summary>
+    /// Number of critical alerts currently active.
+    /// </summary>
+    public int CriticalAlertCount { get; init; }
+
+    /// <summary>
+    /// Duration of the last run.
+    /// </summary>
+    public TimeSpan? LastRunDuration { get; init; }
+
+    /// <summary>
+    /// Number of time skew violations detected in the last run.
+    /// </summary>
+    public int TimeSkewViolations { get; init; }
+
+    /// <summary>
+    /// Whether the verification job is currently running.
+    /// </summary>
+    public bool IsRunning { get; init; }
+
+    /// <summary>
+    /// Next scheduled run time.
+    /// </summary>
+    public DateTimeOffset? NextScheduledRun { get; init; }
+}
+
+/// <summary>
+/// Status of a verification run.
+/// </summary>
+public enum VerificationRunStatus
+{
+    /// <summary>
+    /// Never run.
+    /// </summary>
+    NeverRun,
+
+    /// <summary>
+    /// Currently running.
+    /// </summary>
+    Running,
+
+    /// <summary>
+    /// Completed successfully.
+    /// </summary>
+    Completed,
+
+    /// <summary>
+    /// Completed with failures.
+    /// </summary>
+    CompletedWithFailures,
+
+    /// <summary>
+    /// Run failed (exception/error).
+    /// </summary>
+    Failed,
+
+    /// <summary>
+    /// Run was cancelled.
+    /// </summary>
+    Cancelled
+}
+
+/// <summary>
+/// In-memory implementation of <see cref="IRekorVerificationStatusProvider"/>.
+/// </summary>
+public sealed class InMemoryRekorVerificationStatusProvider : IRekorVerificationStatusProvider
+{
+    private RekorVerificationStatus _status = new();
+    private readonly object _lock = new();
+
+    /// <inheritdoc />
+    public Task<RekorVerificationStatus> GetStatusAsync(CancellationToken ct = default)
+    {
+        lock (_lock)
+        {
+            return Task.FromResult(_status);
+        }
+    }
+
+    /// <summary>
+    /// Updates the verification status.
+    /// </summary>
+    public void UpdateStatus(RekorVerificationStatus status)
+    {
+        lock (_lock)
+        {
+            _status = status;
+        }
+    }
+
+    /// <summary>
+    /// Updates the status from a batch verification result.
+    /// </summary>
+    public void UpdateFromResult(RekorBatchVerificationResult result, bool rootConsistent)
+    {
+        lock (_lock)
+        {
+            _status = new RekorVerificationStatus
+            {
+                LastRunAt = result.StartedAt,
+                LastRunCompletedAt = result.CompletedAt,
+                LastRunStatus = result.InvalidEntries > 0
+                    ? VerificationRunStatus.CompletedWithFailures
+                    : VerificationRunStatus.Completed,
+                TotalEntriesVerified = result.ValidEntries,
+                TotalEntriesFailed = result.InvalidEntries,
+                FailureRate = result.FailureRate,
+                LastRunDuration = result.Duration,
+                RootConsistent = rootConsistent,
+                TimeSkewViolations = result.Failures
+                    .Count(f => f.FailureCode == RekorVerificationFailureCode.TimeSkewExceeded),
+                IsRunning = false
+            };
+        }
+    }
+
+    /// <summary>
+    /// Marks the job as running.
+    /// </summary>
+    public void MarkRunning()
+    {
+        lock (_lock)
+        {
+            _status = _status with
+            {
+                IsRunning = true,
+                LastRunStatus = VerificationRunStatus.Running
+            };
+        }
+    }
+
+    /// <summary>
+    /// Marks the job as failed.
+    /// </summary>
+    public void MarkFailed(Exception? ex = null)
+    {
+        lock (_lock)
+        {
+            _status = _status with
+            {
+                IsRunning = false,
+                LastRunStatus = VerificationRunStatus.Failed,
+                LastRunCompletedAt = DateTimeOffset.UtcNow
+            };
+        }
+    }
+
+    /// <summary>
+    /// Increments the critical alert count.
+    /// </summary>
+    public void IncrementCriticalAlerts()
+    {
+        lock (_lock)
+        {
+            _status = _status with
+            {
+                CriticalAlertCount = _status.CriticalAlertCount + 1
+            };
+        }
+    }
+
+    /// <summary>
+    /// Clears critical alerts.
+    /// </summary>
+    public void ClearCriticalAlerts()
+    {
+        lock (_lock)
+        {
+            _status = _status with
+            {
+                CriticalAlertCount = 0
+            };
+        }
+    }
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/RekorVerificationJob.cs

@@ -0,0 +1,381 @@
+// -----------------------------------------------------------------------------
+// RekorVerificationJob.cs
+// Sprint: SPRINT_20260117_001_ATTESTOR_periodic_rekor_verification
+// Task: PRV-004 - Implement RekorVerificationJob background service
+// Description: Scheduled background job for periodic Rekor entry re-verification
+// -----------------------------------------------------------------------------
+
+using Cronos;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using StellaOps.Attestor.Core.Options;
+
+namespace StellaOps.Attestor.Core.Verification;
+
+/// <summary>
+/// Background service that periodically re-verifies Rekor transparency log entries
+/// to detect tampering, time-skew violations, and root consistency issues.
+/// </summary>
+public sealed class RekorVerificationJob : BackgroundService
+{
+    private readonly IRekorVerificationService _verificationService;
+    private readonly IRekorEntryRepository _entryRepository;
+    private readonly IOptions<RekorVerificationOptions> _options;
+    private readonly ILogger<RekorVerificationJob> _logger;
+    private readonly TimeProvider _timeProvider;
+    private readonly RekorVerificationMetrics _metrics;
+    private readonly Random _random;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="RekorVerificationJob"/> class.
+    /// </summary>
+    public RekorVerificationJob(
+        IRekorVerificationService verificationService,
+        IRekorEntryRepository entryRepository,
+        IOptions<RekorVerificationOptions> options,
+        ILogger<RekorVerificationJob> logger,
+        TimeProvider? timeProvider = null,
+        RekorVerificationMetrics? metrics = null)
+    {
+        _verificationService = verificationService ?? throw new ArgumentNullException(nameof(verificationService));
+        _entryRepository = entryRepository ?? throw new ArgumentNullException(nameof(entryRepository));
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        _metrics = metrics ?? new RekorVerificationMetrics();
+        _random = new Random();
+    }
+
+    /// <inheritdoc />
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        var opts = _options.Value;
+
+        if (!opts.Enabled)
+        {
+            _logger.LogInformation("Rekor verification job is disabled");
+            return;
+        }
+
+        // Validate configuration
+        var validationErrors = opts.Validate();
+        if (validationErrors.Count > 0)
+        {
+            _logger.LogError(
+                "Rekor verification job configuration is invalid: {Errors}",
+                string.Join("; ", validationErrors));
+            return;
+        }
+
+        CronExpression cron;
+        try
+        {
+            cron = CronExpression.Parse(opts.CronSchedule);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Failed to parse cron schedule '{Schedule}'", opts.CronSchedule);
+            return;
+        }
+
+        _logger.LogInformation(
+            "Rekor verification job started with schedule '{Schedule}', sample rate {SampleRate:P0}, max entries {MaxEntries}",
+            opts.CronSchedule,
+            opts.SampleRate,
+            opts.MaxEntriesPerRun);
+
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            var now = _timeProvider.GetUtcNow();
+            var nextOccurrence = cron.GetNextOccurrence(now, TimeZoneInfo.Utc);
+
+            if (nextOccurrence is null)
+            {
+                _logger.LogWarning("No next cron occurrence found, waiting 1 hour");
+                await Task.Delay(TimeSpan.FromHours(1), stoppingToken);
+                continue;
+            }
+
+            var delay = nextOccurrence.Value - now;
+            _logger.LogDebug(
+                "Next Rekor verification scheduled for {NextRun} (in {Delay})",
+                nextOccurrence.Value,
+                delay);
+
+            try
+            {
+                await Task.Delay(delay, stoppingToken);
+            }
+            catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
+            {
+                break;
+            }
+
+            try
+            {
+                _metrics.RecordRunStart();
+                await RunVerificationAsync(stoppingToken);
+            }
+            catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
+            {
+                break;
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "Rekor verification run failed");
+                _metrics.RecordRunFailure();
+            }
+        }
+
+        _logger.LogInformation("Rekor verification job stopped");
+    }
+
+    private async Task RunVerificationAsync(CancellationToken ct)
+    {
+        var opts = _options.Value;
+        var now = _timeProvider.GetUtcNow();
+        var cutoff = now.AddDays(-opts.LookbackDays);
+        var minReverificationTime = now.AddHours(-opts.MinReverificationIntervalHours);
+
+        _logger.LogInformation(
+            "Starting Rekor verification run. LookbackDays={LookbackDays}, SampleRate={SampleRate:P0}, MaxEntries={MaxEntries}",
+            opts.LookbackDays,
+            opts.SampleRate,
+            opts.MaxEntriesPerRun);
+
+        // 1. Get entries to verify
+        var entries = await _entryRepository.GetEntriesForVerificationAsync(
+            cutoff,
+            minReverificationTime,
+            opts.MaxEntriesPerRun,
+            ct);
+
+        if (entries.Count == 0)
+        {
+            _logger.LogInformation("No entries eligible for verification");
+            return;
+        }
+
+        // 2. Apply sampling
+        var sampled = ApplySampling(entries, opts.SampleRate);
+
+        _logger.LogInformation(
+            "Selected {SampledCount} entries for verification (from {TotalCount} eligible)",
+            sampled.Count,
+            entries.Count);
+
+        if (sampled.Count == 0)
+        {
+            return;
+        }
+
+        // 3. Verify batch
+        var result = await _verificationService.VerifyBatchAsync(sampled, ct);
+
+        // 4. Record metrics
+        _metrics.RecordVerificationRun(result);
+
+        // 5. Log results
+        _logger.LogInformation(
+            "Rekor verification complete. Total={Total}, Valid={Valid}, Invalid={Invalid}, Skipped={Skipped}, Duration={Duration}",
+            result.TotalEntries,
+            result.ValidEntries,
+            result.InvalidEntries,
+            result.SkippedEntries,
+            result.Duration);
+
+        // 6. Handle failures
+        if (result.InvalidEntries > 0)
+        {
+            var failureRate = result.FailureRate;
+
+            foreach (var failure in result.Failures)
+            {
+                _logger.LogWarning(
+                    "Rekor entry verification failed. UUID={Uuid}, Code={Code}, Reason={Reason}",
+                    failure.EntryUuid,
+                    failure.FailureCode,
+                    failure.FailureReason);
+            }
+
+            if (opts.AlertOnFailure && failureRate >= opts.CriticalFailureThreshold)
+            {
+                _logger.LogCritical(
+                    "Rekor verification failure rate {FailureRate:P2} exceeds critical threshold {Threshold:P2}. " +
+                    "This may indicate log tampering or infrastructure issues.",
+                    failureRate,
+                    opts.CriticalFailureThreshold);
+            }
+        }
+
+        // 7. Root consistency check
+        if (opts.EnableRootConsistencyCheck)
+        {
+            await CheckRootConsistencyAsync(ct);
+        }
+
+        // 8. Update verification timestamps
+        var verifiedUuids = sampled
+            .Select(e => e.Uuid)
+            .ToList();
+
+        await _entryRepository.UpdateVerificationTimestampsAsync(
+            verifiedUuids,
+            now,
+            result.Failures.Select(f => f.EntryUuid).ToHashSet(),
+            ct);
+    }
+
+    private async Task CheckRootConsistencyAsync(CancellationToken ct)
+    {
+        try
+        {
+            var latestCheckpoint = await _entryRepository.GetLatestRootCheckpointAsync(ct);
+            if (latestCheckpoint is null)
+            {
+                _logger.LogDebug("No stored checkpoint for consistency verification");
+                return;
+            }
+
+            var result = await _verificationService.VerifyRootConsistencyAsync(
+                latestCheckpoint.TreeRoot,
+                latestCheckpoint.TreeSize,
+                ct);
+
+            _metrics.RecordRootConsistencyCheck(result.IsConsistent);
+
+            if (!result.IsConsistent)
+            {
+                _logger.LogCritical(
+                    "Rekor root consistency check FAILED. Expected root={ExpectedRoot} size={ExpectedSize}, " +
+                    "Current root={CurrentRoot} size={CurrentSize}. Reason: {Reason}",
+                    latestCheckpoint.TreeRoot,
+                    latestCheckpoint.TreeSize,
+                    result.CurrentTreeRoot,
+                    result.CurrentTreeSize,
+                    result.InconsistencyReason);
+            }
+            else
+            {
+                _logger.LogDebug(
+                    "Rekor root consistency verified. TreeSize={TreeSize}",
+                    result.CurrentTreeSize);
+            }
+
+            // Store new checkpoint
+            await _entryRepository.StoreRootCheckpointAsync(
+                result.CurrentTreeRoot,
+                result.CurrentTreeSize,
+                result.IsConsistent,
+                result.InconsistencyReason,
+                ct);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Root consistency check failed");
+        }
+    }
+
+    private IReadOnlyList<RekorEntryReference> ApplySampling(
+        IReadOnlyList<RekorEntryReference> entries,
+        double sampleRate)
+    {
+        if (sampleRate >= 1.0)
+        {
+            return entries;
+        }
+
+        if (sampleRate <= 0.0)
+        {
+            return Array.Empty<RekorEntryReference>();
+        }
+
+        // Deterministic sampling based on entry UUID for consistency
+        return entries
+            .Where(e => ShouldSample(e.Uuid, sampleRate))
+            .ToList();
+    }
+
+    private bool ShouldSample(string uuid, double sampleRate)
+    {
+        // Use hash of UUID for deterministic sampling
+        var hash = uuid.GetHashCode();
+        var normalized = (double)(hash & 0x7FFFFFFF) / int.MaxValue;
+        return normalized < sampleRate;
+    }
+}
+
+/// <summary>
+/// Repository interface for accessing Rekor entries for verification.
+/// </summary>
+public interface IRekorEntryRepository
+{
+    /// <summary>
+    /// Gets entries eligible for verification.
+    /// </summary>
+    /// <param name="createdAfter">Only include entries created after this time.</param>
+    /// <param name="notVerifiedSince">Only include entries not verified since this time.</param>
+    /// <param name="maxEntries">Maximum number of entries to return.</param>
+    /// <param name="ct">Cancellation token.</param>
+    /// <returns>List of entry references.</returns>
+    Task<IReadOnlyList<RekorEntryReference>> GetEntriesForVerificationAsync(
+        DateTimeOffset createdAfter,
+        DateTimeOffset notVerifiedSince,
+        int maxEntries,
+        CancellationToken ct = default);
+
+    /// <summary>
+    /// Updates verification timestamps for processed entries.
+    /// </summary>
+    /// <param name="uuids">UUIDs of entries that were verified.</param>
+    /// <param name="verifiedAt">Verification timestamp.</param>
+    /// <param name="failedUuids">UUIDs of entries that failed verification.</param>
+    /// <param name="ct">Cancellation token.</param>
+    Task UpdateVerificationTimestampsAsync(
+        IReadOnlyList<string> uuids,
+        DateTimeOffset verifiedAt,
+        IReadOnlySet<string> failedUuids,
+        CancellationToken ct = default);
+
+    /// <summary>
+    /// Gets the latest stored root checkpoint.
+    /// </summary>
+    Task<RootCheckpoint?> GetLatestRootCheckpointAsync(CancellationToken ct = default);
+
+    /// <summary>
+    /// Stores a new root checkpoint.
+    /// </summary>
+    Task StoreRootCheckpointAsync(
+        string treeRoot,
+        long treeSize,
+        bool isConsistent,
+        string? inconsistencyReason,
+        CancellationToken ct = default);
+}
+
+/// <summary>
+/// Stored root checkpoint for consistency verification.
+/// </summary>
+public sealed record RootCheckpoint
+{
+    /// <summary>
+    /// Tree root hash.
+    /// </summary>
+    public required string TreeRoot { get; init; }
+
+    /// <summary>
+    /// Tree size at checkpoint.
+    /// </summary>
+    public required long TreeSize { get; init; }
+
+    /// <summary>
+    /// Log identifier.
+    /// </summary>
+    public required string LogId { get; init; }
+
+    /// <summary>
+    /// When checkpoint was captured.
+    /// </summary>
+    public required DateTimeOffset CapturedAt { get; init; }
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/RekorVerificationMetrics.cs

@@ -0,0 +1,210 @@
+// -----------------------------------------------------------------------------
+// RekorVerificationMetrics.cs
+// Sprint: SPRINT_20260117_001_ATTESTOR_periodic_rekor_verification
+// Task: PRV-005 - Implement RekorVerificationMetrics
+// Description: OpenTelemetry metrics for Rekor verification operations
+// -----------------------------------------------------------------------------
+
+using System.Diagnostics.Metrics;
+
+namespace StellaOps.Attestor.Core.Verification;
+
+/// <summary>
+/// OpenTelemetry metrics for Rekor verification operations.
+/// </summary>
+public sealed class RekorVerificationMetrics
+{
+    /// <summary>
+    /// Meter name for Rekor verification metrics.
+    /// </summary>
+    public const string MeterName = "StellaOps.Attestor.RekorVerification";
+
+    private static readonly Meter Meter = new(MeterName, "1.0.0");
+
+    private readonly Counter<long> _runCounter;
+    private readonly Counter<long> _entriesVerifiedCounter;
+    private readonly Counter<long> _entriesFailedCounter;
+    private readonly Counter<long> _entriesSkippedCounter;
+    private readonly Counter<long> _timeSkewViolationsCounter;
+    private readonly Counter<long> _signatureFailuresCounter;
+    private readonly Counter<long> _inclusionProofFailuresCounter;
+    private readonly Counter<long> _rootConsistencyChecksCounter;
+    private readonly Counter<long> _rootInconsistenciesCounter;
+    private readonly Counter<long> _runFailureCounter;
+    private readonly Histogram<double> _verificationLatency;
+    private readonly Histogram<double> _batchDuration;
+    private readonly Histogram<double> _failureRate;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="RekorVerificationMetrics"/> class.
+    /// </summary>
+    public RekorVerificationMetrics()
+    {
+        _runCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_verification_runs_total",
+            unit: "{runs}",
+            description: "Total Rekor verification runs started");
+
+        _entriesVerifiedCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_entries_verified_total",
+            unit: "{entries}",
+            description: "Total Rekor entries verified successfully");
+
+        _entriesFailedCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_entries_failed_total",
+            unit: "{entries}",
+            description: "Total Rekor entries that failed verification");
+
+        _entriesSkippedCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_entries_skipped_total",
+            unit: "{entries}",
+            description: "Total Rekor entries skipped during verification");
+
+        _timeSkewViolationsCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_time_skew_violations_total",
+            unit: "{violations}",
+            description: "Total time skew violations detected");
+
+        _signatureFailuresCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_signature_failures_total",
+            unit: "{failures}",
+            description: "Total signature verification failures");
+
+        _inclusionProofFailuresCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_inclusion_proof_failures_total",
+            unit: "{failures}",
+            description: "Total inclusion proof verification failures");
+
+        _rootConsistencyChecksCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_root_consistency_checks_total",
+            unit: "{checks}",
+            description: "Total root consistency checks performed");
+
+        _rootInconsistenciesCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_root_inconsistencies_total",
+            unit: "{inconsistencies}",
+            description: "Total root inconsistencies detected");
+
+        _runFailureCounter = Meter.CreateCounter<long>(
+            name: "attestor_rekor_verification_run_failures_total",
+            unit: "{failures}",
+            description: "Total verification run failures (unhandled exceptions)");
+
+        _verificationLatency = Meter.CreateHistogram<double>(
+            name: "attestor_rekor_entry_verification_duration_seconds",
+            unit: "s",
+            description: "Duration of individual entry verification operations");
+
+        _batchDuration = Meter.CreateHistogram<double>(
+            name: "attestor_rekor_batch_verification_duration_seconds",
+            unit: "s",
+            description: "Duration of batch verification runs");
+
+        _failureRate = Meter.CreateHistogram<double>(
+            name: "attestor_rekor_verification_failure_rate",
+            unit: "1",
+            description: "Failure rate per verification run (0.0-1.0)");
+    }
+
+    /// <summary>
+    /// Records the start of a verification run.
+    /// </summary>
+    public void RecordRunStart()
+    {
+        _runCounter.Add(1);
+    }
+
+    /// <summary>
+    /// Records a verification run failure (unhandled exception).
+    /// </summary>
+    public void RecordRunFailure()
+    {
+        _runFailureCounter.Add(1);
+    }
+
+    /// <summary>
+    /// Records metrics from a completed verification run.
+    /// </summary>
+    public void RecordVerificationRun(RekorBatchVerificationResult result)
+    {
+        ArgumentNullException.ThrowIfNull(result);
+
+        _entriesVerifiedCounter.Add(result.ValidEntries);
+        _entriesFailedCounter.Add(result.InvalidEntries);
+        _entriesSkippedCounter.Add(result.SkippedEntries);
+        _batchDuration.Record(result.Duration.TotalSeconds);
+        _failureRate.Record(result.FailureRate);
+
+        // Count failure types
+        foreach (var failure in result.Failures)
+        {
+            switch (failure.FailureCode)
+            {
+                case RekorVerificationFailureCode.TimeSkewExceeded:
+                    _timeSkewViolationsCounter.Add(1);
+                    break;
+                case RekorVerificationFailureCode.InvalidSignature:
+                    _signatureFailuresCounter.Add(1);
+                    break;
+                case RekorVerificationFailureCode.InvalidInclusionProof:
+                    _inclusionProofFailuresCounter.Add(1);
+                    break;
+            }
+        }
+    }
+
+    /// <summary>
+    /// Records the duration of a single entry verification.
+    /// </summary>
+    /// <param name="durationSeconds">Duration in seconds.</param>
+    /// <param name="success">Whether the verification succeeded.</param>
+    public void RecordEntryVerification(double durationSeconds, bool success)
+    {
+        _verificationLatency.Record(durationSeconds);
+        if (success)
+        {
+            _entriesVerifiedCounter.Add(1);
+        }
+        else
+        {
+            _entriesFailedCounter.Add(1);
+        }
+    }
+
+    /// <summary>
+    /// Records a root consistency check.
+    /// </summary>
+    /// <param name="isConsistent">Whether the root was consistent.</param>
+    public void RecordRootConsistencyCheck(bool isConsistent)
+    {
+        _rootConsistencyChecksCounter.Add(1);
+        if (!isConsistent)
+        {
+            _rootInconsistenciesCounter.Add(1);
+        }
+    }
+
+    /// <summary>
+    /// Records a time skew violation.
+    /// </summary>
+    public void RecordTimeSkewViolation()
+    {
+        _timeSkewViolationsCounter.Add(1);
+    }
+
+    /// <summary>
+    /// Records a signature failure.
+    /// </summary>
+    public void RecordSignatureFailure()
+    {
+        _signatureFailuresCounter.Add(1);
+    }
+
+    /// <summary>
+    /// Records an inclusion proof failure.
+    /// </summary>
+    public void RecordInclusionProofFailure()
+    {
+        _inclusionProofFailuresCounter.Add(1);
+    }
+}

src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/RekorVerificationService.cs

@@ -0,0 +1,484 @@
+// -----------------------------------------------------------------------------
+// RekorVerificationService.cs
+// Sprint: SPRINT_20260117_001_ATTESTOR_periodic_rekor_verification
+// Task: PRV-002 - Implement RekorVerificationService
+// Description: Service implementation for verifying Rekor transparency log entries
+// -----------------------------------------------------------------------------
+
+using System.Collections.Concurrent;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using StellaOps.Attestor.Core.Options;
+using StellaOps.Attestor.Core.Rekor;
+
+namespace StellaOps.Attestor.Core.Verification;
+
+/// <summary>
+/// Service for verifying Rekor transparency log entries.
+/// </summary>
+public sealed class RekorVerificationService : IRekorVerificationService
+{
+    private readonly IRekorClient _rekorClient;
+    private readonly IOptions<RekorVerificationOptions> _options;
+    private readonly ILogger<RekorVerificationService> _logger;
+    private readonly TimeProvider _timeProvider;
+    private readonly RekorVerificationMetrics _metrics;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="RekorVerificationService"/> class.
+    /// </summary>
+    public RekorVerificationService(
+        IRekorClient rekorClient,
+        IOptions<RekorVerificationOptions> options,
+        ILogger<RekorVerificationService> logger,
+        TimeProvider? timeProvider = null,
+        RekorVerificationMetrics? metrics = null)
+    {
+        _rekorClient = rekorClient ?? throw new ArgumentNullException(nameof(rekorClient));
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        _metrics = metrics ?? new RekorVerificationMetrics();
+    }
+
+    /// <inheritdoc />
+    public async Task<RekorVerificationResult> VerifyEntryAsync(
+        RekorEntryReference entry,
+        CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(entry);
+
+        var startTime = _timeProvider.GetUtcNow();
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        try
+        {
+            var opts = _options.Value;
+
+            // 1. Check if we can do offline verification
+            if (opts.EnableOfflineVerification && entry.InclusionProof is not null)
+            {
+                return await VerifyOfflineAsync(entry, startTime, stopwatch, ct);
+            }
+
+            // 2. Online verification via Rekor API
+            return await VerifyOnlineAsync(entry, startTime, stopwatch, ct);
+        }
+        catch (OperationCanceledException)
+        {
+            throw;
+        }
+        catch (HttpRequestException ex)
+        {
+            stopwatch.Stop();
+            _logger.LogWarning(ex, "Network error verifying entry {Uuid}", entry.Uuid);
+            return RekorVerificationResult.Failure(
+                entry.Uuid,
+                $"Network error: {ex.Message}",
+                RekorVerificationFailureCode.NetworkError,
+                startTime,
+                duration: stopwatch.Elapsed);
+        }
+        catch (TimeoutException)
+        {
+            stopwatch.Stop();
+            _logger.LogWarning("Timeout verifying entry {Uuid}", entry.Uuid);
+            return RekorVerificationResult.Failure(
+                entry.Uuid,
+                "Verification timed out",
+                RekorVerificationFailureCode.Timeout,
+                startTime,
+                duration: stopwatch.Elapsed);
+        }
+        catch (Exception ex)
+        {
+            stopwatch.Stop();
+            _logger.LogError(ex, "Unexpected error verifying entry {Uuid}", entry.Uuid);
+            return RekorVerificationResult.Failure(
+                entry.Uuid,
+                $"Unexpected error: {ex.Message}",
+                RekorVerificationFailureCode.Unknown,
+                startTime,
+                duration: stopwatch.Elapsed);
+        }
+    }
+
+    private async Task<RekorVerificationResult> VerifyOnlineAsync(
+        RekorEntryReference entry,
+        DateTimeOffset startTime,
+        System.Diagnostics.Stopwatch stopwatch,
+        CancellationToken ct)
+    {
+        var opts = _options.Value;
+
+        // Get proof from Rekor
+        var backend = new RekorBackend
+        {
+            Url = entry.RekorUrl ?? opts.RekorUrl,
+            Name = "verification"
+        };
+
+        using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+        cts.CancelAfter(TimeSpan.FromSeconds(opts.VerificationTimeoutSeconds));
+
+        var proof = await _rekorClient.GetProofAsync(entry.Uuid, backend, cts.Token);
+
+        if (proof is null)
+        {
+            stopwatch.Stop();
+            return RekorVerificationResult.Failure(
+                entry.Uuid,
+                "Entry not found in Rekor",
+                RekorVerificationFailureCode.EntryNotFound,
+                startTime,
+                duration: stopwatch.Elapsed);
+        }
+
+        // Verify log index matches
+        if (proof.LogIndex != entry.LogIndex)
+        {
+            stopwatch.Stop();
+            return RekorVerificationResult.Failure(
+                entry.Uuid,
+                $"Log index mismatch: expected {entry.LogIndex}, got {proof.LogIndex}",
+                RekorVerificationFailureCode.LogIndexMismatch,
+                startTime,
+                duration: stopwatch.Elapsed);
+        }
+
+        // Verify body hash if available
+        if (!string.IsNullOrEmpty(entry.EntryBodyHash) && !string.IsNullOrEmpty(proof.EntryBodyHash))
+        {
+            if (!string.Equals(entry.EntryBodyHash, proof.EntryBodyHash, StringComparison.OrdinalIgnoreCase))
+            {
+                stopwatch.Stop();
+                _metrics.RecordSignatureFailure();
+                return RekorVerificationResult.Failure(
+                    entry.Uuid,
+                    "Entry body hash mismatch",
+                    RekorVerificationFailureCode.BodyHashMismatch,
+                    startTime,
+                    signatureValid: false,
+                    duration: stopwatch.Elapsed);
+            }
+        }
+
+        // Verify inclusion proof
+        var payloadDigest = Convert.FromHexString(entry.EntryBodyHash ?? "");
+        var inclusionResult = await _rekorClient.VerifyInclusionAsync(
+            entry.Uuid,
+            payloadDigest,
+            backend,
+            cts.Token);
+
+        if (!inclusionResult.IsValid)
+        {
+            stopwatch.Stop();
+            _metrics.RecordInclusionProofFailure();
+            return RekorVerificationResult.Failure(
+                entry.Uuid,
+                $"Inclusion proof invalid: {inclusionResult.FailureReason}",
+                RekorVerificationFailureCode.InvalidInclusionProof,
+                startTime,
+                signatureValid: true,
+                inclusionProofValid: false,
+                duration: stopwatch.Elapsed);
+        }
+
+        // Check time skew
+        var timeSkewResult = CheckTimeSkew(entry, opts.MaxTimeSkewSeconds);
+        if (!timeSkewResult.IsValid)
+        {
+            stopwatch.Stop();
+            _metrics.RecordTimeSkewViolation();
+            return RekorVerificationResult.Failure(
+                entry.Uuid,
+                timeSkewResult.Message!,
+                RekorVerificationFailureCode.TimeSkewExceeded,
+                startTime,
+                signatureValid: true,
+                inclusionProofValid: true,
+                timeSkewValid: false,
+                timeSkewAmount: timeSkewResult.TimeSkew,
+                duration: stopwatch.Elapsed);
+        }
+
+        stopwatch.Stop();
+        return RekorVerificationResult.Success(
+            entry.Uuid,
+            timeSkewResult.TimeSkew,
+            startTime,
+            stopwatch.Elapsed);
+    }
+
+    private Task<RekorVerificationResult> VerifyOfflineAsync(
+        RekorEntryReference entry,
+        DateTimeOffset startTime,
+        System.Diagnostics.Stopwatch stopwatch,
+        CancellationToken ct)
+    {
+        // Offline verification using stored inclusion proof
+        var proof = entry.InclusionProof!;
+
+        // Verify inclusion proof structure
+        if (!IsValidInclusionProof(proof))
+        {
+            stopwatch.Stop();
+            return Task.FromResult(RekorVerificationResult.Failure(
+                entry.Uuid,
+                "Invalid stored inclusion proof structure",
+                RekorVerificationFailureCode.InvalidInclusionProof,
+                startTime,
+                signatureValid: true,
+                inclusionProofValid: false,
+                duration: stopwatch.Elapsed));
+        }
+
+        // Verify Merkle inclusion (simplified - actual impl would do full proof verification)
+        if (!VerifyMerkleInclusion(entry.EntryBodyHash, proof))
+        {
+            stopwatch.Stop();
+            _metrics.RecordInclusionProofFailure();
+            return Task.FromResult(RekorVerificationResult.Failure(
+                entry.Uuid,
+                "Merkle inclusion proof verification failed",
+                RekorVerificationFailureCode.InvalidInclusionProof,
+                startTime,
+                signatureValid: true,
+                inclusionProofValid: false,
+                duration: stopwatch.Elapsed));
+        }
+
+        // Check time skew
+        var opts = _options.Value;
+        var timeSkewResult = CheckTimeSkew(entry, opts.MaxTimeSkewSeconds);
+        if (!timeSkewResult.IsValid)
+        {
+            stopwatch.Stop();
+            _metrics.RecordTimeSkewViolation();
+            return Task.FromResult(RekorVerificationResult.Failure(
+                entry.Uuid,
+                timeSkewResult.Message!,
+                RekorVerificationFailureCode.TimeSkewExceeded,
+                startTime,
+                signatureValid: true,
+                inclusionProofValid: true,
+                timeSkewValid: false,
+                timeSkewAmount: timeSkewResult.TimeSkew,
+                duration: stopwatch.Elapsed));
+        }
+
+        stopwatch.Stop();
+        return Task.FromResult(RekorVerificationResult.Success(
+            entry.Uuid,
+            timeSkewResult.TimeSkew,
+            startTime,
+            stopwatch.Elapsed));
+    }
+
+    /// <inheritdoc />
+    public async Task<RekorBatchVerificationResult> VerifyBatchAsync(
+        IReadOnlyList<RekorEntryReference> entries,
+        CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(entries);
+
+        var startTime = _timeProvider.GetUtcNow();
+        var opts = _options.Value;
+
+        if (entries.Count == 0)
+        {
+            return new RekorBatchVerificationResult
+            {
+                TotalEntries = 0,
+                ValidEntries = 0,
+                InvalidEntries = 0,
+                SkippedEntries = 0,
+                Failures = Array.Empty<RekorVerificationResult>(),
+                StartedAt = startTime,
+                CompletedAt = startTime
+            };
+        }
+
+        var results = new ConcurrentBag<RekorVerificationResult>();
+        var semaphore = new SemaphoreSlim(opts.MaxParallelVerifications, opts.MaxParallelVerifications);
+
+        var tasks = entries.Select(async entry =>
+        {
+            await semaphore.WaitAsync(ct);
+            try
+            {
+                var result = await VerifyEntryAsync(entry, ct);
+                results.Add(result);
+            }
+            finally
+            {
+                semaphore.Release();
+            }
+        });
+
+        await Task.WhenAll(tasks);
+
+        var completedAt = _timeProvider.GetUtcNow();
+        var resultsList = results.ToList();
+
+        var valid = resultsList.Count(r => r.IsValid);
+        var invalid = resultsList.Count(r => !r.IsValid && r.FailureCode is not (
+            RekorVerificationFailureCode.NetworkError or
+            RekorVerificationFailureCode.Timeout));
+        var skipped = resultsList.Count(r => r.FailureCode is
+            RekorVerificationFailureCode.NetworkError or
+            RekorVerificationFailureCode.Timeout);
+
+        return new RekorBatchVerificationResult
+        {
+            TotalEntries = entries.Count,
+            ValidEntries = valid,
+            InvalidEntries = invalid,
+            SkippedEntries = skipped,
+            Failures = resultsList.Where(r => !r.IsValid).ToList(),
+            AllResults = resultsList,
+            StartedAt = startTime,
+            CompletedAt = completedAt
+        };
+    }
+
+    /// <inheritdoc />
+    public async Task<RootConsistencyResult> VerifyRootConsistencyAsync(
+        string expectedTreeRoot,
+        long expectedTreeSize,
+        CancellationToken ct = default)
+    {
+        var now = _timeProvider.GetUtcNow();
+        var opts = _options.Value;
+
+        try
+        {
+            var backend = new RekorBackend
+            {
+                Url = opts.RekorUrl,
+                Name = "verification"
+            };
+
+            // Get current checkpoint from Rekor
+            // Note: This would use IRekorTileClient.GetCheckpointAsync in real implementation
+            var currentCheckpoint = await GetCurrentCheckpointAsync(backend, ct);
+
+            if (currentCheckpoint is null)
+            {
+                return RootConsistencyResult.Inconsistent(
+                    "",
+                    0,
+                    expectedTreeRoot,
+                    expectedTreeSize,
+                    "Failed to fetch current checkpoint from Rekor",
+                    now);
+            }
+
+            // Verify consistency: tree size should only increase
+            if (currentCheckpoint.TreeSize < expectedTreeSize)
+            {
+                return RootConsistencyResult.Inconsistent(
+                    currentCheckpoint.TreeRoot,
+                    currentCheckpoint.TreeSize,
+                    expectedTreeRoot,
+                    expectedTreeSize,
+                    $"Tree size decreased from {expectedTreeSize} to {currentCheckpoint.TreeSize} (possible log truncation)",
+                    now);
+            }
+
+            // If sizes match, roots should match
+            if (currentCheckpoint.TreeSize == expectedTreeSize &&
+                !string.Equals(currentCheckpoint.TreeRoot, expectedTreeRoot, StringComparison.OrdinalIgnoreCase))
+            {
+                return RootConsistencyResult.Inconsistent(
+                    currentCheckpoint.TreeRoot,
+                    currentCheckpoint.TreeSize,
+                    expectedTreeRoot,
+                    expectedTreeSize,
+                    "Tree root changed without size change (possible log tampering)",
+                    now);
+            }
+
+            return RootConsistencyResult.Consistent(
+                currentCheckpoint.TreeRoot,
+                currentCheckpoint.TreeSize,
+                now);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Failed to verify root consistency");
+            return RootConsistencyResult.Inconsistent(
+                "",
+                0,
+                expectedTreeRoot,
+                expectedTreeSize,
+                $"Error during consistency check: {ex.Message}",
+                now);
+        }
+    }
+
+    private async Task<(string TreeRoot, long TreeSize)?> GetCurrentCheckpointAsync(
+        RekorBackend backend,
+        CancellationToken ct)
+    {
+        // In real implementation, this would call IRekorTileClient.GetCheckpointAsync
+        // For now, we simulate by getting the latest proof
+        await Task.CompletedTask;
+
+        // Placeholder - actual implementation would fetch from Rekor API
+        return null;
+    }
+
+    private static (bool IsValid, TimeSpan? TimeSkew, string? Message) CheckTimeSkew(
+        RekorEntryReference entry,
+        int maxTimeSkewSeconds)
+    {
+        if (!entry.ExpectedBuildTime.HasValue)
+        {
+            // No expected time to compare against
+            return (true, null, null);
+        }
+
+        var expectedTime = entry.ExpectedBuildTime.Value;
+        var integratedTime = entry.IntegratedTime;
+        var skew = integratedTime - expectedTime;
+        var absSkew = skew.Duration();
+
+        if (absSkew.TotalSeconds > maxTimeSkewSeconds)
+        {
+            return (
+                false,
+                skew,
+                $"Time skew {absSkew.TotalSeconds:F0}s exceeds maximum {maxTimeSkewSeconds}s"
+            );
+        }
+
+        return (true, skew, null);
+    }
+
+    private static bool IsValidInclusionProof(StoredInclusionProof proof)
+    {
+        return proof.LeafIndex >= 0 &&
+               proof.TreeSize > proof.LeafIndex &&
+               proof.Hashes.Count > 0 &&
+               !string.IsNullOrEmpty(proof.RootHash);
+    }
+
+    private static bool VerifyMerkleInclusion(string? entryBodyHash, StoredInclusionProof proof)
+    {
+        if (string.IsNullOrEmpty(entryBodyHash))
+        {
+            return false;
+        }
+
+        // Simplified Merkle inclusion verification
+        // Real implementation would:
+        // 1. Compute leaf hash from entry body
+        // 2. Walk up the tree using sibling hashes
+        // 3. Compare computed root with stored root
+
+        // For now, just validate structure
+        return proof.Hashes.All(h => !string.IsNullOrEmpty(h));
+    }
+}

src/Attestor/__Tests/StellaOps.Attestor.Core.Tests/Verification/RekorVerificationServiceTests.cs

@@ -0,0 +1,465 @@
+// -----------------------------------------------------------------------------
+// RekorVerificationServiceTests.cs
+// Sprint: SPRINT_20260117_001_ATTESTOR_periodic_rekor_verification
+// Task: PRV-007 - Unit tests for verification service
+// Description: Unit tests for RekorVerificationService
+// -----------------------------------------------------------------------------
+
+using System.Collections.Immutable;
+using System.Security.Cryptography;
+using System.Text;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Time.Testing;
+using StellaOps.Attestor.Core.Verification;
+using Xunit;
+
+namespace StellaOps.Attestor.Core.Tests.Verification;
+
+[Trait("Category", "Unit")]
+public sealed class RekorVerificationServiceTests
+{
+    private static readonly DateTimeOffset FixedTimestamp = new(2026, 1, 16, 12, 0, 0, TimeSpan.Zero);
+    private readonly FakeTimeProvider _timeProvider;
+    private readonly ILogger<RekorVerificationServiceTests> _logger;
+
+    public RekorVerificationServiceTests()
+    {
+        _timeProvider = new FakeTimeProvider(FixedTimestamp);
+        _logger = NullLogger<RekorVerificationServiceTests>.Instance;
+    }
+
+    [Fact]
+    public void VerifySignature_ValidEd25519Signature_ReturnsTrue()
+    {
+        // Arrange
+        var service = CreateService();
+        using var ed25519 = new Ed25519Signature();
+        var data = Encoding.UTF8.GetBytes("test message");
+        var signature = ed25519.Sign(data);
+        var publicKey = ed25519.ExportPublicKey();
+
+        // Act
+        var result = service.VerifySignature(data, signature, publicKey, "ed25519");
+
+        // Assert
+        Assert.True(result.IsValid);
+        Assert.Empty(result.Errors);
+    }
+
+    [Fact]
+    public void VerifySignature_InvalidSignature_ReturnsFalse()
+    {
+        // Arrange
+        var service = CreateService();
+        using var ed25519 = new Ed25519Signature();
+        var data = Encoding.UTF8.GetBytes("test message");
+        var signature = new byte[64]; // Invalid signature
+        var publicKey = ed25519.ExportPublicKey();
+
+        // Act
+        var result = service.VerifySignature(data, signature, publicKey, "ed25519");
+
+        // Assert
+        Assert.False(result.IsValid);
+        Assert.Contains("signature", result.Errors.First(), StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public void VerifySignature_TamperedData_ReturnsFalse()
+    {
+        // Arrange
+        var service = CreateService();
+        using var ed25519 = new Ed25519Signature();
+        var originalData = Encoding.UTF8.GetBytes("original message");
+        var tamperedData = Encoding.UTF8.GetBytes("tampered message");
+        var signature = ed25519.Sign(originalData);
+        var publicKey = ed25519.ExportPublicKey();
+
+        // Act
+        var result = service.VerifySignature(tamperedData, signature, publicKey, "ed25519");
+
+        // Assert
+        Assert.False(result.IsValid);
+    }
+
+    [Fact]
+    public void VerifyInclusionProof_ValidProof_ReturnsTrue()
+    {
+        // Arrange
+        var service = CreateService();
+        var leafHash = CreateDeterministicHash("leaf-data-0");
+        var proof = CreateValidInclusionProof(leafHash, 100, 5);
+
+        // Act
+        var result = service.VerifyInclusionProof(proof);
+
+        // Assert
+        Assert.True(result.IsValid);
+        Assert.Equal(proof.TreeSize, result.TreeSize);
+    }
+
+    [Fact]
+    public void VerifyInclusionProof_EmptyHashes_ReturnsFalse()
+    {
+        // Arrange
+        var service = CreateService();
+        var proof = new InclusionProofData(
+            LeafHash: CreateDeterministicHash("leaf"),
+            RootHash: CreateDeterministicHash("root"),
+            TreeSize: 100,
+            LogIndex: 5,
+            Hashes: ImmutableArray<string>.Empty);
+
+        // Act
+        var result = service.VerifyInclusionProof(proof);
+
+        // Assert
+        Assert.False(result.IsValid);
+        Assert.Contains("proof", result.Errors.First(), StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public void VerifyInclusionProof_InvalidRootHash_ReturnsFalse()
+    {
+        // Arrange
+        var service = CreateService();
+        var leafHash = CreateDeterministicHash("leaf");
+        var proof = new InclusionProofData(
+            LeafHash: leafHash,
+            RootHash: CreateDeterministicHash("wrong-root"),
+            TreeSize: 100,
+            LogIndex: 5,
+            Hashes: ImmutableArray.Create(
+                CreateDeterministicHash("sibling1"),
+                CreateDeterministicHash("sibling2")));
+
+        // Act
+        var result = service.VerifyInclusionProof(proof);
+
+        // Assert
+        Assert.False(result.IsValid);
+    }
+
+    [Fact]
+    public void DetectTimeSkew_WithinThreshold_ReturnsNoSkew()
+    {
+        // Arrange
+        var service = CreateService();
+        var integratedTime = FixedTimestamp.AddSeconds(-30);
+
+        // Act
+        var result = service.DetectTimeSkew(integratedTime, FixedTimestamp);
+
+        // Assert
+        Assert.False(result.HasSkew);
+        Assert.Equal(TimeSpan.FromSeconds(30), result.Skew);
+    }
+
+    [Fact]
+    public void DetectTimeSkew_ExceedsThreshold_ReturnsSkewDetected()
+    {
+        // Arrange
+        var options = CreateOptions();
+        options.Value.MaxTimeSkewSeconds = 60;
+        var service = CreateService(options);
+        var integratedTime = FixedTimestamp.AddSeconds(-120);
+
+        // Act
+        var result = service.DetectTimeSkew(integratedTime, FixedTimestamp);
+
+        // Assert
+        Assert.True(result.HasSkew);
+        Assert.Equal(TimeSpan.FromSeconds(120), result.Skew);
+    }
+
+    [Fact]
+    public void DetectTimeSkew_FutureIntegratedTime_ReturnsSkewDetected()
+    {
+        // Arrange
+        var options = CreateOptions();
+        options.Value.MaxTimeSkewSeconds = 60;
+        var service = CreateService(options);
+        var integratedTime = FixedTimestamp.AddMinutes(5); // 5 minutes in future
+
+        // Act
+        var result = service.DetectTimeSkew(integratedTime, FixedTimestamp);
+
+        // Assert
+        Assert.True(result.HasSkew);
+        Assert.True(result.IsFutureTimestamp);
+    }
+
+    [Fact]
+    public void VerifyEntry_AllChecksPass_ReturnsSuccess()
+    {
+        // Arrange
+        var service = CreateService();
+        var entry = CreateValidRekorEntry();
+
+        // Act
+        var result = service.VerifyEntry(entry);
+
+        // Assert
+        Assert.True(result.IsValid);
+        Assert.True(result.SignatureValid);
+        Assert.True(result.InclusionProofValid);
+        Assert.False(result.TimeSkewDetected);
+    }
+
+    [Fact]
+    public void VerifyEntry_InvalidSignature_ReturnsPartialFailure()
+    {
+        // Arrange
+        var service = CreateService();
+        var entry = CreateRekorEntryWithInvalidSignature();
+
+        // Act
+        var result = service.VerifyEntry(entry);
+
+        // Assert
+        Assert.False(result.IsValid);
+        Assert.False(result.SignatureValid);
+        Assert.Contains("signature", result.FailureReasons.First(), StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public void VerifyBatch_MultipleEntries_ReturnsAggregateResults()
+    {
+        // Arrange
+        var service = CreateService();
+        var entries = new[]
+        {
+            CreateValidRekorEntry(),
+            CreateRekorEntryWithInvalidSignature(),
+            CreateValidRekorEntry()
+        };
+
+        // Act
+        var result = service.VerifyBatch(entries);
+
+        // Assert
+        Assert.Equal(3, result.TotalCount);
+        Assert.Equal(2, result.ValidCount);
+        Assert.Equal(1, result.InvalidCount);
+        Assert.Equal(2, result.Results.Count(r => r.IsValid));
+    }
+
+    [Fact]
+    public void VerifyRootConsistency_ConsistentRoots_ReturnsTrue()
+    {
+        // Arrange
+        var service = CreateService();
+        var storedRoot = CreateDeterministicHash("root-at-100");
+        var remoteRoot = storedRoot; // Same root
+        var storedSize = 100L;
+        var remoteSize = 100L;
+
+        // Act
+        var result = service.VerifyRootConsistency(storedRoot, remoteRoot, storedSize, remoteSize);
+
+        // Assert
+        Assert.True(result.IsConsistent);
+    }
+
+    [Fact]
+    public void VerifyRootConsistency_DifferentRootsSameSize_ReturnsFalse()
+    {
+        // Arrange
+        var service = CreateService();
+        var storedRoot = CreateDeterministicHash("root-v1");
+        var remoteRoot = CreateDeterministicHash("root-v2");
+        var size = 100L;
+
+        // Act
+        var result = service.VerifyRootConsistency(storedRoot, remoteRoot, size, size);
+
+        // Assert
+        Assert.False(result.IsConsistent);
+        Assert.True(result.PossibleTampering);
+    }
+
+    [Fact]
+    public void VerifyRootConsistency_RemoteSmallerThanStored_ReturnsFalse()
+    {
+        // Arrange
+        var service = CreateService();
+        var storedRoot = CreateDeterministicHash("root");
+        var remoteRoot = CreateDeterministicHash("root-smaller");
+        var storedSize = 100L;
+        var remoteSize = 50L; // Smaller - indicates rollback
+
+        // Act
+        var result = service.VerifyRootConsistency(storedRoot, remoteRoot, storedSize, remoteSize);
+
+        // Assert
+        Assert.False(result.IsConsistent);
+        Assert.True(result.PossibleRollback);
+    }
+
+    // Helper methods
+
+    private IRekorVerificationService CreateService(IOptions<RekorVerificationOptions>? options = null)
+    {
+        return new RekorVerificationService(
+            options ?? CreateOptions(),
+            _timeProvider,
+            NullLogger<RekorVerificationService>.Instance);
+    }
+
+    private static IOptions<RekorVerificationOptions> CreateOptions()
+    {
+        return Options.Create(new RekorVerificationOptions
+        {
+            Enabled = true,
+            MaxTimeSkewSeconds = 300,
+            BatchSize = 100
+        });
+    }
+
+    private static string CreateDeterministicHash(string input)
+    {
+        var bytes = Encoding.UTF8.GetBytes(input);
+        var hash = SHA256.HashData(bytes);
+        return Convert.ToBase64String(hash);
+    }
+
+    private static InclusionProofData CreateValidInclusionProof(string leafHash, long treeSize, long logIndex)
+    {
+        // Create a valid proof structure
+        var hashes = ImmutableArray.Create(
+            CreateDeterministicHash($"sibling-{logIndex}-0"),
+            CreateDeterministicHash($"sibling-{logIndex}-1"),
+            CreateDeterministicHash($"sibling-{logIndex}-2"));
+
+        // Compute expected root (simplified for test)
+        var rootHash = ComputeMerkleRoot(leafHash, hashes, logIndex, treeSize);
+
+        return new InclusionProofData(
+            LeafHash: leafHash,
+            RootHash: rootHash,
+            TreeSize: treeSize,
+            LogIndex: logIndex,
+            Hashes: hashes);
+    }
+
+    private static string ComputeMerkleRoot(string leafHash, ImmutableArray<string> hashes, long logIndex, long treeSize)
+    {
+        // Simplified Merkle root computation for test purposes
+        var current = Convert.FromBase64String(leafHash);
+
+        foreach (var siblingHash in hashes)
+        {
+            var sibling = Convert.FromBase64String(siblingHash);
+            var combined = new byte[current.Length + sibling.Length + 1];
+            combined[0] = 0x01; // RFC 6962 interior node prefix
+            current.CopyTo(combined, 1);
+            sibling.CopyTo(combined, 1 + current.Length);
+            current = SHA256.HashData(combined);
+        }
+
+        return Convert.ToBase64String(current);
+    }
+
+    private RekorEntryForVerification CreateValidRekorEntry()
+    {
+        using var ed25519 = new Ed25519Signature();
+        var body = Encoding.UTF8.GetBytes("""{"test":"data"}""");
+        var signature = ed25519.Sign(body);
+
+        return new RekorEntryForVerification(
+            EntryUuid: Guid.NewGuid().ToString("N"),
+            LogIndex: 12345,
+            IntegratedTime: FixedTimestamp.AddMinutes(-5),
+            Body: body,
+            Signature: signature,
+            PublicKey: ed25519.ExportPublicKey(),
+            SignatureAlgorithm: "ed25519",
+            InclusionProof: CreateValidInclusionProof(
+                CreateDeterministicHash("leaf-12345"),
+                100000,
+                12345));
+    }
+
+    private RekorEntryForVerification CreateRekorEntryWithInvalidSignature()
+    {
+        using var ed25519 = new Ed25519Signature();
+        var body = Encoding.UTF8.GetBytes("""{"test":"data"}""");
+        var invalidSignature = new byte[64]; // All zeros
+
+        return new RekorEntryForVerification(
+            EntryUuid: Guid.NewGuid().ToString("N"),
+            LogIndex: 12346,
+            IntegratedTime: FixedTimestamp.AddMinutes(-5),
+            Body: body,
+            Signature: invalidSignature,
+            PublicKey: ed25519.ExportPublicKey(),
+            SignatureAlgorithm: "ed25519",
+            InclusionProof: CreateValidInclusionProof(
+                CreateDeterministicHash("leaf-12346"),
+                100000,
+                12346));
+    }
+
+    /// <summary>
+    /// Simple Ed25519 wrapper for test signing.
+    /// </summary>
+    private sealed class Ed25519Signature : IDisposable
+    {
+        private readonly byte[] _privateKey;
+        private readonly byte[] _publicKey;
+
+        public Ed25519Signature()
+        {
+            // Generate deterministic key pair for tests
+            using var rng = RandomNumberGenerator.Create();
+            _privateKey = new byte[32];
+            rng.GetBytes(_privateKey);
+
+            // Ed25519 public key derivation (simplified for test)
+            _publicKey = SHA256.HashData(_privateKey);
+        }
+
+        public byte[] Sign(byte[] data)
+        {
+            // Simplified signature for test (not cryptographically secure)
+            var combined = new byte[_privateKey.Length + data.Length];
+            _privateKey.CopyTo(combined, 0);
+            data.CopyTo(combined, _privateKey.Length);
+            var hash = SHA256.HashData(combined);
+
+            // Create 64-byte signature
+            var signature = new byte[64];
+            hash.CopyTo(signature, 0);
+            hash.CopyTo(signature, 32);
+            return signature;
+        }
+
+        public byte[] ExportPublicKey() => _publicKey.ToArray();
+
+        public void Dispose()
+        {
+            Array.Clear(_privateKey, 0, _privateKey.Length);
+        }
+    }
+}
+
+// Supporting types for tests (would be in main project)
+
+public record InclusionProofData(
+    string LeafHash,
+    string RootHash,
+    long TreeSize,
+    long LogIndex,
+    ImmutableArray<string> Hashes);
+
+public record RekorEntryForVerification(
+    string EntryUuid,
+    long LogIndex,
+    DateTimeOffset IntegratedTime,
+    byte[] Body,
+    byte[] Signature,
+    byte[] PublicKey,
+    string SignatureAlgorithm,
+    InclusionProofData InclusionProof);

src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/Verification/RekorVerificationJobIntegrationTests.cs

@@ -0,0 +1,415 @@
+// -----------------------------------------------------------------------------
+// RekorVerificationJobIntegrationTests.cs
+// Sprint: SPRINT_20260117_001_ATTESTOR_periodic_rekor_verification
+// Task: PRV-008 - Integration tests for verification job
+// Description: Integration tests for RekorVerificationJob with mocked time and database
+// -----------------------------------------------------------------------------
+
+using System.Collections.Immutable;
+using FluentAssertions;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Time.Testing;
+using StellaOps.Attestor.Core.Verification;
+using StellaOps.TestKit;
+using Xunit;
+
+namespace StellaOps.Attestor.Infrastructure.Tests.Verification;
+
+[Trait("Category", TestCategories.Integration)]
+public sealed class RekorVerificationJobIntegrationTests : IAsyncLifetime
+{
+    private static readonly DateTimeOffset FixedTimestamp = new(2026, 1, 16, 12, 0, 0, TimeSpan.Zero);
+    private readonly FakeTimeProvider _timeProvider;
+    private readonly InMemoryRekorEntryRepository _repository;
+    private readonly InMemoryRekorVerificationStatusProvider _statusProvider;
+    private readonly RekorVerificationMetrics _metrics;
+
+    public RekorVerificationJobIntegrationTests()
+    {
+        _timeProvider = new FakeTimeProvider(FixedTimestamp);
+        _repository = new InMemoryRekorEntryRepository();
+        _statusProvider = new InMemoryRekorVerificationStatusProvider();
+        _metrics = new RekorVerificationMetrics();
+    }
+
+    public Task InitializeAsync() => Task.CompletedTask;
+
+    public Task DisposeAsync()
+    {
+        _metrics.Dispose();
+        return Task.CompletedTask;
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_WithNoEntries_CompletesSuccessfully()
+    {
+        // Arrange
+        var job = CreateJob();
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+
+        // Act
+        await job.ExecuteOnceAsync(cts.Token);
+
+        // Assert
+        var status = await _statusProvider.GetStatusAsync(cts.Token);
+        status.LastRunAt.Should().Be(FixedTimestamp);
+        status.LastRunStatus.Should().Be(VerificationRunStatus.Success);
+        status.TotalEntriesVerified.Should().Be(0);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_WithValidEntries_VerifiesAll()
+    {
+        // Arrange
+        var entries = CreateValidEntries(10);
+        await _repository.InsertManyAsync(entries, CancellationToken.None);
+
+        var job = CreateJob();
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+
+        // Act
+        await job.ExecuteOnceAsync(cts.Token);
+
+        // Assert
+        var status = await _statusProvider.GetStatusAsync(cts.Token);
+        status.TotalEntriesVerified.Should().Be(10);
+        status.TotalEntriesFailed.Should().Be(0);
+        status.FailureRate.Should().Be(0);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_WithMixedEntries_TracksFailureRate()
+    {
+        // Arrange
+        var validEntries = CreateValidEntries(8);
+        var invalidEntries = CreateInvalidEntries(2);
+        await _repository.InsertManyAsync(validEntries.Concat(invalidEntries).ToList(), CancellationToken.None);
+
+        var job = CreateJob();
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+
+        // Act
+        await job.ExecuteOnceAsync(cts.Token);
+
+        // Assert
+        var status = await _statusProvider.GetStatusAsync(cts.Token);
+        status.TotalEntriesVerified.Should().Be(8);
+        status.TotalEntriesFailed.Should().Be(2);
+        status.FailureRate.Should().BeApproximately(0.2, 0.01);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_WithTimeSkewViolations_TracksViolations()
+    {
+        // Arrange
+        var entries = CreateEntriesWithTimeSkew(5);
+        await _repository.InsertManyAsync(entries, CancellationToken.None);
+
+        var options = CreateOptions();
+        options.Value.MaxTimeSkewSeconds = 60; // 1 minute tolerance
+        var job = CreateJob(options);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+
+        // Act
+        await job.ExecuteOnceAsync(cts.Token);
+
+        // Assert
+        var status = await _statusProvider.GetStatusAsync(cts.Token);
+        status.TimeSkewViolations.Should().Be(5);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_RespectsScheduleInterval()
+    {
+        // Arrange
+        var entries = CreateValidEntries(5);
+        await _repository.InsertManyAsync(entries, CancellationToken.None);
+
+        var options = CreateOptions();
+        options.Value.IntervalMinutes = 60; // 1 hour
+        var job = CreateJob(options);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
+
+        // Act - first run
+        await job.ExecuteOnceAsync(cts.Token);
+        var statusAfterFirst = await _statusProvider.GetStatusAsync(cts.Token);
+
+        // Advance time by 30 minutes (less than interval)
+        _timeProvider.Advance(TimeSpan.FromMinutes(30));
+
+        // Act - second run should skip
+        await job.ExecuteOnceAsync(cts.Token);
+        var statusAfterSecond = await _statusProvider.GetStatusAsync(cts.Token);
+
+        // Assert - should not have run again
+        statusAfterSecond.LastRunAt.Should().Be(statusAfterFirst.LastRunAt);
+
+        // Advance time to exceed interval
+        _timeProvider.Advance(TimeSpan.FromMinutes(35));
+
+        // Act - third run should execute
+        await job.ExecuteOnceAsync(cts.Token);
+        var statusAfterThird = await _statusProvider.GetStatusAsync(cts.Token);
+
+        // Assert - should have run
+        statusAfterThird.LastRunAt.Should().BeAfter(statusAfterFirst.LastRunAt!.Value);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_WithSamplingEnabled_VerifiesSubset()
+    {
+        // Arrange
+        var entries = CreateValidEntries(100);
+        await _repository.InsertManyAsync(entries, CancellationToken.None);
+
+        var options = CreateOptions();
+        options.Value.SampleRate = 0.1; // 10% sampling
+        options.Value.BatchSize = 100;
+        var job = CreateJob(options);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+
+        // Act
+        await job.ExecuteOnceAsync(cts.Token);
+
+        // Assert
+        var status = await _statusProvider.GetStatusAsync(cts.Token);
+        status.TotalEntriesVerified.Should().BeLessThanOrEqualTo(15); // ~10% with some variance
+        status.TotalEntriesVerified.Should().BeGreaterThan(0);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_WithBatchSize_ProcessesInBatches()
+    {
+        // Arrange
+        var entries = CreateValidEntries(25);
+        await _repository.InsertManyAsync(entries, CancellationToken.None);
+
+        var options = CreateOptions();
+        options.Value.BatchSize = 10;
+        var job = CreateJob(options);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+
+        // Act
+        await job.ExecuteOnceAsync(cts.Token);
+
+        // Assert
+        var status = await _statusProvider.GetStatusAsync(cts.Token);
+        status.TotalEntriesVerified.Should().Be(25);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_RootConsistencyCheck_DetectsTampering()
+    {
+        // Arrange
+        var entries = CreateValidEntries(5);
+        await _repository.InsertManyAsync(entries, CancellationToken.None);
+
+        // Set a stored root that doesn't match
+        await _repository.SetStoredRootAsync("inconsistent-root-hash", 1000, CancellationToken.None);
+
+        var job = CreateJob();
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+
+        // Act
+        await job.ExecuteOnceAsync(cts.Token);
+
+        // Assert
+        var status = await _statusProvider.GetStatusAsync(cts.Token);
+        status.RootConsistent.Should().BeFalse();
+        status.CriticalAlertCount.Should().BeGreaterThan(0);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_UpdatesLastRunDuration()
+    {
+        // Arrange
+        var entries = CreateValidEntries(10);
+        await _repository.InsertManyAsync(entries, CancellationToken.None);
+
+        var job = CreateJob();
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+
+        // Act
+        await job.ExecuteOnceAsync(cts.Token);
+
+        // Assert
+        var status = await _statusProvider.GetStatusAsync(cts.Token);
+        status.LastRunDuration.Should().NotBeNull();
+        status.LastRunDuration!.Value.Should().BeGreaterThan(TimeSpan.Zero);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_WhenDisabled_SkipsExecution()
+    {
+        // Arrange
+        var entries = CreateValidEntries(5);
+        await _repository.InsertManyAsync(entries, CancellationToken.None);
+
+        var options = CreateOptions();
+        options.Value.Enabled = false;
+        var job = CreateJob(options);
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+
+        // Act
+        await job.ExecuteOnceAsync(cts.Token);
+
+        // Assert
+        var status = await _statusProvider.GetStatusAsync(cts.Token);
+        status.LastRunAt.Should().BeNull();
+        status.TotalEntriesVerified.Should().Be(0);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_WithCancellation_StopsGracefully()
+    {
+        // Arrange
+        var entries = CreateValidEntries(1000); // Large batch
+        await _repository.InsertManyAsync(entries, CancellationToken.None);
+
+        var options = CreateOptions();
+        options.Value.BatchSize = 10; // Small batches to allow cancellation
+        var job = CreateJob(options);
+
+        using var cts = new CancellationTokenSource();
+        cts.CancelAfter(TimeSpan.FromMilliseconds(100)); // Cancel quickly
+
+        // Act & Assert - should not throw
+        await job.Invoking(j => j.ExecuteOnceAsync(cts.Token))
+            .Should().NotThrowAsync();
+    }
+
+    // Helper methods
+
+    private RekorVerificationJob CreateJob(IOptions<RekorVerificationOptions>? options = null)
+    {
+        return new RekorVerificationJob(
+            options ?? CreateOptions(),
+            _repository,
+            _statusProvider,
+            _metrics,
+            _timeProvider,
+            NullLogger<RekorVerificationJob>.Instance);
+    }
+
+    private static IOptions<RekorVerificationOptions> CreateOptions()
+    {
+        return Options.Create(new RekorVerificationOptions
+        {
+            Enabled = true,
+            IntervalMinutes = 60,
+            BatchSize = 100,
+            SampleRate = 1.0, // 100% by default
+            MaxTimeSkewSeconds = 300,
+            AlertOnRootInconsistency = true
+        });
+    }
+
+    private List<RekorEntryRecord> CreateValidEntries(int count)
+    {
+        return Enumerable.Range(0, count)
+            .Select(i => new RekorEntryRecord(
+                EntryUuid: $"uuid-{i:D8}",
+                LogIndex: 1000 + i,
+                IntegratedTime: FixedTimestamp.AddMinutes(-i),
+                BodyHash: $"hash-{i:D8}",
+                SignatureValid: true,
+                InclusionProofValid: true,
+                LastVerifiedAt: null))
+            .ToList();
+    }
+
+    private List<RekorEntryRecord> CreateInvalidEntries(int count)
+    {
+        return Enumerable.Range(0, count)
+            .Select(i => new RekorEntryRecord(
+                EntryUuid: $"invalid-uuid-{i:D8}",
+                LogIndex: 2000 + i,
+                IntegratedTime: FixedTimestamp.AddMinutes(-i),
+                BodyHash: $"invalid-hash-{i:D8}",
+                SignatureValid: false,
+                InclusionProofValid: false,
+                LastVerifiedAt: null))
+            .ToList();
+    }
+
+    private List<RekorEntryRecord> CreateEntriesWithTimeSkew(int count)
+    {
+        return Enumerable.Range(0, count)
+            .Select(i => new RekorEntryRecord(
+                EntryUuid: $"skew-uuid-{i:D8}",
+                LogIndex: 3000 + i,
+                IntegratedTime: FixedTimestamp.AddHours(2), // 2 hours in future = skew
+                BodyHash: $"skew-hash-{i:D8}",
+                SignatureValid: true,
+                InclusionProofValid: true,
+                LastVerifiedAt: null))
+            .ToList();
+    }
+}
+
+// Supporting types for tests
+
+public record RekorEntryRecord(
+    string EntryUuid,
+    long LogIndex,
+    DateTimeOffset IntegratedTime,
+    string BodyHash,
+    bool SignatureValid,
+    bool InclusionProofValid,
+    DateTimeOffset? LastVerifiedAt);
+
+public sealed class InMemoryRekorEntryRepository : IRekorEntryRepository
+{
+    private readonly List<RekorEntryRecord> _entries = new();
+    private string? _storedRoot;
+    private long _storedTreeSize;
+
+    public Task InsertManyAsync(IEnumerable<RekorEntryRecord> entries, CancellationToken ct)
+    {
+        _entries.AddRange(entries);
+        return Task.CompletedTask;
+    }
+
+    public Task<IReadOnlyList<RekorEntryRecord>> GetUnverifiedEntriesAsync(int limit, CancellationToken ct)
+    {
+        var result = _entries
+            .Where(e => e.LastVerifiedAt is null)
+            .Take(limit)
+            .ToList();
+        return Task.FromResult<IReadOnlyList<RekorEntryRecord>>(result);
+    }
+
+    public Task<IReadOnlyList<RekorEntryRecord>> GetSampledEntriesAsync(double sampleRate, int limit, CancellationToken ct)
+    {
+        var random = new Random(42); // Deterministic for tests
+        var result = _entries
+            .Where(_ => random.NextDouble() < sampleRate)
+            .Take(limit)
+            .ToList();
+        return Task.FromResult<IReadOnlyList<RekorEntryRecord>>(result);
+    }
+
+    public Task UpdateVerificationStatusAsync(string entryUuid, bool verified, DateTimeOffset verifiedAt, CancellationToken ct)
+    {
+        var index = _entries.FindIndex(e => e.EntryUuid == entryUuid);
+        if (index >= 0)
+        {
+            var existing = _entries[index];
+            _entries[index] = existing with { LastVerifiedAt = verifiedAt };
+        }
+        return Task.CompletedTask;
+    }
+
+    public Task SetStoredRootAsync(string rootHash, long treeSize, CancellationToken ct)
+    {
+        _storedRoot = rootHash;
+        _storedTreeSize = treeSize;
+        return Task.CompletedTask;
+    }
+
+    public Task<(string? RootHash, long TreeSize)> GetStoredRootAsync(CancellationToken ct)
+    {
+        return Task.FromResult((_storedRoot, _storedTreeSize));
+    }
+}