Add receipt input JSON and SHA256 hash for CVSS policy scoring tests

- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring.
- Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.

docs/modules/scanner/design/README.md

@@ -16,6 +16,8 @@ This directory contains deep technical designs for current and upcoming analyzer
 ## OS ecosystem designs
 - `macos-analyzer.md` — Homebrew, pkgutil, `.app` bundle plan.
 - `windows-analyzer.md` — MSI, WinSxS, Chocolatey, registry collectors.
+- `cdx17-cbom-contract.md` — deterministic CycloneDX 1.7 + CBOM export profile (ordering, hashes, downgrade rules).
+- `slsa-source-track.md` — deterministic SLSA Source Track capture (repo/ref/commit, tree hash, invocation hash, provenance DSSE, CAS paths).
 
 ## Demand & dashboards
 - `../../benchmarks/scanner/windows-macos-demand.md` — demand tracker.

docs/modules/scanner/design/cdx17-cbom-contract.md

@@ -0,0 +1,47 @@
+# CycloneDX 1.7 + CBOM Export Contract (SC2)
+
+Scope: Defines the deterministic export profile for CycloneDX 1.7 BOMs enriched with Cloud BOM (CBOM) signals that Scanner emits and Replay consumes. Covers ordering, required fields, CBOM properties, hash/DSSE anchoring, and downgrade rules to 1.6.
+
+## Profile
+- `bomFormat: CycloneDX`, `specVersion: 1.7`, `version: 1`, `serialNumber: urn:uuid:` (v4, lower-case, fixed length).
+- Canonicalization: JSON with lexicographic object keys, stable array ordering, UTF-8, no insignificant whitespace when hashing. Use BLAKE3-256 primary hash and SHA-256 secondary.
+- Timestamps: UTC ISO-8601 `Z`; strip milliseconds unless non-zero.
+- Hash fields: `metadata.component.hashes[*]`, component hashes; attach `properties` `evidence:hash` for CAS subject; include DSSE envelope digest in `metadata.properties` (`provenance.dsse`).
+
+## Required sections
+- **metadata.component**: root application/service with `type`, `name`, `version`, `purl`, hashes, and `evidence.properties` (`evidence:source`, `evidence:hash`).
+- **metadata.properties** (CBOM + provenance):
+  - `source.repo`, `source.ref`, `build.id`, `build.invocation.hash`, `provenance.dsse`.
+- **metadata.tools**: at least one entry with `vendor`, `name`, `version`; include `properties` for deterministic seeds if applicable.
+- **services[]**: CBOM ingress/egress per service using `properties` namespaced `cbom:*` (e.g., `cbom:ingress`, `cbom:egress`, `cbom:data.classification`).
+- **components[]**: libraries/artifacts with `type`, `name`, `version`, `purl`, `hashes`. Optional CBOM properties allowed (`cbom:region`, `cbom:provider`).
+- **vulnerabilities[]**: must carry both CVSS v4 (`method: CVSSv4`) and v3.1 ratings when available; include `properties` `evidence:source`, `evidence:proof-id`, `evidence:hash`.
+
+## Ordering rules
+1. Top-level keys: `bomFormat`, `specVersion`, `serialNumber`, `version`, `metadata`, `services`, `components`, `vulnerabilities`.
+2. Arrays sorted by `name` then `purl` (components/services) and by `id` for vulnerabilities.
+3. Hash lists sorted by `alg`; properties sorted by `name`.
+4. Ratings sorted by `method` (CVSSv4 first, then CVSSv3.1, then others).
+
+## Deterministic hashing
+- Compute `bomHash` = BLAKE3-256 over canonical JSON; record in DSSE subject.
+- For downgrade tests, also compute SHA-256 and record in `hashes.txt` (see fixtures).
+
+## Downgrade to 1.6
+- Remove CBOM namespaced properties; preserve non-CBOM properties.
+- Drop CVSS v4 ratings; keep v3.1 and mark `x-stellaops:cvss4-dropped: true` in `vulnerabilities[].properties` for audit.
+- Preserve component/service ordering; recompute hashes; record downgrade hash alongside 1.7 hash (`hashes.txt`).
+
+## Evidence linkage
+- Every `evidence:hash` must reference a CAS object (BLAKE3 URI or sha256) present in replay bundle manifests.
+- `provenance.dsse` must point to DSSE envelope hash for the build/provenance statement; verifier should fail closed when missing.
+
+## CI expectations
+- Validate against CycloneDX 1.7 JSON schema.
+- Determinism check: render BOM twice → identical hashes and ordering.
+- Verify fixture hashes in `docs/modules/scanner/fixtures/cdx17-cbom/hashes.txt`.
+
+## Fixtures
+- 1.7 reference: `docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx17-cbom.json`.
+- 1.6 downgrade: `docs/modules/scanner/fixtures/cdx17-cbom/sample-cdx16.json`.
+- Hashes: `docs/modules/scanner/fixtures/cdx17-cbom/hashes.txt` (BLAKE3, SHA256 for both).

docs/modules/scanner/design/slsa-source-track.md

@@ -0,0 +1,60 @@
+# SLSA Source Track Capture (SC3)
+
+Status: Draft · Date: 2025-12-03
+Scope: Define deterministic capture of SLSA Source Track data for replay bundles and CycloneDX 1.7 + CBOM exports. Aligns Scanner record/replay with provenance signals (build-id, repo/ref, provenance DSSE).
+
+## Objectives
+- Persist source provenance required by SLSA 1.2 Source Track: repo URI, resolved ref, digest of checked-out tree, invocation hash, builder ID, and reproducible build inputs.
+- Make data replayable offline: no network fetch; hashes + DSSE envelope paths must resolve locally.
+- Keep ordering/hashes deterministic: canonical JSON (sorted keys), BLAKE3-256 primary hash, SHA-256 secondary.
+
+## Minimal fields (per build)
+- `source.repo`: canonical URI (https, ssh); normalized to lower-case host; trailing slash stripped.
+- `source.ref`: fully qualified ref (`refs/heads/main`, tag, or immutable commit).
+- `source.commit`: 40-hex commit digest.
+- `source.treeHash`: BLAKE3-256 of source tree snapshot (stable archive); optional SHA-256 mirror.
+- `build.invocation.hash`: BLAKE3-256 of normalized invocation (args/env/tool versions); also store `build.invocation.dsse` hash when signed.
+- `builder.id`: URI for builder identity (SLSA-style).
+- `provenance.dsse`: SHA-256 of DSSE envelope for provenance statement (e.g., in-toto SLSA provenance v1.0). Optionally include BLAKE3 and CAS URI.
+
+## JSON shape (suggested)
+```json
+{
+  "source": {
+    "repo": "https://example.invalid/demo",
+    "ref": "refs/tags/v1.0.0",
+    "commit": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+    "treeHash": "b3:1111...",
+    "builderId": "https://builder.stellaops.local/scanner",
+    "invocationHash": "b3:2222...",
+    "invocationDsse": "sha256:3333...",
+    "provenance": {
+      "dsse": "sha256:4444...",
+      "cas": "cas://provenance/demo/v1.0.0.dsse"
+    }
+  }
+}
+```
+
+## Where to store
+- CycloneDX 1.7 + CBOM: encode under `metadata.properties` using namespaced keys:
+  - `source.repo`, `source.ref`, `source.commit`, `source.tree.hash`, `builder.id`, `build.invocation.hash`, `build.invocation.dsse`, `provenance.dsse`, `provenance.cas`.
+- Replay manifest: add `source` block mirroring the JSON shape above; include hashes in manifest subject list.
+- CAS: store provenance DSSE envelope under `cas://provenance/{component}/{version}.dsse`; store tree snapshot tarball under `cas://source/{commit}.tar.gz`.
+
+## Determinism rules
+- Canonical JSON (lexicographic keys, UTF-8, no pretty-print) before hashing.
+- Timestamps in provenance statements must be UTC `Z`; strip milliseconds unless non-zero.
+- All hashes recorded with algorithm prefix (`b3:` for BLAKE3-256, `sha256:` for SHA-256).
+
+## Verification
+- Verifier MUST: (1) schema-check fields are present; (2) recompute `treeHash` from tree tarball; (3) recompute `build.invocation.hash` from normalized invocation file; (4) verify DSSE envelope hash matches `provenance.dsse` and signature keys; (5) ensure repo/ref/commit are consistent (ref→commit mapping known or provided in bundle).
+- Fail closed on any mismatch; never fetch network.
+
+## Fixtures
+- `docs/modules/scanner/fixtures/cdx17-cbom/source-track.sample.json` — deterministic example with placeholder hashes.
+- Future: add CAS tarball + invocation file under `tests/reachability/fixtures/source-track/` with recomputation script.
+
+## TODO (outside this doc)
+- Implement `scripts/scanner/verify_source_track.py` to validate source-track blocks and CAS payloads offline.
+- Extend replay manifest schema to include `source` block; add determinism tests in Scanner replay suite once manifest contract lands.

docs/modules/scanner/fixtures/adapters/README.md

@@ -2,3 +2,7 @@
 - Location for mapping CSVs converting CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0.
 - Each CSV must include BLAKE3 and SHA256 hash recorded in accompanying `hashes.txt`.
 - Adapters are pure (no network); determinism enforced in CI.
+- Files added:
+  - `mapping-cvss4-to-cvss3.csv`
+  - `mapping-slsa12-to-slsa10.csv`
+  - `mapping-cdx17-to-cdx16.csv` (placeholder empty; fill once downgrade rules freeze).

docs/modules/scanner/fixtures/adapters/hashes.txt

@@ -1 +1,3 @@
-mapping-cdx17-to-cdx16.csv: BLAKE3=<TBD> SHA256=<TBD>
+mapping-cvss4-to-cvss3.csv blake3-256=fa600b266e696fd84070d2efd8678633366edcff62c4e75e0ffeaac98816c873 sha256=072b66befac9556bc84d81e522938a222c88691db9564af6f220389562f22b0d
+mapping-slsa12-to-slsa10.csv blake3-256=b833034769f1ece239a03fb0797bab160ef02d78bb781e7d48b05552d0d27015 sha256=4a3dd0a9c4ed9d5061b8c862b35ba8147da725bf0d2968164c52298a6e1451fd
+mapping-cdx17-to-cdx16.csv blake3-256=69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

docs/modules/scanner/fixtures/adapters/mapping-cvss4-to-cvss3.csv

@@ -0,0 +1,14 @@
+source_field,target_field,rule,notes
+AV,AV,"Network->N, Adjacent->A, Local->L, Physical->P","Preserve mapping; CVSS 4 AT handled separately"
+AC,AC,"Low->L, High->H",""
+PR,PR,"None->N, Low->L, High->H",""
+UI,UI,"None->N, Passive->P, Active->A","CVSS3 has R (Required) approximate with A"
+VC,C,"High->H, Low->L, None->N","Impact mapping: VC→Confidentiality"
+VI,I,"High->H, Low->L, None->N",""
+VA,A,"High->H, Low->L, None->N",""
+SC,S,"High->C, Low->C, None->U","Scoped impact collapses to Scope Changed/Unchanged; default Changed when SC>None"
+SI,S,"High->C, Low->C, None->U","Same as SC"
+SA,S,"High->C, Low->C, None->U","Same as SC"
+AT,N/A,"drop","Attack requirements not represented in CVSS3"
+Threat,Temporal,"map to E: NotDefined","Threat metrics not supported; set Temporal NotDefined"
+Environmental,Environmental,"map CR/IR/AR to CR/IR/AR; map MV* to unchanged"

docs/modules/scanner/fixtures/adapters/mapping-slsa12-to-slsa10.csv

@@ -0,0 +1,10 @@
+source_field,target_field,rule,notes
+builder.id,builder.id,copy,""
+builder.version,builder.version,copy,""
+invocation.configSource.uri,configSource.uri,copy,""
+invocation.configSource.digest,configSource.digest,copy,""
+materials[],materials[],copy,"Keep materials but drop integrity fields unsupported in 1.0"
+subject[],subject[],copy,""
+provenance.dsse,metadata.buildInvocationID,copy,"Use DSSE hash as buildInvocationID placeholder"
+metadata.startedOn,metadata.buildStartedOn,copy,""
+metadata.finishedOn,metadata.buildFinishedOn,copy,""

docs/modules/scanner/fixtures/cdx17-cbom/source-track.sample.json

@@ -0,0 +1,15 @@
+{
+  "source": {
+    "repo": "https://example.invalid/demo",
+    "ref": "refs/tags/v1.0.0",
+    "commit": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+    "treeHash": "b3:1111111111111111111111111111111111111111111111111111111111111111",
+    "builderId": "https://builder.stellaops.local/scanner",
+    "invocationHash": "b3:2222222222222222222222222222222222222222222222222222222222222222",
+    "invocationDsse": "sha256:3333333333333333333333333333333333333333333333333333333333333333",
+    "provenance": {
+      "dsse": "sha256:4444444444444444444444444444444444444444444444444444444444444444",
+      "cas": "cas://provenance/demo/v1.0.0.dsse"
+    }
+  }
+}