save checkpoint

docs/features/checked/attestor/build-attestation-mapping.md

@@ -0,0 +1,44 @@
+# Build Attestation Mapping (SPDX 3.0.1 Build Profile)
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Build attestation mapping to/from SPDX 3.0.1 is implemented with bidirectional mappers, build material, metadata, and invocation models.
+
+## Implementation Details
+- **BuildAttestationMapper**: `src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs` -- orchestrates bidirectional mapping. `IBuildAttestationMapper.cs` -- interface.
+  - `BuildAttestationMapper.MapToSpdx3.cs` -- maps internal build attestation to SPDX 3.0.1 build profile format
+  - `BuildAttestationMapper.MapFromSpdx3.cs` -- maps SPDX 3.0.1 build profile to internal format
+- **Build Attestation Payload**: `BuildAttestationPayload.cs` -- internal build attestation model.
+- **Build Material**: `BuildMaterial.cs` -- input materials (source code, dependencies, config files) with digests.
+- **Build Metadata**: `BuildMetadata.cs` -- build timestamp, build ID, reproducibility info.
+- **Build Invocation**: `BuildInvocation.cs` -- build command, parameters, environment.
+- **Builder Info**: `BuilderInfo.cs` -- builder identity (CI system, version).
+- **Config Source**: `ConfigSource.cs` -- build configuration source references.
+- **Build Relationships**: `BuildRelationshipBuilder.cs` (with `.Linking` partial) -- builds SPDX 3.0.1 relationships between build elements.
+- **DSSE Signing**: `DsseSpdx3Signer.cs` (with `.SignBuildProfile` partial) -- signs build profiles as DSSE envelopes.
+- **Combined Document**: `CombinedDocumentBuilder.cs` (with `.Build`, `.Attestation`, `.Profiles` partials) -- builds combined SPDX documents with build attestation profiles.
+- **Tests**: `__Libraries/__Tests/StellaOps.Attestor.Spdx3.Tests/BuildAttestationMapperTests.cs`, `BuildProfileValidatorTests.cs`, `CombinedDocumentBuilderTests.cs`
+
+## E2E Test Plan
+- [ ] Create a `BuildAttestationPayload` with materials, metadata, and invocation, map to SPDX 3.0.1 via `MapToSpdx3`, and verify the output contains correct build profile elements
+- [ ] Map an SPDX 3.0.1 document with build profile back to internal format via `MapFromSpdx3` and verify round-trip fidelity
+- [ ] Create build materials with SHA-256 digests and verify they appear as SPDX 3.0.1 build inputs with correct hash references
+- [ ] Create `BuildInvocation` with build command and parameters and verify they map to SPDX 3.0.1 build invocation fields
+- [ ] Use `BuildRelationshipBuilder` to link build elements and verify SPDX relationships are correctly typed
+- [ ] Sign a build profile via `DsseSpdx3Signer.SignBuildProfile` and verify the DSSE envelope is valid
+- [ ] Build a combined SPDX document with SBOM + build attestation profile via `CombinedDocumentBuilder` and verify both profiles are present
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |