save checkpoint

docs/features/checked/attestor/cross-attestation-chain-linking.md

@@ -0,0 +1,41 @@
+# Cross-Attestation Chain Linking (SBOM->VEX->Policy)
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Cross-attestation linking via in-toto layout references with link types (DependsOn/Supersedes/Aggregates), DAG validation with cycle detection, chain query API (GET /attestations?chain=true, upstream/downstream traversal with depth limit), and chain visualization endpoint supporting Mermaid/DOT/JSON formats.
+
+## Implementation Details
+- **Attestation Chain Builder**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Chain/AttestationChainBuilder.cs` -- builds attestation chains from link references.
+- **Attestation Chain Validator**: `Chain/AttestationChainValidator.cs` -- validates chain integrity including DAG validation and cycle detection.
+- **Attestation Link**: `Chain/AttestationLink.cs` -- represents a link between two attestations with link type.
+- **Attestation Link Resolver**: `Chain/AttestationLinkResolver.cs` -- implements `IAttestationLinkResolver`. Resolves upstream/downstream links with depth limits.
+- **In-Memory Link Store**: `Chain/InMemoryAttestationLinkStore.cs` -- in-memory storage for attestation links.
+- **Chain Model**: `Chain/AttestationChain.cs` -- full chain model for traversal.
+- **In-Toto Materials**: `Chain/InTotoStatementMaterials.cs` -- material references in in-toto statements for cross-linking.
+- **Chain Query Service**: `StellaOps.Attestor.WebService/Services/ChainQueryService.cs`, `IChainQueryService.cs` -- API service for chain queries.
+- **Chain API**: `WebService/Controllers/ChainController.cs` -- REST endpoints for chain traversal and visualization. `WebService/Models/ChainApiModels.cs` -- API models.
+- **Tests**: `StellaOps.Attestor.Core.Tests/Chain/AttestationChainBuilderTests.cs`, `AttestationChainValidatorTests.cs`, `AttestationLinkResolverTests.cs`, `ChainResolverDirectionalTests.cs`, `InMemoryAttestationLinkStoreTests.cs`
+
+## E2E Test Plan
+- [ ] Build an attestation chain SBOM -> VEX -> Policy via `AttestationChainBuilder` with DependsOn links and verify the chain connects all three
+- [ ] Validate the chain via `AttestationChainValidator` and verify DAG validation passes (no cycles)
+- [ ] Create a circular chain (A -> B -> C -> A) and verify `AttestationChainValidator` detects the cycle
+- [ ] Resolve upstream links from a Policy attestation via `AttestationLinkResolver` with depth limit 2 and verify VEX and SBOM are returned
+- [ ] Resolve downstream links from an SBOM attestation and verify VEX and Policy are returned
+- [ ] Query chain via `ChainController` GET endpoint with `chain=true` and verify the response contains the full chain
+- [ ] Request chain visualization in Mermaid format and verify valid Mermaid diagram output
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |