save checkpoint

docs/features/checked/attestor/provenance-attestation-pipelines.md

@@ -0,0 +1,45 @@
+# Provenance/Attestation Pipelines (End-to-End)
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+End-to-end attestation pipeline covering build provenance (SLSA), SBOM attestation, VEX attestation, verdict attestation, OCI referrer attachment, and sealed audit pack export/import.
+
+## Implementation Details
+- **Pipeline Models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Pipeline/` -- pipeline orchestration:
+  - `ProofChainRequest.cs` -- pipeline request with artifact digest, evidence sources, and options.
+  - `ProofChainResult.cs` -- pipeline result with generated attestations, proof spine, and Merkle root.
+  - `PipelineSubject.cs` -- subject being attested through the pipeline.
+  - `RekorEntry.cs` -- Rekor transparency log entry from pipeline output.
+- **SLSA Provenance**: `__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs` (with `.ExtractMetadata`, `.Validation`) -- parses SLSA build provenance.
+- **SPDX3 Build Attestation**: `__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs` (with `.MapFromSpdx3`, `.MapToSpdx3`) -- maps build attestations.
+- **VEX Integration**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates VEX into pipeline.
+- **Attestation Bundling**: `__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs` -- bundles pipeline outputs.
+- **OCI Attachment**: `__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs` -- attaches pipeline outputs as OCI referrers.
+- **Evidence Pack**: `__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- builds sealed audit packs from pipeline outputs.
+- **Submission Service**: `StellaOps.Attestor.Core/Submission/IAttestorSubmissionService.cs` -- validates and routes pipeline submissions.
+- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/PipelineTests.cs`
+
+## E2E Test Plan
+- [ ] Run the full pipeline via `ProofChainRequest` with SBOM, scan results, and VEX data; verify `ProofChainResult` contains all attestations
+- [ ] Verify SLSA provenance is parsed and included in the pipeline output
+- [ ] Verify VEX attestation is integrated into the verdict via `VexProofIntegrator`
+- [ ] Verify all pipeline attestations are signed into DSSE envelopes
+- [ ] Verify pipeline outputs are bundled via `AttestationBundler` into a single verifiable bundle
+- [ ] Attach pipeline outputs to an OCI image via `OrasAttestationAttacher` and verify referrer discovery
+- [ ] Export pipeline outputs as a sealed evidence pack via `ReleaseEvidencePackBuilder` and verify manifest integrity
+- [ ] Verify `AttestorSubmissionService` rejects invalid pipeline inputs with appropriate error messages
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |