save checkpoint

docs/features/checked/scanner/offline-slice-bundle-export-import.md

@@ -0,0 +1,38 @@
+# Offline Slice Bundle Export/Import (OCI Layout)
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Offline distribution of reachability slices via OCI layout tar.gz bundles including all referenced artifacts (graphs, SBOMs), with integrity verification on import. Targets <100MB for typical scans.
+
+## Implementation Details
+- **Offline Bundle Service**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/Offline/OfflineBundleService.cs` - `OfflineBundleService` exports and imports reachability slices as OCI layout tar.gz bundles with all referenced artifacts
+- **Evidence Bundle Export**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/IEvidenceBundleExporter.cs` - `IEvidenceBundleExporter` interface for exporting evidence bundles
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs` - `EvidenceBundleExporter` exports scan evidence as portable bundles
+- **OCI Slice Services**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/SlicePushService.cs` - Push slices to OCI registries
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/SlicePullService.cs` - Pull slices from OCI registries
+
+## E2E Test Plan
+- [ ] Export a reachability slice bundle as an OCI layout tar.gz file and verify it contains all referenced artifacts (graphs, SBOMs)
+- [ ] Import the exported bundle into a disconnected instance and verify integrity verification passes
+- [ ] Verify the exported bundle size stays under 100MB for typical scans
+- [ ] Verify tampered bundles fail integrity verification on import
+- [ ] Verify the imported bundle's reachability data is usable for offline vulnerability analysis
+
+---
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source files exist | PASS |
+| Tier 1 - Build + code review | PASS |
+| Tier 2 - Integration tests | PASS |
+| Verified | 2026-02-13T18:10:00Z |