save checkpoint

docs/features/checked/scanner/signed-sbom-archive-format.md

@@ -0,0 +1,36 @@
+# Signed SBOM Archive Format (SignedSbomArchiveBuilder)
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Service for building signed SBOM archive bundles (tar.gz with DSSE envelope, SBOM document, and Rekor receipt) suitable for offline transfer and air-gapped verification.
+
+## Implementation Details
+- **Archive Builder**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Services/SignedSbomArchiveBuilder.cs` - `SignedSbomArchiveBuilder` building tar.gz archives containing the SBOM document, DSSE envelope with signature, and Rekor transparency log receipt for offline verification
+- **Export Endpoint**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ExportEndpoints.cs` - Export endpoints providing download of signed SBOM archives
+- **Tests**:
+  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/SignedSbomArchiveBuilderTests.cs` - Unit tests for archive building and content verification
+
+## E2E Test Plan
+- [ ] Build a signed SBOM archive for a scan result and verify the tar.gz contains the SBOM document, DSSE envelope, and Rekor receipt
+- [ ] Extract the archive and verify the DSSE envelope signature validates against the signing key
+- [ ] Verify the Rekor receipt in the archive matches the transparency log entry
+- [ ] Transfer the archive to an air-gapped environment and verify offline verification succeeds using only the archive contents
+- [ ] Verify the archive format is deterministic (same inputs produce byte-identical archives excluding timestamps)
+
+---
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source files exist | PASS |
+| Tier 1 - Build + code review | PASS |
+| Tier 2 - Integration tests | PASS |
+| Verified | 2026-02-13T18:10:00Z |