save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/taskrunner/pack-run-evidence-and-provenance.md
+++ b/docs/features/checked/taskrunner/pack-run-evidence-and-provenance.md
@@ -0,0 +1,32 @@
+# Pack Run Evidence and Provenance
+
+## Module
+TaskRunner
+
+## Status
+IMPLEMENTED
+
+## Description
+Evidence capture and provenance writing for pack runs, including attestation service for DSSE-signed provenance records.
+
+## Implementation Details
+- **Attestation service**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Attestation/IPackRunAttestationService.cs` -- DSSE-signed attestation contract
+- **Attestation model**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Attestation/PackRunAttestation.cs` -- attestation record for pack runs
+- **Evidence snapshot service**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunEvidenceSnapshotService.cs` -- evidence snapshot capture
+- **Evidence snapshot model**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/PackRunEvidenceSnapshot.cs` -- snapshot data model
+- **Evidence store**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunEvidenceStore.cs` -- evidence persistence contract
+- **Redaction guard**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunRedactionGuard.cs` -- sensitive data redaction
+- **Bundle import evidence**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/BundleImportEvidence.cs`, `IBundleImportEvidenceService.cs` -- air-gap bundle import evidence
+- **Provenance writer interface**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/IPackRunProvenanceWriter.cs` -- provenance writing contract
+- **Provenance manifest factory**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/ProvenanceManifestFactory.cs` -- creates SLSA-compatible provenance manifests
+- **Filesystem provenance writer**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/FilesystemPackRunProvenanceWriter.cs`
+- **Postgres evidence store**: `src/TaskRunner/__Libraries/StellaOps.TaskRunner.Persistence/Postgres/Repositories/PostgresPackRunEvidenceStore.cs`
+- **Tests**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunAttestationTests.cs`, `PackRunEvidenceSnapshotTests.cs`, `PackRunProvenanceWriterTests.cs`, `BundleImportEvidenceTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify DSSE-signed attestations are generated per pack run
+- [ ] Test evidence snapshot captures all execution artifacts
+- [ ] Verify provenance manifest includes SLSA-compatible metadata
+- [ ] Test redaction guard strips sensitive data from evidence
+- [ ] Verify bundle import evidence records air-gap import provenance