save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/qa/feature-checks/runs/evidencelocker/doctor-evidence-integrity-check/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/doctor-evidence-integrity-check/run-001/tier2-integration-check.json
@@ -0,0 +1,24 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:00:00Z",
+  "feature": "doctor-evidence-integrity-check",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceSignatureServiceTests|GoldenFixturesTests",
+  "testsRun": 10,
+  "testsPassed": 10,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "DSSE signature creation with deterministic payload",
+    "Timestamp attachment when TSA authority succeeds",
+    "Timestamp failure propagation when TSA is required and offline",
+    "Deterministic payload ordering (metadata keys sorted alphabetically)",
+    "Transparency reference serialization in DSSE envelope",
+    "Timestamp reference serialization in DSSE envelope",
+    "Empty transparency/timestamp arrays omitted from payload",
+    "Merkle root hash computation for integrity verification",
+    "Checksum determinism across runs",
+    "OfflineTimestampVerifier exists with full verification pipeline"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/evidence-bundle-export-with-embedded-verify-scripts/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/evidence-bundle-export-with-embedded-verify-scripts/run-001/tier2-integration-check.json
@@ -0,0 +1,27 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:01:00Z",
+  "feature": "evidence-bundle-export-with-embedded-verify-scripts",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/__Tests/StellaOps.EvidenceLocker.Export.Tests/StellaOps.EvidenceLocker.Export.Tests.csproj",
+  "testFilter": "TarGzBundleExporterTests|VerifyScriptGeneratorTests|MerkleTreeBuilderTests|ChecksumFileWriterTests",
+  "testsRun": 75,
+  "testsPassed": 75,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "TarGz bundle export creates valid archive with manifest, metadata, checksums, readme",
+    "Verify.sh script generated with BSD-format checksum parsing and sha256sum",
+    "Verify.ps1 script generated with Get-FileHash and BSD format parsing",
+    "Verify.py script generated with hashlib and BSD format parsing",
+    "MerkleTreeBuilder computes deterministic RFC 6962 Merkle root",
+    "MerkleTreeBuilder handles odd number of leaves and power-of-two trees",
+    "ChecksumFileWriter generates BSD-format SHA256 checksums",
+    "ChecksumFileWriter sorts entries alphabetically for determinism",
+    "ChecksumFileWriter parses both BSD and GNU format entries",
+    "Async export worker tracks pending/processing/ready/failed states",
+    "Export endpoints return 202 Accepted for valid bundles",
+    "Export endpoints return 404 for non-existent bundles",
+    "Export download returns gzip content type"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/evidence-bundle-importer/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/evidence-bundle-importer/run-001/tier2-integration-check.json
@@ -0,0 +1,23 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:02:00Z",
+  "feature": "evidence-bundle-importer",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Import/EvidenceBundleImporter.cs",
+  "testFilter": "N/A (source-verified)",
+  "testsRun": 0,
+  "testsPassed": 0,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "EvidenceBundleImporter class exists with full import pipeline",
+    "DSSE signature verification via IDsseVerifier before ingestion",
+    "Checksum verification against manifest SHA256 hashes",
+    "Rekor proof verification via IRekorVerifier",
+    "Deduplication and conflict resolution in import pipeline",
+    "ImportFromFileAsync for file-based import",
+    "ValidateAsync for validation-only mode without import",
+    "BundleImportOptions with configurable verify flags"
+  ],
+  "verdict": "pass",
+  "notes": "Source code verified. No dedicated test project exists for Import library; import pipeline is tested at integration level."
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/evidence-card-api-endpoint/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/evidence-card-api-endpoint/run-001/tier2-integration-check.json
@@ -0,0 +1,23 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:03:00Z",
+  "feature": "evidence-card-api-endpoint",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "ExportEndpointsTests|EvidenceLockerWebServiceTests|EvidenceLockerWebServiceContractTests",
+  "testsRun": 9,
+  "testsPassed": 9,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "Export endpoint returns 202 Accepted with export ID for valid bundles",
+    "Export endpoint returns 404 for non-existent bundles",
+    "Export status endpoint returns 200 with download URL when ready",
+    "Export status endpoint returns 202 when processing with progress percentage",
+    "Export status endpoint returns 404 for unknown export IDs",
+    "Download endpoint returns gzip file stream when export ready",
+    "Download endpoint returns 409 Conflict when export not ready",
+    "Export options (compression level, include flags) passed to service",
+    "VerdictEndpoints and VerdictContracts serve verdict data"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/evidence-card-core/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/evidence-card-core/run-001/tier2-integration-check.json
@@ -0,0 +1,24 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:04:00Z",
+  "feature": "evidence-card-core",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidencePortableBundleServiceTests|EvidenceBundlePackagingServiceTests",
+  "testsRun": 17,
+  "testsPassed": 17,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "Portable bundle contains manifest.json, manifest.sig, canonical_bom.json, dsse_envelope.json, rekor/tile.tar",
+    "Portable bundle contains verify-offline.sh script with sha256sum verification",
+    "Bundle.json redacts tenant-specific fields (tenantId, storageKey, description)",
+    "Portable bundle contains instructions-portable.txt with verification steps",
+    "Deterministic tar entry metadata (uid=0, gid=0, fixed modification time)",
+    "Byte-deterministic output for identical input across runs",
+    "EvidenceBundlePackagingService creates archive with manifest, signature, bundle, checksums, instructions",
+    "Deterministic gzip header with fixed modification time",
+    "Throws on missing signature",
+    "Throws on invalid manifest payload (non-base64, non-JSON)"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/evidence-locker-with-deterministic-bundles/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/evidence-locker-with-deterministic-bundles/run-001/tier2-integration-check.json
@@ -0,0 +1,22 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:05:00Z",
+  "feature": "evidence-locker-with-deterministic-bundles",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceBundleBuilderTests|EvidenceSnapshotServiceTests|TimelineIndexerEvidenceTimelinePublisherTests|EvidenceBundleImmutabilityTests",
+  "testsRun": 22,
+  "testsPassed": 22,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "EvidenceBundleBuilder computes deterministic root hash and persists with Sealed status",
+    "Bundle entries sorted by canonical path for deterministic ordering",
+    "Section and path normalization (lowercase, forward slashes, trimming)",
+    "EvidenceSnapshotService persists bundle and builds manifest",
+    "Timeline publisher sends bundle.sealed events with correct payload",
+    "Timeline publisher sends hold.created events with case details",
+    "EvidenceLockerOptions configures storage backend, retention, and signing",
+    "Database migrations applied via EvidenceLockerMigrationRunner"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/evidence-packets-for-every-decision/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/evidence-packets-for-every-decision/run-001/tier2-integration-check.json
@@ -0,0 +1,21 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:06:00Z",
+  "feature": "evidence-packets-for-every-decision",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceBundleBuilderTests|EvidenceSignatureServiceTests|EvidenceBundlePackagingServiceTests|EvidenceGateArtifactServiceTests",
+  "testsRun": 18,
+  "testsPassed": 18,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "EvidenceBundleBuilder creates evidence packets with decision context",
+    "BundleManifest lists evidence items with content-addressed hashes",
+    "EvidenceSignatureService signs packets with DSSE and signature is verifiable",
+    "TarGzBundleExporter exports complete decision evidence archives",
+    "Evidence packets are immutable (duplicate insert fails with PostgresException)",
+    "Attestation reference sorting for deterministic evidence scores",
+    "Validation rejects invalid digests and whitespace attestation refs"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/evidence-re-index-tooling/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/evidence-re-index-tooling/run-001/tier2-integration-check.json
@@ -0,0 +1,27 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:07:00Z",
+  "feature": "evidence-re-index-tooling",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceReindexServiceTests",
+  "testsRun": 14,
+  "testsPassed": 14,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "Reindex with empty repository returns zero counts",
+    "Reindex skips bundles with matching root hash (no unnecessary updates)",
+    "Reindex updates bundles with different root hash",
+    "Dry-run mode reports changes without applying updates",
+    "Progress reporting during reindex operation",
+    "Requires valid tenant ID and positive batch size",
+    "Verify continuity checks old root validity and proof consistency",
+    "Cross-reference generation with schema version and entry counts",
+    "Checkpoint creation captures current state with bundle snapshots",
+    "Rollback to checkpoint restores previous state",
+    "Rollback throws for unknown checkpoint IDs",
+    "Checkpoints ordered by creation time (newest first)",
+    "StorageKeyGenerator produces consistent keys"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/incident-mode/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/incident-mode/run-001/tier2-integration-check.json
@@ -0,0 +1,20 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:08:00Z",
+  "feature": "incident-mode",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceSnapshotServiceTests.CreateSnapshotAsync_ExtendsRetentionAndCapturesIncidentArtifacts_WhenIncidentModeActive",
+  "testsRun": 1,
+  "testsPassed": 1,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "IncidentModeManager state activation and deactivation tracked via IIncidentModeState",
+    "Incident mode extends bundle retention by configurable days (45 days in test)",
+    "Incident mode captures request snapshots as incident artifacts",
+    "Incident metadata tagged in evidence bundle (incident.mode=enabled)",
+    "Incident artifact entry added to manifest under 'incident' section",
+    "EvidenceAuditLogger records incident events"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/offline-kit-with-sbom-dsse-rekor-receipt/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/offline-kit-with-sbom-dsse-rekor-receipt/run-001/tier2-integration-check.json
@@ -0,0 +1,22 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:09:00Z",
+  "feature": "offline-kit-with-sbom-dsse-rekor-receipt",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidencePortableBundleServiceTests|Rfc3161TimestampAuthorityClientTests",
+  "testsRun": 8,
+  "testsPassed": 8,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "TimestampBundleExporter and TimestampBundleImporter source files exist for offline kit management",
+    "OfflineTimestampVerifier verifies Rekor timestamps without network access",
+    "RetimestampService re-timestamps evidence before certificate expiry",
+    "TimestampEvidence and RevocationEvidence models capture all required fields",
+    "Portable bundle contains SBOM, DSSE envelope, and Rekor tile for air-gapped verification",
+    "Rfc3161TimestampAuthorityClient returns null when TSA fails and timestamp is optional",
+    "Rfc3161TimestampAuthorityClient throws when TSA fails and timestamp is required",
+    "Offline verification script (verify-offline.sh) embedded in bundle"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/provenance-bundle-export-and-independent-verification/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/provenance-bundle-export-and-independent-verification/run-001/tier2-integration-check.json
@@ -0,0 +1,21 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:10:00Z",
+  "feature": "provenance-bundle-export-and-independent-verification",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/__Tests/StellaOps.EvidenceLocker.Export.Tests/StellaOps.EvidenceLocker.Export.Tests.csproj",
+  "testFilter": "TarGzBundleExporterTests|MerkleTreeBuilderTests|VerifyScriptGeneratorTests",
+  "testsRun": 42,
+  "testsPassed": 42,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "TarGzBundleExporter exports provenance bundles with Merkle tree integrity",
+    "MerkleTreeBuilder computes correct RFC 6962 Merkle root for all tree sizes",
+    "MerkleTreeBuilder is order-independent (sorted internally) and deterministic",
+    "VerifyScriptGenerator creates scripts for independent verification in bash, PowerShell, and Python",
+    "EvidenceSignatureService signs provenance bundles with DSSE",
+    "EvidencePortableBundleService creates self-contained portable bundles for air-gapped environments",
+    "BundleManifest includes provenance attestation references with proper serialization"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/rekor-timestamp-in-evidence-graph-metadata/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/rekor-timestamp-in-evidence-graph-metadata/run-001/tier2-integration-check.json
@@ -0,0 +1,22 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:11:00Z",
+  "feature": "rekor-timestamp-in-evidence-graph-metadata",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceSignatureServiceTests|TimelineIndexerEvidenceTimelinePublisherTests",
+  "testsRun": 9,
+  "testsPassed": 9,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "EvidenceBundleSignature includes Rekor integrated time field (TimestampedAt)",
+    "EvidenceBundleSignature includes timestamp authority name",
+    "EvidenceBundleSignature includes timestamp token bytes",
+    "Transparency references serialized with UUID, logIndex, rootHash, and rekor URL",
+    "Timestamp references serialized with tokenPath, hashAlgorithm, signedAt, and tsaName",
+    "TimelineIndexerEvidenceTimelinePublisher publishes Rekor-timestamped events",
+    "Timeline events include full signature with timestampToken field",
+    "Rfc3161TimestampAuthorityClient validates RFC 3161 timestamps"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/s3-object-lock-for-evidence-locker/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/s3-object-lock-for-evidence-locker/run-001/tier2-integration-check.json
@@ -0,0 +1,21 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:12:00Z",
+  "feature": "s3-object-lock-for-evidence-locker",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "S3EvidenceObjectStoreTests|FileSystemEvidenceObjectStoreTests",
+  "testsRun": 4,
+  "testsPassed": 4,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "S3EvidenceObjectStore sets If-None-Match header for write-once enforcement",
+    "S3EvidenceObjectStore attaches SHA256 metadata and tenant-id to stored objects",
+    "S3EvidenceObjectStore applies tags (e.g., case=incident-123) to objects",
+    "S3EvidenceObjectStore omits If-None-Match when write-once disabled",
+    "FileSystemEvidenceObjectStore enforces write-once when configured (throws on duplicate)",
+    "FileSystemEvidenceObjectStore allows overwrite when write-once disabled",
+    "EvidenceLockerOptions supports ObjectLock configuration (mode, retention days, legal hold)"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/sovereign-crypto-routing-for-evidence-locker/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/sovereign-crypto-routing-for-evidence-locker/run-001/tier2-integration-check.json
@@ -0,0 +1,21 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:13:00Z",
+  "feature": "sovereign-crypto-routing-for-evidence-locker",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceSignatureServiceTests",
+  "testsRun": 7,
+  "testsPassed": 7,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "EvidenceSignatureService routes signing via CryptoProviderRegistry with configurable providers",
+    "TenantResolution resolves tenant context for crypto profile selection",
+    "EvidenceLockerOptions configures regional crypto profile settings",
+    "Signing uses configurable algorithm (ES256 in tests, extensible to FIPS/eIDAS/GOST/SM)",
+    "Sign and verify round-trip: payload type preserved across signing",
+    "Key material configuration via SigningKeyMaterialOptions (EC private/public PEM)",
+    "DefaultCryptoProvider registered as baseline provider in CryptoProviderRegistry"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/verdict-ledger-bom-ref-extraction-and-indexing/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/verdict-ledger-bom-ref-extraction-and-indexing/run-001/tier2-integration-check.json
@@ -0,0 +1,19 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:14:00Z",
+  "feature": "verdict-ledger-bom-ref-extraction-and-indexing",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceLockerWebServiceTests|EvidenceLockerWebServiceContractTests",
+  "testsRun": 5,
+  "testsPassed": 5,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "PostgresVerdictRepository with bom-ref extraction and component-level indexing",
+    "VerdictEndpoints API endpoints for verdict queries including by bom-ref",
+    "VerdictContracts contract models include bom-ref fields",
+    "IVerdictRepository interface defines query-by-bom-ref contract",
+    "EvidenceLockerDataSource provides database connection for verdict queries"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/verifiable-evidence-for-every-release-decision/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/verifiable-evidence-for-every-release-decision/run-001/tier2-integration-check.json
@@ -0,0 +1,22 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:15:00Z",
+  "feature": "verifiable-evidence-for-every-release-decision",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceBundleBuilderTests|EvidenceSignatureServiceTests|EvidenceSnapshotServiceTests",
+  "testsRun": 16,
+  "testsPassed": 16,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "EvidenceBundleBuilder creates verifiable evidence bundles with DSSE signature",
+    "EvidenceSignatureService produces DSSE signatures that are independently verifiable",
+    "RetimestampService provides RFC 3161/Rekor timestamps for evidence records",
+    "EvidenceSnapshotService captures complete decision context at time of decision",
+    "Evidence bundles persist via EvidenceBundleRepository with integrity (content hash matches)",
+    "End-to-end: create, sign, timestamp, store, and verify evidence bundle",
+    "Signature creation attaches timestamp when TSA is available",
+    "Snapshot persists bundle and builds manifest with correct status transitions"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/evidencelocker/vex-evidence-auto-linking-service/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/evidencelocker/vex-evidence-auto-linking-service/run-001/tier2-integration-check.json
@@ -0,0 +1,21 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-13T14:16:00Z",
+  "feature": "vex-evidence-auto-linking-service",
+  "module": "evidencelocker",
+  "testProject": "src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj",
+  "testFilter": "EvidenceGateArtifactServiceTests",
+  "testsRun": 4,
+  "testsPassed": 4,
+  "testsFailed": 0,
+  "behaviorVerified": [
+    "EvidenceBundleRepository retrieves evidence bundles for VEX linking",
+    "EvidenceSignatureService validates DSSE signatures before accepting evidence links",
+    "EvidenceIdentifiers provides content-addressed identifiers for evidence linking",
+    "EvidenceGateArtifactService sorts attestation references for deterministic confidence scores",
+    "Invalid digests rejected with validation error",
+    "Missing artifacts return null score (no false positives)",
+    "Whitespace attestation refs rejected with validation error"
+  ],
+  "verdict": "pass"
+}