feat: Implement EvidenceBundleAttestationBuilder with unit tests for claims generation and tenant validation
2025-11-20 09:17:58 +02:00
parent 10212d67c0
commit f0e74d2ee8
4 changed files with 219 additions and 1 deletions


@@ -54,6 +54,7 @@ using StellaOps.Concelier.Storage.Mongo;
using StellaOps.Concelier.Storage.Mongo.Advisories;
using StellaOps.Concelier.Storage.Mongo.Aliases;
using StellaOps.Provenance.Mongo;
using StellaOps.Concelier.Core.Attestation;
var builder = WebApplication.CreateBuilder(args);
@@ -112,6 +113,7 @@ builder.Services.AddSingleton<IAdvisoryObservationQueryService, AdvisoryObservat
builder.Services.AddSingleton<AdvisoryChunkBuilder>();
builder.Services.AddSingleton<IAdvisoryChunkCache, AdvisoryChunkCache>();
builder.Services.AddSingleton<IAdvisoryAiTelemetry, AdvisoryAiTelemetry>();
builder.Services.AddSingleton<EvidenceBundleAttestationBuilder>();
var features = concelierOptions.Features ?? new ConcelierOptions.FeaturesOptions();
@@ -762,6 +764,7 @@ var advisoryEvidenceEndpoint = app.MapGet("/vuln/evidence/advisories/{advisoryKe
string advisoryKey,
HttpContext context,
[FromServices] IAdvisoryRawService rawService,
[FromServices] EvidenceBundleAttestationBuilder attestationBuilder,
CancellationToken cancellationToken) =>
{
ApplyNoCache(context.Response);
@@ -807,6 +810,8 @@ var advisoryEvidenceEndpoint = app.MapGet("/vuln/evidence/advisories/{advisoryKe
var responseKey = recordResponses[0].Document.AdvisoryKey ?? canonicalKey;
var response = new AdvisoryEvidenceResponse(responseKey, recordResponses);
// TODO: Attach attestation metadata when Evidence Bundle tarball is available per tenant/advisory.
// The builder is registered for future use once bundle paths are discoverable from evidence storage.
return JsonResult(response);
});
if (authorityConfigured)
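Review bot: The `[FromServices] EvidenceBundleAttestationBuilder attestationBuilder` parameter added to the `/vuln/evidence/advisories/{advisoryKey}` handler is not used at the return site, where the only change is a TODO, so the endpoint still returns `AdvisoryEvidenceResponse` without any attestation. The handler body between the two hunks is not shown, but the TODO's "registered for future use" wording suggests the builder is resolved on every request for nothing. I would drop the parameter until bundle paths are discoverable and keep only the `AddSingleton<EvidenceBundleAttestationBuilder>()` registration. The TODO should also state the consumer-facing consequence, for example `// NOTE: this response carries no attestation; callers must not treat it as verified evidence until the bundle attestation is attached.` A smaller style point: the new `using StellaOps.Concelier.Core.Attestation;` is appended after `StellaOps.Provenance.Mongo` rather than placed with the other `StellaOps.Concelier.*` directives.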