# 29-Nov-2025 · SBOM to VEX Proof Pipeline Blueprint

**Why now:** The Docs ladder needs a canonical blueprint tying SBOM ingestion to VEX proofs with DSSE/Rekor integration, to unblock downstream module dossier updates.

## Scope

- Describe DSSE → Rekor v2 → VEX linkage with offline verification steps.
- Capture diagram/stub scripts for proof generation and verification.
- Define inputs.lock/idempotency rules and chain hash recipe.

## Required artefacts (MVP for DONE)

- Diagram placeholder (`docs/diagrams/sbom-vex-blueprint.svg` reserved) and script stub path `docs/scripts/sbom-vex/verify.sh` (offline, deterministic sorting/hashes).
- Cross-links in `docs/modules/platform/architecture-overview.md` and sprint row 16 completion evidence.

## Determinism & Offline

- Sorted canonical inputs before hashing; UTC timestamps only when unavoidable, otherwise derive from content.
- No network calls; use bundled Rekor root + mirror snapshot for verification examples.

## Next actions

- Land the stub diagram/script placeholders and log completion in the sprint Execution Log.
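
An added example, not part of the blueprint or the project's `verify.sh`: one way to compute and check an order-independent chain hash offline, following the rules under Determinism & Offline. The fold recipe and the function names `chain_hash` and `verify_chain` are assumptions, since the blueprint leaves the actual recipe to be defined; file names are assumed to contain no newlines.

```shell
#!/bin/sh
# Added example: deterministic, offline chain hash over a directory of
# proof inputs (e.g. SBOM, DSSE envelope, VEX document).
# Assumed recipe: acc_0 = sha256(""), acc_i = sha256(acc_{i-1}, path_i, sha256(file_i)).
set -eu

sha256_hex() {
    # Hex SHA-256 of stdin, digest only (no file name column).
    sha256sum | cut -d' ' -f1
}

chain_hash() {
    # $1: directory holding the inputs. Prints the final chain hash.
    dir=$1
    acc=$(printf '' | sha256_hex)   # fixed seed, no timestamp or host data
    # LC_ALL=C forces byte-order sorting so the result does not depend on
    # the host locale or on directory listing order.
    list=$(cd "$dir" && find . -type f | LC_ALL=C sort)
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue   # empty directory yields one blank line
        file_hash=$(sha256_hex < "$dir/$rel")
        # Newline-delimited fields keep path and hash from running together.
        acc=$(printf '%s\n%s\n%s\n' "$acc" "$rel" "$file_hash" | sha256_hex)
    done <<EOF
$list
EOF
    printf '%s\n' "$acc"
}

verify_chain() {
    # $1: directory, $2: expected chain hash. Non-zero exit on any mismatch.
    actual=$(chain_hash "$1")
    [ "$actual" = "$2" ]
}

# Stand-alone use: ./script.sh <dir> prints the chain hash for <dir>.
if [ "${1:-}" != "" ]; then
    chain_hash "$1"
fi
```

Because the hash depends only on relative paths and file contents, re-running it on an unchanged input set yields the same value, which is the property an idempotency check can compare against.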