# Concelier Advisory Evidence Attestation

## Purpose

- Describe how Concelier returns attestation claims for advisory evidence bundles so downstream services (Advisory AI, Attestor, Console) can verify provenance.

## Endpoint

- `GET /vuln/evidence/advisories/{advisoryKey}`
- Authentication/tenant headers follow standard Concelier rules (`X-Stella-Tenant` or `tenant` query; authority policies apply).
- Response payload: `AdvisoryEvidenceResponse { advisoryKey, records[], attestation? }`

## Attestation parameters (query)

- `bundlePath` (required to enable attestation): Relative or absolute path to evidence bundle tar.gz. Relative paths are resolved under the configured evidence root (`concelier:evidence:root`). Paths outside this root are rejected.
- `manifestPath` (optional): Defaults to sibling `manifest.json` next to the bundle.
- `transparencyPath` (optional): Defaults to sibling `transparency.json` next to the bundle.
- `pipelineVersion` (optional): Defaults to `concelier:evidence:pipelineVersion` (e.g., `git:`).

## Behavior

- When `bundlePath` is omitted, the endpoint returns evidence records only (attestation is `null`).
- When provided, Concelier builds claims via `EvidenceBundleAttestationBuilder` using the manifest and optional transparency payload; tenant must be lowercase per scope note.
- Path safety: All resolved files must live under the evidence root; traversal attempts or missing files silently skip attestation (response remains valid without claims).

## Configuration

- `concelier:evidence:root` (default `out/evidence/bundles`, resolved absolute).
- `concelier:evidence:defaultManifestFileName` (default `manifest.json`).
- `concelier:evidence:defaultTransparencyFileName` (default `transparency.json`).
- `concelier:evidence:pipelineVersion` (default `git:unknown`).

## References

- Evidence Locker attestation scope: `docs/modules/evidence-locker/attestation-scope-note.md`.
- Implementation: `src/Concelier/StellaOps.Concelier.WebService/Program.cs`, `StellaOps.Concelier.Core/Attestation/EvidenceBundleAttestationBuilder.cs`.
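
The path-safety rule under Behavior and the sibling defaults under Attestation parameters, sketched in C# as an added example; this is not Concelier's own code. `EvidencePathGuard`, `ResolveUnderRoot`, `Resolve` and the temporary directory layout are hypothetical and constructed for illustration, and the handling of a missing transparency file is an assumption.

```csharp
using System;
using System.IO;
// Hypothetical helper for illustration; not a type from the Concelier code base.
public static class EvidencePathGuard
{
    // Absolute path if `candidate` is an existing file under `root`, else null.
    public static string? ResolveUnderRoot(string root, string? candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate)) return null;
        string fullRoot = Path.TrimEndingDirectorySeparator(Path.GetFullPath(root));
        // Relative input resolves against the root; ".." is collapsed either way.
        string full = Path.GetFullPath(candidate, fullRoot);
        var cmp = OperatingSystem.IsWindows() ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        // Match root + separator so a sibling "bundles-old" is not inside "bundles".
        if (!full.StartsWith(fullRoot + Path.DirectorySeparatorChar, cmp)) return null;
        // Lexical check only: symlinks inside the root are not resolved here.
        return File.Exists(full) ? full : null;
    }
    // Sibling defaults per the parameter list; null means "skip attestation".
    public static (string Bundle, string Manifest, string? Transparency)? Resolve(
        string root, string? bundlePath, string? manifestPath, string? transparencyPath)
    {
        string? bundle = ResolveUnderRoot(root, bundlePath);
        if (bundle is null) return null;
        string dir = Path.GetDirectoryName(bundle)!;
        string? manifest = ResolveUnderRoot(root, manifestPath ?? Path.Combine(dir, "manifest.json"));
        if (manifest is null) return null;
        string? transparency = ResolveUnderRoot(root, transparencyPath ?? Path.Combine(dir, "transparency.json"));
        // Assumption: a failing explicit transparencyPath skips attestation, while
        // an absent default sibling only means there is no transparency payload.
        if (transparency is null && transparencyPath is not null) return null;
        return (bundle, manifest, transparency);
    }

    public static void Main()
    {
        // Constructed layout: <tmp>/bundles is the evidence root, bundles-old is outside it.
        string tmp = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        string root = Path.Combine(tmp, "bundles");
        foreach (string d in new[] { Path.Combine(root, "acme"), Path.Combine(tmp, "bundles-old") })
        {
            Directory.CreateDirectory(d);
            File.WriteAllText(Path.Combine(d, "bundle.tar.gz"), "");
            File.WriteAllText(Path.Combine(d, "manifest.json"), "{}");
        }
        foreach (string p in new[] { "acme/bundle.tar.gz", "../bundles-old/bundle.tar.gz", Path.Combine(tmp, "bundles-old", "bundle.tar.gz") })
            Console.WriteLine($"{p} -> {(Resolve(root, p, null, null) is null ? "skip attestation" : "build claims")}");
    }
}
```

Only the first input resolves inside the root; the relative traversal and the absolute path into the sibling `bundles-old` directory both fail the prefix check, which is why the comparison includes the trailing separator.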