# Console Forensics and Evidence Review

This document describes how the Console supports forensic review of decisions: timelines, evidence viewing, attestation verification, and audit exports.

## Timeline Explorer

The timeline view should enable:

- Filtering by tenant, artifact, finding, and time window
- Drill-down from a verdict to its evidence objects (SBOM slice, VEX observation/linkset, reachability proof, policy explain trace)
- Visibility into operator actions (triage actions, exceptions, approvals) as append-only events

## Evidence Viewer

Evidence viewing should prioritize:

- Clear provenance (issuer identity, timestamps, digests)
- Verification state (signature verified/failed/unknown)
- Deterministic identifiers so auditors can replay and compare

## Attestation Verification

When presenting attestations (DSSE/in-toto):

- Display verification status and key identity
- Link to transparency log proof when configured
- Allow exporting the DSSE envelope and the referenced artifacts

## Export / Verify Workflows

Exports are the bridge between online and offline review:

- Exports should be deterministic (stable ordering, UTC timestamps).
- Export bundles should include integrity metadata (digests) so offline reviewers can verify without trusting a live service.

## References

- Console operator guide: `docs/15_UI_GUIDE.md`
- Offline Kit: `docs/24_OFFLINE_KIT.md`
- Vulnerability Explorer guide (triage model): `docs/20_VULNERABILITY_EXPLORER_GUIDE.md`