# Provenance/Attestation Pipelines (End-to-End)

## Module

Attestor

## Status

VERIFIED

## Description

End-to-end attestation pipeline covering build provenance (SLSA), SBOM attestation, VEX attestation, verdict attestation, OCI referrer attachment, and sealed audit pack export/import.

## Implementation Details

- **Pipeline Models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Pipeline/` -- pipeline orchestration:
  - `ProofChainRequest.cs` -- pipeline request with artifact digest, evidence sources, and options.
  - `ProofChainResult.cs` -- pipeline result with generated attestations, proof spine, and Merkle root.
  - `PipelineSubject.cs` -- subject being attested through the pipeline.
  - `RekorEntry.cs` -- Rekor transparency log entry from pipeline output.
- **SLSA Provenance**: `__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs` (with `.ExtractMetadata`, `.Validation`) -- parses SLSA build provenance.
- **SPDX3 Build Attestation**: `__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs` (with `.MapFromSpdx3`, `.MapToSpdx3`) -- maps build attestations.
- **VEX Integration**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates VEX into the pipeline.
- **Attestation Bundling**: `__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs` -- bundles pipeline outputs.
- **OCI Attachment**: `__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs` -- attaches pipeline outputs as OCI referrers.
- **Evidence Pack**: `__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- builds sealed audit packs from pipeline outputs.
- **Submission Service**: `StellaOps.Attestor.Core/Submission/IAttestorSubmissionService.cs` -- validates and routes pipeline submissions.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/PipelineTests.cs`

## E2E Test Plan

- [ ] Run the full pipeline via `ProofChainRequest` with SBOM, scan results, and VEX data; verify `ProofChainResult` contains all attestations
- [ ] Verify SLSA provenance is parsed and included in the pipeline output
- [ ] Verify VEX attestation is integrated into the verdict via `VexProofIntegrator`
- [ ] Verify all pipeline attestations are signed into DSSE envelopes
- [ ] Verify pipeline outputs are bundled via `AttestationBundler` into a single verifiable bundle
- [ ] Attach pipeline outputs to an OCI image via `OrasAttestationAttacher` and verify referrer discovery
- [ ] Export pipeline outputs as a sealed evidence pack via `ReleaseEvidencePackBuilder` and verify manifest integrity
- [ ] Verify `AttestorSubmissionService` rejects invalid pipeline inputs with appropriate error messages

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
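The DSSE-envelope and manifest-integrity items of the E2E test plan above, as an added example that is not the project's code: it produces the PAE bytes a DSSE signer signs over, wraps constructed SLSA/SBOM/VEX statements as envelopes, commits to them with a Merkle root standing in for the proof spine, and checks a sealed pack's manifest against its envelopes. The Merkle scheme, the manifest layout and the sample statements are assumptions; signing is left to the pipeline's signer, so the `signatures` lists stay empty.

```python
import hashlib
import hmac
import json
from base64 import b64decode, b64encode

# Constructed sample subject and statements standing in for the pipeline's SLSA, SBOM and VEX attestations.
ARTIFACT = {"name": "registry.example/app", "digest": {"sha256": "ab" * 32}}
SAMPLE_STATEMENTS = [
    {"_type": "https://in-toto.io/Statement/v1", "subject": [ARTIFACT], "predicateType": "https://slsa.dev/provenance/v1", "predicate": {"buildType": "constructed"}},
    {"_type": "https://in-toto.io/Statement/v1", "subject": [ARTIFACT], "predicateType": "https://spdx.dev/Document", "predicate": {"packages": 2}},
    {"_type": "https://in-toto.io/Statement/v1", "subject": [ARTIFACT], "predicateType": "https://openvex.dev/ns/v0.2.0", "predicate": {"status": "not_affected"}},
]


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a DSSE signer signs over."""
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)


def make_envelope(stmt: dict) -> dict:
    """Wrap a statement as a DSSE envelope; signing itself is left to the pipeline's signer."""
    payload = json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": b64encode(payload).decode(), "signatures": []}


def merkle_root(leaves: list) -> bytes:
    """Binary SHA-256 Merkle root with 0x00 leaf / 0x01 node prefixes (assumed scheme, not the project's)."""
    level = [hashlib.sha256(b"\x00" + leaf).digest() for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd levels
        level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0]


def spine_root(envelopes: list) -> bytes:
    """Stand-in proof spine: commit to the signed PAE bytes of every envelope, in pipeline order."""
    return merkle_root([dsse_pae(e["payloadType"], b64decode(e["payload"])) for e in envelopes])


def build_pack(statements: list) -> tuple:
    """Sealed pack (assumed layout): DSSE envelopes plus a manifest recording their count and Merkle root."""
    envelopes = [make_envelope(s) for s in statements]
    return {"attestations": len(envelopes), "merkleRoot": spine_root(envelopes).hex()}, envelopes


def verify_pack(manifest: dict, envelopes: list) -> bool:
    """Manifest integrity check; the count check matters because odd levels duplicate the last node."""
    if manifest["attestations"] != len(envelopes):
        return False
    return hmac.compare_digest(spine_root(envelopes).hex(), manifest["merkleRoot"])
```

Any tampered, dropped, duplicated or reordered envelope changes the recomputed root or the count, so `verify_pack` fails for all four cases.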