# Rekor Entry Events with Reanalysis Hints

## Module
Attestor

## Status
VERIFIED

## Description
Deterministic Rekor entry events (EntryLogged, EntryQueued, InclusionVerified, EntryFailed) with reanalysis hints (CVE IDs, product keys, artifact digests, scope) for policy reanalysis triggers.

## Implementation Details
- **Rekor Entry Event**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Rekor/RekorEntryEvent.cs` -- event model with type (EntryLogged, EntryQueued, InclusionVerified, EntryFailed), payload, and reanalysis hints (CVE IDs, product keys, artifact digests, scope).
- **Rekor Submission Response**: `Rekor/RekorSubmissionResponse.cs` -- response from Rekor submission containing log index and entry UUID.
- **Rekor Receipt**: `Rekor/RekorReceipt.cs` -- receipt from Rekor with verification data.
- **Rekor Proof Response**: `Rekor/RekorProofResponse.cs` -- proof response with inclusion proof data.
- **Rekor Sync Background Service**: `Rekor/RekorSyncBackgroundService.cs` -- background service that emits events during sync operations.
- **Checkpoint Divergence Detector**: `Rekor/CheckpointDivergenceDetector.cs` -- detects checkpoint divergence and emits failure events.
- **Rekor Inclusion Verification Result**: `Rekor/RekorInclusionVerificationResult.cs` -- result of verifying a Rekor entry's inclusion.
- **Queue**: `StellaOps.Attestor.Core/Queue/IRekorSubmissionQueue.cs` -- queue for managing entry submissions with event emission.
- **Persistence**: `__Libraries/StellaOps.Attestor.Persistence/Entities/RekorEntryEntity.cs` -- persisted Rekor entry with event history.
- **Tests**: `__Tests/StellaOps.Attestor.Core.Tests/RekorEntryEventTests.cs`

## E2E Test Plan
- [ ] Submit an attestation to Rekor and verify an `EntryLogged` event is emitted with the log index
- [ ] Queue a submission and verify an `EntryQueued` event is emitted before actual submission
- [ ] Verify inclusion of a Rekor entry and confirm an `InclusionVerified` event is emitted
- [ ] Simulate a submission failure and verify an `EntryFailed` event is emitted with error details
- [ ] Verify reanalysis hints contain CVE IDs, product keys, and artifact digests from the submitted attestation
- [ ] Verify the event scope field correctly narrows the reanalysis trigger (e.g., scope="component:openssl" only triggers reanalysis for openssl-related policies)
- [ ] Verify `RekorSyncBackgroundService` emits events during sync operations (new entries found, checkpoint updates)
- [ ] Persist events via `RekorEntryEntity` and verify event history is retrievable

## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |