# Doctor Evidence Integrity Check (DSSE + Rekor + Hash Verification)

## Module
EvidenceLocker

## Status
IMPLEMENTED

## Description
Doctor health check that validates DSSE signature validity, Rekor inclusion (or offline ledger), and evidence hash consistency using canonical JSON, with deterministic and offline-friendly output.

## Implementation Details
- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/`
- **Key Classes**:
  - `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - validates DSSE signatures on evidence bundles
  - `Rfc3161TimestampAuthorityClient` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/Rfc3161TimestampAuthorityClient.cs`) - RFC 3161 timestamp verification for Rekor receipts
  - `NullTimestampAuthorityClient` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/NullTimestampAuthorityClient.cs`) - no-op timestamp client for offline mode
  - `MerkleTreeCalculator` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Builders/MerkleTreeCalculator.cs`) - recomputes Merkle tree hashes for integrity verification
  - `EvidenceAuditLogger` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Audit/EvidenceAuditLogger.cs`) - logs integrity check results
  - `OfflineTimestampVerifier` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Verification/OfflineTimestampVerifier.cs`) - verifies timestamps offline without network access
- **Interfaces**: `IEvidenceSignatureService`, `ITimestampAuthorityClient`
- **Source**: SPRINT_20260112_004_LB_doctor_evidence_integrity_checks.md

## E2E Test Plan
- [ ] Run doctor integrity check on a valid evidence bundle and verify DSSE signature, Rekor inclusion, and hash consistency all pass
- [ ] Tamper with an evidence bundle payload and verify `EvidenceSignatureService` detects the DSSE signature mismatch
- [ ] Verify `MerkleTreeCalculator` recomputes the Merkle root and detects a modified evidence item
- [ ] Verify `OfflineTimestampVerifier` validates timestamps without network access using bundled Rekor receipts
- [ ] Verify `Rfc3161TimestampAuthorityClient` validates RFC 3161 timestamps against the authority
- [ ] Verify integrity check output is deterministic: same bundle produces identical check results across runs
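
The tampered-payload case from the test plan, as an added C# example that is not StellaOps code and does not reflect how `EvidenceSignatureService` is written: it verifies a DSSE envelope over the DSSE pre-authentication encoding and shows that changing either the payload or the payload type fails verification. The `Envelope` record, the payload type string, the sample body and the throwaway ECDSA P-256 key are assumptions constructed for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// DSSE signs the pre-authentication encoding (PAE), not the raw payload:
// "DSSEv1" SP len(type) SP type SP len(body) SP body, with lengths in bytes.
static byte[] Pae(string payloadType, byte[] payload)
{
    int typeLen = Encoding.UTF8.GetByteCount(payloadType);
    byte[] header = Encoding.UTF8.GetBytes($"DSSEv1 {typeLen} {payloadType} {payload.Length} ");
    return header.Concat(payload).ToArray();
}

static bool Verify(Envelope env, ECDsa publicKey)
{
    try
    {
        byte[] payloadBytes = Convert.FromBase64String(env.Payload);
        byte[] sigBytes = Convert.FromBase64String(env.Sig);
        return publicKey.VerifyData(Pae(env.PayloadType, payloadBytes), sigBytes, HashAlgorithmName.SHA256);
    }
    catch (FormatException)
    {
        return false; // malformed base64 is a failed check, not a crash
    }
}

// Constructed sample input: throwaway key, hypothetical payload type and body.
using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
const string type = "application/vnd.example.evidence+json";
byte[] body = Encoding.UTF8.GetBytes("{\"bundleId\":\"example-001\",\"items\":2}");
byte[] sig = key.SignData(Pae(type, body), HashAlgorithmName.SHA256);
var good = new Envelope(type, Convert.ToBase64String(body), Convert.ToBase64String(sig));

// Flip one bit in the payload, and separately relabel the payload type.
byte[] changed = (byte[])body.Clone();
changed[^2] ^= 0x01;
var tampered = good with { Payload = Convert.ToBase64String(changed) };
var retyped = good with { PayloadType = "application/json" };

Console.WriteLine($"valid envelope:    {Verify(good, key)}");
Console.WriteLine($"tampered payload:  {Verify(tampered, key)}");
Console.WriteLine($"changed type:      {Verify(retyped, key)}");

// Hypothetical minimal envelope shape: one signature, base64 fields.
record Envelope(string PayloadType, string Payload, string Sig);
```

Because the payload type is bound into the signed bytes, a check that verifies the signature over the decoded payload alone would miss the relabelled envelope.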