# Release Evidence Pack (Audit Pack)

## Module

Attestor

## Status

VERIFIED

## Description

Portable, verifiable audit bundles with a manifest (digests of every included file), SBOM inputs, VEX documents, policy bundles, exceptions, findings, verdict, and explanation. Supports offline verification and tamper detection.

## Implementation Details

- **Release Evidence Pack Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- builds complete release evidence packs containing all attestation artifacts.
- **Release Evidence Pack Manifest**: `Models/ReleaseEvidencePackManifest.cs` -- manifest listing all included files with their SHA-256 digests for tamper detection.
- **Release Evidence Pack Serializer**: `ReleaseEvidencePackSerializer.cs` -- serializes evidence packs to a portable format (ZIP/tar with manifest).
- **Verification Replay Log**: `Models/VerificationReplayLog.cs` -- log of verification steps for replay and audit.
- **Verification Replay Log Builder**: `Services/VerificationReplayLogBuilder.cs` -- builds verification replay logs from pipeline execution.
- **Replay Log Serializer Context**: `Services/ReplayLogSerializerContext.cs` -- serializer context for replay logs.
- **Templates**: `Templates/VERIFY.md.template`, `verify-unix.template`, `verify.ps1.template` -- verification instruction templates included in the pack for offline verification.
- **Attestation Bundler**: `__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs` -- bundles individual attestations into the evidence pack.
- **Sigstore Bundle Verifier**: `__Libraries/StellaOps.Attestor.Bundle/SigstoreBundleVerifier.cs` -- verifies Sigstore bundles within the evidence pack.
- **Tests**: `__Tests/StellaOps.Attestor.EvidencePack.Tests/`

## E2E Test Plan

- [ ] Build a release evidence pack via `ReleaseEvidencePackBuilder` with SBOM, VEX, policy bundle, findings, and verdict; verify all artifacts are included
- [ ] Verify the `ReleaseEvidencePackManifest` lists all files with correct SHA-256 digests
- [ ] Serialize the evidence pack via `ReleaseEvidencePackSerializer` and verify the output is a portable archive
- [ ] Tamper with one file in the archive and verify that manifest digest verification detects the tampering
- [ ] Build a `VerificationReplayLog` and verify it captures all verification steps in order
- [ ] Verify the evidence pack includes verification instruction templates (VERIFY.md, verify-unix, verify.ps1) for offline verification
- [ ] Import a previously exported evidence pack and verify all attestation signatures are valid
- [ ] Verify `SigstoreBundleVerifier` validates Sigstore bundles within the evidence pack

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
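The digest manifest described above, and the tamper-detection step of the test plan, in a small stand-alone form. This is an added example, not StellaOps code: the manifest layout (relative path mapped to `sha256:<hex>`, written as `manifest.json`) and the sample file contents are assumptions for illustration.

```python
# Added example (not StellaOps code): manifest of SHA-256 digests plus offline verifier.
# The manifest layout (relative path -> "sha256:<hex>") is an assumption for illustration.
import hashlib
import json
from pathlib import Path
from tempfile import TemporaryDirectory

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "sha256:" + h.hexdigest()

def build_manifest(root: Path, manifest_name: str = "manifest.json") -> dict:
    """Digest every file under root except the manifest itself; sorted keys keep output stable."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file() and p.name != manifest_name}
    manifest = {"version": 1, "files": files}
    (root / manifest_name).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify_manifest(root: Path, manifest_name: str = "manifest.json") -> list[str]:
    """Offline check. Returns problems found; an empty list means the pack is intact.
    Flags modified files, files missing from disk, and files the manifest does not cover."""
    expected = json.loads((root / manifest_name).read_text())["files"]
    problems = []
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"digest mismatch: {rel}")
    present = {p.relative_to(root).as_posix() for p in root.rglob("*")
               if p.is_file() and p.name != manifest_name}
    problems.extend(f"unlisted file: {rel}" for rel in sorted(present - expected.keys()))
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Constructed two-file pack: result when intact, then after one file is altered."""
    with TemporaryDirectory() as d:
        root = Path(d)
        (root / "sbom.cdx.json").write_text('{"bomFormat": "CycloneDX"}')  # constructed content
        (root / "verdict.json").write_text('{"verdict": "pass"}')           # constructed content
        build_manifest(root)
        intact = verify_manifest(root)
        (root / "verdict.json").write_text('{"verdict": "fail"}')  # simulated tampering
        (root / "extra.txt").write_text("injected")               # file not in manifest
        return intact, verify_manifest(root)
```

The manifest only proves integrity of the listed files relative to itself; in a real pack the manifest must in turn be covered by the attestation signature (the Sigstore bundle the page describes), otherwise whoever can rewrite a file can rewrite the manifest entry as well.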