# Security State Snapshot (Content-Addressed Release Bundle)

## Module
Attestor

## Status
VERIFIED

## Description
Versioned, content-addressed snapshot bundles that capture SBOM graph, reachability graph, VEX claim set, policies, data-feed identifiers, and toolchain versions as digests for a release evaluation.

## Implementation Details
- **Attestation Bundler**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs` -- bundles multiple attestation artifacts into a versioned snapshot bundle.
- **Release Evidence Pack Builder**: `__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- builds release evidence packs containing SBOM, VEX, policy, and verdict data.
- **Pack Manifest**: `__Libraries/StellaOps.Attestor.EvidencePack/Models/ReleaseEvidencePackManifest.cs` -- manifest with SHA-256 digests of every included artifact.
- **Content-Addressed IDs**: `__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs` -- generates content-addressed IDs for each snapshot component.
- **Graph Root Attestor**: `__Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs` -- attests SBOM graph and reachability graph Merkle roots.
- **Proof Spine**: `__Libraries/StellaOps.Attestor.ProofChain/Assembly/ProofSpineRequest.cs`, `ProofSpineResult.cs` -- assembles snapshot components into a proof spine.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs the snapshot bundle.
- **Verdict Receipt**: `Statements/VerdictReceiptPayload.cs` -- captures the security state at evaluation time.
- **Tests**: `__Tests/StellaOps.Attestor.EvidencePack.Tests/`

## E2E Test Plan
- [ ] Build a security state snapshot via `AttestationBundler` with SBOM, VEX, policy, and reachability data; verify all components are included
- [ ] Verify each component has a content-addressed ID and the manifest lists all digests
- [ ] Attest the SBOM graph and reachability graph roots via `GraphRootAttestor` and verify they are included in the snapshot
- [ ] Assemble the snapshot into a proof spine and verify the Merkle root covers all components
- [ ] Sign the snapshot bundle and verify the DSSE envelope is valid
- [ ] Create a second snapshot with one modified component and verify the content-addressed IDs differ
- [ ] Verify offline verification: export the snapshot, import in an air-gapped environment, and verify all signatures

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |