# Unified Evidence Endpoint (Single API for Complete Evidence Panel)

## Module
Scanner

## Status
VERIFIED

## Description
Single API endpoint that returns all evidence tabs for a finding in one call (replacing 6 separate API calls). Includes manifest hashes for determinism verification, green/red verification status, and evidence bundle download as ZIP/TAR.

## Implementation Details
- **Unified Evidence Service**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/UnifiedEvidenceService.cs` - `UnifiedEvidenceService` composing all evidence tabs (vulnerability, reachability, VEX, SBOM, policy, attestation) into a single response
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IUnifiedEvidenceService.cs` - Interface for unified evidence composition
- **Evidence Endpoints**:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/EvidenceEndpoints.cs` - `EvidenceEndpoints` single REST endpoint returning complete evidence panel
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaEvidenceEndpoints.cs` - Delta evidence for SmartDiff comparisons
- **Evidence Bundle Export**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs` - `EvidenceBundleExporter` packaging evidence as downloadable ZIP/TAR archives
- **Replay Command**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/ReplayCommandService.cs` - `ReplayCommandService` generating replay commands for determinism verification
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/ReplayCommandContracts.cs` - Replay command API contracts
- **Contracts**:
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/UnifiedEvidenceContracts.cs` - API contracts for unified evidence response with manifest hashes and verification status
- **Evidence Models**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/EvidenceBundle.cs` - `EvidenceBundle` model for packaged evidence
  - `src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Privacy/EvidenceRedactionService.cs` - `EvidenceRedactionService` redacting sensitive data before export
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/UnifiedEvidenceServiceTests.cs` - Unified evidence service tests
  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/EvidenceCompositionServiceTests.cs` - Composition tests
  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ReplayCommandServiceTests.cs` - Replay command tests

## E2E Test Plan
- [ ] Query the unified evidence endpoint for a finding and verify all evidence tabs (vulnerability, reachability, VEX, SBOM, policy, attestation) are returned in a single response
- [ ] Verify manifest hashes are included in the response for determinism verification
- [ ] Verify green/red verification status correctly reflects whether evidence passes verification checks
- [ ] Download evidence bundle as ZIP and verify it contains all evidence artifacts
- [ ] Verify the replay command in the response can be executed to reproduce the same evidence
- [ ] Verify `EvidenceRedactionService` correctly removes sensitive data from exported evidence bundles

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |