# FindingEvidence Composition API Endpoint

## Module
Scanner

## Status
IMPLEMENTED

## Description
REST API endpoint that composes per-finding evidence bundles by aggregating SBOM slices, reachability proofs, VEX documents, and attestation chains into a unified evidence response. EvidenceCompositionService orchestrates multi-source evidence assembly on demand.

## Implementation Details
- **Evidence Composition Service**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IEvidenceCompositionService.cs` - `IEvidenceCompositionService` interface
  - `src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceCompositionService.cs` - Orchestrates multi-source evidence assembly (SBOM slices, reachability, VEX, attestations)
  - `src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceCompositionService.cs` - `EvidenceCompositionOptions` for configuring evidence sources
- **Evidence Endpoints**:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/EvidenceEndpoints.cs` - `EvidenceEndpoints` for listing and querying evidence
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReachabilityEvidenceEndpoints.cs` - Reachability-specific evidence endpoints
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaEvidenceEndpoints.cs` - Delta evidence endpoints
- **Evidence Export**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/IEvidenceBundleExporter.cs` - Evidence bundle export interface
  - `src/Scanner/StellaOps.Scanner.WebService/Services/EvidenceBundleExporter.cs` - Exports evidence bundles in multiple formats

## E2E Test Plan
- [ ] Call the evidence composition endpoint for a specific finding and verify a unified evidence response is returned
- [ ] Verify the response includes SBOM slice data for the affected component
- [ ] Verify the response includes reachability proof when reachability analysis was performed
- [ ] Verify the response includes VEX document references when VEX data is available
- [ ] Verify the response includes attestation chain verification status
- [ ] Verify evidence bundle export works in supported formats