# Proof Bundle API for Exploit Paths

## Module
Scanner

## Status
IMPLEMENTED

## Description
REST API (GET /triage/paths/{pathId}/proof) returning complete proof bundles aggregating reachability subgraph (nodes + edges), symbol map with source locations, VEX claims with trust scores, and computed bundle digest for integrity. Export endpoint for JSON file download.

## Implementation Details
- **Proof Bundle Storage**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresProofBundleRepository.cs` - `PostgresProofBundleRepository` stores and retrieves proof bundles for exploit paths
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Entities/ProofBundleRow.cs` - `ProofBundleRow` database entity for proof bundle persistence
- **Proof Bundle Writer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/ProofBundleWriter.cs` - `ProofBundleWriter` assembles proof bundles aggregating reachability subgraph, symbol map, VEX claims, and computes bundle digest
- **Scan Manifest**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IScanManifestRepository.cs` - Repository for scan manifest data linked to proof bundles
- **OCI Publishing**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/VerdictOciPublisher.cs` - Publishes proof bundles to OCI registries as attestation artifacts

## E2E Test Plan
- [ ] Generate a proof bundle for an exploit path and retrieve it via the API, verifying it contains the reachability subgraph with nodes and edges
- [ ] Verify the proof bundle includes the symbol map with source file locations
- [ ] Verify the proof bundle includes VEX claims with trust scores for each finding
- [ ] Verify the computed bundle digest provides integrity verification
- [ ] Export the proof bundle as a JSON file and verify the download contains the complete bundle
- [ ] Verify proof bundles are publishable to OCI registries as attestation artifacts