# Proof Chain Database Schema (PostgreSQL Persistence)

## Module
Attestor

## Status
IMPLEMENTED

## Description
PostgreSQL-backed persistence layer for proof chain data with 5 core tables (sbom_entries, dsse_envelopes, spines, trust_anchors, rekor_entries), EF Core entity mappings, and IProofChainRepository abstraction.

## Implementation Details
- **DbContext**: `src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs` -- EF Core DbContext with tenant-scoped queries, RLS policy application, and schema isolation.
- **Entities**:
  - `Entities/DsseEnvelopeEntity.cs` -- persisted DSSE envelope with tenant_id, payload hash, created/updated timestamps.
  - `Entities/RekorEntryEntity.cs` -- persisted Rekor log entry with log index, integrated time, inclusion proof.
  - `Entities/SbomEntryEntity.cs` -- persisted SBOM entry with format, version, component count.
  - `Entities/SpineEntity.cs` -- persisted proof spine with Merkle root, segment count, linked evidence IDs.
  - `Entities/TrustAnchorEntity.cs` -- persisted trust anchor with key material, expiry, and trust level.
  - `Entities/VerdictLedgerEntry.cs` -- persisted verdict ledger entry with decision, timestamp, and proof references.
  - `Entities/AuditLogEntity.cs` -- audit log with operation type and content hash.
- **Repositories**:
  - `Repositories/IProofChainRepository.cs` -- repository abstraction for CRUD operations on all proof chain entities.
  - `Repositories/IVerdictLedgerRepository.cs` -- repository for verdict ledger queries (by subject, by time range).
  - `Repositories/PostgresVerdictLedgerRepository.cs` -- PostgreSQL implementation with optimized queries and tenant scoping.
- **Migrations**: `Migrations/` -- EF Core migrations defining schema, indexes, RLS policies, and constraints.
- **Services**: `Services/` -- data access services for higher-level operations.
- **Performance**: `Perf/` -- performance configurations (connection pooling, query optimization).
- **Tests**: `__Tests/StellaOps.Attestor.Persistence.Tests/`

## E2E Test Plan
- [ ] Create and persist a `DsseEnvelopeEntity` via `IProofChainRepository` and verify retrieval by ID
- [ ] Persist a `RekorEntryEntity` with log index and inclusion proof; retrieve and verify all fields
- [ ] Persist a `SpineEntity` with Merkle root and verify the root hash is stored correctly
- [ ] Create a `TrustAnchorEntity` and verify it is retrievable by key fingerprint
- [ ] Create `VerdictLedgerEntry` records via `PostgresVerdictLedgerRepository` and query by subject digest; verify correct results
- [ ] Verify tenant isolation: create entities for tenant A and verify they are not visible to tenant B
- [ ] Run migrations on an empty database and verify all 5 tables are created with correct columns, indexes, and constraints
- [ ] Verify JSONB columns store and retrieve complex predicate payloads correctly