# Evidence Bundle Export with Embedded Verify Scripts

## Module
EvidenceLocker

## Status
IMPLEMENTED

## Description
Standardized evidence-bundle tar.gz export format with embedded verify.sh (POSIX) and verify.ps1 (PowerShell) scripts, bundled public keys for offline verification, Merkle root verification (RFC 6962), BSD-format SHA256 checksums, and async export worker for large bundles with status tracking (pending/processing/ready/failed).

## Implementation Details
- **Modules**: `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/Api/`
- **Key Classes**:
  - `TarGzBundleExporter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/TarGzBundleExporter.cs`) - creates tar.gz bundles with embedded verify scripts and checksums
  - `VerifyScriptGenerator` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/VerifyScriptGenerator.cs`) - generates verify.sh (POSIX) and verify.ps1 (PowerShell) scripts
  - `MerkleTreeBuilder` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/MerkleTreeBuilder.cs`) - builds Merkle tree for bundle integrity (RFC 6962)
  - `ChecksumFileWriter` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/ChecksumFileWriter.cs`) - writes BSD-format SHA256 checksums
  - `BundleManifest` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs`) - manifest model for bundle contents
  - `BundleMetadata` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleMetadata.cs`) - metadata model for bundle export
  - `ExportEndpoints` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/ExportEndpoints.cs`) - REST endpoints for export operations
  - `ExportJobService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/Api/ExportJobService.cs`) - async export worker with status tracking
- **Interfaces**: `IEvidenceBundleExporter`, `IBundleDataProvider`, `IExportJobService`
- **Source**: SPRINT_20260106_003_003_EVIDENCE_export_bundle.md

## E2E Test Plan
- [ ] Export an evidence bundle via `ExportEndpoints` and verify the tar.gz contains verify.sh, verify.ps1, checksums, and public keys
- [ ] Extract the bundle and run the embedded verify.sh script to confirm it validates checksums and Merkle root
- [ ] Verify `MerkleTreeBuilder` produces RFC 6962-compliant Merkle tree with correct root hash
- [ ] Verify `ChecksumFileWriter` writes BSD-format SHA256 checksums matching each file in the bundle
- [ ] Submit a large bundle export and verify `ExportJobService` tracks status through pending/processing/ready states
- [ ] Verify the exported bundle can be verified offline using only the embedded scripts and bundled public keys
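
The two integrity checks named above, BSD-format SHA256 checksums and an RFC 6962 Merkle root, sketched in Python as an added example (not StellaOps code). The sample file names, the helper names and the choice of leaves (raw file digests in sorted path order) are assumptions; the page does not specify the bundle layout.

```python
import hashlib
import re

# BSD-style line: "SHA256 (<path>) = <64 hex chars>"
BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")
# Constructed sample contents, not real bundle output.
SAMPLE_FILES = {"manifest.json": b'{"files": 1}\n', "evidence/sbom.json": b"{}\n"}

def write_bsd_checksums(files):  # one BSD-format line per file, sorted by path
    return "".join(f"SHA256 ({p}) = {hashlib.sha256(d).hexdigest()}\n" for p, d in sorted(files.items()))

def parse_bsd_checksums(text):
    """Return {path: hex digest}; reject malformed or duplicate lines."""
    entries = {}
    for line in filter(None, text.splitlines()):
        m = BSD_LINE.match(line)
        if m is None or m.group(1) in entries:
            raise ValueError(f"malformed or duplicate checksum line: {line!r}")
        entries[m.group(1)] = m.group(2)
    return entries

def merkle_root(leaves):
    """RFC 6962 section 2.1 Merkle Tree Hash over a list of byte strings."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hashlib.sha256(b"\x00" + leaves[0]).digest()  # leaf prefix
    k = 1
    while k * 2 < n:  # largest power of two strictly less than n
        k *= 2
    left, right = merkle_root(leaves[:k]), merkle_root(leaves[k:])
    return hashlib.sha256(b"\x01" + left + right).digest()  # node prefix

def verify_bundle(files, checksum_text, expected_root_hex):
    """files: {path: bytes}. Returns a list of problems; empty means verified."""
    expected = parse_bsd_checksums(checksum_text)
    problems = []
    for path in sorted(set(expected) | set(files)):
        if path not in files:
            problems.append(f"missing: {path}")
        elif path not in expected:
            problems.append(f"unlisted: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != expected[path]:
            problems.append(f"mismatch: {path}")
    # Assumption: leaves are the raw file digests in sorted path order.
    leaves = [bytes.fromhex(expected[p]) for p in sorted(expected)]
    if merkle_root(leaves).hex() != expected_root_hex:
        problems.append("merkle root mismatch")
    return problems
```

The 0x00 leaf and 0x01 node prefixes keep a leaf hash from being reinterpreted as an interior node. The checksum file and root only prove integrity once the root itself is checked against a signature made with a trusted key.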