# Pack Run Evidence and Provenance

## Module
TaskRunner

## Status
IMPLEMENTED

## Description
Evidence capture and provenance writing for pack runs, including attestation service for DSSE-signed provenance records.

## Implementation Details
- **Attestation service**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Attestation/IPackRunAttestationService.cs` -- DSSE-signed attestation contract
- **Attestation model**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Attestation/PackRunAttestation.cs` -- attestation record for pack runs
- **Evidence snapshot service**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunEvidenceSnapshotService.cs` -- evidence snapshot capture
- **Evidence snapshot model**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/PackRunEvidenceSnapshot.cs` -- snapshot data model
- **Evidence store**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunEvidenceStore.cs` -- evidence persistence contract
- **Redaction guard**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunRedactionGuard.cs` -- sensitive data redaction
- **Bundle import evidence**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/BundleImportEvidence.cs`, `IBundleImportEvidenceService.cs` -- air-gap bundle import evidence
- **Provenance writer interface**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/IPackRunProvenanceWriter.cs` -- provenance writing contract
- **Provenance manifest factory**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/ProvenanceManifestFactory.cs` -- creates SLSA-compatible provenance manifests
- **Filesystem provenance writer**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/FilesystemPackRunProvenanceWriter.cs`
- **Postgres evidence store**: `src/TaskRunner/__Libraries/StellaOps.TaskRunner.Persistence/Postgres/Repositories/PostgresPackRunEvidenceStore.cs`
- **Tests**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunAttestationTests.cs`, `PackRunEvidenceSnapshotTests.cs`, `PackRunProvenanceWriterTests.cs`, `BundleImportEvidenceTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify DSSE-signed attestations are generated per pack run
- [ ] Test evidence snapshot captures all execution artifacts
- [ ] Verify provenance manifest includes SLSA-compatible metadata
- [ ] Test redaction guard strips sensitive data from evidence
- [ ] Verify bundle import evidence records air-gap import provenance