# SBOM→VEX Chain Hash Recipe (Stub)

Use with sprint task 6 (SBOM-VEX-GAPS-300-013).

- Inputs: sorted SBOM documents, VEX statements, DSSE envelopes, Rekor bundle snapshot.
- Hashing: deterministic ordering (UTF-8, LF), SHA-256 over concatenated canonical JSON.
- Chain: derive cumulative hash for (SBOM → DSSE → Rekor → VEX) and store in proof manifest.
- Offline: no network; bundle Rekor root + snapshot; include `inputs.lock` with tool versions.

Example (stub):

```bash
set -euo pipefail
sbom_files=(sbom.json)
vex_files=(vex.json)
dsse=envelope.dsse
rekor=rekor-bundle.json

# Private scratch directory instead of fixed, predictable /tmp paths.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Canonicalize each input; jq -S sorts object keys.
jq -S . "${sbom_files[@]}" > "$tmp/sbom.canon"
jq -S . "${vex_files[@]}" > "$tmp/vex.canon"
jq -S . "$dsse" > "$tmp/dsse.canon"
jq -S . "$rekor" > "$tmp/rekor.canon"

# Hash in chain order: SBOM, DSSE, Rekor, VEX.
cat "$tmp/sbom.canon" "$tmp/dsse.canon" "$tmp/rekor.canon" "$tmp/vex.canon" |
  sha256sum | awk '{print $1}' > proof.chainhash
echo "chain-hash: $(cat proof.chainhash)"
```
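
The stub hashes one concatenation of all inputs; the sketch below is an added example (not this project's code) of the cumulative variant named in the "Chain" item, where each stage's hash covers the previous link so a verifier can see at which stage a mismatch first appears. The link construction, the all-zero genesis value, the stage labels, the function names and the sample documents are assumptions made for illustration.

```python
import hashlib
import json

STAGES = ("sbom", "dsse", "rekor", "vex")  # chain order from the recipe


def canonical(doc) -> bytes:
    """Canonical form assumed here: sorted keys, compact, UTF-8, one trailing LF."""
    text = json.dumps(doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8") + b"\n"


def stage_digest(docs) -> bytes:
    """Hash every document of a stage, then hash the sorted digests so that
    the order in which files were collected cannot change the result."""
    leaves = sorted(hashlib.sha256(canonical(d)).digest() for d in docs)
    return hashlib.sha256(b"".join(leaves)).digest()


def chain_hash(inputs: dict) -> dict:
    """Return the cumulative hash after each stage, for the proof manifest."""
    missing = [s for s in STAGES if not inputs.get(s)]
    if missing:
        raise ValueError(f"missing stage inputs: {missing}")
    link = bytes(32)  # assumed all-zero genesis value
    manifest = {}
    for stage in STAGES:
        # The stage label binds each digest to its position in the chain.
        material = link + stage.encode("ascii") + b"\n" + stage_digest(inputs[stage])
        link = hashlib.sha256(material).digest()
        manifest[stage] = link.hex()
    manifest["chain-hash"] = link.hex()
    return manifest


# Constructed sample documents, not real SBOM/VEX/DSSE/Rekor data.
SAMPLE = {
    "sbom": [{"bomFormat": "CycloneDX", "components": [{"name": "libexample", "version": "1.0.0"}]}],
    "dsse": [{"payloadType": "application/vnd.in-toto+json", "payload": "e30=", "signatures": []}],
    "rekor": [{"logIndex": 1, "rootHash": "00" * 32}],
    "vex": [{"vulnerability": "EXAMPLE-VULN-ID", "status": "not_affected"}],
}

if __name__ == "__main__":
    for name, value in chain_hash(SAMPLE).items():
        print(f"{name}: {value}")
```

A changed VEX statement leaves the `sbom`, `dsse` and `rekor` links intact and alters only the final one, while a changed SBOM alters every link after it.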