# SPDX 3.0.1 Writer with Build Attestation and Canonical Persistence

## Module
Attestor

## Status
IMPLEMENTED

## Description
SPDX 3.0 writer with build profile support, dedicated SPDX3 library for bidirectional build attestation mapping, combined document building with attestation/profile support, and canonical persistence.

## Implementation Details
- **SPDX Writer**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/SpdxWriter.cs` (with 40+ partials: `.Convert`, `.ConvertLite`, `.Document`, `.Packages`, `.PackageConvert`, `.Relationships`, `.RelationshipMap`, `.Licensing`, `.LicensingCollect`, `.LicenseConvert`, `.Hashing`, `.Signatures`, `.Profiles`, `.Agents`, `.Builds`, `.Assessments`, `.AiPackage`, `.DatasetPackage`, `.Vulnerabilities`, `.Extensions`, `.ExternalIds`, `.ExternalRefs`, `.FileElement`, `.Snippets`, `.Imports`, `.Helpers`, `.MapHelpers`, `.IdBuilders`, `.IdValidation`, `.NamespaceMap`, `.CollectIds`, `.CreationInfo`) -- comprehensive SPDX 3.0.1 writer.
- **SPDX3 Build Attestation Mapper**: `__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs` (with `.MapFromSpdx3`, `.MapToSpdx3`) -- bidirectional mapping between SPDX3 build profiles and internal attestation models.
- **Build Models**: `BuildAttestationPayload.cs`, `BuildInvocation.cs`, `BuildMaterial.cs`, `BuildMetadata.cs`, `BuilderInfo.cs`, `ConfigSource.cs` -- build attestation data models.
- **Combined Document Builder**: `CombinedDocumentBuilder.cs` (with `.Attestation`, `.Build`, `.Profiles`) -- builds combined SPDX3 documents with attestation and profile support.
- **Combined Document Extensions**: `CombinedDocumentExtensions.cs` -- extension methods for combined documents.
- **DSSE SPDX3 Signer**: `DsseSpdx3Signer.cs` (with `.Encoding`, `.SignAsync`, `.SignBuildProfile`, `.Verify`) -- DSSE signing for SPDX3 documents.
- **Build Relationship Builder**: `BuildRelationshipBuilder.cs` (with `.Linking`) -- builds SPDX3 build relationships.
- **SPDX3 Serializer**: `ISpdx3Serializer.cs` -- serializer interface for canonical SPDX3 output.
- **Tests**: `__Tests/StellaOps.Attestor.Spdx3.Tests/`, `__Tests/StellaOps.Attestor.StandardPredicates.Tests/SpdxWriterTests.cs`

## E2E Test Plan
- [ ] Write an SPDX 3.0.1 document via `SpdxWriter` with packages, relationships, and licensing; verify well-formed output
- [ ] Map a build attestation to SPDX3 via `BuildAttestationMapper.MapToSpdx3` and verify build profile data
- [ ] Map an SPDX3 build profile back via `.MapFromSpdx3` and verify round-trip fidelity
- [ ] Build a combined document via `CombinedDocumentBuilder` with both SBOM and attestation profiles
- [ ] Sign the SPDX3 document via `DsseSpdx3Signer.SignBuildProfile` and verify the DSSE envelope
- [ ] Verify the signed document via `DsseSpdx3Signer.Verify` and confirm signature validity
- [ ] Write SPDX3 with AI package and dataset package profiles and verify profile-specific data is included
- [ ] Verify canonical persistence: serialize the same document twice and confirm byte-identical output
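
The signing, verification and byte-identical checks from the test plan, sketched as an added Python example that is not StellaOps code and does not call its C# API. Assumptions: the canonical form is sorted-key compact UTF-8 JSON, the payload type is `application/spdx+json`, and HMAC-SHA256 stands in for the real signature algorithm so the block needs only the standard library; the sample document and key are constructed.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/spdx+json"  # assumption: the page does not name the payload type
KEY = b"constructed-test-key"           # constructed; HMAC stands in for the real signer

# Constructed fragment, not a complete SPDX 3.0.1 document.
SAMPLE = {"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
          "@graph": [{"type": "build_Build", "spdxId": "urn:example:build-1",
                      "build_buildType": "urn:example:buildtype"}]}

def canonical_bytes(doc):
    """Assumed canonical form: sorted keys, compact separators, UTF-8."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def pae(payload_type, payload):
    """DSSE v1 pre-authentication encoding: binds the type and the payload."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def sign(doc, key, keyid):
    payload = canonical_bytes(doc)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode("ascii"),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}]}

def verify(envelope, key):
    """Return the decoded document if a signature verifies, else None."""
    try:
        if envelope["payloadType"] != PAYLOAD_TYPE:
            return None  # reject unexpected types before parsing anything
        payload = base64.b64decode(envelope["payload"], validate=True)
        want = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
        for s in envelope["signatures"]:
            if hmac.compare_digest(base64.b64decode(s["sig"], validate=True), want):
                return json.loads(payload)  # parse only bytes that were authenticated
    except (KeyError, ValueError, TypeError):
        pass
    return None

if __name__ == "__main__":
    env = sign(SAMPLE, KEY, "test-key")
    reordered = dict(reversed(list(SAMPLE.items())))  # same data, different key order
    print("byte-identical:", canonical_bytes(SAMPLE) == canonical_bytes(reordered))
    print("verifies:", verify(env, KEY) == SAMPLE)
    env["payload"] = base64.b64encode(b'{"@graph":[]}').decode("ascii")
    print("tampered rejected:", verify(env, KEY) is None)
```

The signature covers the PAE bytes, not the parsed JSON, so any serializer change that alters byte output invalidates existing envelopes; that is why the byte-identical check belongs in the same test run as the signing checks.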