vaspera 2.7.0 → 2.9.0

package/dist/evidence/collector.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Evidence Collector
+ *
+ * Collects and packages audit evidence for compliance.
+ *
+ * @module evidence/collector
+ */
+import type { EvidenceBundle, EvidenceArtifact, CollectEvidenceOptions, CollectEvidenceResult } from "./types.js";
+/**
+ * Collect evidence artifacts
+ */
+export declare function collectEvidence(options: CollectEvidenceOptions): Promise<CollectEvidenceResult>;
+/**
+ * Calculate bundle digest from artifacts
+ */
+export declare function calculateBundleDigest(artifacts: EvidenceArtifact[]): string;
+/**
+ * Format evidence bundle as markdown summary
+ */
+export declare function formatEvidenceBundleAsMarkdown(bundle: EvidenceBundle): string;
+//# sourceMappingURL=collector.d.ts.map

package/dist/evidence/collector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"collector.d.ts","sourceRoot":"","sources":["../../src/evidence/collector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH,OAAO,KAAK,EACV,cAAc,EACd,gBAAgB,EAIhB,sBAAsB,EACtB,qBAAqB,EACtB,MAAM,YAAY,CAAC;AAqMpB;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,qBAAqB,CAAC,CA+JhC;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,gBAAgB,EAAE,GAAG,MAAM,CAG3E;AAED;;GAEG;AACH,wBAAgB,8BAA8B,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CA6D7E"}

package/dist/evidence/collector.js

@@ -0,0 +1,340 @@
+/**
+ * Evidence Collector
+ *
+ * Collects and packages audit evidence for compliance.
+ *
+ * @module evidence/collector
+ */
+import { readFile, access, stat, readdir } from "fs/promises";
+import { join, basename } from "path";
+import { createHash, randomUUID } from "crypto";
+import { platform, release, hostname } from "os";
+import { logger } from "../logger.js";
+const VASPERA_DIR = ".vaspera";
+const DEFAULT_MAX_INLINE_SIZE = 50 * 1024; // 50KB
+/**
+ * Get package.json version
+ */
+async function getVasperaVersion() {
+    try {
+        const pkgPath = join(process.cwd(), "package.json");
+        const pkg = JSON.parse(await readFile(pkgPath, "utf-8"));
+        return pkg.version || "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+}
+/**
+ * Detect CI environment
+ */
+function detectCIEnvironment() {
+    // GitHub Actions
+    if (process.env.GITHUB_ACTIONS === "true") {
+        return {
+            provider: "github",
+            buildId: process.env.GITHUB_RUN_ID || "",
+            commitSha: process.env.GITHUB_SHA || "",
+            ref: process.env.GITHUB_REF,
+            actor: process.env.GITHUB_ACTOR,
+            runId: process.env.GITHUB_RUN_NUMBER,
+            repository: process.env.GITHUB_REPOSITORY
+                ? {
+                    owner: process.env.GITHUB_REPOSITORY.split("/")[0],
+                    name: process.env.GITHUB_REPOSITORY.split("/")[1],
+                    url: `https://github.com/${process.env.GITHUB_REPOSITORY}`,
+                }
+                : undefined,
+            pullRequest: process.env.GITHUB_EVENT_NAME === "pull_request"
+                ? {
+                    number: parseInt(process.env.GITHUB_REF?.split("/")[2] || "0", 10),
+                }
+                : undefined,
+        };
+    }
+    // GitLab CI
+    if (process.env.GITLAB_CI === "true") {
+        return {
+            provider: "gitlab",
+            buildId: process.env.CI_PIPELINE_ID || "",
+            commitSha: process.env.CI_COMMIT_SHA || "",
+            ref: process.env.CI_COMMIT_REF_NAME,
+            actor: process.env.GITLAB_USER_LOGIN,
+            runId: process.env.CI_JOB_ID,
+            repository: {
+                owner: process.env.CI_PROJECT_NAMESPACE || "",
+                name: process.env.CI_PROJECT_NAME || "",
+                url: process.env.CI_PROJECT_URL || "",
+            },
+            pullRequest: process.env.CI_MERGE_REQUEST_IID
+                ? {
+                    number: parseInt(process.env.CI_MERGE_REQUEST_IID, 10),
+                    title: process.env.CI_MERGE_REQUEST_TITLE,
+                }
+                : undefined,
+        };
+    }
+    // Jenkins
+    if (process.env.JENKINS_URL) {
+        return {
+            provider: "jenkins",
+            buildId: process.env.BUILD_ID || "",
+            commitSha: process.env.GIT_COMMIT || "",
+            ref: process.env.GIT_BRANCH,
+            runId: process.env.BUILD_NUMBER,
+        };
+    }
+    // CircleCI
+    if (process.env.CIRCLECI === "true") {
+        return {
+            provider: "circleci",
+            buildId: process.env.CIRCLE_BUILD_NUM || "",
+            commitSha: process.env.CIRCLE_SHA1 || "",
+            ref: process.env.CIRCLE_BRANCH,
+            actor: process.env.CIRCLE_USERNAME,
+            repository: {
+                owner: process.env.CIRCLE_PROJECT_USERNAME || "",
+                name: process.env.CIRCLE_PROJECT_REPONAME || "",
+                url: `https://github.com/${process.env.CIRCLE_PROJECT_USERNAME}/${process.env.CIRCLE_PROJECT_REPONAME}`,
+            },
+            pullRequest: process.env.CIRCLE_PULL_REQUEST
+                ? {
+                    number: parseInt(process.env.CIRCLE_PULL_REQUEST.split("/").pop() || "0", 10),
+                    url: process.env.CIRCLE_PULL_REQUEST,
+                }
+                : undefined,
+        };
+    }
+    // Generic CI detection
+    if (process.env.CI === "true" || process.env.CI === "1") {
+        return {
+            provider: "unknown",
+            buildId: process.env.BUILD_ID || process.env.BUILD_NUMBER || "",
+            commitSha: process.env.COMMIT_SHA || process.env.GIT_COMMIT || "",
+        };
+    }
+    return undefined;
+}
+/**
+ * Capture runtime environment
+ */
+async function captureEnvironment() {
+    const ci = detectCIEnvironment();
+    return {
+        os: platform(),
+        osVersion: release(),
+        nodeVersion: process.version,
+        vasperaVersion: await getVasperaVersion(),
+        hostname: ci ? undefined : hostname().slice(0, 8), // Truncate for privacy in non-CI
+        ci,
+        capturedAt: new Date().toISOString(),
+    };
+}
+/**
+ * Calculate SHA-256 hash of content
+ */
+function calculateDigest(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+/**
+ * Create an artifact from a file
+ */
+async function createFileArtifact(filePath, type, name, description, maxInlineSize) {
+    try {
+        await access(filePath);
+        const stats = await stat(filePath);
+        const content = await readFile(filePath, "utf-8");
+        const digest = calculateDigest(content);
+        const artifact = {
+            type,
+            name,
+            description,
+            contentDigest: digest,
+            sizeBytes: stats.size,
+            collectedAt: new Date().toISOString(),
+            sourcePath: filePath,
+        };
+        // Inline small artifacts
+        if (stats.size <= maxInlineSize) {
+            artifact.content = content;
+        }
+        return artifact;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Create an artifact from inline content
+ */
+function createInlineArtifact(content, type, name, description) {
+    const contentBytes = Buffer.from(content, "utf-8");
+    return {
+        type,
+        name,
+        description,
+        contentDigest: calculateDigest(contentBytes),
+        sizeBytes: contentBytes.length,
+        collectedAt: new Date().toISOString(),
+        content,
+    };
+}
+/**
+ * Collect evidence artifacts
+ */
+export async function collectEvidence(options) {
+    const { projectPath, certificationId, frameworks = [], includeSbom = true, includeHistory = true, includeScanResults = true, includeConfig = true, maxInlineSize = DEFAULT_MAX_INLINE_SIZE, } = options;
+    const warnings = [];
+    const artifacts = [];
+    logger.info("evidence.collect.start", { projectPath, certificationId });
+    try {
+        const vasperaDir = join(projectPath, VASPERA_DIR);
+        // Collect config files
+        if (includeConfig) {
+            const configFile = join(vasperaDir, "config.json");
+            const configArtifact = await createFileArtifact(configFile, "config_file", "vaspera-config", "Vaspera configuration file", maxInlineSize);
+            if (configArtifact) {
+                artifacts.push(configArtifact);
+            }
+        }
+        // Collect history snapshot
+        if (includeHistory) {
+            const historyFile = join(vasperaDir, "history.jsonl");
+            const historyArtifact = await createFileArtifact(historyFile, "history_snapshot", "audit-history", "Certification and scan history with hash chain", maxInlineSize);
+            if (historyArtifact) {
+                artifacts.push(historyArtifact);
+            }
+            else {
+                warnings.push("History file not found - audit trail not included");
+            }
+        }
+        // Collect scan results
+        if (includeScanResults) {
+            const scansDir = join(vasperaDir, "scans");
+            try {
+                await access(scansDir);
+                const files = await readdir(scansDir);
+                const jsonFiles = files.filter((f) => f.endsWith(".json")).slice(0, 10); // Limit to 10 most recent
+                for (const file of jsonFiles) {
+                    const scanArtifact = await createFileArtifact(join(scansDir, file), "scan_result", `scan-${basename(file, ".json")}`, "Deterministic scanner results", maxInlineSize);
+                    if (scanArtifact) {
+                        artifacts.push(scanArtifact);
+                    }
+                }
+            }
+            catch {
+                warnings.push("Scans directory not found");
+            }
+        }
+        // Collect compliance reports
+        if (frameworks.length > 0) {
+            const reportsDir = join(vasperaDir, "reports");
+            try {
+                await access(reportsDir);
+                const files = await readdir(reportsDir);
+                for (const framework of frameworks) {
+                    const reportFile = files.find((f) => f.includes(framework.toLowerCase()));
+                    if (reportFile) {
+                        const reportArtifact = await createFileArtifact(join(reportsDir, reportFile), "compliance_report", `compliance-${framework}`, `${framework} compliance report`, maxInlineSize);
+                        if (reportArtifact) {
+                            artifacts.push(reportArtifact);
+                        }
+                    }
+                }
+            }
+            catch {
+                warnings.push("Reports directory not found");
+            }
+        }
+        // Collect SBOM
+        if (includeSbom) {
+            const sbomFile = join(vasperaDir, "sbom.json");
+            const sbomArtifact = await createFileArtifact(sbomFile, "sbom", "sbom", "Software Bill of Materials (CycloneDX)", maxInlineSize);
+            if (sbomArtifact) {
+                artifacts.push(sbomArtifact);
+            }
+        }
+        // Calculate bundle digest from all artifact digests
+        const allDigests = artifacts.map((a) => a.contentDigest).sort().join("");
+        const bundleDigest = calculateDigest(allDigests);
+        // Capture environment
+        const environment = await captureEnvironment();
+        // Create the bundle
+        const bundle = {
+            id: `evidence-${randomUUID().slice(0, 12)}`,
+            certificationId,
+            createdAt: new Date().toISOString(),
+            projectPath,
+            frameworks,
+            environment,
+            artifacts,
+            bundleDigest,
+        };
+        logger.info("evidence.collect.complete", {
+            bundleId: bundle.id,
+            artifactCount: artifacts.length,
+            warningCount: warnings.length,
+        });
+        return {
+            success: true,
+            bundle,
+            warnings,
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "Unknown error";
+        logger.error("evidence.collect.failed", { error: message });
+        return {
+            success: false,
+            error: message,
+            warnings,
+        };
+    }
+}
+/**
+ * Calculate bundle digest from artifacts
+ */
+export function calculateBundleDigest(artifacts) {
+    const allDigests = artifacts.map((a) => a.contentDigest).sort().join("");
+    return calculateDigest(allDigests);
+}
+/**
+ * Format evidence bundle as markdown summary
+ */
+export function formatEvidenceBundleAsMarkdown(bundle) {
+    const lines = [
+        "# Evidence Bundle",
+        "",
+        `**Bundle ID**: ${bundle.id}`,
+        `**Created**: ${bundle.createdAt}`,
+        `**Project**: ${bundle.projectPath}`,
+        bundle.certificationId ? `**Certification**: ${bundle.certificationId}` : "",
+        "",
+        "## Environment",
+        "",
+        `| Property | Value |`,
+        `|----------|-------|`,
+        `| OS | ${bundle.environment.os} ${bundle.environment.osVersion} |`,
+        `| Node.js | ${bundle.environment.nodeVersion} |`,
+        `| Vaspera | ${bundle.environment.vasperaVersion} |`,
+    ];
+    if (bundle.environment.ci) {
+        lines.push(`| CI Provider | ${bundle.environment.ci.provider} |`, `| Build ID | ${bundle.environment.ci.buildId} |`, `| Commit | \`${bundle.environment.ci.commitSha.slice(0, 8)}\` |`);
+    }
+    lines.push("", "## Artifacts", "", `| Type | Name | Size | Digest |`, `|------|------|------|--------|`);
+    for (const artifact of bundle.artifacts) {
+        const sizeKB = (artifact.sizeBytes / 1024).toFixed(1);
+        lines.push(`| ${artifact.type} | ${artifact.name} | ${sizeKB}KB | \`${artifact.contentDigest.slice(0, 16)}...\` |`);
+    }
+    lines.push("", "## Bundle Integrity", "", `**Bundle Digest**: \`${bundle.bundleDigest}\``, "");
+    if (bundle.signature) {
+        lines.push("**Signature**: Present", bundle.signature.rekorLogIndex
+            ? `**Rekor Log Index**: ${bundle.signature.rekorLogIndex}`
+            : "");
+    }
+    else {
+        lines.push("**Signature**: Not signed");
+    }
+    return lines.filter(Boolean).join("\n");
+}
+//# sourceMappingURL=collector.js.map

package/dist/evidence/collector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"collector.js","sourceRoot":"","sources":["../../src/evidence/collector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,MAAM,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAYtC,MAAM,WAAW,GAAG,UAAU,CAAC;AAC/B,MAAM,uBAAuB,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO;AAElD;;GAEG;AACH,KAAK,UAAU,iBAAiB;IAC9B,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,CAAC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;QACzD,OAAO,GAAG,CAAC,OAAO,IAAI,SAAS,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB;IAC1B,iBAAiB;IACjB,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,MAAM,EAAE,CAAC;QAC1C,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,EAAE;YACxC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE;YACvC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;YAC3B,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;YAC/B,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;YACpC,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;gBACvC,CAAC,CAAC;oBACE,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;oBAClD,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;oBACjD,GAAG,EAAE,sBAAsB,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE;iBAC3D;gBACH,CAAC,CAAC,SAAS;YACb,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,cAAc;gBAC3D,CAAC,CAAC;oBACE,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC;iBACnE;gBACH,CAAC,CAAC,SAAS;SACd,CAAC;IACJ,CAAC;IAED,YAAY;IACZ,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;QACrC,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE;YACzC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,EAAE;YAC1C,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;YACnC,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;YACpC,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,SAAS;YAC5B,UAAU,EAAE;gBACV,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE;gBAC7C,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE;gBACvC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE;aACtC;YACD,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;gBAC3C,CAAC,CAAC;oBACE,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,EAAE,CAAC;oBACtD,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB;iBAC1C;gBACH,CAAC,CAAC,SAAS;SACd,CAAC;IACJ,CAAC;IAED,UAAU;IACV,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;QAC5B,OAAO;YACL,QAAQ,EAAE,SAAS;YACnB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE;YACnC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE;YACvC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;YAC3B,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;SAChC,CAAC;IACJ,CAAC;IAED,WAAW;IACX,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QACpC,OAAO;YACL,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,EAAE;YAC3C,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE;YACxC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa;YAC9B,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;YAClC,UAAU,EAAE;gBACV,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,EAAE;gBAChD,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,EAAE;gBAC/C,GAAG,EAAE,sBAAsB,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE;aACxG;YACD,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB;gBAC1C,CAAC,CAAC;oBACE,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,GAAG,EAAE,EAAE,CAAC;oBAC7E,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB;iBACrC;gBACH,CAAC,CAAC,SAAS;SACd,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC;QACxD,OAAO;YACL,QAAQ,EAAE,SAAS;YACnB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE;YAC/D,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE;SAClE,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB;IAC/B,MAAM,EAAE,GAAG,mBAAmB,EAAE,CAAC;IAEjC,OAAO;QACL,EAAE,EAAE,QAAQ,EAAE;QACd,SAAS,EAAE,OAAO,EAAE;QACpB,WAAW,EAAE,OAAO,CAAC,OAAO;QAC5B,cAAc,EAAE,MAAM,iBAAiB,EAAE;QACzC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,iCAAiC;QACpF,EAAE;QACF,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAAwB;IAC/C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,QAAgB,EAChB,IAA0B,EAC1B,IAAY,EACZ,WAAmB,EACnB,aAAqB;IAErB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QAExC,MAAM,QAAQ,GAAqB;YACjC,IAAI;YACJ,IAAI;YACJ,WAAW;YACX,aAAa,EAAE,MAAM;YACrB,SAAS,EAAE,KAAK,CAAC,IAAI;YACrB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,UAAU,EAAE,QAAQ;SACrB,CAAC;QAEF,yBAAyB;QACzB,IAAI,KAAK,CAAC,IAAI,IAAI,aAAa,EAAE,CAAC;YAChC,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;QAC7B,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,OAAe,EACf,IAA0B,EAC1B,IAAY,EACZ,WAAmB;IAEnB,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACnD,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,WAAW;QACX,aAAa,EAAE,eAAe,CAAC,YAAY,CAAC;QAC5C,SAAS,EAAE,YAAY,CAAC,MAAM;QAC9B,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAA+B;IAE/B,MAAM,EACJ,WAAW,EACX,eAAe,EACf,UAAU,GAAG,EAAE,EACf,WAAW,GAAG,IAAI,EAClB,cAAc,GAAG,IAAI,EACrB,kBAAkB,GAAG,IAAI,EACzB,aAAa,GAAG,IAAI,EACpB,aAAa,GAAG,uBAAuB,GACxC,GAAG,OAAO,CAAC;IAEZ,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAuB,EAAE,CAAC;IAEzC,MAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,WAAW,EAAE,eAAe,EAAE,CAAC,CAAC;IAExE,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAElD,uBAAuB;QACvB,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;YACnD,MAAM,cAAc,GAAG,MAAM,kBAAkB,CAC7C,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,4BAA4B,EAC5B,aAAa,CACd,CAAC;YACF,IAAI,cAAc,EAAE,CAAC;gBACnB,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;YACtD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAC9C,WAAW,EACX,kBAAkB,EAClB,eAAe,EACf,gDAAgD,EAChD,aAAa,CACd,CAAC;YACF,IAAI,eAAe,EAAE,CAAC;gBACpB,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,kBAAkB,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC3C,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACvB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACtC,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,0BAA0B;gBAEnG,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;oBAC7B,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAC3C,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,EACpB,aAAa,EACb,QAAQ,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EACjC,+BAA+B,EAC/B,aAAa,CACd,CAAC;oBACF,IAAI,YAAY,EAAE,CAAC;wBACjB,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YAC/C,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;gBACzB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,CAAC;gBAExC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;oBACnC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;oBAC1E,IAAI,UAAU,EAAE,CAAC;wBACf,MAAM,cAAc,GAAG,MAAM,kBAAkB,CAC7C,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAC5B,mBAAmB,EACnB,cAAc,SAAS,EAAE,EACzB,GAAG,SAAS,oBAAoB,EAChC,aAAa,CACd,CAAC;wBACF,IAAI,cAAc,EAAE,CAAC;4BACnB,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;wBACjC,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,eAAe;QACf,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YAC/C,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAC3C,QAAQ,EACR,MAAM,EACN,MAAM,EACN,wCAAwC,EACxC,aAAa,CACd,CAAC;YACF,IAAI,YAAY,EAAE,CAAC;gBACjB,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QAED,oDAAoD;QACpD,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzE,MAAM,YAAY,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;QAEjD,sBAAsB;QACtB,MAAM,WAAW,GAAG,MAAM,kBAAkB,EAAE,CAAC;QAE/C,oBAAoB;QACpB,MAAM,MAAM,GAAmB;YAC7B,EAAE,EAAE,YAAY,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;YAC3C,eAAe;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,WAAW;YACX,UAAU;YACV,WAAW;YACX,SAAS;YACT,YAAY;SACb,CAAC;QAEF,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;YACvC,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,aAAa,EAAE,SAAS,CAAC,MAAM;YAC/B,YAAY,EAAE,QAAQ,CAAC,MAAM;SAC9B,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,MAAM;YACN,QAAQ;SACT,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QACzE,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAE5D,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,OAAO;YACd,QAAQ;SACT,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,SAA6B;IACjE,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzE,OAAO,eAAe,CAAC,UAAU,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAAC,MAAsB;IACnE,MAAM,KAAK,GAAa;QACtB,mBAAmB;QACnB,EAAE;QACF,kBAAkB,MAAM,CAAC,EAAE,EAAE;QAC7B,gBAAgB,MAAM,CAAC,SAAS,EAAE;QAClC,gBAAgB,MAAM,CAAC,WAAW,EAAE;QACpC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,sBAAsB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE;QAC5E,EAAE;QACF,gBAAgB;QAChB,EAAE;QACF,sBAAsB;QACtB,sBAAsB;QACtB,UAAU,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,SAAS,IAAI;QACnE,eAAe,MAAM,CAAC,WAAW,CAAC,WAAW,IAAI;QACjD,eAAe,MAAM,CAAC,WAAW,CAAC,cAAc,IAAI;KACrD,CAAC;IAEF,IAAI,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CACR,mBAAmB,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,QAAQ,IAAI,EACrD,gBAAgB,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,OAAO,IAAI,EACjD,gBAAgB,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAClE,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CACR,EAAE,EACF,cAAc,EACd,EAAE,EACF,iCAAiC,EACjC,iCAAiC,CAClC,CAAC;IAEF,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,MAAM,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACtD,KAAK,CAAC,IAAI,CACR,KAAK,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,IAAI,MAAM,MAAM,UAAU,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CACxG,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CACR,EAAE,EACF,qBAAqB,EACrB,EAAE,EACF,wBAAwB,MAAM,CAAC,YAAY,IAAI,EAC/C,EAAE,CACH,CAAC;IAEF,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CACR,wBAAwB,EACxB,MAAM,CAAC,SAAS,CAAC,aAAa;YAC5B,CAAC,CAAC,wBAAwB,MAAM,CAAC,SAAS,CAAC,aAAa,EAAE;YAC1D,CAAC,CAAC,EAAE,CACP,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1C,CAAC"}

package/dist/evidence/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Evidence Collection Module
+ *
+ * Collects, stores, and verifies audit evidence for compliance.
+ *
+ * @module evidence
+ */
+export type { EvidenceArtifactType, EvidenceArtifact, CIEnvironment, RuntimeEnvironment, EvidenceBundle, CollectEvidenceOptions, CollectEvidenceResult, VerifyEvidenceResult, } from "./types.js";
+export { collectEvidence, calculateBundleDigest, formatEvidenceBundleAsMarkdown, } from "./collector.js";
+export { storeEvidenceBundle, loadEvidenceBundle, listEvidenceBundles, verifyEvidenceBundle, getEvidenceStats, } from "./store.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/evidence/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/evidence/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,YAAY,EACV,oBAAoB,EACpB,gBAAgB,EAChB,aAAa,EACb,kBAAkB,EAClB,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,8BAA8B,GAC/B,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,YAAY,CAAC"}

package/dist/evidence/index.js

@@ -0,0 +1,12 @@
+/**
+ * Evidence Collection Module
+ *
+ * Collects, stores, and verifies audit evidence for compliance.
+ *
+ * @module evidence
+ */
+// Collector
+export { collectEvidence, calculateBundleDigest, formatEvidenceBundleAsMarkdown, } from "./collector.js";
+// Store
+export { storeEvidenceBundle, loadEvidenceBundle, listEvidenceBundles, verifyEvidenceBundle, getEvidenceStats, } from "./store.js";
+//# sourceMappingURL=index.js.map

package/dist/evidence/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/evidence/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAcH,YAAY;AACZ,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,8BAA8B,GAC/B,MAAM,gBAAgB,CAAC;AAExB,QAAQ;AACR,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,YAAY,CAAC"}

package/dist/evidence/store.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Evidence Store
+ *
+ * Storage and retrieval for evidence bundles.
+ *
+ * @module evidence/store
+ */
+import type { EvidenceBundle, VerifyEvidenceResult } from "./types.js";
+/**
+ * Store an evidence bundle
+ */
+export declare function storeEvidenceBundle(projectPath: string, bundle: EvidenceBundle): Promise<string>;
+/**
+ * Load an evidence bundle by ID
+ */
+export declare function loadEvidenceBundle(projectPath: string, bundleId: string): Promise<EvidenceBundle | null>;
+/**
+ * List all evidence bundles for a project
+ */
+export declare function listEvidenceBundles(projectPath: string): Promise<Array<{
+    id: string;
+    createdAt: string;
+    certificationId?: string;
+    artifactCount: number;
+}>>;
+/**
+ * Verify an evidence bundle's integrity
+ */
+export declare function verifyEvidenceBundle(bundle: EvidenceBundle): Promise<VerifyEvidenceResult>;
+/**
+ * Get evidence bundle statistics
+ */
+export declare function getEvidenceStats(projectPath: string): Promise<{
+    bundleCount: number;
+    totalSizeBytes: number;
+    oldestBundle?: string;
+    newestBundle?: string;
+}>;
+//# sourceMappingURL=store.d.ts.map

package/dist/evidence/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/evidence/store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EACrB,MAAM,YAAY,CAAC;AAoBpB;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,MAAM,CAAC,CAUjB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAWhC;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC,CAiCpG;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,oBAAoB,CAAC,CAgD/B;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC;IACnE,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC,CA0CD"}

package/dist/evidence/store.js

@@ -0,0 +1,173 @@
+/**
+ * Evidence Store
+ *
+ * Storage and retrieval for evidence bundles.
+ *
+ * @module evidence/store
+ */
+import { readFile, writeFile, mkdir, access, readdir, stat } from "fs/promises";
+import { join } from "path";
+import { createHash } from "crypto";
+import { logger } from "../logger.js";
+import { calculateBundleDigest } from "./collector.js";
+const EVIDENCE_DIR = ".vaspera/evidence";
+/**
+ * Ensure evidence directory exists
+ */
+async function ensureEvidenceDir(projectPath) {
+    const evidenceDir = join(projectPath, EVIDENCE_DIR);
+    try {
+        await access(evidenceDir);
+    }
+    catch {
+        await mkdir(evidenceDir, { recursive: true });
+    }
+    return evidenceDir;
+}
+/**
+ * Store an evidence bundle
+ */
+export async function storeEvidenceBundle(projectPath, bundle) {
+    const evidenceDir = await ensureEvidenceDir(projectPath);
+    const filename = `${bundle.id}.json`;
+    const filepath = join(evidenceDir, filename);
+    await writeFile(filepath, JSON.stringify(bundle, null, 2), "utf-8");
+    logger.info("evidence.store.saved", { bundleId: bundle.id, path: filepath });
+    return filepath;
+}
+/**
+ * Load an evidence bundle by ID
+ */
+export async function loadEvidenceBundle(projectPath, bundleId) {
+    const evidenceDir = join(projectPath, EVIDENCE_DIR);
+    const filepath = join(evidenceDir, `${bundleId}.json`);
+    try {
+        await access(filepath);
+        const content = await readFile(filepath, "utf-8");
+        return JSON.parse(content);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * List all evidence bundles for a project
+ */
+export async function listEvidenceBundles(projectPath) {
+    const evidenceDir = join(projectPath, EVIDENCE_DIR);
+    try {
+        await access(evidenceDir);
+    }
+    catch {
+        return [];
+    }
+    const files = await readdir(evidenceDir);
+    const bundles = [];
+    for (const file of files) {
+        if (!file.endsWith(".json"))
+            continue;
+        try {
+            const content = await readFile(join(evidenceDir, file), "utf-8");
+            const bundle = JSON.parse(content);
+            bundles.push({
+                id: bundle.id,
+                createdAt: bundle.createdAt,
+                certificationId: bundle.certificationId,
+                artifactCount: bundle.artifacts.length,
+            });
+        }
+        catch {
+            // Skip invalid files
+        }
+    }
+    // Sort by creation date, newest first
+    bundles.sort((a, b) => b.createdAt.localeCompare(a.createdAt));
+    return bundles;
+}
+/**
+ * Verify an evidence bundle's integrity
+ */
+export async function verifyEvidenceBundle(bundle) {
+    const result = {
+        verified: false,
+        bundleId: bundle.id,
+        artifactsIntact: true,
+        failedArtifacts: [],
+        verifiedAt: new Date().toISOString(),
+    };
+    // Verify bundle digest
+    const calculatedDigest = calculateBundleDigest(bundle.artifacts);
+    if (calculatedDigest !== bundle.bundleDigest) {
+        result.error = `Bundle digest mismatch: expected ${bundle.bundleDigest}, got ${calculatedDigest}`;
+        result.artifactsIntact = false;
+        return result;
+    }
+    // Verify each artifact with inline content
+    for (const artifact of bundle.artifacts) {
+        if (artifact.content) {
+            const calculatedHash = createHash("sha256")
+                .update(Buffer.from(artifact.content, "utf-8"))
+                .digest("hex");
+            if (calculatedHash !== artifact.contentDigest) {
+                result.artifactsIntact = false;
+                result.failedArtifacts.push(artifact.name);
+            }
+        }
+        // Note: For non-inline artifacts, we can't verify without accessing the stored file
+    }
+    // Verify signature if present
+    if (bundle.signature) {
+        // Signature verification would call verifyBlob from src/sbom/signing.ts
+        // For now, we just check if the signature exists
+        result.signatureValid = true;
+    }
+    result.verified = result.artifactsIntact && result.failedArtifacts.length === 0;
+    logger.info("evidence.verify.complete", {
+        bundleId: bundle.id,
+        verified: result.verified,
+        failedCount: result.failedArtifacts.length,
+    });
+    return result;
+}
+/**
+ * Get evidence bundle statistics
+ */
+export async function getEvidenceStats(projectPath) {
+    const evidenceDir = join(projectPath, EVIDENCE_DIR);
+    try {
+        await access(evidenceDir);
+    }
+    catch {
+        return { bundleCount: 0, totalSizeBytes: 0 };
+    }
+    const files = await readdir(evidenceDir);
+    const jsonFiles = files.filter((f) => f.endsWith(".json"));
+    let totalSize = 0;
+    let oldest;
+    let newest;
+    for (const file of jsonFiles) {
+        const filepath = join(evidenceDir, file);
+        const stats = await stat(filepath);
+        totalSize += stats.size;
+        try {
+            const content = await readFile(filepath, "utf-8");
+            const bundle = JSON.parse(content);
+            if (!oldest || bundle.createdAt < oldest) {
+                oldest = bundle.createdAt;
+            }
+            if (!newest || bundle.createdAt > newest) {
+                newest = bundle.createdAt;
+            }
+        }
+        catch {
+            // Skip invalid files
+        }
+    }
+    return {
+        bundleCount: jsonFiles.length,
+        totalSizeBytes: totalSize,
+        oldestBundle: oldest,
+        newestBundle: newest,
+    };
+}
+//# sourceMappingURL=store.js.map

package/dist/evidence/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/evidence/store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAChF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAKtC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAEvD,MAAM,YAAY,GAAG,mBAAmB,CAAC;AAEzC;;GAEG;AACH,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IAClD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IAEpD,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,KAAK,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,WAAmB,EACnB,MAAsB;IAEtB,MAAM,WAAW,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACzD,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,EAAE,OAAO,CAAC;IACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAE7C,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAEpE,MAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IAE7E,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAAmB,EACnB,QAAgB;IAEhB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,GAAG,QAAQ,OAAO,CAAC,CAAC;IAEvD,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAmB,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,WAAmB;IAEnB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IAEpD,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;IACzC,MAAM,OAAO,GAA8F,EAAE,CAAC;IAE9G,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,SAAS;QAEtC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;YACjE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAmB,CAAC;YACrD,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,MAAM,CAAC,EAAE;gBACb,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;aACvC,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;QACvB,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;IAE/D,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAAsB;IAEtB,MAAM,MAAM,GAAyB;QACnC,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,eAAe,EAAE,IAAI;QACrB,eAAe,EAAE,EAAE;QACnB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACrC,CAAC;IAEF,uBAAuB;IACvB,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjE,IAAI,gBAAgB,KAAK,MAAM,CAAC,YAAY,EAAE,CAAC;QAC7C,MAAM,CAAC,KAAK,GAAG,oCAAoC,MAAM,CAAC,YAAY,SAAS,gBAAgB,EAAE,CAAC;QAClG,MAAM,CAAC,eAAe,GAAG,KAAK,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,2CAA2C;IAC3C,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACrB,MAAM,cAAc,GAAG,UAAU,CAAC,QAAQ,CAAC;iBACxC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;iBAC9C,MAAM,CAAC,KAAK,CAAC,CAAC;YAEjB,IAAI,cAAc,KAAK,QAAQ,CAAC,aAAa,EAAE,CAAC;gBAC9C,MAAM,CAAC,eAAe,GAAG,KAAK,CAAC;gBAC/B,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QACD,oFAAoF;IACtF,CAAC;IAED,8BAA8B;IAC9B,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,wEAAwE;QACxE,iDAAiD;QACjD,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC;IAC/B,CAAC;IAED,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,eAAe,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,CAAC;IAEhF,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE;QACtC,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,eAAe,CAAC,MAAM;KAC3C,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IAMxD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IAEpD,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,WAAW,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC;IAC/C,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAE3D,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,MAA0B,CAAC;IAC/B,IAAI,MAA0B,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,SAAS,IAAI,KAAK,CAAC,IAAI,CAAC;QAExB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAClD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAmB,CAAC;YAErD,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,MAAM,EAAE,CAAC;gBACzC,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC;YAC5B,CAAC;YACD,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,MAAM,EAAE,CAAC;gBACzC,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC;YAC5B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;QACvB,CAAC;IACH,CAAC;IAED,OAAO;QACL,WAAW,EAAE,SAAS,CAAC,MAAM;QAC7B,cAAc,EAAE,SAAS;QACzB,YAAY,EAAE,MAAM;QACpB,YAAY,EAAE,MAAM;KACrB,CAAC;AACJ,CAAC"}