doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements

2026-01-19 09:02:59 +02:00
parent 8c4bf54aed
commit 17419ba7c4
809 changed files with 170738 additions and 12244 deletions
--- a/docs/schemas/binary-index/delta-sig-v1.schema.json
+++ b/docs/schemas/binary-index/delta-sig-v1.schema.json
@@ -0,0 +1,147 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stella.dev/schemas/binary-index/delta-sig-v1.schema.json",
+  "title": "Stella Ops Delta Signature Predicate v1",
+  "description": "JSON Schema for delta-sig predicate used in binary patch verification. Enables offline CI gate validation per advisory requirements.",
+  "type": "object",
+  "required": [
+    "predicateType",
+    "subject",
+    "original_hash",
+    "patched_hash",
+    "diff_method",
+    "similarity_score",
+    "confidence",
+    "call_ngram_hash",
+    "bom_ref",
+    "architecture",
+    "lifter",
+    "computed_at"
+  ],
+  "properties": {
+    "predicateType": {
+      "type": "string",
+      "const": "stella.dev/delta-sig/v1",
+      "description": "Predicate type URI identifying this as a Stella delta signature"
+    },
+    "subject": {
+      "type": "object",
+      "description": "Subject function identification",
+      "required": ["func_id"],
+      "properties": {
+        "func_id": {
+          "$ref": "#/$defs/func_id",
+          "description": "Function identifier in format: module:bom-ref:offset:canonical-IR-hash"
+        },
+        "name": {
+          "type": "string",
+          "description": "Human-readable function name (optional)"
+        },
+        "demangled": {
+          "type": "string",
+          "description": "Demangled C++/Rust symbol name (optional)"
+        }
+      }
+    },
+    "original_hash": {
+      "$ref": "#/$defs/hash_value",
+      "description": "Hash of the original (unpatched) function's canonical IR with algorithm prefix"
+    },
+    "patched_hash": {
+      "$ref": "#/$defs/hash_value",
+      "description": "Hash of the patched function's canonical IR with algorithm prefix"
+    },
+    "diff_method": {
+      "type": "string",
+      "description": "Method used to compute the semantic diff",
+      "enum": [
+        "semantic-ir",
+        "cfg-structural",
+        "call-ngram",
+        "instruction-sequence",
+        "composite"
+      ]
+    },
+    "proof_ref": {
+      "type": "string",
+      "description": "Reference to the full diff proof (rekor entry ID, sha256, or blake3 digest)",
+      "pattern": "^(rekor|sha256|blake3):[a-fA-F0-9]{64,128}$"
+    },
+    "similarity_score": {
+      "type": "number",
+      "description": "Similarity score between original and patched functions [0.0, 1.0]",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "confidence": {
+      "type": "number",
+      "description": "Match confidence score [0.0, 1.0]",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "call_ngram_hash": {
+      "$ref": "#/$defs/hash_value",
+      "description": "Call-ngram fingerprint for cross-compiler resilience"
+    },
+    "bom_ref": {
+      "type": "string",
+      "description": "CycloneDX/SPDX bom-ref linking to SBOM component"
+    },
+    "architecture": {
+      "type": "string",
+      "description": "Target architecture",
+      "examples": ["x86-64", "arm64", "arm32", "riscv64", "mips64"]
+    },
+    "lifter": {
+      "type": "string",
+      "description": "IR lifter used for binary analysis",
+      "examples": ["B2R2", "Ghidra", "BinaryNinja", "Iced", "Capstone", "angr"]
+    },
+    "ir_version": {
+      "type": "string",
+      "description": "IR representation version for cache invalidation",
+      "default": "v1.0.0",
+      "pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$"
+    },
+    "computed_at": {
+      "type": "string",
+      "description": "ISO 8601 timestamp when signature was computed",
+      "format": "date-time"
+    }
+  },
+  "additionalProperties": false,
+  "$defs": {
+    "func_id": {
+      "type": "string",
+      "description": "Function identifier in format: module:bom-ref:offset:canonical-IR-hash",
+      "pattern": "^[^:]+:[^:]+:0x[a-fA-F0-9]+:[a-f0-9]{64}$"
+    },
+    "hash_value": {
+      "type": "string",
+      "description": "Hash value with algorithm prefix",
+      "pattern": "^(sha256|sha384|sha512|blake3):[a-f0-9]{64,128}$"
+    }
+  },
+  "examples": [
+    {
+      "predicateType": "stella.dev/delta-sig/v1",
+      "subject": {
+        "func_id": "libssl.so.3:pkg:deb/openssl@3.0.2:0x12345:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
+        "name": "SSL_read",
+        "demangled": "SSL_read"
+      },
+      "original_hash": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
+      "patched_hash": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
+      "diff_method": "semantic-ir",
+      "proof_ref": "rekor:3333333333333333333333333333333333333333333333333333333333333333",
+      "similarity_score": 0.95,
+      "confidence": 0.98,
+      "call_ngram_hash": "blake3:4444444444444444444444444444444444444444444444444444444444444444",
+      "bom_ref": "pkg:deb/debian/openssl@3.0.2-0ubuntu1.10",
+      "architecture": "x86-64",
+      "lifter": "B2R2",
+      "ir_version": "v1.0.0",
+      "computed_at": "2026-01-18T12:00:00Z"
+    }
+  ]
+}