semi implemented and features implemented save checkpoint

docs/features/unchecked/attestor/patch-oracle.md

@@ -0,0 +1,33 @@
+# Patch Oracle (Binary Diff for CVE Function Identification)
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Patch verification orchestration with patch signature storage and binary diff predicate building is implemented, enabling CVE function identification through patch comparison.
+
+## Implementation Details
+- **Binary Diff Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build`) -- builds binary diff predicates comparing patched vs unpatched binaries to identify CVE-affected functions. Implements `IBinaryDiffPredicateBuilder.cs`.
+- **Binary Diff Predicate Serializer**: `BinaryDiff/BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- serializes binary diff predicates with deterministic normalization. Implements `IBinaryDiffPredicateSerializer.cs`.
+- **Binary Diff Finding**: `BinaryDiff/BinaryDiffFinding.cs` -- individual diff finding (function added/removed/changed, offset, size).
+- **Binary Diff Section Models**: `BinaryDiff/BinaryDiffSectionModels.cs` -- section-level diff models (text, data, rodata sections).
+- **Binary Diff Metadata Builder**: `BinaryDiff/BinaryDiffMetadataBuilder.cs` -- builds metadata for binary diff comparisons (tool version, binary architecture, compiler info).
+- **Binary Diff Schema**: `BinaryDiff/BinaryDiffSchema.SchemaJson.cs` -- embedded JSON schema for binary diff predicates.
+- **Binary Diff Schema Validation**: `BinaryDiff/BinaryDiffSchemaValidationResult.cs` -- validation result model.
+- **Binary Diff DSSE Verifier**: `BinaryDiff/BinaryDiffDsseVerifier.cs` (with `.Helpers`) -- verifies DSSE-signed binary diff attestations. Implements `IBinaryDiffDsseVerifier.cs`.
+- **Backport Tier 3 Signature**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.Tier3Signature.cs` -- uses binary diff/HunkSig for backport detection.
+- **Binary Fingerprint Evidence**: `Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers`) -- generates fingerprint evidence for binary comparison.
+- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiffTests.cs`
+
+## E2E Test Plan
+- [ ] Build a binary diff predicate via `BinaryDiffPredicateBuilder` comparing a patched and unpatched binary; verify the diff identifies changed functions
+- [ ] Verify `BinaryDiffFinding` entries capture function name, offset, and change type (added/removed/modified)
+- [ ] Serialize a binary diff predicate via `BinaryDiffPredicateSerializer` and verify deterministic output (same diff = same bytes)
+- [ ] Validate a binary diff predicate against `BinaryDiffSchema` and verify schema compliance
+- [ ] Sign a binary diff predicate into a DSSE envelope and verify it via `BinaryDiffDsseVerifier`
+- [ ] Build metadata via `BinaryDiffMetadataBuilder` and verify tool version, architecture, and compiler info are captured
+- [ ] Tamper with a signed binary diff attestation and verify `BinaryDiffDsseVerifier` rejects it
+- [ ] Verify `BinaryDiffSectionModels` captures diffs at the section level (text, data, rodata)