semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/attestor/reachability-drift-detection-and-delta-evidence.md
+++ b/docs/features/unchecked/attestor/reachability-drift-detection-and-delta-evidence.md
@@ -0,0 +1,33 @@
+# Reachability Drift Detection and Delta Evidence
+
+## Module
+Attestor
+
+## Status
+IMPLEMENTED
+
+## Description
+Reachability drift predicates tracking new/removed call paths to vulnerable functions with drift analysis metadata, delta summaries between baselines, and reachability status flip tracking between scans.
+
+## Implementation Details
+- **Reachability Drift Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/ReachabilityDriftPredicate.cs` -- predicate capturing reachability status changes between scans (new paths, removed paths, unchanged paths).
+- **Drift Analysis Metadata**: `Predicates/DriftAnalysisMetadata.cs` -- metadata about the drift analysis (baseline scan ID, current scan ID, timestamp, tool). Also in `Statements/DriftAnalysisMetadata.cs`.
+- **Drift Image Reference**: `Predicates/DriftImageReference.cs` -- image reference for the baseline and current scan.
+- **Drift Predicate Summary**: `Predicates/DriftPredicateSummary.cs` -- summary of drift counts (new paths, removed paths, flipped statuses).
+- **Drift Scanner Info**: `Predicates/DriftScannerInfo.cs` -- scanner that produced the drift data. Also in `Statements/DriftScannerInfo.cs`.
+- **Drifted Sink Predicate Summary**: `Predicates/DriftedSinkPredicateSummary.cs` -- summary of drifted vulnerable sinks.
+- **Reachability Drift Payload**: `Statements/ReachabilityDriftPayload.cs` -- in-toto payload for drift data.
+- **Reachability Drift Statement**: `Statements/ReachabilityDriftStatement.cs` -- in-toto statement wrapping the drift payload.
+- **Drift Summary**: `Statements/DriftSummary.cs` -- statement-level drift summary. `DriftedSinkSummary.cs` -- per-sink drift summary.
+- **Change Trace**: `ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers`, `.Mapping`) -- creates change trace attestations for drift events.
+- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ReachabilityDriftTests.cs`
+
+## E2E Test Plan
+- [ ] Create a `ReachabilityDriftPredicate` with 2 new paths, 1 removed path, and verify the drift data is correct
+- [ ] Verify `DriftAnalysisMetadata` captures baseline and current scan IDs, timestamps, and tool info
+- [ ] Verify `DriftPredicateSummary` correctly counts new, removed, and unchanged paths
+- [ ] Detect a reachability status flip (Unreachable -> Reachable) between scans and verify it is flagged in the drift
+- [ ] Build a `ReachabilityDriftStatement` and sign it; verify the DSSE envelope contains the drift payload
+- [ ] Create drift data for multiple sinks and verify `DriftedSinkPredicateSummary` tracks per-sink drift
+- [ ] Create a `ChangeTraceAttestationService` attestation for the drift event and verify it links to baseline and current evidence
+- [ ] Verify `DriftImageReference` correctly identifies the container image versions being compared