up

docs/reachability/hybrid-attestation.md

@@ -2,7 +2,6 @@
 
 > Decision date: 2025-12-11 · Owners: Scanner Guild, Attestor Guild, Signals Guild, Policy Guild
 
-<!-- TODO: Review for separate approval - updated hybrid attestation introduction -->
 ## 0. Context: Four Capabilities
 
 This document supports **Signed Reachability**—one of four capabilities no competitor offers together:
@@ -68,7 +67,6 @@ All evidence is sealed in **Decision Capsules** for audit-grade reproducibility.
 
 ## 7. Hybrid Reachability Details
 
-<!-- TODO: Review for separate approval - added hybrid reachability details -->
 Stella Ops provides **true hybrid reachability** by combining:
 
 | Signal Type | Source | Attestation |
@@ -169,8 +167,342 @@ stella graph verify --hash blake3:a1b2c3d4... --format json|table|summary
 | Component | Status | Notes |
 |-----------|--------|-------|
 | Graph DSSE predicate | Done | `stella.ops/graph@v1` in PredicateTypes.cs |
-| Edge-bundle DSSE predicate | Planned | `stella.ops/edgeBundle@v1` |
+| Edge-bundle DSSE predicate | Done | `stella.ops/edgeBundle@v1` via EdgeBundlePublisher |
+| Edge-bundle models | Done | EdgeBundle.cs, EdgeBundleReason, EdgeReason enums |
+| Edge-bundle CAS publisher | Done | EdgeBundlePublisher.cs with deterministic DSSE |
+| Edge-bundle ingestion | Done | EdgeBundleIngestionService in Signals |
 | CAS layout | Done | Per section 8.2 |
+| Runtime-facts CAS storage | Done | IRuntimeFactsArtifactStore, FileSystemRuntimeFactsArtifactStore |
 | CLI verify command | Planned | Per section 8.3 |
 | Golden fixtures | Planned | Per section 8.4 |
 | Rekor integration | Done | Via Attestor module |
+| Quarantine enforcement | Done | HasQuarantinedEdges in ReachabilityFactDocument |
+
+---
+
+## 9. Verification Runbook
+
+This section provides step-by-step guidance for verifying hybrid attestations in different scenarios.
+
+### 9.1 Graph-Only Verification
+
+Use this workflow when only graph-level attestation is required (default for most use cases).
+
+**Prerequisites:**
+- Access to CAS storage (local or remote)
+- `stella` CLI installed
+- Optional: Rekor instance access for transparency verification
+
+**Steps:**
+
+1. **Retrieve graph DSSE envelope:**
+   ```bash
+   stella graph fetch --hash blake3:<graph_hash> --output ./verification/
+   ```
+
+2. **Verify DSSE signature:**
+   ```bash
+   stella graph verify --hash blake3:<graph_hash>
+   # Output: ✓ Graph signature valid (key: <key_id>)
+   ```
+
+3. **Verify content integrity:**
+   ```bash
+   stella graph verify --hash blake3:<graph_hash> --check-content
+   # Output: ✓ Content hash matches BLAKE3:<graph_hash>
+   ```
+
+4. **Verify Rekor inclusion (online):**
+   ```bash
+   stella graph verify --hash blake3:<graph_hash> --rekor-proof
+   # Output: ✓ Rekor inclusion verified (log index: <index>)
+   ```
+
+5. **Verify policy hash binding:**
+   ```bash
+   stella graph verify --hash blake3:<graph_hash> --policy-hash sha256:<policy_hash>
+   # Output: ✓ Policy hash matches graph metadata
+   ```
+
+### 9.2 Graph + Edge-Bundle Verification
+
+Use this workflow when finer-grained verification of specific edges is required.
+
+**When to use:**
+- Auditing runtime-observed paths
+- Investigating contested/disputed edges
+- Verifying init-section or TLS callback roots
+- Regulatory compliance requiring edge-level attestation
+
+**Steps:**
+
+1. **List available edge bundles:**
+   ```bash
+   stella graph bundles --hash blake3:<graph_hash>
+   # Output:
+   # Bundle ID          Reason          Edges  Rekor
+   # bundle:001         runtime-hit     42     ✓
+   # bundle:002         init-root       15     ✓
+   # bundle:003         third-party     128    -
+   ```
+
+2. **Verify specific bundle:**
+   ```bash
+   stella graph verify --hash blake3:<graph_hash> --bundle bundle:001
+   # Output:
+   # ✓ Bundle DSSE signature valid
+   # ✓ All 42 edges link to graph_hash
+   # ✓ Rekor inclusion verified
+   ```
+
+3. **Verify all bundles:**
+   ```bash
+   stella graph verify --hash blake3:<graph_hash> --include-bundles
+   # Output:
+   # ✓ Graph signature valid
+   # ✓ 3 bundles verified (185 edges total)
+   ```
+
+4. **Check for revoked edges:**
+   ```bash
+   stella graph verify --hash blake3:<graph_hash> --check-revoked
+   # Output:
+   # ⚠ 2 edges marked revoked in bundle:002
+   #   - edge:func_a→func_b (reason: policy-quarantine)
+   #   - edge:func_c→func_d (reason: revoked)
+   ```
+
+### 9.3 Verification Decision Matrix
+
+| Scenario | Graph DSSE | Edge Bundles | Rekor | Policy Hash |
+|----------|------------|--------------|-------|-------------|
+| Standard CI/CD | Required | Optional | Recommended | Required |
+| Regulated audit | Required | Required | Required | Required |
+| Dispute resolution | Required | Required (contested) | Required | Optional |
+| Offline replay | Required | As available | Cached proof | Required |
+| Dev/test | Optional | Optional | Disabled | Optional |
+
+---
+
+## 10. Rekor Guidance
+
+### 10.1 Rekor Integration Overview
+
+Rekor provides an immutable transparency log for attestation artifacts. StellaOps integrates with Rekor (or compatible mirrors) to provide verifiable timestamps and inclusion proofs.
+
+### 10.2 What Gets Published to Rekor
+
+| Artifact Type | Rekor Publish | Condition |
+|---------------|---------------|-----------|
+| Graph DSSE digest | Always | All deployment tiers (except dev/test) |
+| Edge-bundle DSSE digest | Conditional | Only for `disputed`, `runtime-hit`, `security-critical` reasons |
+| VEX decision DSSE digest | Always | When VEX decisions are generated |
+
+### 10.3 Rekor Configuration
+
+```yaml
+# etc/signals.yaml
+reachability:
+  rekor:
+    enabled: true
+    endpoint: "https://rekor.sigstore.dev"  # Or private mirror
+    timeout: 30s
+    retry:
+      attempts: 3
+      backoff: exponential
+  edgeBundles:
+    maxRekorPublishes: 5  # Per graph, configurable by tier
+    publishReasons:
+      - disputed
+      - runtime-hit
+      - security-critical
+```
+
+### 10.4 Private Rekor Mirror
+
+For air-gapped or regulated environments:
+
+```yaml
+reachability:
+  rekor:
+    enabled: true
+    endpoint: "https://rekor.internal.example.com"
+    tls:
+      ca: /etc/stellaops/ca.crt
+      clientCert: /etc/stellaops/client.crt
+      clientKey: /etc/stellaops/client.key
+```
+
+### 10.5 Rekor Proof Caching
+
+Inclusion proofs are cached locally for offline verification:
+
+```
+cas://reachability/graphs/{blake3}.rekor    # Graph inclusion proof
+cas://reachability/edges/{graph_hash}/{bundle_id}.rekor  # Bundle proof
+```
+
+**Proof format:**
+```json
+{
+  "logIndex": 12345678,
+  "logId": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d",
+  "integratedTime": 1702492800,
+  "inclusionProof": {
+    "logIndex": 12345678,
+    "rootHash": "abc123...",
+    "treeSize": 50000000,
+    "hashes": ["def456...", "ghi789..."]
+  }
+}
+```
+
+---
+
+## 11. Offline Replay Steps
+
+### 11.1 Overview
+
+Offline replay enables full verification of reachability attestations without network access. This is essential for air-gapped deployments and regulatory compliance scenarios.
+
+### 11.2 Creating an Offline Replay Pack
+
+**Step 1: Export graph and bundles**
+```bash
+stella graph export --hash blake3:<graph_hash> \
+  --include-bundles \
+  --include-rekor-proofs \
+  --output ./offline-pack/
+```
+
+**Step 2: Include required artifacts**
+The export creates:
+```
+offline-pack/
+├── manifest.json              # Replay manifest v2
+├── graphs/
+│   └── <blake3>/
+│       ├── richgraph-v1.json  # Graph body
+│       ├── graph.dsse         # DSSE envelope
+│       └── graph.rekor        # Inclusion proof
+├── edges/
+│   └── <graph_hash>/
+│       ├── bundle-001.json
+│       ├── bundle-001.dsse
+│       └── bundle-001.rekor
+├── runtime-facts/
+│   └── <hash>/
+│       └── runtime-facts.ndjson
+└── checkpoints/
+    └── rekor-checkpoint.json  # Transparency log checkpoint
+```
+
+**Step 3: Bundle for transfer**
+```bash
+stella offline pack --input ./offline-pack/ --output offline-replay.tgz
+```
+
+### 11.3 Verifying an Offline Pack
+
+**Step 1: Extract pack**
+```bash
+stella offline unpack --input offline-replay.tgz --output ./verify/
+```
+
+**Step 2: Verify manifest integrity**
+```bash
+stella offline verify --manifest ./verify/manifest.json
+# Output:
+# ✓ Manifest version: 2
+# ✓ Hash algorithm: blake3
+# ✓ All CAS entries present
+# ✓ All hashes verified
+```
+
+**Step 3: Verify attestations offline**
+```bash
+stella graph verify --hash blake3:<graph_hash> \
+  --cas-root ./verify/ \
+  --offline
+# Output:
+# ✓ Graph DSSE signature valid (offline mode)
+# ✓ Rekor proof verified against checkpoint
+# ✓ 3 bundles verified offline
+```
+
+### 11.4 Offline Verification Trust Model
+
+```
+┌─────────────────────────────────────────────────────────┐
+│                   Offline Pack                          │
+├─────────────────────────────────────────────────────────┤
+│  ┌──────────────┐   ┌──────────────┐   ┌─────────────┐ │
+│  │ Graph DSSE   │   │ Edge Bundle  │   │ Rekor       │ │
+│  │ Envelope     │   │ DSSE         │   │ Checkpoint  │ │
+│  └──────┬───────┘   └──────┬───────┘   └──────┬──────┘ │
+│         │                  │                  │        │
+│         ▼                  ▼                  ▼        │
+│  ┌──────────────────────────────────────────────────┐  │
+│  │           Local Verification Engine              │  │
+│  │  1. Verify DSSE signatures against trusted keys  │  │
+│  │  2. Verify content hashes match DSSE payloads    │  │
+│  │  3. Verify Rekor proofs against checkpoint       │  │
+│  │  4. Verify policy hash binding                   │  │
+│  └──────────────────────────────────────────────────┘  │
+└─────────────────────────────────────────────────────────┘
+```
+
+### 11.5 Air-Gapped Deployment Checklist
+
+- [ ] Trusted signing keys pre-installed
+- [ ] Rekor checkpoint from last sync included
+- [ ] All referenced CAS artifacts bundled
+- [ ] Policy hash recorded in manifest
+- [ ] Analyzer manifests included for replay
+- [ ] Runtime-facts artifacts included (if applicable)
+
+---
+
+## 12. Release Notes
+
+### 12.1 Version History
+
+| Version | Date | Changes |
+|---------|------|---------|
+| 1.0 | 2025-12-11 | Initial hybrid attestation design |
+| 1.1 | 2025-12-13 | Added edge-bundle ingestion, CAS storage, verification runbook |
+
+### 12.2 Breaking Changes
+
+None. Hybrid attestation is additive; existing graph-only workflows remain unchanged.
+
+### 12.3 Migration Guide
+
+**From graph-only to hybrid:**
+1. No migration required for existing graphs
+2. Enable edge-bundle emission in scanner config:
+   ```yaml
+   scanner:
+     reachability:
+       edgeBundles:
+         enabled: true
+         emitRuntime: true
+         emitContested: true
+   ```
+3. Signals automatically ingests edge bundles when present
+
+---
+
+## 13. Cross-References
+
+- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (Tasks 53-56)
+- **Contracts:** docs/contracts/richgraph-v1.md, docs/contracts/edge-bundle-v1.md
+- **Implementation:**
+  - Scanner: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/EdgeBundle*.cs`
+  - Signals: `src/Signals/StellaOps.Signals/Ingestion/EdgeBundleIngestionService.cs`
+  - Policy: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
+- **Related docs:**
+  - docs/reachability/function-level-evidence.md
+  - docs/reachability/lattice.md
+  - docs/replay/DETERMINISTIC_REPLAY.md
+  - docs/07_HIGH_LEVEL_ARCHITECTURE.md