compose and authority fixes. finish sprints.

This commit is contained in:
master
2026-02-17 21:59:47 +02:00
parent fb46a927ad
commit 49cdebe2f1
187 changed files with 23189 additions and 1439 deletions


@@ -1,6 +1,6 @@
# Hybrid Diff Stack Architecture (Source -> Symbols -> Normalized Bytes)
> Status: Planned (advisory translation, 2026-02-16)
> Status: Implemented in BinaryIndex DeltaSig (2026-02-16)
> Module: BinaryIndex with cross-module contracts (Symbols, EvidenceLocker, Policy, Attestor, ReleaseOrchestrator)
## 1. Objective
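Review bot: the new status line "> Status: Implemented in BinaryIndex DeltaSig (2026-02-16)" is unqualified, while the Module line right under it still names cross-module contracts (Symbols, EvidenceLocker, Policy, Attestor, ReleaseOrchestrator) and section 2 of this same file lists current constraints. Suggest scoping the status, for example "Implemented in BinaryIndex DeltaSig; see section 2 for current constraints", so a reader does not take the cross-module parts as complete.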
@@ -13,23 +13,36 @@ binary truth at the same time:
- Binary-level patching: normalization-first per-symbol deltas.
- Release evidence: DSSE-signed contract consumed by policy and replay.
## 2. Current implementation baseline
## 2. Implementation baseline (2026-02-16)
Implemented today:
Implemented in `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/`:
- ELF normalization passes and deterministic delta hash generation.
- DeltaSig predicate contracts (v1 and v2) with CLI author/sign/verify flows.
- Symbol manifest model with debug id, code id, source paths, and line data.
- Hybrid artifact contracts: `semantic_edit_script`, `symbol_map`,
`symbol_patch_plan`, and `patch_manifest` (`HybridDiffContracts.cs`).
- Deterministic artifact composer with digest linking and manifest generation
(`HybridDiffComposer.cs`).
- DeltaSig generation now emits function deltas from symbol-map/signature
boundaries (address, section, size) instead of placeholder derivations.
- DeltaSig predicates include optional `hybridDiff` evidence bundle with linked
digests (`Attestation/DeltaSigPredicate.cs`, `DeltaSigService.cs`).
- Verifier fail-closed checks for hybrid artifact digest/linkage mismatches and
boundary/hash reconciliation in dry verification (`DeltaSigService.VerifyAsync`).
- Policy hooks for hybrid evidence requirements, AST anchor requirements,
namespace restrictions, and patch-manifest byte budgets
(`DeltaSigPolicyOptions`, `DeltaSigService.EvaluatePolicy`).
- Binary resolution API evidence (VulnResolutionResponse.Evidence) now projects
deterministic hybridDiff payloads for both live lookups and cache hits so
the Web evidence drawer can render semantic edit counts, symbol patch plans,
manifest summaries, and digest chains from a single response.
Gaps for full advisory scope:
Current constraints:
- No AST semantic edit script artifact pipeline in current release workflow.
- No canonical builder output for source-range to symbol-address map as a
first-class build artifact contract.
- No end-to-end "source edits -> symbol patch plan -> normalized deltas"
bundle schema consumed by release policy.
- Existing function delta composition still contains placeholder address/size
behavior in parts of DeltaSig generation.
- Source semantic edits are deterministic text/symbol heuristics, not a full
language-specific AST adapter.
- Symbol maps come from provided build manifests/maps when available; otherwise
deterministic fallback maps are synthesized from signatures.
- Delta application dry-run remains boundary/hash level verification; byte-level
patch replay engine integration is still a separate Attestor/Doctor concern.
## 3. Target contracts
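Review bot: in the "Current constraints" list, the fallback line ("otherwise deterministic fallback maps are synthesized from signatures") does not say whether the emitted evidence marks a symbol map as synthesized rather than taken from a build manifest. The implemented list describes fail-closed digest/linkage checks and a policy hook for hybrid evidence requirements, so a policy author needs to know whether a synthesized map can be told apart from a builder-provided one; please document how the origin is recorded, or state that it is not. The same section should say what `DeltaSigService.VerifyAsync` does when the optional `hybridDiff` bundle is absent, since the fail-closed wording only covers mismatches. Minor style point: `VulnResolutionResponse.Evidence` and `hybridDiff` in the Binary resolution API bullet are not in backticks like the other identifiers.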
@@ -161,3 +174,5 @@ Execution is tracked in:
- `docs/modules/binary-index/deltasig-v2-schema.md`
- `docs/modules/scanner/binary-diff-attestation.md`
- `docs/modules/evidence-locker/guides/evidence-pack-schema.md`