save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/attestor/signal-normalization-pipeline.md
+++ b/docs/features/checked/attestor/signal-normalization-pipeline.md
@@ -0,0 +1,40 @@
+# Signal Normalization Pipeline
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Signal normalization exists through the existing scoring engine and determinization evidence system, handling CVSS, KEV, EPSS, and other signal providers.
+
+## Implementation Details
+- **Evidence Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/EvidencePredicate.cs` -- evidence predicate capturing normalized signal data (CVSS scores, KEV status, EPSS probability).
+- **Finding Summary**: `Predicates/FindingSummary.cs` -- summary of a finding with normalized severity from multiple signal sources.
+- **Scan Context Info**: `Predicates/ScanContextInfo.cs` -- scanner context capturing which signal providers contributed data.
+- **Verdict Inputs**: `Statements/VerdictInputs.cs` -- records normalized signals as inputs to verdict decisions.
+- **Verdict Decision**: `Statements/VerdictDecision.cs` -- decision incorporating normalized signal data.
+- **Statement Builder**: `Builders/StatementBuilder.cs` -- builds attestations capturing normalized signal data.
+- **Content-Addressed IDs**: `Identifiers/ContentAddressedIdGenerator.cs` -- generates deterministic IDs from normalized signal payloads.
+- **RFC 8785 Canonicalizer**: `Json/Rfc8785JsonCanonicalizer.cs` -- deterministic serialization of signal data.
+- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SignalNormalizationTests.cs`
+
+## E2E Test Plan
+- [ ] Create an `EvidencePredicate` with CVSS v3.1, CVSS v4.0, and EPSS data and verify all signals are captured
+- [ ] Normalize a finding with multiple signal sources and verify `FindingSummary` produces a consistent severity
+- [ ] Verify `ScanContextInfo` captures the signal providers (NVD, CISA KEV, EPSS) and their versions
+- [ ] Build a verdict with normalized signals as `VerdictInputs` and verify the decision references all signal sources
+- [ ] Canonicalize signal data via `Rfc8785JsonCanonicalizer` and verify deterministic output
+- [ ] Generate a content-addressed ID from normalized signals and verify it is deterministic
+- [ ] Verify signal normalization handles missing signals gracefully (e.g., no EPSS data available)
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |