stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
docs/features/checked/attestor/signed-delta-verdicts.md Normal file
View File

@@ -0,0 +1,43 @@
# Signed delta-verdicts (cryptographically bound verdicts per policy evaluation)
## Module
Attestor
## Status
VERIFIED
## Description
Delta verdict model and predicate types implement signed, cryptographically bound verdicts tracking changes between policy evaluations.
## Implementation Details
- **Delta Verdict Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs` (with `.Budget`) -- predicate capturing security state changes between evaluations.
- **Delta Verdict Change**: `Predicates/DeltaVerdictChange.cs` -- individual change entry (new finding, resolved finding, status change).
- **Delta Finding Key**: `Predicates/DeltaFindingKey.cs` -- unique key identifying a finding across evaluations.
- **Delta Verdict Statement**: `Statements/DeltaVerdictStatement.cs` -- in-toto statement wrapping the delta verdict.
- **Verdict Delta Summary**: `Predicates/VerdictDeltaSummary.cs` -- summary counts (new, resolved, unchanged, changed).
- **Verdict Finding Change**: `Predicates/VerdictFindingChange.cs` -- detailed finding change with before/after states.
- **Verdict Rule Change**: `Predicates/VerdictRuleChange.cs` -- policy rule changes between evaluations.
- **Change Trace**: `ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers`, `.Mapping`) -- creates attestations tracking changes over time.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- cryptographically signs delta verdicts into DSSE envelopes.
- **Content-Addressed IDs**: `Identifiers/ContentAddressedIdGenerator.cs` -- generates deterministic IDs for delta verdicts.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/DeltaVerdictTests.cs`
## E2E Test Plan
- [ ] Create a `DeltaVerdictPredicate` with 3 new findings, 2 resolved, and 1 status change; sign into DSSE envelope
- [ ] Verify `VerdictDeltaSummary` correctly counts all change categories
- [ ] Verify `DeltaFindingKey` uniquely identifies findings across evaluations (same CVE + component = same key)
- [ ] Verify `VerdictFindingChange` captures before/after states for changed findings
- [ ] Verify `VerdictRuleChange` captures policy rule additions/removals between evaluations
- [ ] Verify the DSSE signature via `ProofChainSigner.Verification` and confirm cryptographic binding
- [ ] Create a change trace attestation via `ChangeTraceAttestationService` linking the delta to its parent evaluations
- [ ] Verify delta with budget: create a delta that exceeds the uncertainty budget and verify the violation is captured in `.Budget`
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |