stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
docs/features/checked/attestor/smart-diff-system.md Normal file
View File

@@ -0,0 +1,43 @@
# Smart-Diff System (Semantic Security Delta, Binary Diff Predicates)
## Module
Attestor
## Status
VERIFIED
## Description
Smart-diff computing semantic security deltas between SBOM versions with material risk change detection, reachability-aware gating, delta verdict generation, SARIF output, and CLI commands. Binary diff as signed predicates with schema validation, DSSE verification, normalization, and finding extraction.
## Implementation Details
- **SBOM Delta Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/SbomDeltaPredicate.cs` -- SBOM-level semantic delta.
- **SBOM Delta Component**: `Predicates/SbomDeltaComponent.cs` -- component-level change tracking.
- **Delta Verdict Predicate**: `Predicates/DeltaVerdictPredicate.cs` (with `.Budget`) -- verdict delta with budget integration.
- **Binary Diff Predicate Builder**: `__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build`) -- builds binary diff predicates. `IBinaryDiffPredicateBuilder.cs` -- interface.
- **Binary Diff Serializer**: `BinaryDiff/BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- serializes with normalization. `IBinaryDiffPredicateSerializer.cs` -- interface.
- **Binary Diff Finding**: `BinaryDiff/BinaryDiffFinding.cs` -- individual finding from binary diff analysis.
- **Binary Diff Section Models**: `BinaryDiff/BinaryDiffSectionModels.cs` -- section-level diff models.
- **Binary Diff Schema**: `BinaryDiff/BinaryDiffSchema.SchemaJson.cs` -- embedded JSON schema. `BinaryDiffSchemaValidationResult.cs` -- validation result.
- **Binary Diff DSSE Verifier**: `BinaryDiff/BinaryDiffDsseVerifier.cs` (with `.Helpers`) -- DSSE verification. `IBinaryDiffDsseVerifier.cs` -- interface.
- **Change Trace**: `__Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/ChangeTraceAttestationService.cs` -- change trace attestations for smart-diff events.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiffTests.cs`, `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomDeltaTests.cs`
## E2E Test Plan
- [ ] Compute a semantic SBOM delta between two versions and verify `SbomDeltaPredicate` captures added/removed/changed components
- [ ] Build a binary diff predicate via `BinaryDiffPredicateBuilder` and verify findings are extracted
- [ ] Validate the binary diff against `BinaryDiffSchema` and verify schema compliance
- [ ] Sign the binary diff into a DSSE envelope and verify via `BinaryDiffDsseVerifier`
- [ ] Normalize a binary diff via `BinaryDiffPredicateSerializer.Normalize` and verify deterministic output
- [ ] Generate a delta verdict from the smart-diff and verify material risk changes are flagged
- [ ] Create a change trace attestation for the smart-diff event and verify it links to before/after versions
- [ ] Verify `BinaryDiffFinding` captures function name, offset, and change type for each diff finding
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |