save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/attestor/verdic-replay.md
+++ b/docs/features/checked/attestor/verdic-replay.md
@@ -0,0 +1,47 @@
+# Verdic Replay (Deterministic Replay)
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Verdict replay service for deterministic re-execution of security decisions with input manifest resolution and verification.
+
+## Implementation Details
+- **Replay Input Artifact**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayInputArtifact.cs` -- content-addressed input artifact referenced by digest for deterministic resolution during replay.
+- **Replay Prompt Template**: `Replay/ReplayPromptTemplate.cs` -- template for replay prompts that captures the original decision context and input bindings.
+- **Replay Result**: `Replay/ReplayResult.cs` -- result of a replay execution, including the replayed verdict and comparison with the original.
+- **Replay Status**: `Replay/ReplayStatus.cs` -- enum tracking replay state (Pending, Running, Completed, Failed, Diverged).
+- **Replay Verification Result**: `Replay/ReplayVerificationResult.cs` -- verification result comparing replayed output against original, detecting divergence.
+- **AI Artifact Replay Manifest**: `Replay/AIArtifactReplayManifest.cs` -- manifest for replaying AI-generated artifacts with frozen model parameters and inputs.
+- **IAIArtifactReplayer**: `Replay/IAIArtifactReplayer.cs` -- interface for replaying AI artifact generation with deterministic inputs.
+- **Verdict Receipt Payload**: `Statements/VerdictReceiptPayload.cs` -- payload containing verdict inputs, decision, and outputs for replay.
+- **Verdict Receipt Statement**: `Statements/VerdictReceiptStatement.cs` -- in-toto statement wrapping the verdict receipt for attestation.
+- **Verdict Decision**: `Statements/VerdictDecision.cs` -- the decision record (PASS/FAIL/WARN) with reasoning.
+- **Verdict Inputs**: `Statements/VerdictInputs.cs` -- captured inputs (scan results, policies, VEX state) that drove the verdict.
+- **Verdict Outputs**: `Statements/VerdictOutputs.cs` -- outputs of the verdict (actions taken, notifications sent).
+- **Verification Replay Log Builder**: `__Libraries/StellaOps.Attestor.EvidencePack/Services/VerificationReplayLogBuilder.cs` -- builds replay logs for inclusion in evidence packs.
+- **Verification Replay Log**: `EvidencePack/Models/VerificationReplayLog.cs` -- structured log of replay execution steps.
+- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/`
+
+## E2E Test Plan
+- [ ] Create a `VerdictReceiptPayload` with inputs (SBOM digest, policy rules, VEX state) and a PASS decision; serialize and verify round-trip fidelity
+- [ ] Replay the verdict using the captured `VerdictInputs` and verify the replayed decision matches the original PASS
+- [ ] Modify one input (add a new critical CVE) and replay; verify `ReplayVerificationResult` detects divergence with the original
+- [ ] Verify `ReplayStatus` transitions: Pending -> Running -> Completed for a successful replay
+- [ ] Create an `AIArtifactReplayManifest` with frozen model parameters and verify replay produces identical outputs
+- [ ] Build a `VerificationReplayLog` via `VerificationReplayLogBuilder` and verify it captures each replay step with timestamps
+- [ ] Replay a verdict with missing input artifacts and verify `ReplayStatus` is Failed with a descriptive error
+- [ ] Verify the `VerdictReceiptStatement` is a valid in-toto statement with the correct predicate type URI
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |