save checkpoint

This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions

@@ -0,0 +1,45 @@
# Verdict Delta Taxonomy
## Module
Attestor
## Status
VERIFIED
## Description
Decision delta taxonomy tracking policy outcome changes (PASS to FAIL) and explanation drivers between baselines.
## Implementation Details
- **Delta Verdict Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs` (with `.Budget`) -- predicate capturing verdict changes between two baselines, including budget-related delta analysis.
- **Delta Verdict Change**: `Predicates/DeltaVerdictChange.cs` -- individual verdict change record (e.g., PASS->FAIL, FAIL->PASS) with the change driver.
- **Delta Finding Key**: `Predicates/DeltaFindingKey.cs` -- key identifying the specific finding whose verdict changed (CVE + component PURL).
- **Verdict Delta Predicate**: `Predicates/VerdictDeltaPredicate.cs` -- top-level predicate for verdict delta attestations.
- **Verdict Delta Summary**: `Predicates/VerdictDeltaSummary.cs` -- summary statistics of verdict changes (added, removed, changed counts).
- **Verdict Finding Change**: `Predicates/VerdictFindingChange.cs` -- detailed change record for a specific finding's verdict transition.
- **Verdict Rule Change**: `Predicates/VerdictRuleChange.cs` -- records policy rule changes that drove the verdict transition.
- **Verdict Summary**: `Predicates/VerdictSummary.cs` -- summary of the overall verdict state at a point in time.
- **Delta Verdict Statement**: `Statements/DeltaVerdictStatement.cs` -- in-toto statement wrapping the delta verdict predicate.
- **Change Trace Attestation Service**: `ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers`, `.Mapping`) -- service that generates change trace attestations including verdict deltas.
- **Change Trace Delta Entry**: `Predicates/ChangeTraceDeltaEntry.cs` -- entry in the change trace capturing a single delta event.
- **Trust Delta Record**: `Predicates/TrustDeltaRecord.cs` -- records trust score changes between baselines.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/`
## E2E Test Plan
- [ ] Create a `DeltaVerdictPredicate` comparing two baselines where one CVE changed from PASS to FAIL; verify the `DeltaVerdictChange` captures the transition
- [ ] Verify `VerdictDeltaSummary` correctly counts: 1 added finding, 2 removed findings, 1 changed verdict
- [ ] Create a delta where a policy rule change drove the verdict transition and verify `VerdictRuleChange` identifies the rule
- [ ] Generate a change trace via `ChangeTraceAttestationService` with verdict deltas and verify the attestation includes all delta entries
- [ ] Verify `DeltaFindingKey` uniqueness: two changes for the same CVE+PURL are correctly correlated
- [ ] Create a delta with budget impact (`.Budget`) and verify the budget-related delta fields are populated
- [ ] Build a `DeltaVerdictStatement` and verify it is a valid in-toto statement with the correct predicate type URI
- [ ] Compare two identical baselines and verify the delta predicate reports zero changes
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
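
Review bot: every item in the E2E Test Plan is still unchecked (`- [ ]`) while the Status section says VERIFIED and the Verification table records "Tier 2 - Behavioral Verification" as PASS, so a reader cannot tell which of these behaviours were actually exercised. Either tick the items that run-001 covered or link that run's evidence next to the Run ID. Two smaller points in the Implementation Details list: it names both `DeltaVerdictPredicate` and `VerdictDeltaPredicate` without saying how they differ, and the test item for `DeltaVerdictStatement` asks for "the correct predicate type URI" that the doc never states, so write the URI out and say which predicate it belongs to. Only the first entry gives a full path; the later `Predicates/...`, `Statements/...` and `ChangeTrace/...` entries should state the base directory they are relative to.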