# Canonical Graph Signature (CGS) / Deterministic Verdicts

## Module
Attestor

## Status
VERIFIED

## Description
Deterministic Merkle tree builder, content-addressed IDs, and canonical JSON serialization produce same-inputs-same-output verdicts with verifiable digests.

## Implementation Details
- **Deterministic Merkle Tree**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Merkle/DeterministicMerkleTreeBuilder.cs` (with `.Helpers`, `.Proof` partials) -- implements `IMerkleTreeBuilder`. Builds Merkle trees with deterministic leaf ordering for canonical graph signatures.
- **Merkle Proof**: `MerkleProof.cs`, `MerkleProofStep.cs` -- inclusion proof model. `MerkleTreeWithProofs.cs` -- tree with generated proofs.
- **Content-Addressed IDs**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs` (with `.Graph` partial) -- generates deterministic SHA-256 IDs from content. Types: `ArtifactId.cs`, `EvidenceId.cs`, `ProofBundleId.cs`, `VexVerdictId.cs`, `ReasoningId.cs`, `GraphRevisionId.cs`.
- **Canonical JSON**: `__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` (with `.DecimalPoint`, `.NumberSerialization`, `.StringNormalization`, `.WriteMethods`) -- RFC 8785 JCS ensuring deterministic serialization.
- **Verdict Receipt**: `Statements/VerdictReceiptPayload.cs`, `VerdictReceiptStatement.cs` -- verdict receipts with deterministic content.
- **Verdict Decision**: `Statements/VerdictDecision.cs`, `VerdictInputs.cs`, `VerdictOutputs.cs` -- verdict computation model.
- **Proof Hashing**: `__Libraries/StellaOps.Attestor.ProofChain/ProofHashing.cs` -- SHA-256 hashing utilities.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/MerkleTreeBuilderTests.cs`, `ContentAddressedIdTests.cs`, `ContentAddressedIdGeneratorTests.cs`, `JsonCanonicalizerTests.cs`

## E2E Test Plan
- [ ] Build a Merkle tree from 10 evidence items via `DeterministicMerkleTreeBuilder` and verify the root hash is deterministic (build twice, compare roots)
- [ ] Generate an inclusion proof for a specific leaf and verify `MerkleProof` validates against the root
- [ ] Generate `ContentAddressedId` for identical content twice and verify IDs match
- [ ] Generate IDs for different content and verify they differ
- [ ] Canonicalize a JSON object with out-of-order keys via `Rfc8785JsonCanonicalizer` and verify key ordering matches RFC 8785
- [ ] Create a `VerdictReceiptPayload` from identical inputs twice and verify the serialized output is byte-for-byte identical
- [ ] Build a `GraphRevisionId` from a proof graph state and verify it changes when graph content changes

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |