# Backport Proof Service

## Module
Attestor

## Status
VERIFIED

## Description
BackportProof library in Concelier and multi-tier BackportProofGenerator in Attestor with confidence scoring, evidence combining, and tier-based proof generation (Tier 1 through 4 plus signature variants).

## Implementation Details
- **BackportProofGenerator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs` -- orchestrates multi-tier backport proof generation. Partials:
  - `BackportProofGenerator.Tier1.cs` -- Tier 1: exact version match proofs
  - `BackportProofGenerator.Tier2.cs` -- Tier 2: advisory-level evidence
  - `BackportProofGenerator.Tier3.cs` -- Tier 3: heuristic/pattern matching
  - `BackportProofGenerator.Tier3Signature.cs` -- Tier 3 signature variant with binary signature comparison
  - `BackportProofGenerator.Tier4.cs` -- Tier 4: lowest confidence, inference-based
  - `BackportProofGenerator.Confidence.cs` -- confidence scoring across tiers using proof-strength hierarchy
  - `BackportProofGenerator.CombineEvidence.cs` -- evidence aggregation from multiple tiers
  - `BackportProofGenerator.Status.cs` -- status tracking for proof generation progress
  - `BackportProofGenerator.VulnerableUnknown.cs` -- handling of unknown vulnerability status
- **Evidence Summary**: `EvidenceSummary.cs` -- aggregated evidence output from proof generation.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs`

## E2E Test Plan
- [ ] Generate a Tier 1 proof for a package with exact version match in advisory data and verify high confidence score (>= 0.9)
- [ ] Generate a Tier 2 proof using advisory-level evidence (CVE matches package family) and verify moderate confidence score
- [ ] Generate a Tier 3 proof using binary signature comparison and verify it includes signature match details
- [ ] Generate a Tier 4 inference-based proof and verify it has the lowest confidence score among all tiers
- [ ] Combine evidence from Tier 1 and Tier 2 via `CombineEvidence` and verify the combined confidence is higher than either individual tier
- [ ] Generate a proof for a package with `VulnerableUnknown` status and verify the generator handles it with appropriate uncertainty indicators
- [ ] Verify `EvidenceSummary` output contains entries from all applicable tiers with per-tier confidence scores
- [ ] Generate proofs for the same package twice and verify deterministic output (same confidence scores and evidence)

## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |