# Smart-Diff System (Semantic Security Delta, Binary Diff Predicates)

## Module

Attestor

## Status

VERIFIED

## Description

Smart-diff computing semantic security deltas between SBOM versions with material risk change detection, reachability-aware gating, delta verdict generation, SARIF output, and CLI commands. Binary diff as signed predicates with schema validation, DSSE verification, normalization, and finding extraction.

## Implementation Details

- **SBOM Delta Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/SbomDeltaPredicate.cs` -- SBOM-level semantic delta.
- **SBOM Delta Component**: `Predicates/SbomDeltaComponent.cs` -- component-level change tracking.
- **Delta Verdict Predicate**: `Predicates/DeltaVerdictPredicate.cs` (with `.Budget`) -- verdict delta with budget integration.
- **Binary Diff Predicate Builder**: `__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build`) -- builds binary diff predicates. `IBinaryDiffPredicateBuilder.cs` -- interface.
- **Binary Diff Serializer**: `BinaryDiff/BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- serializes with normalization. `IBinaryDiffPredicateSerializer.cs` -- interface.
- **Binary Diff Finding**: `BinaryDiff/BinaryDiffFinding.cs` -- individual finding from binary diff analysis.
- **Binary Diff Section Models**: `BinaryDiff/BinaryDiffSectionModels.cs` -- section-level diff models.
- **Binary Diff Schema**: `BinaryDiff/BinaryDiffSchema.SchemaJson.cs` -- embedded JSON schema. `BinaryDiffSchemaValidationResult.cs` -- validation result.
- **Binary Diff DSSE Verifier**: `BinaryDiff/BinaryDiffDsseVerifier.cs` (with `.Helpers`) -- DSSE verification. `IBinaryDiffDsseVerifier.cs` -- interface.
- **Change Trace**: `__Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/ChangeTraceAttestationService.cs` -- change trace attestations for smart-diff events.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiffTests.cs`, `__Tests/StellaOps.Attestor.ProofChain.Tests/SbomDeltaTests.cs`

## E2E Test Plan

- [ ] Compute a semantic SBOM delta between two versions and verify `SbomDeltaPredicate` captures added/removed/changed components
- [ ] Build a binary diff predicate via `BinaryDiffPredicateBuilder` and verify findings are extracted
- [ ] Validate the binary diff against `BinaryDiffSchema` and verify schema compliance
- [ ] Sign the binary diff into a DSSE envelope and verify via `BinaryDiffDsseVerifier`
- [ ] Normalize a binary diff via `BinaryDiffPredicateSerializer.Normalize` and verify deterministic output
- [ ] Generate a delta verdict from the smart-diff and verify material risk changes are flagged
- [ ] Create a change trace attestation for the smart-diff event and verify it links to before/after versions
- [ ] Verify `BinaryDiffFinding` captures function name, offset, and change type for each diff finding

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |