# Patch-Aware Backport Detection with Proof-Carrying VEX (Tier1-4)

## Module

Attestor

## Status

VERIFIED

## Description

Full backport proof pipeline from extractors through tiered proof generation (Tier1: advisory match, Tier2: source proof, Tier3: binary proof, Tier4: signature match) with VEX integration. The patch verification orchestrator handles distro backports correctly.

## Implementation Details

- **BackportProofGenerator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs` -- orchestrator for multi-tier backport detection with partials:
  - `.Tier1` -- distro advisory matching (0.98 confidence)
  - `.Tier2` -- advisory-level evidence (0.90-0.95 confidence)
  - `.Tier3` -- changelog/patch header matching (0.80-0.85 confidence)
  - `.Tier3Signature` -- HunkSig binary signature matching
  - `.Tier4` -- binary fingerprint comparison (0.55-0.85 confidence)
  - `.Confidence` -- confidence scoring with multi-source bonus
  - `.CombineEvidence` -- evidence aggregation across all tiers
  - `.Status` -- detection status tracking
  - `.VulnerableUnknown` -- unknown vulnerability handling
- **Evidence Summary**: `Generators/EvidenceSummary.cs` -- aggregated evidence from all tiers with confidence and tier breakdown.
- **VEX Proof Integrator**: `Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates backport detection evidence into VEX decisions, producing proof-carrying VEX.
- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- combined VEX verdict + backport proof payload.
- **Binary Fingerprint Evidence Generator**: `Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers`) -- generates Tier 4 binary fingerprint evidence.
- **Fix Status Info**: `Predicates/FixStatusInfo.cs` -- tracks fix application status (patched, backported, unpatched).
- **FixChain Attestation**: `__Libraries/StellaOps.Attestor.FixChain/FixChainAttestationService.cs` -- creates attestations for confirmed fix applications.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs`

## E2E Test Plan

- [ ] Run Tier 1 detection with a known distro advisory (e.g., Debian DSA) and verify 0.98 confidence result
- [ ] Run Tier 3 detection with patch header + HunkSig and verify 0.85-0.90 confidence
- [ ] Run Tier 4 detection with binary fingerprint comparison and verify 0.55-0.85 confidence range
- [ ] Run all four tiers and verify `CombineEvidence` produces an aggregated `EvidenceSummary` with multi-source bonus
- [ ] Integrate backport evidence into a VEX decision via `VexProofIntegrator` with status "not_affected" (backport confirmed) and verify the `VexVerdictProofPayload`
- [ ] Test `VulnerableUnknown` handling: run detection with no evidence across all tiers and verify appropriate unknown status
- [ ] Create a `FixChainAttestationService` attestation for a confirmed backport and verify it links to the backport proof
- [ ] Verify confidence scoring with multi-source bonus: Tier1 + Tier3 evidence together produces higher confidence than either alone

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
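The following is an added, self-contained illustration of the evidence-combination and VEX-integration behaviour the implementation details and the E2E test plan describe: per-tier confidence bands, the strongest-evidence-plus-multi-source-bonus scoring, the unknown status when no tier produces evidence, and a verdict payload carrying the proof it rests on. It is not StellaOps code and calls none of the project's `BackportProofGenerator`, `VexProofIntegrator` or `VexVerdictProofPayload` API. The tier bands are the ones listed above; the bonus size (0.03 per corroborating tier), the 0.99 confidence cap, the 0.80 verdict threshold, the Tier3Signature band, the OpenVEX justification string and the JSON layout are assumptions, and all identifiers in the sample input are constructed placeholders.

```python
"""Tiered backport evidence combiner feeding a proof-carrying VEX verdict.

Added illustration only: not StellaOps code and not the project's API.
Tier bands follow the page; bonus, cap, threshold, justification and JSON
layout are assumptions.
"""
from dataclasses import dataclass
import hashlib
import json

# Confidence band per tier, as listed in the implementation details.
# Tier3Signature (HunkSig) has no band on the page; sharing Tier3's is an assumption.
TIER_BANDS = {
    "Tier1": (0.98, 0.98),           # distro advisory match
    "Tier2": (0.90, 0.95),           # advisory-level evidence
    "Tier3": (0.80, 0.85),           # changelog / patch header match
    "Tier3Signature": (0.80, 0.85),  # HunkSig binary signature (assumed band)
    "Tier4": (0.55, 0.85),           # binary fingerprint comparison
}
MULTI_SOURCE_BONUS = 0.03  # assumption: added once per extra corroborating tier
MAX_CONFIDENCE = 0.99      # assumption: heuristics never claim certainty
VERDICT_THRESHOLD = 0.80   # assumption: below this, do not assert not_affected


@dataclass(frozen=True)
class TierEvidence:
    tier: str
    confidence: float  # raw score from the tier's matcher
    detail: str        # human-readable pointer (advisory id, hunk hash, ...)


@dataclass(frozen=True)
class EvidenceSummary:
    status: str                       # "backported" or "vulnerable_unknown"
    confidence: float
    tier_breakdown: dict[str, float]  # strongest clamped score per tier
    multi_source_bonus: float


def combine_evidence(evidence: list[TierEvidence]) -> EvidenceSummary:
    """Clamp each score to its tier's band, keep the strongest score per tier,
    take the best tier, then add a bonus for every further corroborating tier."""
    if not evidence:
        # No tier produced anything: report unknown, never a silent "safe".
        return EvidenceSummary("vulnerable_unknown", 0.0, {}, 0.0)
    breakdown: dict[str, float] = {}
    for ev in evidence:
        lo, hi = TIER_BANDS[ev.tier]  # an unknown tier name raises KeyError on purpose
        clamped = min(max(ev.confidence, lo), hi)
        breakdown[ev.tier] = max(clamped, breakdown.get(ev.tier, 0.0))
    best = max(breakdown.values())
    bonus = MULTI_SOURCE_BONUS * (len(breakdown) - 1)
    confidence = round(min(best + bonus, MAX_CONFIDENCE), 4)
    return EvidenceSummary("backported", confidence, breakdown, bonus)


def vex_verdict_payload(vuln_id: str, product_purl: str,
                        summary: EvidenceSummary) -> dict:
    """Build the VEX statement plus the backport proof it rests on, with a
    content digest so a later attestation (e.g. a fix-chain record) can link
    to exactly this proof."""
    confirmed = (summary.status == "backported"
                 and summary.confidence >= VERDICT_THRESHOLD)
    statement = {
        "vulnerability": vuln_id,
        "products": [product_purl],
        # Weak or absent evidence stays under_investigation rather than affected,
        # because the tiers only look for the fix, not for the vulnerable code.
        "status": "not_affected" if confirmed else "under_investigation",
    }
    if confirmed:
        # OpenVEX requires a justification with not_affected; using
        # vulnerable_code_not_present for an applied backport is an assumption.
        statement["justification"] = "vulnerable_code_not_present"
    proof = {
        "status": summary.status,
        "confidence": summary.confidence,
        "multi_source_bonus": summary.multi_source_bonus,
        "tiers": dict(sorted(summary.tier_breakdown.items())),
    }
    canonical = json.dumps(proof, sort_keys=True, separators=(",", ":"))
    return {
        "statement": statement,
        "backport_proof": proof,
        "proof_digest": "sha256:" + hashlib.sha256(canonical.encode()).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample evidence; advisory, CVE and purl are placeholders.
    tier1 = TierEvidence("Tier1", 0.98, "DSA-0000-1 lists the fixed package version")
    tier3 = TierEvidence("Tier3", 0.85, "debian/patches header cites CVE-0000-00000")
    tier4 = TierEvidence("Tier4", 0.70, "binary fingerprint matches patched build")
    for name, evs in [("tier1 only", [tier1]), ("tier3 only", [tier3]),
                      ("tier1+tier3", [tier1, tier3]), ("tier3+tier4", [tier3, tier4]),
                      ("nothing", [])]:
        s = combine_evidence(evs)
        print(f"{name:12s} -> {s.status} {s.confidence:.2f} bonus={s.multi_source_bonus:.2f}")
    print(json.dumps(vex_verdict_payload("CVE-0000-00000", "pkg:deb/debian/example@1.0-1",
                                         combine_evidence([tier1, tier3])), indent=2))
```

Two design points worth keeping when building the real thing: clamping each tier to its published band means a mis-calibrated matcher (a Tier 4 fingerprint reporting 0.99) cannot outrank advisory evidence, and the canonical-JSON digest over the proof is what a `FixChain` attestation should reference, so the VEX verdict and the evidence it was derived from cannot drift apart.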