# OCI Delta Attestation Service

## Module

Attestor

## Status

VERIFIED

## Description

OCI-native delta attestation pipeline that computes security state deltas between image versions and attaches signed delta attestations as OCI referrers. Enables incremental security validation without a full re-scan.

## Implementation Details

- **Delta Verdict Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs` (with `.Budget`) -- predicate capturing the security state delta between two image versions (new findings, resolved findings, unchanged findings).
- **Delta Verdict Change**: `Predicates/DeltaVerdictChange.cs` -- individual change entry in a delta verdict.
- **Delta Finding Key**: `Predicates/DeltaFindingKey.cs` -- unique key identifying a finding across delta comparisons.
- **Delta Verdict Statement**: `Statements/DeltaVerdictStatement.cs` -- in-toto statement wrapping the delta verdict predicate.
- **Verdict Delta Summary**: `Predicates/VerdictDeltaSummary.cs` -- summary statistics for the delta (counts of new, resolved, changed findings).
- **Verdict Finding Change**: `Predicates/VerdictFindingChange.cs` -- detailed finding change with before/after states.
- **Verdict Rule Change**: `Predicates/VerdictRuleChange.cs` -- policy rule changes between versions.
- **OCI Attachment**: `__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs` -- attaches signed delta attestations as OCI referrers to image digests.
- **Change Trace**: `__Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers`, `.Mapping`) -- creates change trace attestations tracking modifications over time.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs delta attestations into DSSE envelopes for OCI attachment.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/DeltaVerdictTests.cs`

## E2E Test Plan

- [ ] Compute a delta verdict between two image versions with known finding changes and verify `DeltaVerdictPredicate` captures new, resolved, and unchanged findings
- [ ] Create a `DeltaVerdictStatement` and sign it; attach as an OCI referrer via `OrasAttestationAttacher` and verify the attachment
- [ ] Verify `VerdictDeltaSummary` correctly counts: 3 new, 2 resolved, 5 unchanged findings
- [ ] Verify `DeltaFindingKey` uniquely identifies findings across delta comparisons (same CVE + component = same key)
- [ ] Create a delta with `VerdictRuleChange` entries (policy rule added/removed) and verify rule changes are tracked
- [ ] Verify delta with the `.Budget` partial: create a delta that exceeds the uncertainty budget and verify the budget violation is captured
- [ ] Verify incremental validation: fetch a previous delta attestation from OCI, compute a new delta from the previous state, and verify chain continuity

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
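As an added illustration (not StellaOps code), this computes the classification the delta verdict predicate captures, with findings keyed by (CVE, component) as the `DeltaFindingKey` plan item describes and before/after states recorded for changed findings; the `Finding` type, the state names, and the placeholder CVE ids and purls are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed shape (not the project's types): a finding is keyed by (CVE, component)
# and carries a state such as "affected" or "fixed".
FindingKey = Tuple[str, str]

@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    state: str

    def key(self) -> FindingKey:
        return (self.cve, self.component)

def compute_delta(before: List[Finding], after: List[Finding]) -> Dict:
    """Classify findings as new/resolved/changed/unchanged and count them."""
    before_by_key = {f.key(): f for f in before}
    after_by_key = {f.key(): f for f in after}
    # Sorted keys keep the predicate deterministic, which matters once it is
    # serialised and signed into a DSSE envelope.
    new = sorted(k for k in after_by_key if k not in before_by_key)
    resolved = sorted(k for k in before_by_key if k not in after_by_key)
    changed, unchanged = [], []
    for k in sorted(before_by_key.keys() & after_by_key.keys()):
        b, a = before_by_key[k].state, after_by_key[k].state
        if b != a:  # same finding, different state: record before/after
            changed.append({"key": k, "before": b, "after": a})
        else:
            unchanged.append(k)
    return {
        "new": new, "resolved": resolved, "changed": changed, "unchanged": unchanged,
        "summary": {"new": len(new), "resolved": len(resolved),
                    "changed": len(changed), "unchanged": len(unchanged)},
    }

# Constructed sample (placeholder CVE ids and purls): v1 has 8 findings, v2 has 9.
V1 = [Finding(f"CVE-0000-000{i}", "pkg:deb/libfoo@1.0", "affected") for i in range(1, 6)] + [
    Finding("CVE-0000-0100", "pkg:deb/libbar@2.0", "affected"),
    Finding("CVE-0000-0101", "pkg:deb/libbar@2.0", "affected"),
    Finding("CVE-0000-0200", "pkg:deb/libbaz@3.0", "affected")]
V2 = V1[:5] + [Finding("CVE-0000-0200", "pkg:deb/libbaz@3.0", "fixed")] + [
    Finding(f"CVE-0000-030{i}", "pkg:deb/libqux@4.0", "affected") for i in range(3)]

def example_delta() -> Dict:
    """Delta for the constructed sample: 3 new, 2 resolved, 1 changed, 5 unchanged."""
    return compute_delta(V1, V2)
```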