# Proof-Carrying Security Decisions (Proof Chain)

## Module

Attestor

## Status

VERIFIED

## Description

The ProofChain library is the core of the system: it provides the proof graph, DSSE signing, the verification pipeline, Merkle proofs, content-addressed IDs, Rekor integration, predicates, statements, and a web service for querying. Every security decision carries linked proof.

## Implementation Details

- **Proof Graph**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs` (with `.Mutation`, `.Queries`, `.Subgraph`) -- graph linking verdict nodes to the reasoning nodes and evidence nodes that support them.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- signs all security decisions into DSSE envelopes.
- **Verification Pipeline**: `Verification/VerificationPipeline.cs` (with `.Verify`) -- multi-step verification pipeline for proof chains.
- **Verification Steps**: `Verification/DsseSignatureVerificationStep.cs`, `IdRecomputationVerificationStep.cs`, `RekorInclusionVerificationStep.cs`, `TrustAnchorVerificationStep.cs`, `AIArtifactVerificationStep.cs` -- the individual verification steps run by the pipeline.
- **Content-Addressed IDs**: `Identifiers/ContentAddressedIdGenerator.cs` (with `.Graph`), `ArtifactId.cs`, `EvidenceId.cs`, `ProofBundleId.cs`, `ReasoningId.cs`, `VexVerdictId.cs` -- SHA-256 content-addressed IDs that link all artifacts.
- **Merkle Proofs**: `Merkle/DeterministicMerkleTreeBuilder.cs` (with `.Helpers`, `.Proof`) -- Merkle inclusion proofs for evidence chains.
- **Rekor Integration**: `Rekor/EnhancedRekorProofBuilder.cs` (with `.Build`, `.Validate`) -- Rekor transparency log integration.
- **Predicates**: 93+ predicate files in `Predicates/` -- all predicate types.
- **Statements**: 46 statement files in `Statements/` -- all in-toto statement types.
- **Web Service**: `StellaOps.Attestor.WebService/Controllers/ProofsController.cs`, `VerifyController.cs`, `BundlesController.cs`, `ChainController.cs` -- REST API for proof chain operations.
- **Receipts**: `Receipts/VerificationReceipt.cs`, `VerificationCheck.cs`, `VerificationContext.cs` -- machine-verifiable verification receipts.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/`

## E2E Test Plan

- [ ] Create a complete proof chain (evidence -> reasoning -> verdict), sign each node into a DSSE envelope, and verify the chain via `VerificationPipeline`
- [ ] Verify each step in the pipeline: `DsseSignatureVerificationStep` (signature valid), `IdRecomputationVerificationStep` (IDs match), `TrustAnchorVerificationStep` (anchor valid)
- [ ] Query the proof graph from a verdict to all supporting evidence via `InMemoryProofGraphService.Queries` and verify the complete chain
- [ ] Generate content-addressed IDs for all artifacts and verify they are deterministic and unique
- [ ] Build Merkle proofs for evidence in the chain and verify inclusion
- [ ] Submit the proof chain to Rekor and verify `RekorInclusionVerificationStep` passes
- [ ] Query proofs via the `ProofsController` REST API and verify the response contains linked proof chains
- [ ] Verify via `VerifyController` and confirm a `VerificationReceipt` with all checks passing is returned

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
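Added example (Go, written for this page; not the project's C# code and not its API) showing the chain that the Implementation Details and E2E Test Plan above describe, end to end: three nodes (evidence -> reasoning -> verdict) each signed into a DSSE envelope, linked by SHA-256 content IDs computed over the exact signed bytes, and checked by a two-step pipeline that returns a receipt. Assumptions: the `Node` layout (`kind`, `parents`, `claims`) is hypothetical and the in-toto Statement wrapper around it is omitted for brevity; the keyid and claims are constructed; the trust-anchor check is folded into the signature step as the `anchors` lookup; Rekor inclusion is not exercised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Node is a hypothetical proof-chain node layout (not the project's predicate schema): the node
// kind, the content IDs of the nodes it derives from, and its claims.
type Node struct {
	Kind    string            `json:"kind"`
	Parents []string          `json:"parents"`
	Claims  map[string]string `json:"claims"`
}
// Envelope is a DSSE envelope (base64 payload and sig); Check and Receipt are the verification result.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct{ KeyID string `json:"keyid"`; Sig string `json:"sig"` }
type Check struct{ Name string; Passed bool; Detail string }
type Receipt struct{ Checks []Check; Passed bool }
type Step func(chain []Envelope, anchors map[string]ed25519.PublicKey) Check
const payloadType = "application/json"
// ContentID hashes the exact bytes that were signed; pae is DSSE's Pre-Authentication Encoding.
func ContentID(b []byte) string { s := sha256.Sum256(b); return "sha256:" + hex.EncodeToString(s[:]) }
func pae(t string, body []byte) []byte { return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(body), body)) }
// Sign serializes n (deterministic: fixed field order, sorted map keys) into a signed DSSE envelope.
func Sign(n Node, keyID string, priv ed25519.PrivateKey) Envelope {
	body, _ := json.Marshal(n) // cannot fail for these plain types
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, body)))
	return Envelope{payloadType, base64.StdEncoding.EncodeToString(body), []Signature{{keyID, sig}}}
}
// decode returns the signed payload bytes and the parsed node; IDOf hashes exactly those bytes.
func decode(env Envelope) (body []byte, n Node, err error) {
	if body, err = base64.StdEncoding.DecodeString(env.Payload); err == nil {
		err = json.Unmarshal(body, &n)
	}
	return
}
func IDOf(env Envelope) string { body, _, _ := decode(env); return ContentID(body) }

// DsseSignatureStep: every envelope needs at least one signature that verifies over the PAE under
// a key in anchors (the trust-anchor lookup); no signatures or an unknown keyid fails the node.
func DsseSignatureStep(chain []Envelope, anchors map[string]ed25519.PublicKey) Check {
	for i, env := range chain {
		body, err := base64.StdEncoding.DecodeString(env.Payload)
		verified := false
		for _, s := range env.Signatures {
			sig, sigErr := base64.StdEncoding.DecodeString(s.Sig)
			pub, ok := anchors[s.KeyID]
			verified = verified || (err == nil && sigErr == nil && ok && ed25519.Verify(pub, pae(env.PayloadType, body), sig))
		}
		if !verified {
			return Check{"dsse-signature", false, fmt.Sprintf("node %d: no trust-anchor signature verifies", i)}
		}
	}
	return Check{"dsse-signature", true, "every envelope carries a verified trust-anchor signature"}
}

// IdRecomputationStep: node i must list the ID recomputed from node i-1's signed bytes, so an
// edited or swapped parent breaks the link even when the edit was re-signed with a trusted key.
func IdRecomputationStep(chain []Envelope, _ map[string]ed25519.PublicKey) Check {
	for i := 1; i < len(chain); i++ {
		_, n, err := decode(chain[i])
		if want := IDOf(chain[i-1]); err != nil || !contains(n.Parents, want) {
			return Check{"id-recomputation", false, fmt.Sprintf("node %d: parent %s not linked", i, want)}
		}
	}
	return Check{"id-recomputation", true, "every parent ID recomputes from the signed bytes"}
}
func contains(ss []string, s string) bool { for _, x := range ss { if x == s { return true } }; return false }

// Verify runs the steps in order and returns the receipt; any failed check fails it.
func Verify(chain []Envelope, anchors map[string]ed25519.PublicKey, steps ...Step) Receipt {
	r := Receipt{Passed: true}
	for _, s := range steps {
		c := s(chain, anchors)
		r.Checks, r.Passed = append(r.Checks, c), r.Passed && c.Passed
	}
	return r
}
// BuildChain signs a constructed evidence -> reasoning -> verdict chain with a fresh key (made-up keyid and claims).
func BuildChain() ([]Envelope, map[string]ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const keyID = "demo-attestor-key"
	evidence := Sign(Node{"evidence", nil, map[string]string{"source": "reachability-scan", "observation": "flagged function absent from call graph"}}, keyID, priv)
	reasoning := Sign(Node{"reasoning", []string{IDOf(evidence)}, map[string]string{"rule": "unreachable-code"}}, keyID, priv)
	verdict := Sign(Node{"verdict", []string{IDOf(reasoning)}, map[string]string{"status": "not_affected"}}, keyID, priv)
	return []Envelope{evidence, reasoning, verdict}, map[string]ed25519.PublicKey{keyID: pub}
}
func main() {
	chain, anchors := BuildChain()
	fmt.Printf("valid chain: %+v\n", Verify(chain, anchors, DsseSignatureStep, IdRecomputationStep))
	chain[0].Payload = base64.StdEncoding.EncodeToString([]byte(`{"kind":"evidence","edited":"after signing"}`))
	fmt.Printf("edited evidence: %+v\n", Verify(chain, anchors, DsseSignatureStep, IdRecomputationStep))
}
```

Running it prints a passing receipt for the chain, then a failing one after the evidence payload is edited post-signing: the signature step fails on node 0, and the ID step fails on node 1 because the reasoning node still names the original evidence ID. That second failure is the point of content addressing: re-signing the edited parent with a trusted key would not repair the link. Note also that the node IDs do not depend on the signing key, only on the signed bytes, so two signers attesting the same node produce the same ID.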
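Added example (Go, not the project's code) for the Merkle inclusion proofs the Implementation Details list: an RFC 6962 tree over evidence IDs, audit-path generation, and a verifier that recomputes the root from a leaf and its path. Rekor's inclusion proofs use the same RFC 6962 hashing, so `VerifyInclusion` is the shape of the check a Rekor inclusion step performs against the root in a signed tree head; no log is contacted here. Assumptions: leaves are byte-sorted for determinism (the page does not state the project's ordering rule), and the leaf values are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"sort"
)

// leafHash and nodeHash use the RFC 6962 domain-separation prefixes (0x00 leaf, 0x01 interior),
// which is what stops a leaf from being passed off as an interior node or vice versa.
func leafHash(leaf []byte) []byte        { return hashWith(0x00, leaf) }
func nodeHash(left, right []byte) []byte { return hashWith(0x01, left, right) }
func hashWith(prefix byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{prefix})
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}
// split is the RFC 6962 split point: the largest power of two strictly less than n (n >= 2).
func split(n int) int { k := 1; for k*2 < n { k *= 2 }; return k }

// merkleRoot is RFC 6962 MTH; the root of the empty tree is SHA-256 of the empty string.
func merkleRoot(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		return sha256.New().Sum(nil)
	case 1:
		return leafHash(leaves[0])
	}
	k := split(len(leaves))
	return nodeHash(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
}

// auditPath is RFC 6962 PATH: the sibling hashes from leaves[index] up to the root.
func auditPath(leaves [][]byte, index int) [][]byte {
	if len(leaves) <= 1 {
		return nil
	}
	k := split(len(leaves))
	if index < k {
		return append(auditPath(leaves[:k], index), merkleRoot(leaves[k:]))
	}
	return append(auditPath(leaves[k:], index-k), merkleRoot(leaves[:k]))
}

// VerifyInclusion recomputes the root from a leaf and its audit path (RFC 9162 section 2.1.3.2)
// and compares it with the root the verifier already trusts; a truncated path leaves sn != 0.
func VerifyInclusion(leaf []byte, index, size int, path [][]byte, root []byte) bool {
	if index < 0 || index >= size {
		return false
	}
	fn, sn, r := index, size-1, leafHash(leaf)
	for _, p := range path {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// Tree keeps its leaves byte-sorted (an assumption of this example, not the project's ordering
// rule) so the same set of evidence IDs yields the same root whatever the insertion order.
type Tree struct{ Leaves [][]byte }

func NewTree(leaves [][]byte) Tree {
	s := append([][]byte(nil), leaves...)
	sort.Slice(s, func(i, j int) bool { return bytes.Compare(s[i], s[j]) < 0 })
	return Tree{s}
}
func (t Tree) Root() []byte { return merkleRoot(t.Leaves) }

// Inclusion returns the index and audit path of leaf, or ok=false when it is not in the tree.
func (t Tree) Inclusion(leaf []byte) (index int, path [][]byte, ok bool) {
	for i, l := range t.Leaves {
		if bytes.Equal(l, leaf) {
			return i, auditPath(t.Leaves, i), true
		}
	}
	return 0, nil, false
}

// SampleLeaves are constructed content IDs standing in for the evidence IDs of a proof chain.
func SampleLeaves() [][]byte {
	return [][]byte{[]byte("sha256:constructed-evidence-1"), []byte("sha256:constructed-evidence-2"), []byte("sha256:constructed-evidence-3"), []byte("sha256:constructed-evidence-4"), []byte("sha256:constructed-evidence-5")}
}

func main() {
	tree, leaf := NewTree(SampleLeaves()), SampleLeaves()[2]
	i, path, _ := tree.Inclusion(leaf)
	fmt.Printf("root %x\n%q: index %d, path %d hashes, verifies %v\n", tree.Root(), leaf, i, len(path), VerifyInclusion(leaf, i, len(tree.Leaves), path, tree.Root()))
	fmt.Println("forged leaf verifies:", VerifyInclusion([]byte("sha256:forged"), i, len(tree.Leaves), path, tree.Root()))
}
```

The verifier never takes the root from the proof: it takes the root it already trusts (in the Rekor case, the one in a signed tree head that was checked against the log's key) and demands that leaf, index, size and path reproduce it. Proofs for the last leaf of a five-leaf tree are only one hash long, which is normal for an unbalanced RFC 6962 tree, not a defect.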