# RichGraph Attestation Service (stella.ops/richgraph@v1 predicate)

## Module
Attestor

## Status
VERIFIED

## Description
Generates DSSE-signed attestations capturing the full evidence graph (nodes, edges, paths) for a scan result. Uses the stella.ops/richgraph@v1 in-toto predicate type to attest the complete dependency and evidence graph topology.

## Implementation Details
- **Proof Graph Service**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs` (with `.Mutation`, `.Queries`, `.Subgraph`) -- in-memory graph service providing the richgraph data (nodes, edges, paths).
- **Graph Node**: `Graph/ProofGraphNode.cs` -- typed graph node with content-addressed ID and metadata.
- **Graph Edge**: `Graph/ProofGraphEdge.cs` -- directed edge with type metadata.
- **Node Types**: `Graph/ProofGraphNodeType.cs` -- node type enum (Evidence, Verdict, Policy, Artifact).
- **Edge Types**: `Graph/ProofGraphEdgeType.cs` -- edge type enum for relationship semantics.
- **Graph Subgraph**: `Graph/ProofGraphSubgraph.cs` -- extracted subgraph for attestation scope.
- **Graph Path**: `Graph/ProofGraphPath.cs` -- traversal path within the richgraph.
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds in-toto statements with the richgraph predicate type.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- signs richgraph attestations.
- **Graph Root Attestor**: `__Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs` -- attests Merkle roots over the graph for integrity.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ProofGraphTests.cs`

## E2E Test Plan
- [ ] Build a richgraph via `InMemoryProofGraphService` with Evidence, Verdict, and Artifact nodes connected by typed edges
- [ ] Create an in-toto statement with predicate type `stella.ops/richgraph@v1` via `StatementBuilder.Extended` wrapping the graph data
- [ ] Sign the richgraph attestation via `ProofChainSigner` and verify the DSSE envelope structure
- [ ] Extract a subgraph via `ProofGraphSubgraph` for a specific scan result and verify the attestation scopes to that subgraph
- [ ] Verify all graph paths from entrypoint to vulnerable sink are captured in the richgraph predicate
- [ ] Attest the Merkle root of the richgraph via `GraphRootAttestor` and verify integrity
- [ ] Verify the richgraph DSSE signature via `ProofChainSigner.Verification`

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |