# Signal Normalization Pipeline

## Module
Attestor

## Status
VERIFIED

## Description
Signal normalization is implemented through the existing scoring engine and determinization evidence system, handling CVSS, KEV, EPSS, and other signal providers.

## Implementation Details
- **Evidence Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/EvidencePredicate.cs` -- evidence predicate capturing normalized signal data (CVSS scores, KEV status, EPSS probability).
- **Finding Summary**: `Predicates/FindingSummary.cs` -- summary of a finding with normalized severity from multiple signal sources.
- **Scan Context Info**: `Predicates/ScanContextInfo.cs` -- scanner context capturing which signal providers contributed data.
- **Verdict Inputs**: `Statements/VerdictInputs.cs` -- records normalized signals as inputs to verdict decisions.
- **Verdict Decision**: `Statements/VerdictDecision.cs` -- decision incorporating normalized signal data.
- **Statement Builder**: `Builders/StatementBuilder.cs` -- builds attestations capturing normalized signal data.
- **Content-Addressed IDs**: `Identifiers/ContentAddressedIdGenerator.cs` -- generates deterministic IDs from normalized signal payloads.
- **RFC 8785 Canonicalizer**: `Json/Rfc8785JsonCanonicalizer.cs` -- deterministic serialization of signal data.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/SignalNormalizationTests.cs`

## E2E Test Plan
- [ ] Create an `EvidencePredicate` with CVSS v3.1, CVSS v4.0, and EPSS data and verify all signals are captured
- [ ] Normalize a finding with multiple signal sources and verify `FindingSummary` produces a consistent severity
- [ ] Verify `ScanContextInfo` captures the signal providers (NVD, CISA KEV, EPSS) and their versions
- [ ] Build a verdict with normalized signals as `VerdictInputs` and verify the decision references all signal sources
- [ ] Canonicalize signal data via `Rfc8785JsonCanonicalizer` and verify deterministic output
- [ ] Generate a content-addressed ID from normalized signals and verify it is deterministic
- [ ] Verify signal normalization handles missing signals gracefully (e.g., no EPSS data available)

## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
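
The canonicalization, content-addressed ID and missing-signal checks in the test plan can be illustrated with the sketch below. It is an added example, not code from the Attestor module: `canonicalize`, `content_id` and `normalize` are hypothetical names, the `sha256:` prefix and the omit-when-missing rule are assumptions, and the canonicalizer covers only the part of RFC 8785 where Python's number formatting matches the required ECMAScript output.

```python
import hashlib
import json
import math

def canonicalize(value):
    """Serialize to canonical JSON per RFC 8785 for a restricted value range.

    Assumption: numbers that Python would format differently from the
    ECMAScript rules RFC 8785 requires are rejected, not approximated.
    """
    if value is None or isinstance(value, (bool, str)):
        return json.dumps(value, ensure_ascii=False)
    if isinstance(value, int):
        if abs(value) > 2**53:
            raise ValueError("integer not exactly representable as a double")
        return str(value)
    if isinstance(value, float):
        if not math.isfinite(value):
            raise ValueError("NaN and Infinity are not valid JSON")
        if value.is_integer():
            return canonicalize(int(value))   # 10.0 serializes as 10
        if abs(value) < 1e-4:
            raise ValueError("float below the range this subset supports")
        return repr(value)                    # shortest round-trip digits
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(canonicalize(v) for v in value) + "]"
    if isinstance(value, dict):
        # RFC 8785 orders members by the UTF-16 code units of their names.
        members = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(
            json.dumps(k, ensure_ascii=False) + ":" + canonicalize(v)
            for k, v in members) + "}"
    raise TypeError(f"unsupported type: {type(value).__name__}")

def content_id(payload):
    """SHA-256 of the canonical bytes; the 'sha256:' prefix is an assumed format."""
    digest = hashlib.sha256(canonicalize(payload).encode("utf-8")).hexdigest()
    return "sha256:" + digest

def normalize(finding, cvss=None, kev=None, epss=None):
    """Hypothetical normalizer: a signal with no data is omitted, never defaulted."""
    signals = {"cvss": cvss, "kev": kev, "epss": epss}
    return {"finding": finding,
            "signals": {k: v for k, v in signals.items() if v is not None}}

# Constructed sample data, not taken from any real scan.
SCORES = {"v3.1": 9.8, "v4.0": 9.3}
FULL = normalize("FINDING-EXAMPLE-1", cvss=SCORES, kev=True, epss=0.00042)
NO_EPSS = normalize("FINDING-EXAMPLE-1", cvss=SCORES, kev=True)
```

Omitting an absent signal keeps "no EPSS data" distinguishable from "EPSS of 0": the two payloads canonicalize to different bytes and therefore get different IDs.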