# Signed delta-verdicts (cryptographically bound verdicts per policy evaluation)

## Module
Attestor

## Status
VERIFIED

## Description
Delta verdict model and predicate types implement signed, cryptographically bound verdicts tracking changes between policy evaluations.

## Implementation Details
- **Delta Verdict Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs` (with `.Budget`) -- predicate capturing security state changes between evaluations.
- **Delta Verdict Change**: `Predicates/DeltaVerdictChange.cs` -- individual change entry (new finding, resolved finding, status change).
- **Delta Finding Key**: `Predicates/DeltaFindingKey.cs` -- unique key identifying a finding across evaluations.
- **Delta Verdict Statement**: `Statements/DeltaVerdictStatement.cs` -- in-toto statement wrapping the delta verdict.
- **Verdict Delta Summary**: `Predicates/VerdictDeltaSummary.cs` -- summary counts (new, resolved, unchanged, changed).
- **Verdict Finding Change**: `Predicates/VerdictFindingChange.cs` -- detailed finding change with before/after states.
- **Verdict Rule Change**: `Predicates/VerdictRuleChange.cs` -- policy rule changes between evaluations.
- **Change Trace**: `ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers`, `.Mapping`) -- creates attestations tracking changes over time.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- cryptographically signs delta verdicts into DSSE envelopes.
- **Content-Addressed IDs**: `Identifiers/ContentAddressedIdGenerator.cs` -- generates deterministic IDs for delta verdicts.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/DeltaVerdictTests.cs`

## E2E Test Plan
- [ ] Create a `DeltaVerdictPredicate` with 3 new findings, 2 resolved, and 1 status change; sign into DSSE envelope
- [ ] Verify `VerdictDeltaSummary` correctly counts all change categories
- [ ] Verify `DeltaFindingKey` uniquely identifies findings across evaluations (same CVE + component = same key)
- [ ] Verify `VerdictFindingChange` captures before/after states for changed findings
- [ ] Verify `VerdictRuleChange` captures policy rule additions/removals between evaluations
- [ ] Verify the DSSE signature via `ProofChainSigner.Verification` and confirm cryptographic binding
- [ ] Create a change trace attestation via `ChangeTraceAttestationService` linking the delta to its parent evaluations
- [ ] Verify delta with budget: create a delta that exceeds the uncertainty budget and verify the violation is captured in `.Budget`

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |