# Proof-Driven Moats: Architecture Specification

**Version:** 1.0.0
**Status:** Design
**Owner:** Platform Architecture
**Last Updated:** 2025-12-23

---

## Executive Summary

This document specifies the architecture for **Proof-Driven Moats**, a dual capability that establishes StellaOps as best-in-class for vulnerability assessment accuracy:

1. **Patch-Aware Backport Detector**: Automated detection of distro backports with cryptographic proof, eliminating false positives from version-string mismatches.
2. **Regional Crypto & Offline Audit Packs**: Jurisdiction-compliant attestation bundles with multi-profile signing (eIDAS, FIPS, GOST, SM, PQC).

---

## 1. Strategic Goals

### 1.1 Business Objectives

- **Eliminate backport false positives** without human intervention
- **Provide cryptographic proof** for every vulnerability verdict
- **Enable global deployment** with regional crypto compliance
- **Support air-gapped environments** with sealed audit packs
- **Establish competitive moat** through binary-level analysis

### 1.2 Technical Objectives

- **Deterministic, reproducible proofs** with canonical hashing
- **Pluggable crypto profiles** for jurisdiction compliance
- **Four-tier backport detection**: distro feeds → changelog → patches → binary
- **Offline-first design** with embedded trust anchors
- **PostgreSQL-backed storage** with efficient querying

---

## 2. System Architecture

### 2.1 High-Level Component Diagram

```
┌─────────────────────────────────────────────────────────────────┐
│                       PROOF-DRIVEN MOATS                        │
└─────────────────────────────────────────────────────────────────┘
                                 │
         ┌───────────────────────┴─────────────────────┐
         │                                             │
         ▼                                             ▼
┌──────────────────┐                       ┌──────────────────────┐
│    BACKPORT      │                       │  REGIONAL CRYPTO &   │
│    DETECTOR      │                       │    AUDIT PACKS       │
└──────────────────┘                       └──────────────────────┘
         │                                             │
   ┌─────┴─────┐                              ┌────────┴────────┐
   │           │                              │                 │
   ▼           ▼                              ▼                 ▼
┌───────┐ ┌───────────┐             ┌────────────┐ ┌──────────────┐
│Feedser│ │SourceIntel│             │MultiProfile│ │ AuditBundle  │
│       │ │           │             │   Signer   │ │  Packager    │
└───────┘ └───────────┘             └────────────┘ └──────────────┘
    │           │                          │              │
    │           │                          │              │
    ▼           ▼                          ▼              ▼
┌─────────────────────────────────────────────────────────────────┐
│                   PROOF CHAIN INFRASTRUCTURE                    │
│    ┌──────────┐  ┌───────────┐  ┌──────────┐  ┌───────────┐     │
│    │ProofBlob │  │ProofLedger│  │ProofStore│  │ProofVerify│     │
│    └──────────┘  └───────────┘  └──────────┘  └───────────┘     │
└─────────────────────────────────────────────────────────────────┘
                                 │
                                 ▼
                        ┌──────────────────┐
                        │    PostgreSQL    │
                        │    (scanner,     │
                        │    concelier,    │
                        │    attestor)     │
                        └──────────────────┘
```

### 2.2 Module Responsibilities

| Module | Responsibility | Owner |
|--------|----------------|-------|
| **Feedser** | Upstream patch extraction and HunkSig generation | New module |
| **SourceIntel** | Changelog and patch header parsing | Concelier library |
| **BinaryFingerprint** | Binary-level vulnerability fingerprinting | Scanner library |
| **ProofChain** | Proof blob creation, storage, verification | Attestor library |
| **MultiProfileSigner** | Pluggable crypto with regional profiles | Cryptography library |
| **AuditBundlePackager** | Sealed audit pack generation | ExportCenter |
| **VEX Integration** | Proof-carrying VEX statements | Excititor |

---

## 3. Backport Detector Architecture

### 3.1 Four-Tier Detection System

```
Tier 1: Distro Security Feeds (EXISTING ✓)
  ├─ RHEL CSAF/RHSA
  ├─ SUSE CSAF
  ├─ Ubuntu USN
  ├─ Debian DSA
  └─ Alpine secdb
  Confidence: 0.95-0.99

Tier 2: Source Changelog Parsing (NEW)
  ├─ debian/changelog CVE mentions
  ├─ RPM %changelog CVE mentions
  └─ Alpine APKBUILD secfixes
  Confidence: 0.75-0.85

Tier 3: Patch Header Analysis (NEW)
  ├─ debian/patches/* DEP-3 headers
  ├─ RPM .spec patch references
  └─ Patch filename CVE patterns
  Confidence: 0.80-0.90

Tier 4: Binary Fingerprinting (NEW - OPTIONAL)
  ├─ Function normalized hash
  ├─ Basic-block multiset hash
  └─ Control-flow graph hash
  Confidence: 0.85-0.95
```

### 3.2 Decision Algorithm

```python
def decide_cve_status(cve_id, package, installed_version, evidences):
    """Deterministic, ordered decision algorithm with proof generation."""
    proof = ProofBlob()

    # Step 1: Check Tier 1 (distro feeds)
    for feed_evidence in evidences.filter(tier=1).sort_by_confidence():
        if feed_evidence.state == "not_affected" and feed_evidence.confidence >= 0.9:
            proof.add(feed_evidence)
            return VerdictWithProof("NOT_AFFECTED", proof, confidence=feed_evidence.confidence)

        if feed_evidence.state == "fixed":
            if version_compare(installed_version, feed_evidence.fixed_version) >= 0:
                proof.add(feed_evidence)
                return VerdictWithProof("FIXED", proof, confidence=feed_evidence.confidence)

    # Step 2: Check Tier 2 (changelog)
    for changelog_evidence in evidences.filter(tier=2).sort_by_confidence():
        if cve_id in changelog_evidence.cve_mentions:
            if version_compare(installed_version, changelog_evidence.version) >= 0:
                proof.add(changelog_evidence)
                return VerdictWithProof("FIXED", proof, confidence=changelog_evidence.confidence)

    # Step 3: Check Tier 3 (patches)
    for patch_evidence in evidences.filter(tier=3).sort_by_confidence():
        if cve_id in patch_evidence.cve_references:
            proof.add(patch_evidence)
            return VerdictWithProof("FIXED", proof, confidence=patch_evidence.confidence)

    # Step 4: Check Tier 4 (binary fingerprints)
    for binary_evidence in evidences.filter(tier=4):
        if binary_evidence.fingerprint_match and not binary_evidence.vulnerable_match:
            proof.add(binary_evidence)
            return VerdictWithProof("FIXED", proof, confidence=binary_evidence.confidence)

    # Default: vulnerable
    proof.add_note("No fix evidence found across all tiers")
    return VerdictWithProof("VULNERABLE", proof, confidence=0.95)
```

### 3.3 Data Flow

```
┌──────────────┐
│   Feedser    │ ← Pulls upstream patches from GitHub/GitLab
└──────┬───────┘
       │ Extracts HunkSig
       ▼
┌──────────────────────┐
│  Patch Signature DB  │ (concelier.source_patch_sig)
└──────────────────────┘
       │
       │ Referenced by
       ▼
┌──────────────────────┐       ┌──────────────┐
│  SourceIntel Parser  │ ←───→ │   Scanner    │
└──────────────────────┘       └──────┬───────┘
       │                              │
       │ Generates                    │ Extracts BuildID
       ▼                              ▼
┌──────────────────────┐       ┌─────────────────┐
│  ProofBlob           │       │  Binary         │
│  (evidence bundle)   │       │  Fingerprints   │
└──────────────────────┘       └─────────────────┘
       │                              │
       │                              │
       └──────────┬───────────────────┘
                  │ Both feed into
                  ▼
           ┌──────────────┐
           │  VEX with    │
           │  proof_ref   │
           └──────────────┘
                  │
                  ▼
           ┌──────────────┐
           │  DSSE Sign   │
           │ Multi-Profile│
           └──────────────┘
```

---

## 4. Regional Crypto Architecture

### 4.1 Pluggable Crypto Abstraction

```csharp
// Core abstraction (StellaOps.Cryptography)
public interface IContentSigner
{
    string KeyId { get; }
    SignatureProfile Profile { get; }
    Task SignAsync(ReadOnlyMemory<byte> payload, CancellationToken ct);
}

public interface IContentVerifier
{
    Task VerifyAsync(
        ReadOnlyMemory<byte> payload,
        Signature signature,
        CancellationToken ct);
}

public enum SignatureProfile
{
    EdDsa,      // Baseline (Ed25519)
    EcdsaP256,  // FIPS 186-4
    RsaPss,     // FIPS 186-4
    Gost2012,   // GOST R 34.10-2012
    SM2,        // GM/T 0003.2-2012
    Eidas,      // ETSI TS 119 312
    Dilithium,  // NIST PQC (optional)
    Falcon      // NIST PQC (optional)
}

// Multi-profile signing
public class MultiProfileSigner : IContentSigner
{
    private readonly IReadOnlyList<IContentSigner> _signers;

    public async Task<MultiSignatureResult> SignAllAsync(
        ReadOnlyMemory<byte> payload,
        CancellationToken ct)
    {
        // One signature per configured profile, over the same payload.
        var signatures = new List<Signature>();
        foreach (var signer in _signers)
        {
            var result = await signer.SignAsync(payload, ct);
            signatures.Add(result.Signature);
        }
        return new MultiSignatureResult(signatures);
    }
}
```

### 4.2 Profile Implementations

Each profile is a separate NuGet package:

- `StellaOps.Cryptography.Profiles.EdDsa` - Baseline (libsodium)
- `StellaOps.Cryptography.Profiles.Ecdsa` - FIPS (System.Security.Cryptography)
- `StellaOps.Cryptography.Profiles.Rsa` - FIPS (System.Security.Cryptography)
- `StellaOps.Cryptography.Profiles.Gost` - Russia (BouncyCastle or CryptoPro)
- `StellaOps.Cryptography.Profiles.SM` - China (BouncyCastle)
- `StellaOps.Cryptography.Profiles.Eidas` - EU (DSS library)
- `StellaOps.Cryptography.Profiles.Pqc` - Post-quantum (liboqs)

### 4.3 Configuration-Driven Selection

```yaml
# etc/cryptography.yaml
signing:
  profiles:
    - profile: EdDsa
      keyId: "stella-ed25519-2024"
      enabled: true

    - profile: EcdsaP256
      keyId: "stella-ecdsa-p256-2024"
      enabled: true
      kms:
        provider: "azure-keyvault"
        keyName: "stellaops-ecdsa"

    - profile: Gost2012
      keyId: "stella-gost-2024"
      enabled: false  # Enable for Russian deployments

    - profile: SM2
      keyId: "stella-sm2-2024"
      enabled: false  # Enable for Chinese deployments

    - profile: Eidas
      keyId: "stella-eidas-2024"
      enabled: false  # Enable for EU qualified signatures
      certificate: "/etc/stellaops/certs/eidas-qscd.pem"

verification:
  allowedProfiles:
    - EdDsa
    - EcdsaP256
    - Gost2012
    - SM2
    - Eidas
  trustAnchors:
    - path: "/etc/stellaops/trust/root-ca.pem"
    - path: "/etc/stellaops/trust/eidas-tsl.xml"
```

---

## 5. ProofBlob Specification

### 5.1 Data Model

```csharp
// StellaOps.Attestor.ProofChain
using System.Text.Json;

public sealed record ProofBlob
{
    public required string ProofId { get; init; }          // sha256:...
    public required string SubjectId { get; init; }        // CVE-XXXX-YYYY + PURL
    public required ProofBlobType Type { get; init; }
    public required DateTimeOffset CreatedAt { get; init; }

    // Evidence entries
    public required IReadOnlyList<ProofEvidence> Evidences { get; init; }

    // Computation details
    public required string Method { get; init; }           // "distro_feed" | "changelog" | "patch_header" | "binary_match"
    public required double Confidence { get; init; }       // 0.0-1.0

    // Provenance
    public required string ToolVersion { get; init; }
    public required string SnapshotId { get; init; }

    // Computed hash (excludes this field)
    public string? ProofHash { get; init; }
}

public sealed record ProofEvidence
{
    public required string EvidenceId { get; init; }
    public required EvidenceType Type { get; init; }
    public required string Source { get; init; }
    public required DateTimeOffset Timestamp { get; init; }
    public required JsonDocument Data { get; init; }
    public required string DataHash { get; init; }         // sha256 of canonical JSON
}

public enum ProofBlobType
{
    BackportFixed,   // Distro backported the fix
    NotAffected,     // Package not affected by CVE
    Vulnerable,      // Confirmed vulnerable
    Unknown          // Insufficient evidence
}

public enum EvidenceType
{
    DistroAdvisory,     // Tier 1
    ChangelogMention,   // Tier 2
    PatchHeader,        // Tier 3
    BinaryFingerprint,  // Tier 4
    VersionComparison,  // Supporting evidence
    BuildCatalog        // Build ID mapping
}
```

### 5.2 Canonical Hashing

```csharp
using System.Security.Cryptography;

public static class ProofHashing
{
    public static string ComputeProofHash(ProofBlob blob)
    {
        // Clone without ProofHash field
        var normalized = blob with { ProofHash = null };

        // Canonicalize (sorted keys, stable ordering)
        var canonical = CanonJson.Canonicalize(normalized);

        // SHA-256
        var hash = SHA256.HashData(canonical);
        return "sha256:" + Convert.ToHexString(hash).ToLowerInvariant();
    }

    public static ProofBlob WithHash(ProofBlob blob)
    {
        var hash = ComputeProofHash(blob);
        return blob with { ProofHash = hash };
    }
}
```

### 5.3 Storage Schema

```sql
-- concelier.backport_proof
CREATE TABLE concelier.backport_proof (
    proof_id     TEXT PRIMARY KEY,            -- sha256:...
    subject_id   TEXT NOT NULL,               -- CVE-XXXX-YYYY:pkg:rpm/...
    proof_type   TEXT NOT NULL,               -- backport_fixed | not_affected | vulnerable
    method       TEXT NOT NULL,               -- distro_feed | changelog | patch_header | binary_match
    confidence   NUMERIC(5,4) NOT NULL,       -- 0.0-1.0

    -- Provenance
    tool_version TEXT NOT NULL,
    snapshot_id  TEXT NOT NULL,
    created_at   TIMESTAMPTZ NOT NULL DEFAULT now(),

    -- Proof blob (JSONB)
    proof_blob   JSONB NOT NULL,

    -- Constraints
    CONSTRAINT backport_proof_confidence_check
        CHECK (confidence >= 0 AND confidence <= 1)
);

CREATE INDEX idx_backport_proof_subject ON concelier.backport_proof(subject_id);
CREATE INDEX idx_backport_proof_method ON concelier.backport_proof(method);
CREATE INDEX idx_backport_proof_created ON concelier.backport_proof(created_at DESC);
CREATE INDEX idx_backport_proof_confidence ON concelier.backport_proof(confidence DESC);

-- GIN index for JSONB queries
CREATE INDEX idx_backport_proof_blob ON concelier.backport_proof USING GIN(proof_blob);
```

---

## 6. Audit Bundle Specification

### 6.1 Bundle Structure

```
audit-bundle-{artifact-digest}.stella.bundle.tgz
├── manifest.json                  # Bundle manifest
├── manifest.dsse.json             # DSSE envelope with multi-sig
├── evidence/
│   ├── sbom.spdx.json             # SPDX 3.0.1 SBOM
│   ├── sbom.cdx.json              # CycloneDX 1.6 SBOM
│   ├── vex-statements.json        # OpenVEX statements
│   ├── reachability-graph.json    # Call graph + paths
│   ├── policy-ledger.json         # Policy evaluation ledger
│   └── proofs/
│       ├── {proof-id-1}.json      # ProofBlob 1
│       ├── {proof-id-2}.json      # ProofBlob 2
│       └── ...
├── attestations/
│   ├── sbom.dsse.json             # SBOM attestation
│   ├── vex.dsse.json              # VEX attestation
│   ├── reachability.dsse.json     # Reachability attestation
│   ├── verdict.dsse.json          # Policy verdict attestation
│   └── proofs.dsse.json           # Proof chain attestation
├── replay/
│   ├── scan-manifest.json         # Scan parameters
│   ├── feed-snapshots.json        # Feed snapshot IDs
│   ├── policy-versions.json       # Policy versions used
│   └── seeds.json                 # Deterministic seeds
├── trust/
│   ├── tuf-root.json              # TUF root for offline verification
│   ├── certificates.pem           # Certificate chain
│   ├── crls.pem                   # Certificate Revocation Lists
│   └── timestamps.rfc3161         # RFC 3161 timestamp tokens
└── meta.json                      # Bundle metadata
```

### 6.2 Manifest Schema

```json
{
  "$schema": "https://stellaops.dev/schemas/audit-bundle-manifest/v1",
  "version": "1.0.0",
  "bundleId": "sha256:abc123...",
  "createdAt": "2025-12-23T10:00:00Z",
  "generator": {
    "name": "StellaOps ExportCenter",
    "version": "1.5.0"
  },
  "subject": {
    "artifactDigest": "sha256:def456...",
    "artifactPurl": "pkg:oci/myapp@sha256:def456...?repository_url=ghcr.io/myorg",
    "scanId": "01234567-89ab-cdef-0123-456789abcdef"
  },
  "contents": {
    "sbom": {
      "formats": ["spdx-3.0.1", "cyclonedx-1.6"],
      "digests": {
        "sbom.spdx.json": "sha256:...",
        "sbom.cdx.json": "sha256:..."
      }
    },
    "vex": {
      "statementCount": 42,
      "digest": "sha256:..."
    },
    "reachability": {
      "nodeCount": 1523,
      "edgeCount": 8741,
      "digest": "sha256:..."
    },
    "proofs": {
      "proofCount": 15,
      "digests": [
        "sha256:proof1...",
        "sha256:proof2...",
        "..."
      ]
    }
  },
  "signatures": [
    {
      "profile": "EdDsa",
      "keyId": "stella-ed25519-2024",
      "algorithm": "Ed25519",
      "digest": "sha256:sig1..."
    },
    {
      "profile": "EcdsaP256",
      "keyId": "stella-ecdsa-p256-2024",
      "algorithm": "ES256",
      "digest": "sha256:sig2..."
    },
    {
      "profile": "Gost2012",
      "keyId": "stella-gost-2024",
      "algorithm": "GOST3410-2012-256",
      "digest": "sha256:sig3..."
    }
  ],
  "replay": {
    "deterministic": true,
    "snapshotIds": {
      "concelier": "sha256:feed123...",
      "excititor": "sha256:vex456...",
      "policy": "sha256:pol789..."
    },
    "seed": "base64encodedSeed=="
  },
  "trust": {
    "tufRoot": "sha256:tuf123...",
    "certificateChainDigest": "sha256:certs456...",
    "crlDigest": "sha256:crl789...",
    "timestampDigest": "sha256:ts012..."
  }
}
```

---

## 7. Module Implementations

### 7.1 Feedser Module

**Location:** `src/Feedser/`
**Purpose:** Extract upstream patches and generate patch signatures (HunkSig).

**Components:**
- `StellaOps.Feedser.Core` - Orchestration and scheduling
- `StellaOps.Feedser.PatchExtractor` - CVE→commit mapping via OSV
- `StellaOps.Feedser.HunkSig` - Patch signature generation
- `StellaOps.Feedser.Storage.Postgres` - Equivalence map storage

**Key Operations:**
1. Query OSV for CVE→commit mappings
2. Fetch commit diffs from Git repositories
3. Extract and normalize patch hunks
4. Compute HunkSig (hash of normalized hunks)
5. Store in `concelier.source_patch_sig`

### 7.2 SourceIntel Library

**Location:** `src/Concelier/__Libraries/StellaOps.Concelier.SourceIntel/`
**Purpose:** Parse source package metadata for CVE mentions.

**Components:**
- `ChangelogParser` - Parse Debian/RPM changelogs
- `PatchHeaderParser` - Parse patch files for CVE references
- `CveExtractor` - Extract CVE-XXXX-YYYY patterns
- `ConfidenceScorer` - Compute confidence based on context

**Supported Formats:**
- Debian: `debian/changelog`, `debian/patches/*`
- RPM: `%changelog`, `.spec` patches
- Alpine: `APKBUILD` secfixes section

### 7.3 BinaryFingerprint Library

**Location:** `src/Scanner/__Libraries/StellaOps.Scanner.BinaryFingerprint/`
**Purpose:** Generate and match vulnerability fingerprints at binary level.

**Components:**
- `BuildIdExtractor` - Extract ELF/PE build IDs
- `Disassembler` - Disassemble functions (via Capstone or similar)
- `FunctionNormalizer` - Normalize disassembly (strip addresses, etc.)
- `CfgExtractor` - Extract control flow graphs
- `FingerprintComputer` - Compute function/CFG hashes
- `FingerprintMatcher` - Query-time matching
- `ValidationHarness` - Validate against test corpus

**Fingerprint Types:**
1. **Function Normalized Hash** - Hash of normalized instruction sequence
2. **Basic-Block Multiset** - Multiset of basic block hashes (order-independent)
3. **CFG Hash** - Hash of canonical CFG representation

---

## 8. Implementation Phases

### Phase 1: Foundation (Sprints 7200-7201)

**Duration:** 4-5 sprints
**Goal:** Basic automated backport detection with proof

**Deliverables:**
- Cryptography abstraction layer
- ProofBlob data model and storage
- Source intelligence parsers (Tier 2/3)
- Feedser patch extraction (basic)
- Proof-carrying VEX integration
- Alpine APK comparator

**Success Criteria:**
- Tier 1-3 backport detection operational
- ProofBlobs generated and stored
- VEX statements include proof references
- 50+ test cases passing per distro

### Phase 2: Regional Crypto (Sprints 7202-7203)

**Duration:** 3-4 sprints
**Goal:** Jurisdiction-compliant audit packs

**Deliverables:**
- Multi-profile signer implementation
- eIDAS/ETSI profile
- FIPS profile (ECDSA + RSA-PSS)
- GOST profile (BouncyCastle)
- SM profile (BouncyCastle)
- TUF root embedding
- CRL/OCSP embedding
- Audit bundle packager

**Success Criteria:**
- Multi-signature DSSE envelopes working
- All profiles validated against test vectors
- Offline verification working
- Audit bundles < 50MB for typical scans

### Phase 3: Binary Moat (Sprints 7204-7206)

**Duration:** 4-5 sprints
**Goal:** Universal backport detection via binary analysis

**Deliverables:**
- Binary fingerprinting factory
- Disassembler integration (Capstone)
- CFG extraction
- Fingerprint validation harness
- Query-time matching engine
- Test corpus (vulnerable/fixed/benign)

**Success Criteria:**
- >90% precision on test corpus
- >85% recall on known vulnerabilities
- <1% false positive rate
- Query latency <100ms p95

### Phase 4: Production Hardening (Sprints 7207-7208)

**Duration:** 2-3 sprints
**Goal:** Production readiness and optimization

**Deliverables:**
- Performance optimization
- Comprehensive test coverage
- Operational runbooks
- Monitoring dashboards
- CLI commands
- Documentation

**Success Criteria:**
- All acceptance tests passing
- Performance benchmarks met
- Documentation complete
- Ready for production deployment

---

## 9. Success Metrics

### 9.1 Functional Metrics

| Metric | Target | Measurement |
|--------|--------|-------------|
| **False Positive Reduction** | >90% | Before/after comparison on test corpus |
| **Proof Coverage** | >95% | % of verdicts with proof blobs |
| **Tier 1 Detection** | >99% | % using distro feeds |
| **Tier 2 Detection** | >75% | % using changelog |
| **Tier 3 Detection** | >80% | % using patches |
| **Tier 4 Detection** | >85% | % using binary fingerprints |

### 9.2 Performance Metrics

| Metric | Target | Measurement |
|--------|--------|-------------|
| **Proof Generation** | <500ms p95 | Time to generate ProofBlob |
| **Multi-Sign** | <2s p95 | Time to sign with 3 profiles |
| **Bundle Creation** | <10s p95 | Time to create audit bundle |
| **Fingerprint Match** | <100ms p95 | Query time for fingerprint |
| **Bundle Size** | <50MB p95 | Compressed bundle size |

### 9.3 Quality Metrics

| Metric | Target | Measurement |
|--------|--------|-------------|
| **Test Coverage** | >90% | Line coverage |
| **Determinism** | 100% | Reproducible outputs |
| **Offline Capability** | 100% | No network calls in sealed mode |
| **Crypto Compliance** | 100% | All profiles pass validation |

---

## 10. Risks and Mitigations

### 10.1 Technical Risks

| Risk | Impact | Likelihood | Mitigation |
|------|--------|------------|------------|
| **Binary fingerprinting FP rate** | High | Medium | Extensive validation harness, confidence scoring |
| **Distro-specific edge cases** | Medium | High | Comprehensive test corpus, distro validation |
| **Crypto library compatibility** | Medium | Low | Abstraction layer, fallback implementations |
| **Performance degradation** | Medium | Medium | Caching, incremental computation, profiling |

### 10.2 Operational Risks

| Risk | Impact | Likelihood | Mitigation |
|------|--------|------------|------------|
| **Database growth** | High | High | Retention policies, partitioning, archival |
| **Feedser downtime** | Medium | Medium | Cached patches, graceful degradation |
| **Key rotation complexity** | Medium | Low | Automated rotation, clear procedures |
| **Bundle distribution costs** | Low | Medium | Compression, deduplication, CDN |

---

## 11. Dependencies

### 11.1 Internal Dependencies

- **Scanner Module**: Binary analysis, SBOM generation
- **Concelier Module**: Distro feed ingestion, merge logic
- **Excititor Module**: VEX statement generation
- **Attestor Module**: DSSE signing, Rekor anchoring
- **ExportCenter Module**: Bundle packaging, distribution

### 11.2 External Dependencies

| Dependency | Purpose | License | Risk |
|------------|---------|---------|------|
| **OSV API** | CVE→commit mapping | Public | Rate limits, availability |
| **BouncyCastle** | GOST/SM crypto | MIT | Maintenance, updates |
| **Capstone** | Disassembler | BSD | Native dependency |
| **libsodium** | EdDSA signing | ISC | Well-maintained |
| **liboqs** | Post-quantum (optional) | MIT | Experimental |

---

## 12. References

### 12.1 Product Advisories

- `docs/product-advisories/23-Dec-2026 - Proof‑Driven Moats Stella Ops Can Ship.md`
- `docs/product-advisories/23-Dec-2026 - Binary Mapping as Attestable Proof.md`
- `docs/product-advisories/archived/22-Dec-2025 - Getting Distro Backport Logic Right.md`

### 12.2 Standards

- **DSSE:** https://github.com/secure-systems-lab/dsse
- **in-toto:** https://in-toto.io/
- **OpenVEX:** https://github.com/openvex/spec
- **TUF:** https://theupdateframework.io/
- **RFC 3161:** Time-Stamp Protocol (TSP)
- **ETSI TS 119 312:** Electronic Signatures and Infrastructures (ESI)
- **FIPS 186-4:** Digital Signature Standard (DSS)

### 12.3 Related Documentation

- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/concelier/architecture.md`
- `docs/modules/scanner/architecture.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/excititor/architecture.md`

---

## Appendix A: Glossary

- **ProofBlob**: A cryptographically signed evidence bundle proving a vulnerability verdict
- **HunkSig**: Hash of normalized patch hunks for equivalence matching
- **Multi-Profile Signer**: Crypto abstraction that produces multiple signatures with different algorithms
- **Audit Bundle**: Sealed package containing all evidence and attestations for offline replay
- **Tier 1-4**: Four-level hierarchy of backport detection methods
- **BuildID**: Unique identifier embedded in ELF/PE binaries (`.note.gnu.build-id`)

---

**END OF DOCUMENT**
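
Added example for section 7.1, steps 3-4 (extract and normalize patch hunks, compute HunkSig); it is not StellaOps code. The normalization rules (drop context lines, file headers and line numbers, collapse whitespace), the function names and the sample patches are assumptions made here, since this specification does not define them.

```python
import hashlib
import re

# '@@ -start[,count] +start[,count] @@'; an omitted count means 1.
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def normalized_hunks(diff_text):
    """Return, per hunk, the changed lines with layout noise removed."""
    hunks, old_left, new_left = [], 0, 0
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:  # between hunks
            m = HUNK_RE.match(line)
            if m:
                old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
                hunks.append([])
            continue  # file headers and other non-hunk lines are skipped
        if line.startswith("\\"):  # '\ No newline at end of file'
            continue
        tag, body = line[:1], " ".join(line[1:].split())
        if tag == "-":
            old_left -= 1
        elif tag == "+":
            new_left -= 1
        else:  # context: consumed on both sides, not part of the signature
            old_left, new_left = old_left - 1, new_left - 1
            continue
        if body:  # whitespace-only changes carry no signal
            hunks[-1].append(tag + body)
    return [h for h in hunks if h]

def hunk_digests(diff_text):
    """Sorted SHA-256 of each normalized hunk, so hunk order does not matter."""
    return sorted(hashlib.sha256("\n".join(h).encode()).hexdigest()
                  for h in normalized_hunks(diff_text))

def hunk_sig(diff_text):
    """Single signature over all hunk digests (the assumed HunkSig form)."""
    joined = "\n".join(hunk_digests(diff_text))
    return "sha256:" + hashlib.sha256(joined.encode()).hexdigest()

def coverage(upstream_diff, candidate_diff):
    """Fraction of upstream hunks that also appear in the candidate patch."""
    want, have = hunk_digests(upstream_diff), set(hunk_digests(candidate_diff))
    return sum(d in have for d in want) / len(want) if want else 0.0

# Constructed sample patches (not taken from any real project or CVE).
UPSTREAM = """\
--- a/src/parse.c
+++ b/src/parse.c
@@ -121,2 +121,4 @@ int parse_len(const uint8_t *buf, size_t n)
     n--;
+    if (len > n)
+        return -1;
     memcpy(out, buf, len);
@@ -200 +202 @@
-    char name[16];
+    char name[NAME_MAX + 1];
"""
# Distro backport: other path, shifted line numbers, tab indentation.
BACKPORT = """\
--- a/lib/parse.c
+++ b/lib/parse.c
@@ -88,2 +88,4 @@
 \tn--;
+\tif (len > n)
+\t\treturn -1;
 \tmemcpy(out, buf, len);
@@ -150 +152 @@
-\tchar name[16];
+\tchar name[NAME_MAX + 1];
"""
PARTIAL = BACKPORT[:BACKPORT.index("@@ -150")]  # second hunk never backported
```

An exact `hunk_sig` match is the equivalence case; `coverage` below 1.0 flags a partial backport, which should not be reported as fixed on signature evidence alone.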