# Binary Diff Predicate / DSSE Attestation for Patch Detection

## Module

Attestor

## Status

IMPLEMENTED

## Description

Complete BinaryDiff predicate implementation with DSSE signing/verification, schema validation, normalization, and serialization for patch detection attestations.

## Implementation Details

- **BinaryDiff Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build` partial) -- implements `IBinaryDiffPredicateBuilder` to construct binary diff predicates from diff findings.
- **BinaryDiff Predicate Serializer**: `BinaryDiffPredicateSerializer.cs` (with `.Normalize` partial) -- implements `IBinaryDiffPredicateSerializer` for deterministic serialization with normalization.
- **DSSE Signing**: `BinaryDiffDsseSigner.cs` -- signs binary diff predicates as DSSE envelopes.
- **DSSE Verification**: `BinaryDiffDsseVerifier.cs` (with `.Helpers` partial) -- implements `IBinaryDiffDsseVerifier` for verifying signed binary diff attestations.
- **Schema Validation**: `BinaryDiffSchema.cs` (with `.SchemaJson` partial) -- JSON schema for binary diff predicates. `BinaryDiffSchemaValidationResult.cs` -- validation result model.
- **Models**: `BinaryDiffModels.cs` -- core diff models. `BinaryDiffSectionModels.cs` -- section-level diff models (ELF/PE sections). `BinaryDiffFinding.cs` -- individual diff finding. `BinaryDiffOptions.cs` -- configuration.
- **Metadata**: `BinaryDiffMetadataBuilder.cs` -- builds metadata for diff predicates.
- **DI Registration**: `ServiceCollectionExtensions.cs` -- registers all BinaryDiff services.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/` -- `BinaryDiffPredicateBuilderTests.cs`, `BinaryDiffPredicateSerializerTests.cs`, `BinaryDiffDsseSignerTests.cs`, `BinaryDiffSchemaValidationTests.cs`

## E2E Test Plan

- [ ] Build a binary diff predicate from a set of `BinaryDiffFinding` entries via `BinaryDiffPredicateBuilder` and verify the predicate contains all findings
- [ ] Serialize the predicate via `BinaryDiffPredicateSerializer` and verify normalization produces deterministic output (serialize twice, compare bytes)
- [ ] Sign the serialized predicate via `BinaryDiffDsseSigner` and verify the DSSE envelope is well-formed
- [ ] Verify the signed envelope via `BinaryDiffDsseVerifier` and confirm verification passes
- [ ] Tamper with the signed envelope payload and verify `BinaryDiffDsseVerifier` returns failure
- [ ] Validate a predicate against the JSON schema via `BinaryDiffSchema` and verify it passes
- [ ] Create a predicate with section-level diffs (`BinaryDiffSectionModels`) for ELF `.text` and `.rodata` sections and verify section details are preserved
- [ ] Create a predicate missing required fields and verify schema validation catches the error
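
The serialize, sign, verify and tamper steps of the test plan rest on the DSSE pre-authentication encoding (PAE): the signature covers the payload type and the exact payload bytes, so a changed payload or non-deterministic serialization fails verification. The following is an added, stand-alone illustration and not the module's code; `DsseSketch`, `DsseEnvelope` and their members are hypothetical names, and the ECDSA P-256 key, the payload type and the flat sample finding are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Hypothetical types for illustration only; these are not StellaOps APIs.
public sealed record DsseEnvelope(string PayloadType, string Payload, string KeyId, string Sig);

public static class DsseSketch
{
    // Assumed payload type (the in-toto media type); the page does not state the one the module uses.
    public const string PayloadType = "application/vnd.in-toto+json";

    // DSSE PAE: "DSSEv1 <byte length of type> <type> <byte length of body> <body>".
    public static byte[] Pae(string type, byte[] body) =>
        Encoding.UTF8.GetBytes($"DSSEv1 {Encoding.UTF8.GetByteCount(type)} {type} {body.Length} ").Concat(body).ToArray();

    // Stand-in for normalization: ordinal-sorted keys, no whitespace, so equal content gives equal bytes.
    public static byte[] Normalize(IDictionary<string, string> fields) =>
        JsonSerializer.SerializeToUtf8Bytes(new SortedDictionary<string, string>(fields, StringComparer.Ordinal));

    public static DsseEnvelope Sign(ECDsa key, string keyId, byte[] payload) =>
        new(PayloadType, Convert.ToBase64String(payload), keyId,
            Convert.ToBase64String(key.SignData(Pae(PayloadType, payload), HashAlgorithmName.SHA256)));

    // Rejects an unexpected payload type, malformed base64, and any signature that does not cover the PAE bytes.
    public static bool Verify(ECDsa key, DsseEnvelope env)
    {
        if (env.PayloadType != PayloadType) return false;
        try { return key.VerifyData(Pae(env.PayloadType, Convert.FromBase64String(env.Payload)), Convert.FromBase64String(env.Sig), HashAlgorithmName.SHA256); }
        catch (FormatException) { return false; }
    }

    public static void Main()
    {
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256); // throwaway demo key
        // Constructed sample finding, supplied in two different key orders.
        var a = Normalize(new Dictionary<string, string> { ["section"] = ".text", ["path"] = "/usr/lib/libexample.so", ["status"] = "modified" });
        var b = Normalize(new Dictionary<string, string> { ["status"] = "modified", ["path"] = "/usr/lib/libexample.so", ["section"] = ".text" });
        Console.WriteLine($"deterministic bytes: {a.AsSpan().SequenceEqual(b)}");
        var env = Sign(key, "demo-key", a);
        Console.WriteLine($"original verifies: {Verify(key, env)}");
        // Swap the payload but keep the old signature, as in the tamper step of the test plan.
        var tampered = env with { Payload = Convert.ToBase64String(Encoding.UTF8.GetBytes("{\"status\":\"unchanged\"}")) };
        Console.WriteLine($"tampered verifies: {Verify(key, tampered)}");
    }
}
```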