# Four-Tier Backport Detection System

## Module

Attestor

## Status

VERIFIED

## Description

A four-tier evidence collection system for backport detection: Tier 1 (Distro Advisories, 0.98 confidence), Tier 2 (Changelog Mentions, 0.80), Tier 3 (Patch Headers + HunkSig, 0.85-0.90), Tier 4 (Binary Fingerprints, 0.55-0.85). BackportProofService orchestrates queries across all tiers and combines the evidence into cryptographic ProofBlobs.

## Implementation Details

- **BackportProofGenerator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs` -- orchestrator for multi-tier detection, split into partials:
  - `.Tier1` -- Distro advisory matching (0.98 confidence)
  - `.Tier2` -- Advisory-level evidence (0.90-0.95)
  - `.Tier3` -- Changelog/patch header matching (0.80-0.85)
  - `.Tier3Signature` -- HunkSig binary signature matching
  - `.Tier4` -- Binary fingerprint comparison (0.55-0.85)
  - `.Confidence` -- confidence scoring with multi-source bonus
  - `.CombineEvidence` -- evidence aggregation across tiers
  - `.Status` -- detection status tracking
  - `.VulnerableUnknown` -- unknown vulnerability handling
- **Evidence Summary**: `Generators/EvidenceSummary.cs` -- aggregated evidence from all tiers.
- **Proof Blob**: `Models/ProofBlob.cs` -- cryptographic proof container with SHA-256 hash.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs`

## E2E Test Plan

- [ ] Run Tier 1 detection with a known distro advisory match and verify 0.98 confidence
- [ ] Run Tier 2 detection with changelog evidence and verify 0.80 confidence
- [ ] Run Tier 3 detection with patch header matching and verify 0.85-0.90 confidence
- [ ] Run Tier 3 Signature detection with HunkSig binary comparison and verify the confidence range
- [ ] Run Tier 4 detection with binary fingerprint comparison and verify 0.55-0.85 confidence
- [ ] Run all four tiers and verify `CombineEvidence` produces an aggregated result with the multi-source bonus
- [ ] Verify the combined evidence is wrapped in a cryptographic `ProofBlob` with a valid SHA-256 hash
- [ ] Test a package with no backport evidence across all tiers and verify `VulnerableUnknown` handling

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
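The tier bands, evidence combination and ProofBlob hashing described above, as an added Python model that is not the project's C# code: it enforces the per-tier confidence bands from the Description, combines evidence with an assumed multi-source bonus (0.02 per additional distinct tier, capped at 0.99; the real `.Confidence` formula is not given on the page), falls back to `VulnerableUnknown` when no tier produced evidence, and wraps the result in a blob whose SHA-256 is taken over canonical JSON so it can be re-verified. Package and source names are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Confidence bands per tier as stated in the Description section.
TIER_BANDS = {1: (0.98, 0.98), 2: (0.80, 0.80), 3: (0.85, 0.90), 4: (0.55, 0.85)}
MULTI_SOURCE_BONUS = 0.02   # assumed bonus per additional distinct tier (not from the page)
MAX_CONFIDENCE = 0.99       # assumed cap so combined evidence never claims certainty

@dataclass(frozen=True)
class Evidence:
    tier: int          # 1..4
    source: str        # advisory id, changelog path, hunk signature, binary fingerprint
    confidence: float

    def __post_init__(self):
        lo, hi = TIER_BANDS[self.tier]   # reject scores a tier is not allowed to emit
        if not lo <= self.confidence <= hi:
            raise ValueError(f"tier {self.tier} confidence {self.confidence} outside [{lo}, {hi}]")

def combine_evidence(evidence):
    """Aggregate per-tier evidence into a status and confidence (modelled, not the project's algorithm)."""
    if not evidence:
        return {"status": "VulnerableUnknown", "confidence": 0.0, "tiers": []}
    tiers = sorted({e.tier for e in evidence})
    best = max(e.confidence for e in evidence)
    bonus = MULTI_SOURCE_BONUS * (len(tiers) - 1)   # independent tiers corroborating each other
    return {"status": "Backported", "confidence": round(min(best + bonus, MAX_CONFIDENCE), 4), "tiers": tiers}

def build_proof_blob(package, evidence):
    """Wrap the evidence and combined result in a blob hashed over its canonical JSON form."""
    payload = {
        "package": package,
        "evidence": [asdict(e) for e in sorted(evidence, key=lambda e: (e.tier, e.source))],
        "result": combine_evidence(evidence),
    }
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload, "sha256": hashlib.sha256(canonical).hexdigest()}

def verify_proof_blob(blob):
    """Recompute the hash over the canonical payload; any edit to the payload fails this check."""
    canonical = json.dumps(blob["payload"], sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest() == blob["sha256"]

if __name__ == "__main__":
    # Constructed sample: a changelog mention (Tier 2) plus a binary fingerprint match (Tier 4).
    sample = [Evidence(2, "debian/changelog", 0.80), Evidence(4, "libexample.so.1 fingerprint", 0.70)]
    blob = build_proof_blob("libexample 1.2.3-4 (constructed)", sample)
    print(blob["payload"]["result"], blob["sha256"], verify_proof_blob(blob))
```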