# Graph Root DSSE Attestation Service

## Module
Attestor

## Status
VERIFIED

## Description
Service for creating and verifying DSSE-wrapped in-toto attestations of Merkle graph roots. Supports multiple graph types (ResolvedExecutionGraph, ReachabilityGraph, DependencyGraph, ProofSpine, EvidenceGraph) with optional Rekor publication. Enables offline verification by comparing recomputed roots against attested values. Distinct from "Merkle Root Aggregation" and "Graph Revision IDs" which compute roots; this attests them as first-class DSSE-signed entities.

## Implementation Details
- **Graph Root Attestor**: `src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/GraphRootAttestor.cs` -- creates DSSE-signed in-toto attestations wrapping Merkle roots. Implements `IGraphRootAttestor.cs`.
- **Merkle Root Computer**: `Sha256MerkleRootComputer.cs` -- SHA-256 Merkle root computation over sorted leaf hashes. Implements `IMerkleRootComputer.cs`.
- **Graph Root Predicate**: `Models/GraphRootPredicate.cs` -- in-toto predicate containing root hash, graph type, leaf count, timestamp.
- **Attestation Request**: `Models/GraphRootAttestationRequest.cs` -- specifies graph type, leaves, and signing options.
- **Attestation Result**: `Models/GraphRootResults.cs` -- contains the signed DSSE envelope and computed root.
- **Graph Types**: `GraphType.cs` -- enum: ResolvedExecutionGraph, ReachabilityGraph, DependencyGraph, ProofSpine, EvidenceGraph.
- **DSSE Signing**: `__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` (with `.Verification`) -- signs and verifies DSSE envelopes.
- **Rekor Publication**: `StellaOps.Attestor.Core/Rekor/RekorSubmissionService.cs` -- publishes signed attestations to Rekor transparency log.
- **DI Registration**: `GraphRootServiceCollectionExtensions.cs` -- registers all graph root services.
- **Tests**: `__Tests/StellaOps.Attestor.GraphRoot.Tests/`

## E2E Test Plan
- [ ] Create a `GraphRootAttestationRequest` for each supported `GraphType` and verify `GraphRootAttestor` produces valid DSSE envelopes
- [ ] Verify the DSSE envelope contains a valid in-toto statement with predicate type matching the graph root schema
- [ ] Verify the DSSE signature over the graph root attestation using `ProofChainSigner.Verification`
- [ ] Recompute the Merkle root from the same leaves and verify it matches the root in the attested predicate (offline verification)
- [ ] Submit a graph root attestation to Rekor via `RekorSubmissionService` and verify a log entry is created
- [ ] Create attestations for two different graph types (e.g., ReachabilityGraph vs DependencyGraph) and verify they produce distinct predicates
- [ ] Modify one leaf in the input set, recompute, and verify the attested root no longer matches (tamper detection)

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |