# Hash-stable proofs (deterministic attestation outputs)

## Module
Attestor

## Status
VERIFIED

## Description
Determinism is enforced and tested at multiple levels: attestation type determinism, DSSE envelope determinism, canonical payload determinism, with dedicated benchmark harness.

## Implementation Details
- **RFC 8785 Canonicalizer**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` (with `.DecimalPoint`, `.NumberSerialization`, `.StringNormalization`, `.WriteMethods`) -- deterministic JSON serialization per RFC 8785 (JCS). Ensures identical logical JSON always produces identical byte output.
- **Content-Addressed ID Generator**: `Identifiers/ContentAddressedIdGenerator.cs` (with `.Graph`) -- generates SHA-256-based IDs from canonicalized content, guaranteeing hash stability.
- **Deterministic Merkle Tree**: `Merkle/DeterministicMerkleTreeBuilder.cs` (with `.Helpers`, `.Proof`) -- builds Merkle trees with deterministic leaf ordering and hash computation.
- **DSSE Envelope**: `Signing/DsseEnvelope.cs` -- deterministic envelope structure with canonical payload encoding.
- **Proof Chain Signer**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- deterministic signing ensuring same payload + key = same signature.
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds in-toto statements with deterministic field ordering.
- **Predicate Schema Validator**: `Json/PredicateSchemaValidator.cs` (with `.Validators`, `.DeltaValidators`) -- validates predicates conform to schemas ensuring structural consistency.
- **SBOM Canonicalizer**: `__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.Elements.cs` -- deterministic SBOM element ordering.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/DeterminismTests.cs`, `Rfc8785JsonCanonicalizerTests.cs`

## E2E Test Plan
- [ ] Serialize the same predicate twice via `Rfc8785JsonCanonicalizer` and verify byte-identical output
- [ ] Generate a `ContentAddressedId` from a predicate, serialize/deserialize the predicate, regenerate the ID, and verify they match
- [ ] Build two DSSE envelopes from the same payload and key, verify the envelopes are byte-identical
- [ ] Build a `DeterministicMerkleTreeBuilder` tree from leaves in different insertion orders and verify the root hash is identical
- [ ] Create an in-toto statement via `StatementBuilder`, serialize with JCS, re-parse, re-serialize, and verify byte-identical output
- [ ] Canonicalize an SBOM via `SbomCanonicalizer` with components in random order and verify the output is sorted deterministically
- [ ] Run the determinism benchmark harness and verify zero hash mismatches across 1000+ iterations

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |