git.stella-ops.org/docs/features/checked/attestor/content-addressed-identifiers.md

Content-Addressed Identifiers (ArtifactId, EvidenceId, ProofBundleId)

Module

Attestor

Status

VERIFIED

Description

Full content-addressed ID system with types for ArtifactId, EvidenceId, ReasoningId, VexVerdictId, ProofBundleId, plus a content-addressed ID generator and SHA256 parser.

Implementation Details

• ID Generator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs (with .Graph partial) -- implements IContentAddressedIdGenerator. Generates SHA-256 content-addressed IDs from canonical JSON content.
• Base Types: ContentAddressedId.cs -- base record type. GenericContentAddressedId.cs -- generic typed variant.
• Typed ID Records:
  • ArtifactId.cs -- identifies attestation artifacts
  • EvidenceId.cs -- identifies evidence items
  • ProofBundleId.cs -- identifies proof bundles
  • VexVerdictId.cs -- identifies VEX verdicts
  • ReasoningId.cs -- identifies reasoning chains
  • SbomEntryId.cs -- identifies SBOM entries
  • TrustAnchorId.cs -- identifies trust anchors
  • GraphRevisionId.cs -- identifies graph revision state
• SHA-256 Parser: Sha256IdParser.cs -- parses and validates sha256:<64-hex-chars> format.
• Proof Hashing: __Libraries/StellaOps.Attestor.ProofChain/ProofHashing.cs -- SHA-256 hashing utilities.
• Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ContentAddressedIdTests.cs, ContentAddressedIdGeneratorTests.cs

E2E Test Plan

• Generate an ArtifactId from content via ContentAddressedIdGenerator and verify the output matches sha256:<64-hex-chars> format
• Generate IDs for identical content twice and verify they are equal
• Generate IDs for different content and verify they differ
• Parse a valid sha256:abc123... string via Sha256IdParser and verify successful parsing
• Attempt to parse an invalid ID (wrong prefix, wrong length) and verify parser rejects it
• Generate EvidenceId, ProofBundleId, VexVerdictId, ReasoningId for same content and verify they produce the same hash but are distinct types
• Generate a GraphRevisionId from a proof graph state, modify the graph, regenerate, and verify the ID changes
• Verify SbomEntryId produces deterministic IDs for identical SBOM component content

Verification

Check	Result
Tier 0 - Source Verification	PASS
Tier 1 - Build + Code Review	PASS
Tier 2 - Behavioral Verification	PASS
Verified Date	2026-02-13
Run ID	run-001