stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/features/checked/attestor/deterministic-verdict-serialization.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.7 KiB
Raw Permalink Blame History

Deterministic verdict serialization (canonical JSON / JCS)

Module

Attestor

Status

VERIFIED

Description

RFC 8785 (JCS) canonical JSON serializer ensures deterministic, byte-stable verdict serialization for reproducible signing.

Implementation Details

  • RFC 8785 Canonicalizer: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs -- full RFC 8785 implementation with partials for decimal, number, string, and write operations.
  • Verdict Receipt Payload: __Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs -- verdict payload serialized canonically for signing.
  • Verdict Decision: Statements/VerdictDecision.cs, VerdictInputs.cs, VerdictOutputs.cs -- verdict computation components serialized deterministically.
  • Verdict Summary: Predicates/VerdictSummary.cs -- summary predicate for verdict output.
  • Proof Chain Signer: Signing/ProofChainSigner.cs -- signs canonical verdict payloads.
  • DSSE Canonicalizer: StellaOps.Attestor.Core/Submission/IDsseCanonicalizer.cs, Infrastructure/Submission/DefaultDsseCanonicalizer.cs -- canonicalizes DSSE payloads before signing.
  • Canonical JSON Serializer (Core): StellaOps.Attestor.Core/Serialization/CanonicalJsonSerializer.cs -- core canonical JSON serializer.
  • Verdict Ledger: __Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerEntry.cs, VerdictLedgerService.cs -- ledger entries use canonical serialization.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/JsonCanonicalizerTests.cs, __Tests/StellaOps.Attestor.Tests/VerdictLedgerHashTests.cs, StellaOps.Attestor.Core.Tests/Serialization/CanonicalJsonSerializerTests.cs

E2E Test Plan

  • Serialize a VerdictReceiptPayload to canonical JSON and verify key ordering matches RFC 8785
  • Serialize the same verdict twice and verify byte-for-byte equality
  • Sign a canonical verdict via ProofChainSigner and verify the signature covers the canonical bytes
  • Verify a signed verdict: re-canonicalize the payload and confirm the hash matches the signed hash
  • Serialize a verdict with various data types (strings, numbers, booleans, nulls, arrays, objects) and verify each type follows RFC 8785 rules
  • Store a verdict in VerdictLedgerService and verify the ledger hash matches the canonical hash
  • Canonicalize via DefaultDsseCanonicalizer and verify it produces identical output to Rfc8785JsonCanonicalizer

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001