4-Tier Backport Evidence Resolver

Module

Concelier

VERIFIED

Multi-tier backport evidence resolution with tier precedence, distro mappings, cross-distro OVAL integration, and deterministic backport verdicts.

Modules: src/Concelier/__Libraries/StellaOps.Concelier.Merge/, src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/
Key Classes:
- BackportEvidenceResolver (src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/BackportEvidenceResolver.cs) - multi-tier evidence resolution with tier precedence logic
- BackportStatusService (src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/Services/BackportStatusService.cs) - backport status lookups with version comparison
- FixIndexService (src/Concelier/__Libraries/StellaOps.Concelier.BackportProof/Services/FixIndexService.cs) - O(1) distro patch lookups via fix index
- ProvenanceScopeService (src/Concelier/__Libraries/StellaOps.Concelier.Merge/Backport/ProvenanceScopeService.cs) - provenance scope tracking for backport-aware deduplication
Persistence: ProvenanceScopeRepository (src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/ProvenanceScopeRepository.cs)
Source: Feature matrix scan

Submit a CVE with known backport status across multiple distros and verify the BackportEvidenceResolver returns correct tier-based verdict
Verify tier precedence: Tier 1 evidence (direct patch proof) overrides Tier 2/3/4 evidence
Verify cross-distro resolution: same CVE produces correct backport verdicts for Alpine, Debian, and RedHat simultaneously
Verify deterministic verdicts: identical inputs produce identical backport verdicts across repeated runs
Verify FixIndexService returns O(1) lookup performance for known distro patch entries