1.7 KiB
1.7 KiB
Hybrid Diff Patching (Source + Symbols + Binary)
Purpose
This document captures the product-level blueprint for hybrid diff patching:
- Source semantic edits (AST-level intent).
- Build-time symbol mapping (source ranges to binary symbols and addresses).
- Normalized binary deltas (stable and compact byte patches).
- Signed evidence bundle for policy gating and replay.
The goal is to make release decisions auditable at function granularity while remaining deterministic and offline-capable.
Review outcome (2026-02-16)
The advisory blueprint is implemented in the BinaryIndex DeltaSig pipeline.
Implemented in this sprint:
- Deterministic semantic edit scripts and source anchors.
- Canonical symbol-map contracts with build-id linkage (manifest-backed and deterministic fallback modes).
- Deterministic
symbol_patch_planandpatch_manifestartifacts tied to function-level deltas and digest-linked evidence. - DeltaSig predicate embedding of the full hybrid evidence chain.
- Fail-closed hybrid verifier checks for digest/linkage/boundary mismatches.
- Policy gates for hybrid presence, AST anchors, namespace protection, and patch byte budgets.
Known constraints:
- Semantic edits currently use deterministic text/symbol heuristics rather than language-specific AST adapters.
- Full byte-level patch replay execution remains a follow-on integration concern for Attestor/Doctor runtime workflows.
Canonical module dossier
Detailed contracts, phased implementation, and policy hooks are defined in:
docs/modules/binary-index/hybrid-diff-stack.md
Execution sprint
Implementation planning for this advisory is tracked in:
docs/implplan/SPRINT_20260216_001_BinaryIndex_hybrid_diff_patch_pipeline.md