stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/delta-verdict-and-change-trace-system.md

3.1 KiB
Raw Blame History

Delta Verdict and Change Trace System

Module

Attestor

Status

IMPLEMENTED

Description

Full delta computation engine with verdict predicates, change trace entries, budget tracking, VEX delta computation, attestation service, and smart diff with trust indicators. Frontend delta-verdict service and models consume the API. Delta-first comparison shows what changed since last trusted point.

Implementation Details

  • Delta Verdict Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs (with .Budget partial) -- predicate for delta verdict attestations with budget impact tracking.
  • Delta Models: DeltaVerdictChange.cs -- individual change entry. DeltaFindingKey.cs -- unique finding identifier for delta tracking. VerdictDeltaSummary.cs -- summary of all changes. VerdictFindingChange.cs -- per-finding change details. VerdictRuleChange.cs -- policy rule changes.
  • Change Trace Service: __Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/ChangeTraceAttestationService.cs (with .Helpers, .Mapping) -- implements IChangeTraceAttestationService. Produces change trace attestations.
  • Change Trace Predicate: Predicates/ChangeTracePredicate.cs, ChangeTracePredicateSummary.cs, ChangeTraceDeltaEntry.cs -- change trace predicate models.
  • VEX Delta: Predicates/VexDeltaPredicate.cs, VexDeltaChange.cs, VexDeltaStatement.cs, VexDeltaSummary.cs -- VEX-specific delta tracking.
  • SBOM Delta: Predicates/SbomDeltaPredicate.cs, SbomDeltaComponent.cs, SbomDeltaSummary.cs, SbomDeltaVersionChange.cs -- SBOM diff tracking.
  • Statements: Statements/DeltaVerdictStatement.cs, ChangeTraceStatement.cs -- in-toto statement wrappers.
  • Trust Delta: Predicates/TrustDeltaRecord.cs -- trust score change tracking.
  • Delta Attestation Service (Core): StellaOps.Attestor.Core/Delta/DeltaAttestationService.cs, IDeltaAttestationService.cs
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/Statements/DeltaVerdictStatementTests.cs, ChangeTrace/ChangeTracePredicateTests.cs, StellaOps.Attestor.Core.Tests/Delta/DeltaAttestationServiceTests.cs

E2E Test Plan

  • Generate a delta verdict between two snapshots with added, removed, and changed findings and verify DeltaVerdictPredicate categorizes each correctly
  • Verify VerdictDeltaSummary counts (added, removed, changed, unchanged) match the actual changes
  • Generate a change trace via ChangeTraceAttestationService and verify ChangeTraceDeltaEntry entries capture timestamps and change types
  • Compute a VEX delta between two VEX documents and verify VexDeltaSummary tracks status changes
  • Compute an SBOM delta between two SBOMs and verify SbomDeltaComponent captures added/removed/changed components
  • Verify budget impact tracking in DeltaVerdictPredicate.Budget by adding findings that exceed budget thresholds
  • Verify TrustDeltaRecord captures trust score changes between snapshots
  • Wrap delta verdict in DeltaVerdictStatement and verify valid in-toto statement output