git.stella-ops.org/docs/features/unchecked/attestor/trust-verdict-evidence-chain.md

Trust Verdict Evidence Chain (Merkle Proof)

Module

Attestor

Status

IMPLEMENTED

Description

Trust verdict evidence chain built as a Merkle tree for tamper-evident evidence binding, with proofs and evidence ordering for verifiable trust scoring.

Implementation Details

• Trust Evidence Merkle Builder: src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/Evidence/TrustEvidenceMerkleBuilder.cs (with .Verify) -- builds Merkle trees over trust evidence items, providing inclusion proofs and tree-level verification. Implements ITrustEvidenceMerkleBuilder.cs.
• Trust Evidence Merkle Tree: Evidence/TrustEvidenceMerkleTree.cs -- the Merkle tree structure holding evidence nodes with root hash and leaf count.
• Trust Evidence Merkle Tree Extensions: Evidence/TrustEvidenceMerkleTreeExtensions.cs -- extension methods for tree traversal and proof extraction.
• Merkle Proof: Evidence/MerkleProof.cs -- inclusion proof for a single evidence item within the trust evidence Merkle tree.
• Trust Evidence Ordering: Evidence/TrustEvidenceOrdering.cs -- deterministic ordering of evidence items before tree construction to ensure reproducible root hashes.
• Trust Evidence Chain Predicate: Predicates/TrustEvidenceChain.cs -- predicate model containing the ordered list of evidence items and the Merkle root binding them.
• Trust Evidence Item: Predicates/TrustEvidenceItem.cs -- individual evidence item (origin verification, freshness, reputation) included in the chain.
• Trust Verdict Predicate: Predicates/TrustVerdictPredicate.cs -- the overall trust verdict that references the evidence chain Merkle root.
• Trust Verdict Service: Services/TrustVerdictService.cs (with .BuildPredicate, .Builders, .Generate, .Scoring) -- orchestrates evidence collection, chain building, and verdict generation.
• Tests: __Tests/StellaOps.Attestor.TrustVerdict.Tests/

E2E Test Plan

• Build a trust evidence chain via TrustEvidenceMerkleBuilder with 5 evidence items and verify the Merkle root is deterministic across repeated builds
• Generate an inclusion proof for a specific evidence item via TrustEvidenceMerkleBuilder and verify it against the Merkle root via .Verify
• Verify evidence ordering: create evidence items in random order, build two chains, and confirm identical Merkle roots due to TrustEvidenceOrdering
• Generate a full trust verdict via TrustVerdictService.Generate and verify TrustVerdictPredicate contains the evidence chain Merkle root
• Tamper with one evidence item after chain construction and verify the Merkle proof fails validation
• Build a chain with a single evidence item and verify the Merkle root equals the leaf hash
• Verify the TrustEvidenceChain predicate serializes to JSON with ordered evidence items and Merkle root
• Build a large chain (100+ items) and verify proof verification completes in under 50ms