stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
d0f2cc3b2cf0dfa4b1ea69737ad5ebd02089fbc6
git.stella-ops.org/docs/features/checked/attestor/graph-revision-id.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.7 KiB
Raw Blame History

Graph Revision ID (Merkle root over SBOM + edges + policies + tool versions)

Module

Attestor

Status

VERIFIED

Description

Content-addressed graph revision IDs and Merkle root computation are implemented via the GraphRoot library with dedicated attestor, models, and SHA-256-based Merkle root computation.

Implementation Details

  • Merkle Root Computer: src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/Sha256MerkleRootComputer.cs -- computes SHA-256 Merkle roots over sorted leaf hashes (SBOM components, edges, policies, tool versions). Implements IMerkleRootComputer.cs.
  • Graph Root Attestor: GraphRootAttestor.cs -- creates DSSE-signed in-toto attestations of computed Merkle roots. Implements IGraphRootAttestor.cs.
  • Graph Root Predicate: Models/GraphRootPredicate.cs -- in-toto predicate containing the Merkle root hash, graph type, leaf count, and computation timestamp.
  • Attestation Request: Models/GraphRootAttestationRequest.cs -- request model specifying which graph type and leaves to include.
  • Attestation Result: Models/GraphRootResults.cs -- result containing the signed attestation envelope and Merkle root.
  • Graph Type: GraphType.cs -- enum: ResolvedExecutionGraph, ReachabilityGraph, DependencyGraph, ProofSpine, EvidenceGraph.
  • Options: GraphRootAttestorOptions.cs -- configuration for signing key, predicate type URI.
  • DI Registration: GraphRootServiceCollectionExtensions.cs -- registers graph root services.
  • Content-Addressed IDs: __Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.Graph.cs -- generates graph-scoped content-addressed IDs.
  • Tests: __Tests/StellaOps.Attestor.GraphRoot.Tests/

E2E Test Plan

  • Compute a Merkle root via Sha256MerkleRootComputer over a set of SBOM component hashes and verify the root is deterministic (same inputs = same root)
  • Change one leaf hash and verify the Merkle root changes
  • Create a GraphRootAttestationRequest for a ReachabilityGraph and verify GraphRootAttestor produces a signed DSSE envelope with the correct predicate type
  • Verify GraphRootPredicate contains the expected Merkle root, leaf count, and graph type
  • Compute roots for two different GraphType values with the same leaves and verify the roots differ (graph type is included in hashing)
  • Recompute a Merkle root from the same inputs and verify it matches the attested value (offline verification)
  • Verify the DSSE envelope signature via the verification pipeline

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001