stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/canonical-graph-signature-deterministic-verdicts.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.8 KiB
Raw Blame History

Canonical Graph Signature (CGS) / Deterministic Verdicts

Module

Attestor

Status

VERIFIED

Description

Deterministic Merkle tree builder, content-addressed IDs, and canonical JSON serialization produce same-inputs-same-output verdicts with verifiable digests.

Implementation Details

  • Deterministic Merkle Tree: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Merkle/DeterministicMerkleTreeBuilder.cs (with .Helpers, .Proof partials) -- implements IMerkleTreeBuilder. Builds Merkle trees with deterministic leaf ordering for canonical graph signatures.
  • Merkle Proof: MerkleProof.cs, MerkleProofStep.cs -- inclusion proof model. MerkleTreeWithProofs.cs -- tree with generated proofs.
  • Content-Addressed IDs: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs (with .Graph partial) -- generates deterministic SHA-256 IDs from content. Types: ArtifactId.cs, EvidenceId.cs, ProofBundleId.cs, VexVerdictId.cs, ReasoningId.cs, GraphRevisionId.cs.
  • Canonical JSON: __Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs (with .DecimalPoint, .NumberSerialization, .StringNormalization, .WriteMethods) -- RFC 8785 JCS ensuring deterministic serialization.
  • Verdict Receipt: Statements/VerdictReceiptPayload.cs, VerdictReceiptStatement.cs -- verdict receipts with deterministic content.
  • Verdict Decision: Statements/VerdictDecision.cs, VerdictInputs.cs, VerdictOutputs.cs -- verdict computation model.
  • Proof Hashing: __Libraries/StellaOps.Attestor.ProofChain/ProofHashing.cs -- SHA-256 hashing utilities.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/MerkleTreeBuilderTests.cs, ContentAddressedIdTests.cs, ContentAddressedIdGeneratorTests.cs, JsonCanonicalizerTests.cs

E2E Test Plan

  • Build a Merkle tree from 10 evidence items via DeterministicMerkleTreeBuilder and verify the root hash is deterministic (build twice, compare roots)
  • Generate an inclusion proof for a specific leaf and verify MerkleProof validates against the root
  • Generate ContentAddressedId for identical content twice and verify IDs match
  • Generate IDs for different content and verify they differ
  • Canonicalize a JSON object with out-of-order keys via Rfc8785JsonCanonicalizer and verify key ordering matches RFC 8785
  • Create a VerdictReceiptPayload from identical inputs twice and verify the serialized output is byte-for-byte identical
  • Build a GraphRevisionId from a proof graph state and verify it changes when graph content changes

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001