stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/deterministic-evidence-graph-with-hash-addressed-nodes.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.7 KiB
Raw Blame History

Deterministic Evidence Graph with Hash-Addressed Nodes

Module

Attestor

Status

VERIFIED

Description

Content-addressed proof graph with typed nodes/edges, subgraph extraction, mutation operations, and content-addressed ID generation for all identifiers (ArtifactId, EvidenceId, ProofBundleId, VexVerdictId, etc.).

Implementation Details

  • Proof Graph Service: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs -- implements IProofGraphService with partials:
    • .Mutation -- add/remove nodes and edges
    • .Queries -- query nodes by type, find paths, get neighbors
    • .Subgraph -- extract subgraphs rooted at a specific node
  • Graph Models: ProofGraphNode.cs (typed via ProofGraphNodeType), ProofGraphEdge.cs (typed via ProofGraphEdgeType), ProofGraphPath.cs, ProofGraphSubgraph.cs
  • Content-Addressed IDs: Identifiers/ContentAddressedIdGenerator.cs (with .Graph) -- generates deterministic node/edge IDs from content. Types: ArtifactId, EvidenceId, ProofBundleId, VexVerdictId, ReasoningId, GraphRevisionId, TrustAnchorId, SbomEntryId.
  • Graph Root Attestation: src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/ -- GraphRootAttestor.cs (implements IGraphRootAttestor), Sha256MerkleRootComputer.cs (implements IMerkleRootComputer). Models: GraphRootAttestation.cs, GraphRootPredicate.cs, GraphRootResults.cs.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ContentAddressedIdGeneratorTests.cs, __Tests/StellaOps.Attestor.GraphRoot.Tests/GraphRootAttestorTests.cs, Sha256MerkleRootComputerTests.cs

E2E Test Plan

  • Add 5 nodes of different types (Evidence, Verdict, Policy, Artifact) to InMemoryProofGraphService and verify each gets a unique content-addressed ID
  • Add edges between nodes and verify edge IDs are deterministic based on source, target, and type
  • Query nodes by type and verify correct filtering
  • Find a path between two nodes via graph queries and verify ProofGraphPath contains the correct sequence
  • Extract a subgraph rooted at an evidence node and verify it contains only reachable nodes and edges
  • Remove a node via mutation and verify all connected edges are also removed
  • Compute graph root attestation via GraphRootAttestor and verify GraphRootPredicate contains the Merkle root of all node IDs
  • Add identical content as a node twice and verify deduplication (same content-addressed ID)

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001