stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fa4823f46c4bc090294580a9136fb6b0e11e50f9
git.stella-ops.org/docs/features/unchecked/attestor/signed-delta-verdicts.md

2.5 KiB
Raw Blame History

Signed delta-verdicts (cryptographically bound verdicts per policy evaluation)

Module

Attestor

Status

IMPLEMENTED

Description

Delta verdict model and predicate types implement signed, cryptographically bound verdicts tracking changes between policy evaluations.

Implementation Details

  • Delta Verdict Predicate: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs (with .Budget) -- predicate capturing security state changes between evaluations.
  • Delta Verdict Change: Predicates/DeltaVerdictChange.cs -- individual change entry (new finding, resolved finding, status change).
  • Delta Finding Key: Predicates/DeltaFindingKey.cs -- unique key identifying a finding across evaluations.
  • Delta Verdict Statement: Statements/DeltaVerdictStatement.cs -- in-toto statement wrapping the delta verdict.
  • Verdict Delta Summary: Predicates/VerdictDeltaSummary.cs -- summary counts (new, resolved, unchanged, changed).
  • Verdict Finding Change: Predicates/VerdictFindingChange.cs -- detailed finding change with before/after states.
  • Verdict Rule Change: Predicates/VerdictRuleChange.cs -- policy rule changes between evaluations.
  • Change Trace: ChangeTrace/ChangeTraceAttestationService.cs (with .Helpers, .Mapping) -- creates attestations tracking changes over time.
  • DSSE Signing: Signing/ProofChainSigner.cs -- cryptographically signs delta verdicts into DSSE envelopes.
  • Content-Addressed IDs: Identifiers/ContentAddressedIdGenerator.cs -- generates deterministic IDs for delta verdicts.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/DeltaVerdictTests.cs

E2E Test Plan

  • Create a DeltaVerdictPredicate with 3 new findings, 2 resolved, and 1 status change; sign into DSSE envelope
  • Verify VerdictDeltaSummary correctly counts all change categories
  • Verify DeltaFindingKey uniquely identifies findings across evaluations (same CVE + component = same key)
  • Verify VerdictFindingChange captures before/after states for changed findings
  • Verify VerdictRuleChange captures policy rule additions/removals between evaluations
  • Verify the DSSE signature via ProofChainSigner.Verification and confirm cryptographic binding
  • Create a change trace attestation via ChangeTraceAttestationService linking the delta to its parent evaluations
  • Verify delta with budget: create a delta that exceeds the uncertainty budget and verify the violation is captured in .Budget