git.stella-ops.org/docs/features/unchecked/attestor/single-canonical-verdict-attestation-per-subject.md

Single Canonical Verdict Attestation per Subject

Module: Attestor

Status: IMPLEMENTED

Description

The VerdictBuilder service produces signed verdict attestations wrapped in DSSE envelopes, so that each artifact (subject) has exactly one canonical verdict.

Implementation Details

  • Verdict Receipt Statement: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptStatement.cs -- in-toto statement wrapping the single canonical verdict for a subject.
  • Verdict Receipt Payload: Statements/VerdictReceiptPayload.cs -- payload with decision, inputs, outputs, and rationale.
  • Verdict Decision: Statements/VerdictDecision.cs -- the canonical decision (Pass/Fail/Warn).
  • Statement Builder: Builders/StatementBuilder.cs -- builds the verdict statement with subject binding.
  • Proof Subject: Builders/ProofSubject.cs -- binds the verdict to a single artifact digest (subject).
  • DSSE Signing: Signing/ProofChainSigner.cs -- signs the canonical verdict into a DSSE envelope.
  • Content-Addressed ID: Identifiers/ContentAddressedIdGenerator.cs -- generates a unique content-addressed ID for the verdict.
  • Verdict Ledger: __Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerService.cs -- ensures single canonical verdict per subject in the ledger.
  • Trust Verdict Service: __Libraries/StellaOps.Attestor.TrustVerdict/Services/ -- trust verdict service managing canonical verdicts.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/VerdictCanonicalTests.cs

E2E Test Plan

  • Create a verdict for a subject digest via StatementBuilder and sign it; verify the DSSE envelope binds to exactly one subject
  • Verify the verdict content-addressed ID is deterministic for the same decision and inputs
  • Create a second verdict for the same subject and verify the canonical verdict is the latest one
  • Query the verdict ledger for a subject and verify only one canonical verdict is returned
  • Verify the canonical verdict contains complete inputs and outputs for auditability
  • Create verdicts for different subjects and verify each subject has its own canonical verdict
  • Verify the DSSE signature binds the verdict to the immutable artifact digest
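The following is an added, self-contained illustration of the mechanism the Implementation Details and the E2E Test Plan above describe: a single-subject in-toto statement carrying the verdict, a content-addressed ID derived from the canonical statement bytes, a DSSE envelope signed over the pre-authentication encoding (PAE), and a ledger that keeps one canonical verdict per subject digest while retaining history for audit. It is written in Python with the standard library only and is not the project's C# code; the predicate URI, key id, key bytes and sample digests are constructed placeholders, and HMAC-SHA256 stands in for the real asymmetric signer.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

# Constructed placeholders (not StellaOps identifiers): predicate URI, key id and key bytes.
VERDICT_PREDICATE_TYPE = "https://example.invalid/attestor/verdict-receipt/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"
DEMO_KEY_ID = "demo-hmac-key"
DEMO_KEY = b"constructed-demo-key-do-not-use"
DECISIONS = ("Pass", "Fail", "Warn")


def canonical_json(obj: Any) -> bytes:
    """Deterministic serialisation so equal verdicts produce identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_verdict_statement(subject_name: str, subject_sha256: str, decision: str,
                            inputs: Dict[str, Any], outputs: Dict[str, Any],
                            rationale: str) -> Dict[str, Any]:
    """in-toto Statement v1 whose subject list holds exactly one artifact digest."""
    if decision not in DECISIONS:
        raise ValueError(f"decision must be one of {DECISIONS}")
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
        "predicateType": VERDICT_PREDICATE_TYPE,
        "predicate": {"decision": decision, "inputs": inputs,
                      "outputs": outputs, "rationale": rationale},
    }


def content_addressed_id(statement: Dict[str, Any]) -> str:
    """Hash of the canonical statement bytes: same decision and inputs give the same ID."""
    return "sha256:" + hashlib.sha256(canonical_json(statement)).hexdigest()


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding; the signature covers type and length, not just bytes."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def sign_statement(statement: Dict[str, Any], key: bytes = DEMO_KEY) -> Dict[str, Any]:
    """Wrap the statement in a DSSE envelope (HMAC-SHA256 stands in for a real signer)."""
    payload = canonical_json(statement)
    sig = hmac.new(key, dsse_pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": DEMO_KEY_ID, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: Dict[str, Any], key: bytes = DEMO_KEY) -> Dict[str, Any]:
    """Verify the signature over the PAE and enforce the single-subject rule."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, dsse_pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"]):
        raise ValueError("DSSE signature does not verify")
    statement = json.loads(payload)
    if len(statement.get("subject", [])) != 1:
        raise ValueError("verdict must bind to exactly one subject")
    if statement.get("predicateType") != VERDICT_PREDICATE_TYPE:
        raise ValueError("envelope is not a verdict receipt")
    return statement


class VerdictLedger:
    """One canonical (latest verified) verdict per subject digest, plus full history for audit."""

    def __init__(self) -> None:
        self._canonical: Dict[str, Dict[str, Any]] = {}
        self._history: Dict[str, List[Dict[str, Any]]] = {}

    def record(self, envelope: Dict[str, Any], key: bytes = DEMO_KEY) -> str:
        statement = verify_envelope(envelope, key)  # unverifiable verdicts never enter the ledger
        digest = statement["subject"][0]["digest"]["sha256"]
        self._history.setdefault(digest, []).append(envelope)
        self._canonical[digest] = statement  # the latest verdict supersedes earlier ones
        return content_addressed_id(statement)

    def canonical_verdict(self, digest: str) -> Optional[Dict[str, Any]]:
        return self._canonical.get(digest)

    def history_len(self, digest: str) -> int:
        return len(self._history.get(digest, []))


if __name__ == "__main__":
    digest = "a" * 64  # constructed sample artifact digest
    ledger = VerdictLedger()
    first = build_verdict_statement("app:1.0", digest, "Pass", {"sbom": "sha256:demo"}, {}, "no findings")
    second = build_verdict_statement("app:1.0", digest, "Fail", {"sbom": "sha256:demo"}, {}, "critical CVE")
    ledger.record(sign_statement(first))
    ledger.record(sign_statement(second))
    print(ledger.canonical_verdict(digest)["predicate"]["decision"], ledger.history_len(digest))
```

Two design points worth noting against the test plan: the ID is computed over the canonical statement rather than the envelope, so re-signing the same verdict does not change its identity, and the ledger verifies before it records, so a verdict whose signature or subject binding fails never becomes canonical.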