new advisories work and features gaps work

2026-01-14 18:39:19 +02:00
parent 95d5898650
commit 15aeac8e8b
148 changed files with 16731 additions and 554 deletions
--- a/docs/modules/policy/contracts/reachability-input-contract.md
+++ b/docs/modules/policy/contracts/reachability-input-contract.md
@@ -465,8 +465,113 @@ PolicyEngine:

 ---

+## 11. Node Hash and Path Gating Extensions
+
+Sprint: SPRINT_20260112_008_DOCS_path_witness_contracts (PW-DOC-004)
+
+### 11.1 Extended ReachabilityInput Fields
+
+The following fields extend `ReachabilityInput` for path-level gating:
+
+```csharp
+public sealed record ReachabilityInput
+{
+    // ... existing fields ...
+
+    /// <summary>Canonical path hash computed from entry to sink.</summary>
+    public string? PathHash { get; init; }
+
+    /// <summary>Top-K node hashes along the path.</summary>
+    public ImmutableArray<string> NodeHashes { get; init; }
+
+    /// <summary>Entry point node hash.</summary>
+    public string? EntryNodeHash { get; init; }
+
+    /// <summary>Sink (vulnerable symbol) node hash.</summary>
+    public string? SinkNodeHash { get; init; }
+
+    /// <summary>When runtime evidence was observed (UTC).</summary>
+    public DateTimeOffset? RuntimeEvidenceAt { get; init; }
+
+    /// <summary>Whether path was observed at runtime.</summary>
+    public bool ObservedAtRuntime { get; init; }
+}
+```
+
+### 11.2 Node Hash Computation
+
+Node hashes are computed using the canonical recipe:
+
+```
+nodeHash = SHA256(normalize(purl) + ":" + normalize(symbol))
+```
+
+See `docs/contracts/witness-v1.md` for normalization rules.
+
+### 11.3 Policy DSL Access
+
+The following fields are exposed in policy evaluation context:
+
+| DSL Path | Type | Description |
+|----------|------|-------------|
+| `reachability.pathHash` | string | Canonical path hash |
+| `reachability.nodeHashes` | array | Top-K node hashes |
+| `reachability.entryNodeHash` | string | Entry point node hash |
+| `reachability.sinkNodeHash` | string | Sink node hash |
+| `reachability.runtimeEvidenceAt` | datetime | Runtime observation timestamp |
+| `reachability.observedAtRuntime` | boolean | Whether confirmed at runtime |
+| `reachability.runtimeEvidenceAge` | duration | Age of runtime evidence |
+
+### 11.4 Path Gating Examples
+
+Block paths confirmed at runtime:
+
+```yaml
+match:
+  reachability:
+    pathHash:
+      exists: true
+    observedAtRuntime: true
+action: block
+```
+
+Require fresh runtime evidence:
+
+```yaml
+match:
+  reachability:
+    runtimeEvidenceAge:
+      gt: 24h
+action: warn
+message: "Runtime evidence is stale"
+```
+
+Block specific node patterns:
+
+```yaml
+match:
+  reachability:
+    nodeHashes:
+      contains_any:
+        - "sha256:critical-auth-node..."
+action: block
+```
+
+### 11.5 Runtime Evidence Freshness
+
+Runtime evidence age is computed as:
+
+```
+runtimeEvidenceAge = now() - runtimeEvidenceAt
+```
+
+Freshness thresholds can be configured per environment in `DeterminizationOptions`.
+
+---
+
 ## Changelog

 | Version | Date | Changes |
 |---------|------|---------|
+| 1.1.0 | 2026-01-14 | Added node hash, path gating, and runtime evidence fields (SPRINT_20260112_008) |
 | 1.0.0 | 2025-12-19 | Initial release |