new advisories work and features gaps work

src/Scanner/StellaOps.Scanner.WebService/Contracts/UnifiedEvidenceContracts.cs

@@ -41,6 +41,11 @@ public sealed record UnifiedEvidenceResponseDto
     /// <summary>Policy evaluation evidence.</summary>
     public PolicyEvidenceDto? Policy { get; init; }
 
+    // Sprint: SPRINT_20260112_009_SCANNER_binary_diff_bundle_export (BINDIFF-SCAN-001)
+
+    /// <summary>Binary diff evidence with semantic and structural changes.</summary>
+    public BinaryDiffEvidenceDto? BinaryDiff { get; init; }
+
     // === Manifest Hashes ===
 
     /// <summary>Content-addressed hashes for determinism verification.</summary>
@@ -388,3 +393,131 @@ public sealed record VerificationStatusDto
     /// <summary>Last verification timestamp.</summary>
     public DateTimeOffset? VerifiedAt { get; init; }
 }
+
+// Sprint: SPRINT_20260112_009_SCANNER_binary_diff_bundle_export (BINDIFF-SCAN-001)
+
+/// <summary>
+/// Binary diff evidence for unified evidence response.
+/// </summary>
+public sealed record BinaryDiffEvidenceDto
+{
+    /// <summary>Evidence status.</summary>
+    public required string Status { get; init; }
+
+    /// <summary>SHA-256 hash of the evidence content.</summary>
+    public string? Hash { get; init; }
+
+    /// <summary>Previous binary artifact digest.</summary>
+    public string? PreviousBinaryDigest { get; init; }
+
+    /// <summary>Current binary artifact digest.</summary>
+    public string? CurrentBinaryDigest { get; init; }
+
+    /// <summary>Type of diff (structural, semantic, hybrid).</summary>
+    public string? DiffType { get; init; }
+
+    /// <summary>Binary format/ISA (e.g., elf-x86_64).</summary>
+    public string? BinaryFormat { get; init; }
+
+    /// <summary>Tool and version used for diffing.</summary>
+    public string? ToolVersion { get; init; }
+
+    /// <summary>Overall similarity score (0.0-1.0).</summary>
+    public double? SimilarityScore { get; init; }
+
+    /// <summary>Number of function-level changes.</summary>
+    public int FunctionChangeCount { get; init; }
+
+    /// <summary>Number of symbol-level changes.</summary>
+    public int SymbolChangeCount { get; init; }
+
+    /// <summary>Number of section-level changes.</summary>
+    public int SectionChangeCount { get; init; }
+
+    /// <summary>Number of security-relevant changes.</summary>
+    public int SecurityChangeCount { get; init; }
+
+    /// <summary>Whether semantic diff is available.</summary>
+    public bool HasSemanticDiff { get; init; }
+
+    /// <summary>Semantic similarity score (0.0-1.0).</summary>
+    public double? SemanticSimilarity { get; init; }
+
+    /// <summary>Function-level changes.</summary>
+    public IReadOnlyList<BinaryFunctionDiffDto>? FunctionChanges { get; init; }
+
+    /// <summary>Security-relevant changes.</summary>
+    public IReadOnlyList<BinarySecurityChangeDto>? SecurityChanges { get; init; }
+
+    /// <summary>DSSE attestation reference for binary diff.</summary>
+    public AttestationRefDto? Attestation { get; init; }
+
+    /// <summary>CAS URI for full binary diff evidence.</summary>
+    public string? CasUri { get; init; }
+}
+
+/// <summary>
+/// Function-level diff entry for binary diff.
+/// </summary>
+public sealed record BinaryFunctionDiffDto
+{
+    /// <summary>Diff operation (added, removed, modified).</summary>
+    public required string Operation { get; init; }
+
+    /// <summary>Function name.</summary>
+    public required string FunctionName { get; init; }
+
+    /// <summary>Function signature (if available).</summary>
+    public string? Signature { get; init; }
+
+    /// <summary>Semantic similarity score for modified functions.</summary>
+    public double? Similarity { get; init; }
+
+    /// <summary>Node hash for reachability correlation.</summary>
+    public string? NodeHash { get; init; }
+
+    /// <summary>Whether this function is security-sensitive.</summary>
+    public bool SecuritySensitive { get; init; }
+}
+
+/// <summary>
+/// Security-relevant change in binary.
+/// </summary>
+public sealed record BinarySecurityChangeDto
+{
+    /// <summary>Type of security change.</summary>
+    public required string ChangeType { get; init; }
+
+    /// <summary>Severity level (info, warning, critical).</summary>
+    public required string Severity { get; init; }
+
+    /// <summary>Description of the change.</summary>
+    public required string Description { get; init; }
+
+    /// <summary>Affected function name.</summary>
+    public string? AffectedFunction { get; init; }
+
+    /// <summary>Suggested remediation.</summary>
+    public string? Remediation { get; init; }
+}
+
+/// <summary>
+/// Attestation reference for evidence.
+/// </summary>
+public sealed record AttestationRefDto
+{
+    /// <summary>Attestation ID.</summary>
+    public required string Id { get; init; }
+
+    /// <summary>Predicate type URI.</summary>
+    public required string PredicateType { get; init; }
+
+    /// <summary>DSSE envelope digest.</summary>
+    public string? EnvelopeDigest { get; init; }
+
+    /// <summary>Rekor log index (if anchored).</summary>
+    public long? RekorLogIndex { get; init; }
+
+    /// <summary>CAS URI for full attestation.</summary>
+    public string? CasUri { get; init; }
+}