semi implemented and features implemented save checkpoint

docs/features/unchecked/reachgraph/cve-to-symbol-mapping-service.md

@@ -0,0 +1,30 @@
+# CVE-to-Symbol Mapping Service
+
+## Module
+ReachGraph
+
+## Status
+IMPLEMENTED
+
+## Description
+CVE-to-symbol mapping service with controller endpoint and service interface for reachability analysis in the ReachGraph module.
+
+## Implementation Details
+- **ICveSymbolMappingService interface**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/ICveSymbolMappingService.cs` -- `GetMappingsForCveAsync`, `GetMappingsForPackageAsync`, `SearchBySymbolAsync`, `AddOrUpdateMappingAsync`, `AnalyzePatchAsync`, `EnrichFromOsvAsync`, `GetStatsAsync`
+- **CveSymbolMappingService**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/CveSymbolMappingService.cs` -- core implementation
+- **CveMappingController**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/CveMappingController.cs` -- REST API at `v1/cve-mappings` with endpoints: GET `{cveId}`, GET `by-package?purl=`, GET `by-symbol?symbol=`, POST (upsert), POST `analyze-patch`, POST `{cveId}/enrich`, GET `stats`; rate limiting (`reachgraph-read`/`reachgraph-write`); response caching (1h for reads, 5m for stats)
+- **CveSymbolMapping model**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/CveSymbolMapping.cs` -- CVE-to-symbol mapping with PURL, `VulnerableSymbol`, `MappingSource` (OSV/NVD/Manual/PatchAnalysis/Vendor), confidence score, `VulnerabilityType`, affected/fixed versions
+- **VulnerableSymbol**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/VulnerableSymbol.cs` -- symbol with canonical ID, file path, line range
+- **Patch analysis**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/IPatchSymbolExtractor.cs`, `FunctionBoundaryDetector.cs`, `GitDiffExtractor.cs`, `UnifiedDiffParser.cs` -- extract vulnerable symbols from commits/patches
+- **OSV enrichment**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/IOsvEnricher.cs`, `OsvEnricher.cs` -- enrich mappings from OSV database
+- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify GET `v1/cve-mappings/{cveId}` returns symbol mappings with PURL, confidence, and evidence URI
+- [ ] Test GET `by-package?purl=` returns all CVE mappings for a given package
+- [ ] Verify GET `by-symbol?symbol=&language=` searches by symbol name with optional language filter
+- [ ] Test POST upsert creates/updates mappings idempotently
+- [ ] Verify POST `analyze-patch` extracts vulnerable symbols from diff content
+- [ ] Test POST `{cveId}/enrich` retrieves and persists OSV-sourced mappings
+- [ ] Verify GET `stats` returns corpus statistics (total mappings, unique CVEs/packages, average confidence)

docs/features/unchecked/reachgraph/reachability-analysis-with-call-graph-evidence.md

@@ -0,0 +1,30 @@
+# Reachability Analysis with Call Graph Evidence
+
+## Module
+ReachGraph
+
+## Status
+IMPLEMENTED
+
+## Description
+Reachability analysis is implemented with a dedicated ReachGraph backend service, frontend reachability explanation views, and witness path components showing call graph evidence traces.
+
+## Implementation Details
+- **ReachGraphController**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/ReachGraphController.cs` -- REST API at `v1/reachgraphs` with slice queries supporting call graph evidence; GET `{digest}/slice` with `q` (package), `cve`, `entrypoint`, `file` query parameters
+- **IReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphSliceService.cs` -- `SliceByPackageAsync`, `SliceByCveAsync` (returns `CveSliceResponse` with `Sinks` and `Paths`), `SliceByEntrypointAsync`, `SliceByFileAsync`
+- **ReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs` -- cached slice computation with `IReachGraphCache`
+- **ReachabilityPath model**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- `Entrypoint`, `Sink`, `Hops` (call chain), `Edges` (graph edges showing evidence trace)
+- **CveSliceResponse**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- extends `SliceQueryResponse` with `Sinks` and `Paths` for call graph evidence
+- **IReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` -- unified facade with `QueryStaticAsync`, `QueryRuntimeAsync`, `QueryHybridAsync` combining static call graph with runtime evidence
+- **EvidenceUriBuilder**: `src/__Libraries/StellaOps.Reachability.Core/EvidenceUriBuilder.cs` -- builds URIs for evidence artifacts
+- **Frontend**: reachability explanation views and witness path components in `src/Web/`
+- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify CVE slice returns reachability paths with entrypoint-to-sink hops
+- [ ] Test call graph evidence trace includes edge types and evidence URIs
+- [ ] Verify package slice shows upstream/downstream reachability with configurable depth
+- [ ] Test entrypoint slice traces all paths from a given entrypoint
+- [ ] Verify file-based slice returns reachability for symbols in a specific file
+- [ ] Test frontend reachability explanation view renders witness paths correctly

docs/features/unchecked/reachgraph/reachability-aware-vulnerability-analysis.md

@@ -0,0 +1,34 @@
+# Reachability-Aware Vulnerability Analysis (Multi-Layer)
+
+## Module
+ReachGraph
+
+## Status
+IMPLEMENTED
+
+## Description
+Multi-layer reachability with source (Layer1/2/3), binary mapping, and runtime correlation. Lattice-based states and hybrid results combining static and runtime analysis.
+
+## Implementation Details
+- **IReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` -- unified facade: `QueryStaticAsync` (Layer 1-3 source analysis), `QueryRuntimeAsync` (runtime correlation), `QueryHybridAsync` (combines static + runtime with lattice state)
+- **ReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityIndex.cs` -- default implementation combining adapters
+- **HybridReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/HybridReachabilityResult.cs` -- hybrid result with lattice state, confidence, VEX recommendation
+- **StaticReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/StaticReachabilityResult.cs` -- static analysis result
+- **RuntimeReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/RuntimeReachabilityResult.cs` -- runtime observation result
+- **LatticeState enum**: `src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs` -- 8-state lattice (U/SR/SU/RO/RU/CR/CU/X)
+- **ReachabilityLattice**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityLattice.cs` -- state machine with `FrozenDictionary` transitions, evidence accumulation, confidence scoring
+- **ConfidenceCalculator**: `src/__Libraries/StellaOps.Reachability.Core/ConfidenceCalculator.cs` -- confidence computation
+- **IReachGraphAdapter**: `src/__Libraries/StellaOps.Reachability.Core/IReachGraphAdapter.cs` -- adapter for ReachGraph data
+- **ISignalsAdapter**: `src/__Libraries/StellaOps.Reachability.Core/ISignalsAdapter.cs` -- adapter for runtime signals
+- **HybridQueryOptions**: `src/__Libraries/StellaOps.Reachability.Core/HybridQueryOptions.cs` -- query options for hybrid analysis
+- **Symbol infrastructure**: `src/__Libraries/StellaOps.Reachability.Core/Symbols/` -- `SymbolCanonicalizer`, `SymbolMatcher`, normalizers (DotNet, Java, Native, Script)
+- **Tests**: `src/__Libraries/__Tests/StellaOps.Reachability.Core.Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify static reachability query (Layer 1-3) returns call graph path evidence
+- [ ] Test runtime reachability query correlates observed execution with observation window
+- [ ] Verify hybrid query combines static and runtime into lattice state with confidence
+- [ ] Test multi-layer analysis transitions correctly through lattice states
+- [ ] Verify batch query for CVE vulnerability analysis returns results for all symbols
+- [ ] Test symbol canonicalization across languages (Java, .NET, native, script)

docs/features/unchecked/reachgraph/reachability-fallback-mechanisms.md

@@ -0,0 +1,28 @@
+# Reachability Fallback Mechanisms
+
+## Module
+ReachGraph
+
+## Status
+IMPLEMENTED
+
+## Description
+ReachGraph service with slice and replay capabilities for reachability analysis with deterministic replay support.
+
+## Implementation Details
+- **IReachGraphStoreService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphStoreService.cs` -- `UpsertAsync`, `GetByDigestAsync`, `ListByArtifactAsync`, `DeleteAsync` for graph storage with fallback
+- **ReachGraphStoreService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphStoreService.cs` -- coordinates between `IReachGraphRepository` (persistence), `IReachGraphCache` (caching), and `IReachGraphSignerService` (signing); supports digest-based idempotent upserts
+- **IReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphSliceService.cs` -- multi-dimensional slice queries (by-package, by-CVE, by-entrypoint, by-file) with configurable depth and direction
+- **ReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs` -- cached slice computation; falls back to full graph loading when cache misses
+- **IReachGraphReplayService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphReplayService.cs` -- deterministic replay as fallback verification mechanism
+- **ReachGraphReplayService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphReplayService.cs` -- replays computation from SBOM, VEX, callgraph, and runtime facts inputs; compares computed digest against expected
+- **PaginationService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/PaginationService.cs` -- cursor-based pagination for large result sets
+- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify graph retrieval falls back from cache to database when cache misses
+- [ ] Test slice queries degrade gracefully when full graph is not available
+- [ ] Verify replay verification provides fallback for determinism validation
+- [ ] Test idempotent upsert handles concurrent writes without data loss
+- [ ] Verify pagination handles large result sets with cursor-based navigation

docs/features/unchecked/reachgraph/reachability-replay-verification.md

@@ -0,0 +1,28 @@
+# Reachability Replay Verification
+
+## Module
+ReachGraph
+
+## Status
+IMPLEMENTED
+
+## Description
+Replay verification service for reachability computations is implemented in the ReachGraph module.
+
+## Implementation Details
+- **IReachGraphReplayService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphReplayService.cs` -- `ReplayAsync(ReplayRequest, tenantId)` for deterministic replay verification
+- **ReachGraphReplayService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphReplayService.cs` -- recomputes graph from inputs (SBOM, VEX, callgraph, runtime facts), compares digest using `ReachGraphDigestComputer`; reports `ReplayDivergence` (NodesAdded, NodesRemoved, EdgesChanged) on mismatch
+- **ReplayRequest model**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- `ExpectedDigest`, `ReplayInputs` (SBOM, VEX, callgraph, runtime facts), optional `ReachGraphScope`
+- **ReplayResponse model**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- `Match` (bool), `ComputedDigest`, `ExpectedDigest`, `DurationMs`, `InputsVerified` (per-input verification), `Divergence` (detailed diff)
+- **ReachGraphController replay endpoint**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/ReachGraphController.cs` -- POST `v1/reachgraphs/replay` with rate limiting
+- **NodeHashRecipe**: `src/__Libraries/StellaOps.Reachability.Core/NodeHashRecipe.cs` -- deterministic node hashing
+- **PathHashRecipe**: `src/__Libraries/StellaOps.Reachability.Core/PathHashRecipe.cs` -- deterministic path hashing
+- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify replay from identical inputs produces matching digest (deterministic)
+- [ ] Test replay with modified SBOM detects divergence with accurate node/edge diff
+- [ ] Verify InputsVerified reports individual input verification status
+- [ ] Test replay duration is reported in milliseconds for performance monitoring
+- [ ] Verify replay endpoint handles missing original graph with appropriate error

docs/features/unchecked/reachgraph/reachgraph-slice-query-rest-apis.md

@@ -0,0 +1,38 @@
+# ReachGraph Slice Query REST APIs
+
+## Module
+ReachGraph
+
+## Status
+IMPLEMENTED
+
+## Description
+REST API layer for ReachGraph with slice queries by package, CVE, entrypoint, and file path. Includes replay endpoint for deterministic verification, pagination service, and store service. While "ReachGraph Service" is known, the specific slice query API layer with multi-dimensional querying (by-package, by-CVE, by-entrypoint, by-file) is a distinct shipped capability.
+
+## Implementation Details
+- **ReachGraphController**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/ReachGraphController.cs` -- REST API at `v1/reachgraphs` with full CRUD and slice queries:
+  - POST `/` -- upsert graph (idempotent by BLAKE3 digest)
+  - GET `/{digest}` -- retrieve full graph (cached 24h, ETag support)
+  - GET `/{digest}/slice?q=` -- slice by package PURL with wildcards, configurable depth/direction
+  - GET `/{digest}/slice?cve=` -- slice by CVE with sinks and reachability paths
+  - GET `/{digest}/slice?entrypoint=` -- slice by entrypoint (max depth 10)
+  - GET `/{digest}/slice?file=` -- slice by file path
+  - POST `/replay` -- deterministic replay verification
+  - GET `/by-artifact/{artifactDigest}` -- list graphs for artifact
+  - DELETE `/{digest}` -- admin delete
+- **IReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphSliceService.cs` -- four slice methods with configurable depth
+- **ReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs` -- cached slice computation
+- **SliceQueryResponse model**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- `SchemaVersion`, `SliceQuery` (type/query/cve/entrypoint/file/depth/direction), `Nodes`, `Edges`, counts
+- **CveSliceResponse**: extends `SliceQueryResponse` with `Sinks` and `ReachabilityPath` (entrypoint-to-sink hops with edges)
+- **PaginationService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/PaginationService.cs` -- cursor-based pagination for large slices
+- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`, `ReachGraphTestFactory.cs`
+- **Source**: SPRINT_1227_0012_0002_BE_reachgraph_store.md
+
+## E2E Test Plan
+- [ ] Verify package slice returns subgraph with nodes/edges at configurable depth (default 3)
+- [ ] Test CVE slice returns sinks and reachability paths with hop sequences
+- [ ] Verify entrypoint slice traces all downstream paths (max depth 10)
+- [ ] Test file-based slice returns reachability for all symbols in a file
+- [ ] Verify direction parameter filters upstream/downstream/both edges
+- [ ] Test by-artifact listing returns all graphs for an artifact digest
+- [ ] Verify response caching (24h for full graph, slice-specific cache keys)

docs/features/unchecked/reachgraph/static-sbom-call-graph-pruning.md

@@ -0,0 +1,29 @@
+# Static SBOM Call-Graph Pruning
+
+## Module
+ReachGraph
+
+## Status
+IMPLEMENTED
+
+## Description
+SBOM-based reachability filtering is implemented as a pipeline stage in the Scanner worker, with dependency reachability reporting and ReachGraph storage.
+
+## Implementation Details
+- **IReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` -- `QueryStaticAsync` for static call-graph reachability analysis; `QueryHybridAsync` with batch support for SBOM-wide analysis
+- **ReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityIndex.cs` -- implementation using adapters for graph and signals data
+- **LatticeState.StaticReachable / StaticUnreachable**: `src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs` -- static analysis determines SR or SU lattice state for each symbol
+- **ReachabilityLattice**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityLattice.cs` -- transitions from Unknown to StaticReachable (confidence 0.30) or StaticUnreachable (confidence 0.40) based on call graph evidence
+- **SymbolRef**: `src/__Libraries/StellaOps.Reachability.Core/SymbolRef.cs` -- symbol reference for graph queries
+- **Symbol canonicalization**: `src/__Libraries/StellaOps.Reachability.Core/Symbols/SymbolCanonicalizer.cs`, `SymbolMatcher.cs` -- language-aware symbol normalization for accurate graph matching
+- **ReachGraphStoreService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphStoreService.cs` -- stores pruned/filtered reachability graphs
+- **ReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs` -- slice queries for accessing filtered results by package
+- **Tests**: `src/__Libraries/__Tests/StellaOps.Reachability.Core.Tests/`
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Verify static call-graph analysis correctly identifies reachable symbols (SR state)
+- [ ] Test unreachable symbols are pruned with StaticUnreachable (SU) state
+- [ ] Verify SBOM-based batch query prunes findings for all packages in SBOM
+- [ ] Test symbol canonicalization handles cross-language symbol formats
+- [ ] Verify pruned results are stored in ReachGraph and queryable via slice API