Add Canonical JSON serialization library with tests and documentation

- Implemented CanonJson class for deterministic JSON serialization and hashing.
- Added unit tests for CanonJson functionality, covering various scenarios including key sorting, handling of nested objects, arrays, and special characters.
- Created project files for the Canonical JSON library and its tests, including necessary package references.
- Added README.md for library usage and API reference.
- Introduced RabbitMqIntegrationFactAttribute for conditional RabbitMQ integration tests.

docs/reachability/DELIVERY_GUIDE.md

@@ -123,6 +123,49 @@ Each sprint is two weeks; refer to `docs/implplan/SPRINT_0401_0001_0001_reachabi
 - Status model: `always_reachable`, `conditional`, `not_reachable`, `not_analyzed`, `ambiguous`, each with confidence and evidence tags.
 - Deliver language-specific profiles + fixture cases to prove coverage; update CLI/UI explainers to show framework route context.
 
+### 5.10 Vulnerability Surfaces (Sprint 3700)
+
+Vulnerability surfaces identify **which specific methods changed** in a security fix, enabling precise reachability analysis:
+
+- **Surface computation**: Download vulnerable and fixed package versions, fingerprint all methods, diff to find changed methods (sinks).
+- **Trigger extraction**: Build internal call graphs, reverse BFS from sinks to public APIs (triggers).
+- **Per-ecosystem support**:
+  - NuGet: Cecil IL fingerprinting
+  - npm: Babel AST fingerprinting  
+  - Maven: ASM bytecode fingerprinting
+  - PyPI: Python AST fingerprinting
+- **Integration**: `ISurfaceQueryService` queries triggers during scan; use triggers as sinks instead of all package methods.
+- **Storage**: `scanner.vuln_surfaces`, `scanner.vuln_surface_sinks`, `scanner.vuln_surface_triggers` tables.
+- **Docs**: `docs/contracts/vuln-surface-v1.md` for schema details.
+
+### 5.11 Confidence Tiers
+
+Reachability findings are classified into confidence tiers:
+
+| Tier | Condition | Display | Implications |
+|------|-----------|---------|--------------|
+| **Confirmed** | Surface exists AND trigger method is reachable | Red badge | Highest confidence—vulnerable code definitely called |
+| **Likely** | No surface but package API is called | Orange badge | Medium confidence—package used but specific vuln path unknown |
+| **Present** | No call graph, dependency in SBOM | Gray badge | Lowest confidence—cannot determine reachability |
+| **Unreachable** | Surface exists AND no trigger reachable | Green badge | High confidence vulnerability is not exploitable |
+
+- Tier assignment logic in `SurfaceAwareReachabilityAnalyzer`
+- API responses include `confidenceTier` and `confidenceDisplay`
+- UI badges reflect tier colors
+- VEX statements reference tier in justification
+
+### 5.12 Reachability Drift (Sprint 3600)
+
+Track function-level reachability changes between scans:
+
+- **New reachable**: Sinks that became reachable (alert)
+- **Mitigated**: Sinks that became unreachable (positive)
+- **Causal attribution**: Why change occurred (guard removed, new route, code change)
+- **Components**: `DriftDetectionEngine`, `PathCompressor`, `DriftCauseExplainer`
+- **API**: `POST /api/drift/analyze`, `GET /api/drift/{id}`
+- **UI**: `PathViewerComponent`, `RiskDriftCardComponent`
+- **Attestation**: DSSE-signed drift predicates for evidence chain
+
 ---
 
 ## 6. Acceptance Tests
@@ -139,7 +182,7 @@ Each sprint is two weeks; refer to `docs/implplan/SPRINT_0401_0001_0001_reachabi
 
 - Place developer-facing updates here (`docs/reachability`).
 - [Function-level evidence guide](function-level-evidence.md) captures the Nov 2025 advisory scope, task references, and schema expectations; keep it in lockstep with sprint status.
-- [Reachability runtime runbook](../runbooks/reachability-runtime.md) documents ingestion, CAS staging, air-gap handling, and troubleshooting—link every runtime feature PR to this guide.
+- [Reachability runtime runbook](../runbooks/reachability-runtime.md) documents ingestion, CAS staging, air-gap handling, and troubleshooting—link every runtime feature PR to this guide.
 - [VEX Evidence Playbook](../benchmarks/vex-evidence-playbook.md) defines the bench repo layout, artifact shapes, verifier tooling, and metrics; keep it updated when Policy/Signer/CLI features land.
 - [Reachability lattice](lattice.md) describes the confidence states, evidence/mitigation kinds, scoring policy, event graph schema, and VEX gates; update it when lattices or probes change.
 - [PURL-resolved edges spec](purl-resolved-edges.md) defines the purl + symbol-digest annotation rules for graphs and SBOM joins.