save checkpoint

docs/features/checked/scanner/reachability-slice-dsse-predicate.md

@@ -0,0 +1,46 @@
+# Reachability Slice DSSE Predicate (Attestable Minimal Subgraph)
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Defines attestable reachability slices as DSSE predicates (`stellaops.dev/predicates/reachability-slice@v1`) containing minimal subgraphs for specific CVE queries. Includes slice extraction from full call graphs, DSSE signing with CAS storage, and verdict computation (reachable/unreachable/unknown with confidence scores).
+
+## Implementation Details
+- **Slice Extraction**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceExtractor.cs` - `SliceExtractor` extracts minimal subgraphs from full call graphs for specific CVE queries
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceModels.cs` - Models for reachability slices including verdict (reachable/unreachable/unknown) with confidence scores
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceSchema.cs` - Schema definition for `stellaops.dev/predicates/reachability-slice@v1` predicate
+- **DSSE Signing**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDsseSigner.cs` - `SliceDsseSigner` signs reachability slices as DSSE predicates
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceHasher.cs` - `SliceHasher` computes content-addressed hashes for slice integrity
+- **CAS Storage**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceCasStorage.cs` - `SliceCasStorage` content-addressable storage for DSSE-signed reachability slices
+- **Policy Binding**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/PolicyBinding.cs` - Policy version binding for slices
+- **Observed Path Slices**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/ObservedPathSliceGenerator.cs` - Generates slices from runtime-observed paths
+- **Diff Computation**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDiffComputer.cs` - Computes diffs between slice versions
+
+## E2E Test Plan
+- [ ] Extract a reachability slice for a specific CVE and verify it contains the minimal subgraph (entrypoint to vulnerable function)
+- [ ] Verify the slice is signed as a DSSE predicate with `stellaops.dev/predicates/reachability-slice@v1` type
+- [ ] Verify the slice includes a verdict (reachable/unreachable/unknown) with a confidence score
+- [ ] Verify DSSE signature verification passes for a correctly signed slice
+- [ ] Verify CAS storage correctly stores and retrieves slices by content address
+- [ ] Verify slice diff computation identifies changes between two slice versions for the same CVE
+
+---
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source files exist | PASS |
+| Tier 1 - Build + code review | PASS |
+| Tier 2 - Integration tests | PASS |
+| Verified | 2026-02-13T18:10:00Z |