# Reachability-Aware Vulnerability Analysis (Multi-Layer)

## Module

ReachGraph

## Status

IMPLEMENTED

## Description

Multi-layer reachability with source (Layer1/2/3), binary mapping, and runtime correlation. Lattice-based states and hybrid results combining static and runtime analysis.

## Implementation Details

- **IReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` -- unified facade: `QueryStaticAsync` (Layer 1-3 source analysis), `QueryRuntimeAsync` (runtime correlation), `QueryHybridAsync` (combines static + runtime with lattice state)
- **ReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityIndex.cs` -- default implementation combining adapters
- **HybridReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/HybridReachabilityResult.cs` -- hybrid result with lattice state, confidence, VEX recommendation
- **StaticReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/StaticReachabilityResult.cs` -- static analysis result
- **RuntimeReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/RuntimeReachabilityResult.cs` -- runtime observation result
- **LatticeState enum**: `src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs` -- 8-state lattice (U/SR/SU/RO/RU/CR/CU/X)
- **ReachabilityLattice**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityLattice.cs` -- state machine with `FrozenDictionary` transitions, evidence accumulation, confidence scoring
- **ConfidenceCalculator**: `src/__Libraries/StellaOps.Reachability.Core/ConfidenceCalculator.cs` -- confidence computation
- **IReachGraphAdapter**: `src/__Libraries/StellaOps.Reachability.Core/IReachGraphAdapter.cs` -- adapter for ReachGraph data
- **ISignalsAdapter**: `src/__Libraries/StellaOps.Reachability.Core/ISignalsAdapter.cs` -- adapter for runtime signals
- **HybridQueryOptions**: `src/__Libraries/StellaOps.Reachability.Core/HybridQueryOptions.cs` -- query options for hybrid analysis
- **Symbol infrastructure**: `src/__Libraries/StellaOps.Reachability.Core/Symbols/` -- `SymbolCanonicalizer`, `SymbolMatcher`, normalizers (DotNet, Java, Native, Script)
- **Tests**: `src/__Libraries/__Tests/StellaOps.Reachability.Core.Tests/`
- **Source**: Feature matrix scan

## E2E Test Plan

- [ ] Verify static reachability query (Layer 1-3) returns call graph path evidence
- [ ] Test runtime reachability query correlates observed execution with observation window
- [ ] Verify hybrid query combines static and runtime into lattice state with confidence
- [ ] Test multi-layer analysis transitions correctly through lattice states
- [ ] Verify batch query for CVE vulnerability analysis returns results for all symbols
- [ ] Test symbol canonicalization across languages (Java, .NET, native, script)