# Smart-Diff Material Risk Change Detection (R1-R4 Rules, Reachability Integration)

## Module

Scanner

## Status

VERIFIED

## Description

`MaterialRiskChangeDetector` implementing rules R1-R4 (reachability flip, VEX status flip, affected range boundary, intelligence/policy flip) with reachability gate bridge, boundary proofs, predicate schema with JSON serializer and schema validation, and deterministic golden fixture tests.

## Implementation Details

- **Material Risk Change Detector**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/MaterialRiskChangeDetector.cs` - `MaterialRiskChangeDetector` implementing rules R1 (reachability flip), R2 (VEX status flip), R3 (affected range boundary), R4 (intelligence/policy flip)
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/MaterialRiskChangeResult.cs` - `MaterialRiskChangeResult` model capturing detected material risk changes
- **Reachability Gate Bridge**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/ReachabilityGateBridge.cs` - `ReachabilityGateBridge` connecting SmartDiff detection with reachability analysis for R1 rule evaluation
- **Delta Verdict Builder**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Attestation/DeltaVerdictBuilder.cs` - `DeltaVerdictBuilder` building attestation predicates for material risk changes
- **SARIF Output**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifOutputGenerator.cs` - `SarifOutputGenerator` producing SARIF output for SmartDiff findings (rules SDIFF001-004)
- **Configuration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/SmartDiffScoringConfig.cs` - Scoring configuration for risk change detection thresholds
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/Repositories.cs` - Repository interfaces for SmartDiff persistence
- **Persistence**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresMaterialRiskChangeRepository.cs` - PostgreSQL persistence for material risk changes
- **WebService**:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/SmartDiffEndpoints.cs` - SmartDiff REST API endpoints
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/MaterialRiskChangeDetectorTests.cs` - Unit tests for R1-R4 rules
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/ReachabilityGateBridgeTests.cs` - Gate bridge tests
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/StateComparisonGoldenTests.cs` - Golden fixture determinism tests
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/SarifOutputGeneratorTests.cs` - SARIF output tests
  - `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/DeltaVerdictBuilderTests.cs` - Verdict builder tests

## E2E Test Plan

- [ ] Detect a reachability flip (R1) when a previously unreachable vulnerability becomes reachable and verify the material risk change is captured
- [ ] Detect a VEX status flip (R2) when a VEX statement changes from "not_affected" to "affected" and verify the change is classified correctly
- [ ] Detect an affected range boundary change (R3) when a vulnerability's affected version range expands to include the scanned version
- [ ] Detect an intelligence/policy flip (R4) when external intelligence or policy rules change the risk assessment
- [ ] Verify `ReachabilityGateBridge` correctly integrates reachability data for R1 rule evaluation
- [ ] Run golden fixture tests and verify deterministic output (byte-for-byte identical for same inputs)

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
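The four detection rules and the determinism requirement from the E2E Test Plan, worked as an added example. This is illustrative Python written for this page, not the StellaOps `MaterialRiskChangeDetector` or its `MaterialRiskChangeResult` model: the `FindingState` fields, the `allow`/`block` policy verdicts, the exposed/not-exposed VEX grouping and the sample CVE ids and purls are all constructed assumptions. It compares one "before" and one "after" snapshot, emits R1-R4 changes in a canonical order, and serializes them so the same inputs always produce the same bytes, which is the property a golden-fixture test checks.

```python
"""Illustrative R1-R4 material-risk-change detector.

Added example for this page; hypothetical model, not the StellaOps SmartDiff code.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FindingState:
    """One vulnerability/component pair as seen in a scan snapshot (assumed shape)."""
    vuln_id: str
    purl: str
    scanned_version: str
    reachable: Optional[bool]        # None = no reachability evidence for this finding
    vex_status: str                  # not_affected | fixed | under_investigation | affected
    affected_introduced: str         # inclusive lower bound of the affected range
    affected_fixed: Optional[str]    # exclusive upper bound; None = no fix released
    policy_verdict: str              # allow | block (assumed two-state policy outcome)


def _ver(v: str) -> Tuple[int, ...]:
    # Simplified numeric versions only (1.2.3); real scanners need ecosystem-aware ordering.
    return tuple(int(p) for p in v.split("."))


def in_affected_range(s: FindingState) -> bool:
    """True if the scanned version falls inside [introduced, fixed)."""
    v = _ver(s.scanned_version)
    if v < _ver(s.affected_introduced):
        return False
    return s.affected_fixed is None or v < _ver(s.affected_fixed)


_VEX_EXPOSED = {"affected", "under_investigation"}


def _reach_label(r: bool) -> str:
    return "reachable" if r else "unreachable"


def _range_str(s: FindingState) -> str:
    return f"[{s.affected_introduced}, {s.affected_fixed or '*'})"


def _change(rule: str, s: FindingState, old: str, new: str, risk_up: bool) -> dict:
    return {"rule": rule, "vuln_id": s.vuln_id, "purl": s.purl,
            "from": old, "to": new, "direction": "increase" if risk_up else "decrease"}


def detect_material_changes(before: List[FindingState], after: List[FindingState]) -> List[dict]:
    """Compare two snapshots and return R1-R4 changes in a canonical order."""
    old = {(s.vuln_id, s.purl): s for s in before}
    new = {(s.vuln_id, s.purl): s for s in after}
    changes: List[dict] = []
    # Iterating sorted keys (not input order) is what makes the output deterministic.
    for key in sorted(old.keys() & new.keys()):
        a, b = old[key], new[key]
        # R1: reachability flip. Missing evidence on either side is not a flip.
        if a.reachable is not None and b.reachable is not None and a.reachable != b.reachable:
            changes.append(_change("R1", b, _reach_label(a.reachable), _reach_label(b.reachable), b.reachable))
        # R2: VEX status flip across the exposed / not-exposed boundary.
        if (a.vex_status in _VEX_EXPOSED) != (b.vex_status in _VEX_EXPOSED):
            changes.append(_change("R2", b, a.vex_status, b.vex_status, b.vex_status in _VEX_EXPOSED))
        # R3: affected-range boundary moved across the scanned version.
        was_in, now_in = in_affected_range(a), in_affected_range(b)
        if was_in != now_in:
            changes.append(_change("R3", b, _range_str(a), _range_str(b), now_in))
        # R4: intelligence/policy verdict flip.
        if a.policy_verdict != b.policy_verdict:
            changes.append(_change("R4", b, a.policy_verdict, b.policy_verdict, b.policy_verdict == "block"))
    return changes


def to_canonical_json(changes: List[dict]) -> bytes:
    """Canonical encoding: sorted keys, fixed separators, ASCII only -> byte-for-byte stable."""
    return json.dumps(changes, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


# Constructed sample snapshots (fictional CVE ids and purls).
BEFORE = [
    FindingState("CVE-2024-0001", "pkg:npm/example-lib@1.3.0", "1.3.0", False, "not_affected", "1.0.0", "1.2.0", "allow"),
    FindingState("CVE-2024-0002", "pkg:maven/org.example/core@2.4.0", "2.4.0", True, "affected", "2.0.0", None, "allow"),
]
AFTER = [
    FindingState("CVE-2024-0001", "pkg:npm/example-lib@1.3.0", "1.3.0", True, "affected", "1.0.0", "1.4.0", "block"),
    FindingState("CVE-2024-0002", "pkg:maven/org.example/core@2.4.0", "2.4.0", True, "fixed", "2.0.0", "2.4.0", "allow"),
]

if __name__ == "__main__":
    for c in detect_material_changes(BEFORE, AFTER):
        print(c["rule"], c["vuln_id"], c["direction"], c["from"], "->", c["to"])
```

The first sample finding trips all four rules in the risk-increasing direction; the second trips R2 and R3 in the decreasing direction because a fix landed and the VEX statement moved to `fixed`. Two details matter for the golden-fixture property: the detector walks the sorted key set rather than the input lists, so reordering the snapshots cannot reorder the result, and the JSON encoder pins key order and separators. A production detector would additionally have to decide what to emit for findings present in only one snapshot, which this example deliberately leaves out.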