# Micro-Witness Evidence (Function-Level)

## Module
Attestor

## Status
VERIFIED

## Description
Complete micro-witness system with binary refs, CVE refs, function-level evidence, verdict models, and tooling metadata for fine-grained reachability proof.

## Implementation Details
- **Binary Micro-Witness Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryMicroWitnessPredicate.cs` -- complete micro-witness combining binary ref, CVE ref, function evidence, SBOM ref, tooling, and verdicts.
- **Binary Reference**: `Predicates/MicroWitnessBinaryRef.cs` -- identifies the binary artifact (name, version, digest, architecture).
- **CVE Reference**: `Predicates/MicroWitnessCveRef.cs` -- CVE identifier with CVSS score, affected function, and advisory URL.
- **Function Evidence**: `Predicates/MicroWitnessFunctionEvidence.cs` -- function-level evidence with call-stack depth, reachability status, and code location.
- **SBOM Reference**: `Predicates/MicroWitnessSbomRef.cs` -- links micro-witness to an SBOM component entry (component name, version, bom-ref).
- **Tooling Metadata**: `Predicates/MicroWitnessTooling.cs` -- captures the analysis tool (name, version, language, analysis type).
- **Verdicts**: `Predicates/MicroWitnessVerdicts.cs` -- per-function reachability verdicts (Reachable, Unreachable, Unknown) with confidence.
- **Micro-Witness Statement**: `Statements/BinaryMicroWitnessStatement.cs` -- in-toto statement wrapping the micro-witness predicate.
- **Reachability Witness**: `Statements/ReachabilityWitnessPayload.cs` (with `.Path`) -- witness payload with call path data. `ReachabilityWitnessStatement.cs` -- in-toto wrapper.
- **Call Path Nodes**: `Statements/WitnessCallPathNode.cs`, `WitnessPathNode.cs` -- individual nodes in the witness call path.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs`

## E2E Test Plan
- [ ] Create a `BinaryMicroWitnessPredicate` with a `MicroWitnessBinaryRef`, `MicroWitnessCveRef`, and three `MicroWitnessFunctionEvidence` entries at different call-stack depths; verify the predicate is well-formed
- [ ] Create `MicroWitnessVerdicts` with Reachable, Unreachable, and Unknown verdicts for different functions and verify each verdict has a confidence score
- [ ] Verify `MicroWitnessTooling` captures language-specific analysis tools (e.g., Java call graph analyzer vs Python AST analyzer)
- [ ] Verify `MicroWitnessSbomRef` correctly links the witness to an SBOM component by bom-ref
- [ ] Build a `BinaryMicroWitnessStatement` and sign it into a DSSE envelope; verify the statement structure
- [ ] Create a `ReachabilityWitnessPayload` with a call path of 5 `WitnessCallPathNode` entries and verify path traversal from entrypoint to sink
- [ ] Verify function evidence at call-stack depth 0 (entrypoint) through depth N (vulnerable function) and confirm depth tracking is accurate

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |