# Reachability Witness Proofs (Attestation Predicates, Call-Graph Evidence, UI Panels)

## Module
Attestor

## Status
VERIFIED

## Description
Full attestation predicates for reachability witness payloads including call paths, drift detection, and gate metadata. Entrypoint-to-vulnerable-symbol evidence trails as proof chain statements. UI evidence panels with E2E tests showing visual proof of reachability.

## Implementation Details
- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path`) -- witness payload with complete call path data.
- **Reachability Witness Statement**: `Statements/ReachabilityWitnessStatement.cs` -- in-toto statement for DSSE signing.
- **Witness Call Path Node**: `Statements/WitnessCallPathNode.cs` -- node in the call path (function, file, line, module).
- **Witness Path Node**: `Statements/WitnessPathNode.cs` -- generic path node with position metadata.
- **Witness Gate Info**: `Statements/WitnessGateInfo.cs` -- security gate along the path (sanitizer, validator, auth check).
- **Witness Evidence Metadata**: `Statements/WitnessEvidenceMetadata.cs` -- metadata about analysis tool, language, confidence, and assumptions.
- **Reachability Drift**: `Predicates/ReachabilityDriftPredicate.cs` -- drift detection predicate. `Statements/ReachabilityDriftStatement.cs` -- drift statement.
- **Drift Metadata**: `Predicates/DriftAnalysisMetadata.cs`, `DriftPredicateSummary.cs`, `DriftedSinkPredicateSummary.cs` -- drift analysis models.
- **Micro-Witness**: `Predicates/BinaryMicroWitnessPredicate.cs` -- function-level witness. `Predicates/MicroWitnessFunctionEvidence.cs` -- function evidence.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs witness attestations.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ReachabilityWitnessTests.cs`

## E2E Test Plan
- [ ] Create a `ReachabilityWitnessPayload` with a 6-node call path from entrypoint to vulnerable symbol and verify path structure
- [ ] Add `WitnessGateInfo` entries (input validation gate, authentication gate) and verify gates are captured with pass/fail conditions
- [ ] Sign the witness as `ReachabilityWitnessStatement` and verify the DSSE envelope is valid
- [ ] Create a drift detection witness showing a new call path to a previously unreachable vulnerability and verify drift metadata
- [ ] Verify `WitnessEvidenceMetadata` captures analysis confidence (e.g., 0.95 for static analysis, 0.70 for heuristic)
- [ ] Create micro-witness function evidence for each node in the call path and verify call-stack depth tracking
- [ ] Build a complete evidence trail: SBOM -> call graph -> witness -> VEX verdict and verify the chain is traversable

## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
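
As an added example (not StellaOps code), the C# program below walks the first three E2E test plan items with a constructed witness: a 6-node call path and two gates are wrapped in an in-toto statement, signed in a DSSE envelope, and a gate result edited after signing is shown to fail verification. The predicate field names, the `predicateType` URI, the key id and the ephemeral ECDSA P-256 key are assumptions; the project's payload types and `ProofChainSigner` may differ.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed sample statement. Predicate field names and the predicateType URI
// are hypothetical placeholders, not the StellaOps schema.
var statement = new
{
    _type = "https://in-toto.io/Statement/v1",
    subject = new[] { new { name = "example-image", digest = new { sha256 = new string('0', 64) } } },
    predicateType = "https://example.invalid/reachability-witness/v1",
    predicate = new
    {
        callPath = new[] { "Main", "HandleRequest", "ParseBody", "Deserialize", "ResolveType", "VulnerableSink" },
        gates = new[]
        {
            new { kind = "input-validation", passed = true },
            new { kind = "authentication", passed = false }
        },
        confidence = 0.95
    }
};

const string payloadType = "application/vnd.in-toto+json";
byte[] payload = JsonSerializer.SerializeToUtf8Bytes(statement);

// DSSE signs the pre-authentication encoding (PAE), never the bare payload:
// "DSSEv1" SP len(type) SP type SP len(payload) SP payload
byte[] Pae(string type, byte[] body) =>
    Encoding.UTF8.GetBytes($"DSSEv1 {Encoding.UTF8.GetByteCount(type)} {type} {body.Length} ").Concat(body).ToArray();

bool Verify(ECDsa k, string type, string payloadB64, string sigB64) =>
    k.VerifyData(Pae(type, Convert.FromBase64String(payloadB64)), Convert.FromBase64String(sigB64), HashAlgorithmName.SHA256);

using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256); // ephemeral demo key (assumption)
string sig = Convert.ToBase64String(key.SignData(Pae(payloadType, payload), HashAlgorithmName.SHA256));
string body64 = Convert.ToBase64String(payload);
var envelope = new { payloadType, payload = body64, signatures = new[] { new { keyid = "demo-key", sig } } };
Console.WriteLine(JsonSerializer.Serialize(envelope));

// Verify the signature first, then inspect the path structure of the signed payload.
Console.WriteLine($"original verifies: {Verify(key, payloadType, body64, sig)}");
using var doc = JsonDocument.Parse(payload);
Console.WriteLine($"call path nodes: {doc.RootElement.GetProperty("predicate").GetProperty("callPath").GetArrayLength()}");

// Flip the failed authentication gate to "passed" without re-signing.
string tampered = Encoding.UTF8.GetString(payload).Replace("\"passed\":false", "\"passed\":true");
string tampered64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(tampered));
Console.WriteLine($"tampered verifies: {Verify(key, payloadType, tampered64, sig)}");
```

Because the PAE binds `payloadType` as well as the payload bytes, a verifier should also reject an envelope whose type is not the one it expects before parsing the predicate.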