# EPSS Change Events for Reanalysis Triggers

## Module

Scanner

## Status

VERIFIED

## Description

Deterministic EPSS change events with per-CVE deltas, priority bands, idempotent event IDs, and scan manifests extended with tool versions and evidence digests for policy fingerprinting.

## Implementation Details

- **EPSS Change Detection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssChangeDetector.cs` - Detects EPSS score changes per CVE
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssChangeRecord.cs` - Change record model with deltas
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssChangeEvent.cs` - Deterministic change event with idempotent event ID
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/Events/EpssUpdatedEvent.cs` - Updated event for signal dispatch
- **EPSS Provider & Caching**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/IEpssProvider.cs` - Interface for EPSS data access
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs` - PostgreSQL-backed EPSS provider
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/CachingEpssProvider.cs` - Cached EPSS provider
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssPriorityBand.cs` - Priority band classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Epss/EpssEvidence.cs` - EPSS evidence model
- **Signal Publishing**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/IEpssSignalPublisher.cs` - Signal publisher interface
- **Worker Jobs**:
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentJob.cs` - EPSS enrichment job
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssIngestJob.cs` - EPSS data ingestion job
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssSignalJob.cs` - EPSS signal dispatch job
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentStageExecutor.cs` - Stage executor for scan pipeline
- **API**:
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs` - `EpssEndpoints` with batch lookup, history, and status

## E2E Test Plan

- [ ] Ingest EPSS data and verify change detection identifies CVEs with score deltas
- [ ] Verify idempotent event IDs are deterministic for the same CVE/delta combination
- [ ] Verify priority band classification (critical, high, medium, low) based on EPSS score thresholds
- [ ] Verify EPSS change events trigger scan reanalysis for affected artifacts
- [ ] Call `POST /api/v1/epss/batch` with CVE IDs and verify EPSS scores are returned
- [ ] Call `GET /api/v1/epss/{cveId}/history` and verify EPSS score history with change events

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
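The change-detection and idempotent event-ID behaviour the description and test plan call for, modelled in Python as an added example (this is not the StellaOps Scanner code, which is C#): two EPSS snapshots are diffed per CVE, each change is assigned a priority band, and the event ID is derived deterministically from the identifying fields so that a replayed ingest yields the same IDs and can be deduplicated before it triggers reanalysis. The band cut-offs (0.70 / 0.30 / 0.05), the SHA-256-over-canonical-JSON recipe, the `min_delta` gate and the sample snapshots are assumptions; the page names the four bands but not their thresholds.

```python
"""Illustrative EPSS change detection with deterministic, idempotent event IDs.

Added example, not the StellaOps Scanner implementation. Thresholds, field names,
the event-ID recipe and the sample data are assumptions chosen for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed band cut-offs on the EPSS probability (0.0-1.0), highest first.
# The page names the bands (critical, high, medium, low) but not the thresholds.
BAND_THRESHOLDS = (
    ("critical", 0.70),
    ("high", 0.30),
    ("medium", 0.05),
)


def priority_band(score: float) -> str:
    """Map an EPSS score to a band; anything below the lowest cut-off is 'low'."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"EPSS score out of range: {score}")
    for band, threshold in BAND_THRESHOLDS:
        if score >= threshold:
            return band
    return "low"


@dataclass(frozen=True)
class EpssChangeEvent:
    cve_id: str
    model_date: str                 # date of the EPSS model run that produced current_score
    previous_score: Optional[float]  # None when the CVE was not in the previous snapshot
    current_score: float
    delta: float
    previous_band: Optional[str]
    current_band: str
    event_id: str


def make_event_id(cve_id: str, model_date: str,
                  previous: Optional[float], current: float) -> str:
    """Deterministic event ID (assumed recipe): SHA-256 over a canonical JSON
    encoding of the identifying fields. The same CVE, model date and old/new
    scores always produce the same ID, so retries and replays collapse to one event."""
    canonical = json.dumps(
        {"cve": cve_id, "model_date": model_date, "prev": previous, "cur": current},
        sort_keys=True, separators=(",", ":"),
    )
    return "epss-" + hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:32]


def detect_changes(previous: Dict[str, float], current: Dict[str, float],
                   model_date: str, min_delta: float = 0.0) -> List[EpssChangeEvent]:
    """Diff two snapshots (cve_id -> score). A CVE produces an event when it is new,
    when |delta| exceeds min_delta, or when its band changed. Iteration is sorted by
    CVE ID so the emitted list is itself deterministic."""
    events: List[EpssChangeEvent] = []
    for cve_id in sorted(current):
        cur = current[cve_id]
        prev = previous.get(cve_id)
        delta = cur - (prev if prev is not None else 0.0)
        cur_band = priority_band(cur)
        prev_band = priority_band(prev) if prev is not None else None
        if prev is not None and abs(delta) <= min_delta and prev_band == cur_band:
            continue  # movement below the gate and no band change: nothing to reanalyse
        events.append(EpssChangeEvent(
            cve_id=cve_id, model_date=model_date,
            previous_score=prev, current_score=cur, delta=round(delta, 6),
            previous_band=prev_band, current_band=cur_band,
            event_id=make_event_id(cve_id, model_date, prev, cur),
        ))
    return events


def dedupe(events: List[EpssChangeEvent]) -> List[EpssChangeEvent]:
    """Idempotent consumer side: keep the first occurrence of each event_id."""
    seen: Dict[str, EpssChangeEvent] = {}
    for event in events:
        seen.setdefault(event.event_id, event)
    return list(seen.values())


# Constructed sample snapshots (not real EPSS data); CVE IDs are placeholders.
PREVIOUS = {"CVE-2099-0001": 0.02, "CVE-2099-0002": 0.12, "CVE-2099-0003": 0.50}
CURRENT = {"CVE-2099-0001": 0.02, "CVE-2099-0002": 0.82,
           "CVE-2099-0003": 0.49, "CVE-2099-0004": 0.06}

if __name__ == "__main__":
    first_run = detect_changes(PREVIOUS, CURRENT, "2099-01-02")
    replay = detect_changes(PREVIOUS, CURRENT, "2099-01-02")  # same input replayed
    for event in dedupe(first_run + replay):
        print(f"{event.event_id} {event.cve_id} {event.previous_band}->{event.current_band} "
              f"delta={event.delta:+.2f}")
```

Unchanged scores produce no event, a replayed ingest produces identical IDs that `dedupe` collapses, and changing the model date changes every ID, which is what keeps the event stream both idempotent and honest about which model run it came from.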