# Reachability Drift Detection and Delta Evidence

## Module
Attestor

## Status
VERIFIED

## Description
Reachability drift predicates tracking new/removed call paths to vulnerable functions with drift analysis metadata, delta summaries between baselines, and reachability status flip tracking between scans.

## Implementation Details
- **Reachability Drift Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/ReachabilityDriftPredicate.cs` -- predicate capturing reachability status changes between scans (new paths, removed paths, unchanged paths).
- **Drift Analysis Metadata**: `Predicates/DriftAnalysisMetadata.cs` -- metadata about the drift analysis (baseline scan ID, current scan ID, timestamp, tool). Also in `Statements/DriftAnalysisMetadata.cs`.
- **Drift Image Reference**: `Predicates/DriftImageReference.cs` -- image reference for the baseline and current scan.
- **Drift Predicate Summary**: `Predicates/DriftPredicateSummary.cs` -- summary of drift counts (new paths, removed paths, flipped statuses).
- **Drift Scanner Info**: `Predicates/DriftScannerInfo.cs` -- scanner that produced the drift data. Also in `Statements/DriftScannerInfo.cs`.
- **Drifted Sink Predicate Summary**: `Predicates/DriftedSinkPredicateSummary.cs` -- summary of drifted vulnerable sinks.
- **Reachability Drift Payload**: `Statements/ReachabilityDriftPayload.cs` -- in-toto payload for drift data.
- **Reachability Drift Statement**: `Statements/ReachabilityDriftStatement.cs` -- in-toto statement wrapping the drift payload.
- **Drift Summary**: `Statements/DriftSummary.cs` -- statement-level drift summary. `DriftedSinkSummary.cs` -- per-sink drift summary.
- **Change Trace**: `ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers`, `.Mapping`) -- creates change trace attestations for drift events.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ReachabilityDriftTests.cs`

## E2E Test Plan
- [ ] Create a `ReachabilityDriftPredicate` with 2 new paths, 1 removed path, and verify the drift data is correct
- [ ] Verify `DriftAnalysisMetadata` captures baseline and current scan IDs, timestamps, and tool info
- [ ] Verify `DriftPredicateSummary` correctly counts new, removed, and unchanged paths
- [ ] Detect a reachability status flip (Unreachable -> Reachable) between scans and verify it is flagged in the drift
- [ ] Build a `ReachabilityDriftStatement` and sign it; verify the DSSE envelope contains the drift payload
- [ ] Create drift data for multiple sinks and verify `DriftedSinkPredicateSummary` tracks per-sink drift
- [ ] Create a `ChangeTraceAttestationService` attestation for the drift event and verify it links to baseline and current evidence
- [ ] Verify `DriftImageReference` correctly identifies the container image versions being compared

## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
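
The per-sink delta that the drift predicate and its summaries record (new, removed and unchanged paths, plus status flips between a baseline and a current scan), worked through as an added example. It is not the project's code: `SinkScan`, `SinkDrift`, `DriftExample` and the sink and path names are hypothetical, the sample data is constructed to mirror the test plan (2 new paths, 1 removed path, one Unreachable -> Reachable flip), and treating a sink absent from a scan as unreachable is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types for illustration; they are not the StellaOps.Attestor.ProofChain classes.
public enum Reach { Unreachable, Reachable }
public sealed record SinkScan(string Sink, Reach Status, HashSet<string> Paths);
public sealed record SinkDrift(string Sink, Reach Before, Reach After,
                               string[] NewPaths, string[] RemovedPaths, int UnchangedPaths);
public static class DriftExample
{
    // Assumption: a sink absent from a scan counts as unreachable with no call paths.
    static SinkScan Absent(string sink) => new(sink, Reach.Unreachable, new HashSet<string>());
    public static List<SinkDrift> Diff(IReadOnlyDictionary<string, SinkScan> baseline,
                                       IReadOnlyDictionary<string, SinkScan> current)
    {
        var drift = new List<SinkDrift>();
        // Ordinal ordering keeps the delta stable: the same two scans always yield the same output.
        foreach (var sink in baseline.Keys.Union(current.Keys).OrderBy(s => s, StringComparer.Ordinal))
        {
            var b = baseline.GetValueOrDefault(sink) ?? Absent(sink);
            var c = current.GetValueOrDefault(sink) ?? Absent(sink);
            var added = c.Paths.Except(b.Paths).OrderBy(p => p, StringComparer.Ordinal).ToArray();
            var removed = b.Paths.Except(c.Paths).OrderBy(p => p, StringComparer.Ordinal).ToArray();
            var unchanged = c.Paths.Intersect(b.Paths).Count();
            // Report a sink only if its path set changed or its status flipped.
            if (added.Length > 0 || removed.Length > 0 || b.Status != c.Status)
                drift.Add(new SinkDrift(sink, b.Status, c.Status, added, removed, unchanged));
        }
        return drift;
    }
    public static void Main()
    {
        // Constructed sample scans; call paths are written as "entry>sink".
        var baseline = new Dictionary<string, SinkScan>
        {
            ["Yaml.Load"] = new("Yaml.Load", Reach.Unreachable, new HashSet<string>()),
            ["Xml.Parse"] = new("Xml.Parse", Reach.Reachable, new HashSet<string> { "Api.Import>Xml.Parse", "Cli.Run>Xml.Parse" }),
        };
        var current = new Dictionary<string, SinkScan>
        {
            ["Yaml.Load"] = new("Yaml.Load", Reach.Reachable, new HashSet<string> { "Api.Upload>Yaml.Load", "Job.Sync>Yaml.Load" }),
            ["Xml.Parse"] = new("Xml.Parse", Reach.Reachable, new HashSet<string> { "Api.Import>Xml.Parse" }),
        };
        var drift = Diff(baseline, current);
        foreach (var d in drift) Console.WriteLine($"{d.Sink}: {d.Before}->{d.After} +{d.NewPaths.Length} -{d.RemovedPaths.Length} ={d.UnchangedPaths}");
        Console.WriteLine($"new={drift.Sum(d => d.NewPaths.Length)} removed={drift.Sum(d => d.RemovedPaths.Length)} flips={drift.Count(d => d.Before != d.After)}");
    }
}
```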