# Reachability Subgraph Extraction and Proof of Exposure

## Module
Scanner

## Status
VERIFIED

## Description
Full subgraph extraction for reachability proofs with witness tracking, explanation generation, and proof spine building.

## Implementation Details
- **Subgraph Extraction**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Subgraph/ReachabilitySubgraphExtractor.cs` - `ReachabilitySubgraphExtractor` extracts full subgraphs for reachability proofs including all nodes and edges on paths from entrypoints to vulnerable sinks
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SubgraphExtractor.cs` - Base subgraph extraction logic
- **Witness Tracking**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs` - `PathWitness` records witnessed reachability paths
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs` - `RuntimeObservation` records runtime-observed call events with stack samples
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs` - Interface for generating runtime witnesses
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessRequest.cs` - Request model for witness generation
- **Attestation**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilitySubgraphPublisher.cs` - Publishes proof-of-exposure subgraphs as attestations
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityWitnessPublisher.cs` - Publishes witness records as attestations
- **Resolver**: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/IReachabilityResolver.cs` - Interface for resolving reachability queries

## E2E Test Plan
- [ ] Extract a subgraph for a specific vulnerability and verify it contains all nodes and edges from entrypoint to vulnerable sink
- [ ] Verify witness tracking records runtime-observed call events that confirm reachability
- [ ] Verify proof-of-exposure subgraphs are publishable as DSSE-signed attestations
- [ ] Verify the subgraph includes gate annotations (auth, admin-only) on intermediate nodes
- [ ] Verify explanation generation produces human-readable descriptions of the exposure path
- [ ] Verify the reachability resolver correctly queries subgraphs for specific CVE/component pairs

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |