# Suppression Witness Proof Model (DSSE-Signable Not-Affected Evidence)

## Module
Scanner

## Status
VERIFIED

## Description
A DSSE-signable proof model documenting why a vulnerability is NOT exploitable (unreachable code, linker GC, feature flag off, patched symbol, gate blocked, etc.). Complements PathWitness which documents why code IS reachable. Includes 10 suppression types and content-addressed witness IDs.

## Implementation Details
- **Suppression Witness Model**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitness.cs` - `SuppressionWitness` model with 10 suppression types (unreachable code, linker GC, feature flag off, patched symbol, gate blocked, etc.) and content-addressed witness IDs
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessSchema.cs` - JSON schema definition for suppression witness validation
- **Builder**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessBuilder.cs` - `SuppressionWitnessBuilder` constructing suppression witnesses with evidence chains and suppression type classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionWitnessBuilder.cs` - Interface for suppression witness construction
- **DSSE Signing**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionDsseSigner.cs` - `SuppressionDsseSigner` signing suppression witnesses using DSSE envelopes
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ISuppressionDsseSigner.cs` - Interface for suppression DSSE signing
- **Content-Addressed IDs**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/ClaimIdGenerator.cs` - `ClaimIdGenerator` generating deterministic, content-addressed witness IDs
- **DI Registration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/SuppressionWitnessServiceCollectionExtensions.cs` - DI registration for suppression witness services

## E2E Test Plan
- [ ] Create a suppression witness for an unreachable code path and verify the witness includes the suppression type "UnreachableCode" with evidence
- [ ] Create a suppression witness for linker GC (dead code elimination) and verify it documents the eliminated symbols
- [ ] Sign a suppression witness with DSSE and verify the envelope validates against the suppression witness schema
- [ ] Verify content-addressed witness IDs are deterministic (same evidence produces identical IDs)
- [ ] Verify suppression witnesses complement PathWitnesses by providing the inverse proof (not-affected vs. affected)
- [ ] Verify all 10 suppression types can be constructed and signed correctly

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |