# 16-Feb-2026 - eBPF micro-witness deterministic replay across distros

## Advisory source
- Source: user-provided product advisory text (review session, 2026-02-16 UTC).
- Scope: CO-RE eBPF micro-witnesses replayable and deterministic across kernels, distros, and toolchains, with DSSE + Sigstore bundle portability.

## Outcome
- Result: partially aligned implementation with confirmed contract and implementation gaps.
- Decision: advisory translated into product/module docs plus an active implementation sprint.

## Confirmed gap themes
- Runtime collector support check is hard-gated on `/sys/kernel/btf/vmlinux`; split-BTF/external-vmlinux fallback behavior is not implemented as a deterministic recorded contract.
- Runtime witness payload lacks required deterministic symbolization tuple for cross-distro replay (`symbolizer`, `libc_variant`, `sysroot`, debug/symbol pointers).
- Runtime witness generation pipeline is interface-defined but not implemented end-to-end in Scanner.
- DSSE witness support exists, but per-witness Sigstore bundle contract (`trace.sigstore.json`) is not standardized in witness storage/export/indexing.

## Translation artifacts
- Active sprint: `docs/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md`
- Product update: `docs/product/ebpf-micro-witness-determinism.md`
- Module contract: `docs/modules/signals/contracts/ebpf-micro-witness-determinism-profile.md`

## Notes
- External web fetches: none.
- Repository verification inputs included runtime and storage code paths under `src/Signals/`, `src/Scanner/`, `src/RuntimeInstrumentation/`, `src/Attestor/`, and `src/EvidenceLocker/`.