# Attestable reachability slices (DSSE/in-toto signed evidence)

## Module

Attestor

## Status

VERIFIED

## Description

Reachability witness payloads wrapped in DSSE-signed attestations provide verifiable evidence slices for triage decisions.

## Implementation Details

- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path` partial) -- defines the witness payload containing call paths from entry points to vulnerable functions.
- **Witness Path Nodes**: `WitnessPathNode.cs`, `WitnessCallPathNode.cs` -- model individual nodes in the reachability call path.
- **Witness Evidence Metadata**: `WitnessEvidenceMetadata.cs` -- metadata about the evidence source (scanner, analysis tool, timestamp).
- **Witness Gate Info**: `WitnessGateInfo.cs` -- gate information for policy evaluation of witness data.
- **Reachability Witness Statement**: `ReachabilityWitnessStatement.cs` -- wraps the witness payload as an in-toto statement with subject and predicate.
- **Reachability Subgraph**: `ReachabilitySubgraphStatement.cs` -- subgraph attestation for minimal reachability evidence; `ReachabilitySubgraphPredicate.cs` defines the subgraph predicate.
- **DSSE Signing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` (with `.Verification` partial) signs statements; `DsseEnvelope.cs` and `DsseSignature.cs` model the envelope.
- **Path Witness Predicate Types**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs` -- defines predicate type URIs for path witnesses.
- **Proof Emitter**: `IProofEmitter.cs` -- interface for emitting signed proofs including reachability slices.
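The statement-to-envelope flow described above (witness payload wrapped as an in-toto statement, signed into a DSSE envelope, verified, and checked for tampering), as an added example that is not StellaOps code and does not use the project's classes. It builds an in-toto v1 statement carrying a constructed reachability-witness predicate, signs it over the DSSE pre-authentication encoding (PAE), verifies it against a set of trusted key ids, and shows that altering either the payload or the `payloadType` breaks verification. Assumptions: the witness predicate type URI is a placeholder (the real URIs are in `PathWitnessPredicateTypes.cs` and are not reproduced here), the subject, key id, call-path field names and evidence metadata are constructed, and HMAC-SHA256 from the standard library stands in for the asymmetric signer that `ProofChainSigner` uses, so the block runs offline with no dependencies. The subgraph predicate type is the `reachability-subgraph.stella/v1` value recorded in the verification notes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Standard in-toto/DSSE type strings; the witness predicate URI is a placeholder
# (the project's real URIs live in PathWitnessPredicateTypes.cs), the subgraph
# one is the value recorded in the verification notes.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
WITNESS_PREDICATE_TYPE = "https://example.invalid/reachability-witness/v1"  # placeholder
SUBGRAPH_PREDICATE_TYPE = "reachability-subgraph.stella/v1"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed.
    Binding payloadType in here stops a valid payload being re-labelled."""
    t = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t, str(len(payload)).encode(), payload])


def canonical_json(obj) -> bytes:
    """Deterministic serialization so the signed bytes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def statement(predicate_type: str, subject_name: str, subject_sha256: str, predicate: dict) -> dict:
    """Generic in-toto v1 statement: subject digest plus a typed predicate."""
    return {"_type": STATEMENT_TYPE,
            "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
            "predicateType": predicate_type, "predicate": predicate}


def witness_statement(subject_name, subject_sha256, call_path, metadata) -> dict:
    """Reachability witness: call path from entry point to vulnerable function
    plus evidence metadata (constructed field names)."""
    return statement(WITNESS_PREDICATE_TYPE, subject_name, subject_sha256,
                     {"callPath": [{"symbol": s, "file": f} for s, f in call_path],
                      "evidence": metadata})


def subgraph_statement(subject_name, subject_sha256, nodes, edges) -> dict:
    """Minimal subgraph (entry -> intermediate -> sink) as its own statement."""
    return statement(SUBGRAPH_PREDICATE_TYPE, subject_name, subject_sha256,
                     {"nodes": list(nodes), "edges": [list(e) for e in edges]})


def sign_envelope(stmt: dict, key: bytes, keyid: str) -> dict:
    """DSSE envelope; HMAC-SHA256 stands in for the asymmetric signer here."""
    payload = canonical_json(stmt)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(envelope: dict, trusted_keys: dict) -> Optional[dict]:
    """Decoded statement if a signature verifies under a trusted key, else None.
    The message is rebuilt from the envelope's own fields, so a swapped
    payloadType fails exactly like a swapped payload."""
    payload = base64.b64decode(envelope["payload"])
    message = pae(envelope["payloadType"], payload)
    for entry in envelope["signatures"]:
        key = trusted_keys.get(entry["keyid"])
        if key is None:
            continue  # unknown signer is not trusted evidence
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(entry["sig"])):
            return json.loads(payload)
    return None


def forge_call_path(envelope: dict, new_call_path) -> dict:
    """Constructed tampering: rewrite the call path without re-signing."""
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    stmt["predicate"]["callPath"] = [{"symbol": s, "file": f} for s, f in new_call_path]
    return dict(envelope, payload=base64.b64encode(canonical_json(stmt)).decode())


def demo() -> dict:
    """Sign a 3-node witness, verify it, then show both tamper cases fail."""
    key = b"constructed-demo-key-not-for-production"
    trusted = {"demo-key-1": key}
    stmt = witness_statement(
        "pkg:nuget/Example.Lib@1.2.3",  # constructed subject
        hashlib.sha256(b"constructed artifact bytes").hexdigest(),
        [("Api.Handle", "Api.cs"), ("Svc.Parse", "Svc.cs"), ("Lib.Vulnerable", "Lib.cs")],
        {"tool": "constructed-scanner", "version": "0.1", "timestamp": "2026-01-01T00:00:00Z"})
    envelope = sign_envelope(stmt, key, "demo-key-1")
    genuine = verify_envelope(envelope, trusted)
    forged = forge_call_path(envelope, [("Api.Handle", "Api.cs")])
    relabelled = dict(envelope, payloadType="application/json")
    return {"genuine_verified": genuine is not None,
            "metadata_preserved": genuine["predicate"]["evidence"]["tool"] == "constructed-scanner",
            "path_length": len(genuine["predicate"]["callPath"]),
            "forged_rejected": verify_envelope(forged, trusted) is None,
            "relabelled_rejected": verify_envelope(relabelled, trusted) is None}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details carry the security weight. The verifier recomputes the PAE from the envelope's own `payloadType` and `payload` fields rather than trusting any pre-computed digest, so substituting either field invalidates every signature; and signatures from key ids outside the trusted set are skipped rather than treated as evidence, which is the check that turns a well-formed envelope into an attestable slice. `hmac.compare_digest` keeps the comparison constant-time.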
## E2E Test Plan

- [ ] Create a `ReachabilityWitnessPayload` with a call path containing 3+ nodes from entry point to vulnerable function, wrap it in a `ReachabilityWitnessStatement`, and verify the statement structure
- [ ] Sign the witness statement via `ProofChainSigner` and verify the DSSE envelope contains a valid signature and payload
- [ ] Verify the signed reachability slice via `ProofChainSigner.Verification` and confirm signature validation passes
- [ ] Create a `ReachabilitySubgraphPredicate` with a minimal subgraph (entry point -> intermediate -> sink) and verify it serializes with the correct predicate type
- [ ] Modify the signed envelope payload and verify that signature verification fails (tamper detection)
- [ ] Create witness payloads with `WitnessEvidenceMetadata` from different analysis tools and verify the metadata is preserved in the signed attestation

## Verification

- Verified on 2026-02-11 via `run-001`.
- Tier 1 and Tier 2 feature-scoped xUnit class-filtered execution passed (`5/5`) in:
  - `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/ReachabilityWitnessAttestationBehaviorTests.cs`
- Full ProofChain suite remains baseline-red on unrelated failures (`35`), but feature-scoped reachability verification passed and includes fresh behavioral evidence.
- Behavior confirmed:
  - `ReachabilityWitnessPayload` + `ReachabilityWitnessStatement` structure with a 3-node call path and witness metadata
  - DSSE signing and verification through `ProofChainSigner`
  - tamper detection on a modified DSSE payload
  - `ReachabilitySubgraphStatement` serialization with predicate type `reachability-subgraph.stella/v1`
  - witness evidence metadata preservation across signed payload serialization/deserialization
- Evidence:
  - `docs/qa/feature-checks/runs/attestor/attestable-reachability-slices/run-001/tier0-source-check.json`
  - `docs/qa/feature-checks/runs/attestor/attestable-reachability-slices/run-001/tier1-build-check.json`
  - `docs/qa/feature-checks/runs/attestor/attestable-reachability-slices/run-001/tier2-integration-check.json`