# Reachability Corpus Plan (QA-CORPUS-401-031)

Objective
- Build a multi-runtime reachability corpus (Go/.NET/Python/Rust) with EXPECT.yaml ground truths and captured traces.
- Make fixtures CI-consumable to validate reachability scoring and VEX proofs continuously.

Scope & deliverables
- Fixture layout: `tests/reachability/corpus/<language>/<case>/`
  - `expect.yaml` — states (`reachable|conditional|unreachable`), score, evidence refs.
  - `callgraph.*.json` — static graphs per language.
  - `runtime/*.ndjson` — traces/probes when available.
  - `sbom.*.json` — CycloneDX/SPDX slices.
  - `vex.openvex.json` — expected VEX statement.
- CI integration: add corpus harness to `tests/reachability/StellaOps.Reachability.FixtureTests` to validate presence, schema, and determinism (hash manifest).
- Offline posture: all artifacts deterministic, no external downloads; hashes recorded in manifest.

MVP slice (proposed)
- Go: `go-ssh-CVE-2020-9283-keyexchange`
- .NET: `dotnet-kestrel-CVE-2023-44487-http2-rapid-reset`
- Python: `python-django-CVE-2019-19844-sqli-like`
- Rust: `rust-axum-header-parsing-TBD`

Work plan
1) Define shared manifest schema + hash manifest (NDJSON) under `tests/reachability/corpus/manifest.json`.
2) For each MVP case, add minimal static callgraph + EXPECT.yaml with score/state and evidence links. (DONE: stub versions committed)
3) Extend reachability fixture tests to cover corpus folders (presence, hashes, EXPECT.yaml schema). (DONE)
4) Wire CI job to run the extended tests in `tests/reachability/StellaOps.Reachability.FixtureTests`. (TODO)
5) Replace stubs with real callgraphs/traces and expand corpus after MVP passes CI. (TODO)

Determinism rules
- Sort JSON keys; round scores to 2dp; UTC times only if needed.
- Stable ordering of files in manifests; hash with SHA-256.
- No network calls during test or generation.