# Sprint 401 – Reachability Evidence Chain

_Window:_ November 11 – November 22, 2025  
_Theme:_ Finish the provable reachability pipeline (graph CAS → replay → DSSE → policy/UI) so Sprint 402 can focus on polish.

| Task ID | State | Task description | Owners (Source) |
|---------|-------|------------------|-----------------|
| GRAPH-CAS-401-001 | TODO | Finalize richgraph schema (`richgraph-v1`), emit canonical SymbolIDs, compute graph hash (BLAKE3), and store CAS manifests under `cas://reachability/graphs/{sha256}`. Update Scanner Worker adapters + fixtures. | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) |
| SIGNALS-RUNTIME-401-002 | TODO | Ship `/signals/runtime-facts` ingestion for NDJSON (and gzip) batches, dedupe hits, and link runtime evidence CAS URIs to callgraph nodes. Include retention + RBAC tests. | Signals Guild (`src/Signals/StellaOps.Signals`) |
| SIGNALS-SCORING-401-003 | TODO | Extend `ReachabilityScoringService` to lattice states (`Unknown/NotPresent/Unreachable/Conditional/Reachable/Observed`), persist predicates + blocked edges, and expose `/graphs/{scanId}` CAS lookups. | Signals Guild (`src/Signals/StellaOps.Signals`) |
| REPLAY-401-004 | TODO | Bump replay manifest to v2 (feeds, analyzers, policies), have `ReachabilityReplayWriter` enforce CAS registration + hash sorting, and add deterministic tests to `tests/reachability/StellaOps.Reachability.FixtureTests`. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) |
| AUTH-REACH-401-005 | TODO | Introduce DSSE predicate types for SBOM/Graph/VEX/Replay, plumb signing through Authority + Signer, and mirror statements to Rekor (including PQ variants where required). | Authority & Signer Guilds (`src/Authority/StellaOps.Authority`, `src/Signer/StellaOps.Signer`) |
| POLICY-VEX-401-006 | TODO | Policy Engine consumes reachability facts, emits OpenVEX with evidence references, updates SPL schema with `reachability.state/confidence` predicates, and produces API metrics. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) |
| UI-CLI-401-007 | TODO | Implement CLI `stella graph explain` + UI explain drawer showing signed call-path, predicates, runtime hits, and DSSE pointers; include counterfactual controls. | UI & CLI Guilds (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`) |
| QA-DOCS-401-008 | TODO | Wire `reachbench-2025-expanded` fixtures into CI, document CAS layouts + replay steps in `docs/reachability/DELIVERY_GUIDE.md`, and publish operator runbook for runtime ingestion. | QA & Docs Guilds (`docs`, `tests/README.md`) |
| SIGNALS-GAP-401-009 | TODO | Track `/signals/runtime-facts` GA and lattice scoring thresholds (policy-driven `max_path_conf`) with CAS-backed runtime storage per `docs/reachability/REACHABILITY_GAP_TASKS.md#3`. Emit `signals.fact.updated` events + retention docs. | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/reachability/REACHABILITY_GAP_TASKS.md`) |
| REPLAY-GAP-401-010 | TODO | Enforce BLAKE3 hashing + CAS registration for graphs/traces before manifest writes and document schema v2 impacts. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md`) |
| POLICY-GAP-401-011 | TODO | Implement policy thresholds + OpenVEX evidence references (graph hash, runtime facts) so `status=affected` only when confidence ≥ configured value. Update SPL + API docs. | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`) |
| EXPERIENCE-GAP-401-012 | TODO | Expose reachability evidence to CLI/UI (explain drawer, `--evidence=graph`, `--threshold`) and update Notify templates + API reference accordingly. | UI & CLI Guilds, Notify Guild (`src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md`) |

> Use `docs/reachability/DELIVERY_GUIDE.md` for architecture context, dependencies, and acceptance tests.