# Reachability Slice DSSE Predicate (Attestable Minimal Subgraph)

## Module

Scanner

## Status

IMPLEMENTED

## Description

Defines attestable reachability slices as DSSE predicates (`stellaops.dev/predicates/reachability-slice@v1`) containing minimal subgraphs for specific CVE queries. Includes slice extraction from full call graphs, DSSE signing with CAS storage, and verdict computation (reachable/unreachable/unknown with confidence scores).

## Implementation Details

- **Slice Extraction**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceExtractor.cs` - `SliceExtractor` extracts minimal subgraphs from full call graphs for specific CVE queries
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceModels.cs` - Models for reachability slices, including the verdict (reachable/unreachable/unknown) with confidence scores
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceSchema.cs` - Schema definition for the `stellaops.dev/predicates/reachability-slice@v1` predicate
- **DSSE Signing**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDsseSigner.cs` - `SliceDsseSigner` signs reachability slices as DSSE predicates
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceHasher.cs` - `SliceHasher` computes content-addressed hashes for slice integrity
- **CAS Storage**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceCasStorage.cs` - `SliceCasStorage` provides content-addressable storage for DSSE-signed reachability slices
- **Policy Binding**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/PolicyBinding.cs` - Policy version binding for slices
- **Observed Path Slices**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/ObservedPathSliceGenerator.cs` - Generates slices from runtime-observed paths
- **Diff Computation**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceDiffComputer.cs` - Computes diffs between slice versions

## E2E Test Plan

- [ ] Extract a reachability slice for a specific CVE and verify it contains the minimal subgraph (entrypoint to vulnerable function)
- [ ] Verify the slice is signed as a DSSE predicate with the `stellaops.dev/predicates/reachability-slice@v1` type
- [ ] Verify the slice includes a verdict (reachable/unreachable/unknown) with a confidence score
- [ ] Verify DSSE signature verification passes for a correctly signed slice
- [ ] Verify CAS storage correctly stores and retrieves slices by content address
- [ ] Verify slice diff computation identifies changes between two slice versions for the same CVE
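The pipeline the test plan exercises (slice extraction, verdict, DSSE envelope, CAS address, slice diff) is sketched end to end below as an added, self-contained illustration. It is not the StellaOps implementation and does not use the `SliceExtractor`, `SliceDsseSigner` or `SliceCasStorage` APIs; the call graph, function names, the `CVE-0000-00000` identifier and the subject digest are constructed placeholders, the confidence heuristic is an assumption of this example, and HMAC-SHA256 stands in for the asymmetric signer a real deployment would use. Only the predicate type is taken from the page; the in-toto Statement layout and the DSSE Pre-Authentication Encoding are the public specifications.

```python
"""Illustrative reachability-slice pipeline (added example; not StellaOps code)."""
import base64
import hashlib
import hmac
import json
from collections import deque

PREDICATE_TYPE = "stellaops.dev/predicates/reachability-slice@v1"  # from the page
PAYLOAD_TYPE = "application/vnd.in-toto+json"  # standard in-toto DSSE payload type

# Constructed sample call graph: caller -> list of callees (hypothetical names).
CALL_GRAPH = {
    "Main": ["ParseArgs", "HandleRequest"],
    "HandleRequest": ["Deserialize", "Render"],
    "Deserialize": ["Vuln.Parse"],      # hypothetical vulnerable function (the sink)
    "Render": ["Escape"],
    "UnusedHelper": ["Vuln.Parse"],     # calls the sink but is never reached from Main
    "ParseArgs": [], "Escape": [], "Vuln.Parse": [],
}


def _reach(adjacency, roots):
    """Breadth-first closure of roots over adjacency (node -> neighbours)."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for nxt in adjacency.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def extract_slice(graph, entrypoints, sink):
    """Minimal subgraph: exactly the nodes lying on some entrypoint->sink path,
    plus the edges between them (forward closure intersected with backward closure)."""
    reverse = {}
    for caller, callees in graph.items():
        for callee in callees:
            reverse.setdefault(callee, []).append(caller)
    nodes = _reach(graph, entrypoints) & _reach(reverse, [sink])
    edges = sorted((a, b) for a in nodes for b in graph.get(a, []) if b in nodes)
    return {"entrypoints": sorted(entrypoints), "sink": sink,
            "nodes": sorted(nodes), "edges": [list(e) for e in edges]}


def compute_verdict(slice_, unresolved_edges=()):
    """Verdict plus an illustrative confidence heuristic (assumed, not the project's scoring):
    unresolved (e.g. dynamic-dispatch) edges on the slice lower confidence, and no path
    while unresolved edges exist yields 'unknown' rather than 'unreachable'."""
    edges = [tuple(e) for e in slice_["edges"]]
    if slice_["sink"] in slice_["nodes"]:
        fuzzy = sum(1 for e in edges if e in set(unresolved_edges))
        return {"verdict": "reachable", "confidence": round(1 - fuzzy / (len(edges) or 1), 2)}
    if unresolved_edges:
        return {"verdict": "unknown", "confidence": 0.5}
    return {"verdict": "unreachable", "confidence": 1.0}


def canonical_json(obj):
    """Deterministic serialization so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_statement(cve_id, subject_name, subject_sha256, slice_, verdict):
    """in-toto Statement v1 carrying the reachability-slice predicate."""
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
            "predicateType": PREDICATE_TYPE,
            "predicate": {"cve": cve_id, "slice": slice_, **verdict}}


def pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def sign_envelope(statement, key, keyid):
    """Wrap the statement in a DSSE envelope. HMAC-SHA256 is a stand-in for the
    asymmetric signer a real deployment uses; the PAE and envelope layout are DSSE's."""
    payload = canonical_json(statement)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(envelope, key):
    """Recompute the PAE over the stored payloadType/payload and check any signature."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    return any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"])


def cas_address(envelope):
    """Content address for CAS storage: digest of the canonical envelope bytes."""
    return "sha256:" + hashlib.sha256(canonical_json(envelope)).hexdigest()


def diff_slices(old, new):
    """Node/edge additions and removals between two slice versions for the same CVE."""
    old_e, new_e = {tuple(e) for e in old["edges"]}, {tuple(e) for e in new["edges"]}
    return {"added_nodes": sorted(set(new["nodes"]) - set(old["nodes"])),
            "removed_nodes": sorted(set(old["nodes"]) - set(new["nodes"])),
            "added_edges": sorted(new_e - old_e), "removed_edges": sorted(old_e - new_e)}


if __name__ == "__main__":
    sl = extract_slice(CALL_GRAPH, ["Main"], "Vuln.Parse")
    verdict = compute_verdict(sl, unresolved_edges=[("HandleRequest", "Deserialize")])
    # CVE id and subject digest are placeholders, not values from the page.
    stmt = build_statement("CVE-0000-00000", "app.dll", "00" * 32, sl, verdict)
    env = sign_envelope(stmt, b"demo-key", "demo-key-id")
    print(json.dumps(verdict), cas_address(env), verify_envelope(env, b"demo-key"))
```

Two details matter for the attestation to be meaningful: the slice omits `UnusedHelper` even though it calls the sink, because minimality means "on a path from an entrypoint", not "adjacent to the sink"; and the verifier reconstructs the PAE from the envelope's own `payloadType` and `payload`, so swapping either field invalidates the signature rather than silently re-binding it.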