# Reachability Status Classification (R0-R3/UNREACHABLE through REACHABLE_PROVEN)

## Module

Scanner

## Status

IMPLEMENTED

## Description

Classifies each vulnerable dependency symbol into one of four reachability tiers (R0 UNREACHABLE, R1 POSSIBLY_REACHABLE, R2 REACHABLE_STATIC, R3 REACHABLE_PROVEN) and attaches a confidence score. The score is derived from deterministic modifiers, so the same input always yields the same tier and confidence; R0 findings are suppressed from default result sets.

## Implementation Details

- **Reachability Models**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs` - Defines the reachability status tiers (R0=UNREACHABLE, R1=POSSIBLY_REACHABLE, R2=REACHABLE_STATIC, R3=REACHABLE_PROVEN) and the confidence score attached to each classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicy.cs` - `ReachabilityPolicy` configures classification thresholds and tier boundaries
- **Static Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/StaticReachabilityAnalyzer.cs` - `StaticReachabilityAnalyzer` performs static call graph analysis; a call graph path from an entrypoint to the vulnerable symbol yields an R2 classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs` - `ConditionalReachabilityAnalyzer` handles conditional reachability (paths gated by feature flags or configuration), which classifies as R1
- **Combiner**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs` - `ReachGraphReachabilityCombiner` combines static and runtime signals into the final classification; a runtime-observed call promotes a finding to R3
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/VulnerabilityReachabilityFilter.cs` - `VulnerabilityReachabilityFilter` filters vulnerabilities by reachability status (R0 findings are excluded from default result sets)
- **Reporting**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs` - Reporter for reachability classification results
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs` - Report model
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityReportBuilder.cs` - Builder for constructing reports

## E2E Test Plan

- [ ] Scan a container with a vulnerability in unreachable code and verify it is classified as R0 (UNREACHABLE)
- [ ] Scan a container with a vulnerability in statically reachable code (a call graph path exists) and verify it is classified as R2 (REACHABLE_STATIC)
- [ ] Verify that runtime-confirmed reachability (an observed call) promotes the classification to R3 (REACHABLE_PROVEN)
- [ ] Verify that conditional reachability (behind a feature flag or config value) is classified as R1 (POSSIBLY_REACHABLE) with the expected confidence
- [ ] Verify that confidence scores are computed deterministically: the same input must produce the same tier and score on every run
- [ ] Verify that the vulnerability filter suppresses R0 findings from default result sets
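The following is an added illustration of the tier, confidence and filter model described above. It is example code written for this page, not the `StellaOps.Scanner.Reachability` implementation: every type name, signal field, base confidence, modifier value and threshold in it is an assumption chosen to show the mechanics (runtime evidence dominates static evidence, a guarded static path degrades to R1, modifiers are fixed constants so the result is reproducible, and R0 is dropped by the default filter).

```csharp
// Added illustration only: these types are NOT the StellaOps.Scanner.Reachability API.
// Names, base confidences, modifier values and thresholds are assumptions for this example.
using System;
using System.Collections.Generic;
using System.Linq;

public enum ReachabilityStatus
{
    Unreachable = 0,        // R0
    PossiblyReachable = 1,  // R1
    ReachableStatic = 2,    // R2
    ReachableProven = 3,    // R3
}

// Evidence gathered for one vulnerable symbol (hypothetical shape).
public sealed record ReachabilitySignals(
    bool StaticPathExists,     // call-graph path from an entrypoint to the vulnerable symbol
    bool GuardedByCondition,   // that path passes through a feature-flag or config check
    bool RuntimeCallObserved,  // the symbol was actually invoked under instrumentation
    int StaticPathLength);     // edges on the shortest static path (0 if none)

public sealed record ReachabilityVerdict(string VulnId, ReachabilityStatus Status, double Confidence);

public static class ReachabilityClassifier
{
    // Assumed base confidence per tier and deterministic modifiers: fixed constants, no RNG, no clock.
    private const double BaseUnreachable = 0.90;
    private const double BasePossible = 0.50;
    private const double BaseStatic = 0.75;
    private const double BaseProven = 0.99;
    private const int LongPathThreshold = 5;              // edges beyond this are penalised
    private const double LongPathPenaltyPerEdge = 0.02;
    private const double MaxLongPathPenalty = 0.20;

    public static ReachabilityVerdict Classify(string vulnId, ReachabilitySignals s)
    {
        // Runtime evidence dominates: an observed call proves reachability regardless of static results.
        if (s.RuntimeCallObserved)
            return new(vulnId, ReachabilityStatus.ReachableProven, BaseProven);

        // No static path and no runtime observation: unreachable.
        if (!s.StaticPathExists)
            return new(vulnId, ReachabilityStatus.Unreachable, BaseUnreachable);

        // Same path length always yields the same penalty, so confidence is reproducible.
        double extraEdges = Math.Max(0, s.StaticPathLength - LongPathThreshold);
        double penalty = Math.Min(MaxLongPathPenalty, extraEdges * LongPathPenaltyPerEdge);

        // A path gated by a flag or config value is only possibly reachable.
        if (s.GuardedByCondition)
            return new(vulnId, ReachabilityStatus.PossiblyReachable, Math.Round(BasePossible - penalty, 4));

        return new(vulnId, ReachabilityStatus.ReachableStatic, Math.Round(BaseStatic - penalty, 4));
    }

    // Default filter drops R0; callers that want everything pass includeUnreachable: true.
    // Ordering is by tier then by ordinal id so the output is stable across runs.
    public static IEnumerable<ReachabilityVerdict> Filter(
        IEnumerable<ReachabilityVerdict> verdicts, bool includeUnreachable = false)
        => verdicts.Where(v => includeUnreachable || v.Status != ReachabilityStatus.Unreachable)
                   .OrderByDescending(v => v.Status)
                   .ThenBy(v => v.VulnId, StringComparer.Ordinal);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample signals for four hypothetical findings.
        var samples = new Dictionary<string, ReachabilitySignals>
        {
            ["VULN-A"] = new(StaticPathExists: false, GuardedByCondition: false, RuntimeCallObserved: false, StaticPathLength: 0),
            ["VULN-B"] = new(StaticPathExists: true,  GuardedByCondition: false, RuntimeCallObserved: false, StaticPathLength: 3),
            ["VULN-C"] = new(StaticPathExists: true,  GuardedByCondition: true,  RuntimeCallObserved: false, StaticPathLength: 8),
            ["VULN-D"] = new(StaticPathExists: true,  GuardedByCondition: false, RuntimeCallObserved: true,  StaticPathLength: 2),
        };

        var first  = samples.Select(kv => ReachabilityClassifier.Classify(kv.Key, kv.Value)).ToList();
        var second = samples.Select(kv => ReachabilityClassifier.Classify(kv.Key, kv.Value)).ToList();

        // Determinism check: identical input must yield identical tier and confidence (records compare by value).
        if (!first.SequenceEqual(second))
            throw new InvalidOperationException("classification is not deterministic");

        // VULN-A is R0 and is suppressed by the default filter; the other three are listed.
        foreach (var v in ReachabilityClassifier.Filter(first))
            Console.WriteLine($"{v.VulnId}: R{(int)v.Status} {v.Status} confidence={v.Confidence:F2}");
    }
}
```

Two design choices worth keeping whatever the real constants are: the runtime check comes first and short-circuits, so a proven call can never be downgraded by a weak static score, and every modifier is a compile-time constant applied to an integer input, which is what makes the E2E determinism check meaningful.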