# Scanner PR/MR Evidence Annotations (Webhook-Driven)

## Module

Scanner

## Status

IMPLEMENTED

## Description

Webhook-driven PR/MR annotation generation with evidence anchors (attestation digest, policy verdict, verify command), ASCII-only output, and posting via SCM annotation clients with retry/backoff.

## Implementation Details

- **PR Annotation Service**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationService.cs` - `PrAnnotationService` generates PR/MR annotations with evidence anchors, including the attestation digest, policy verdict, and verify command
- **Webhook Handler**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/PrAnnotationWebhookHandler.cs` - `PrAnnotationWebhookHandler` processes incoming webhook events from SCM providers and triggers annotation generation
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/WebhookEndpoints.cs` - Webhook endpoints that receive SCM events for PR/MR annotation
- **Reachability Gate**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PrReachabilityGate.cs` - `PrReachabilityGate` evaluates reachability status for PR annotations
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PrAnnotationServiceTests.cs` - Unit tests for annotation generation
  - `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PrReachabilityGateTests.cs` - PR reachability gate tests

## E2E Test Plan

- [ ] Send a webhook event for a PR/MR and verify that `PrAnnotationWebhookHandler` triggers annotation generation
- [ ] Verify that the generated annotation includes the attestation digest, policy verdict, and a `stella verify` command
- [ ] Verify that annotation output is ASCII-only (no Unicode characters that might break SCM rendering)
- [ ] Verify that annotations are posted to the SCM provider (Gitea, GitHub, GitLab) with retry/backoff on failure
- [ ] Verify that `PrReachabilityGate` integrates reachability status into the PR annotation (showing which vulnerabilities are reachable)
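The three properties the test plan checks (evidence anchors in the body, ASCII-only output, retry/backoff on posting) can be exercised in isolation. The following is an added illustration written for this page, not code from `PrAnnotationService` or the StellaOps repository; the record, method names, the backoff constants, and the `stella verify` arguments are assumptions.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical evidence anchors carried into the PR/MR comment (names are assumptions).
public sealed record AnnotationEvidence(string AttestationDigest, string PolicyVerdict, string ImageRef);

public static class AnnotationExample
{
    // Renders the comment body; every field is scrubbed so the result is guaranteed ASCII-only.
    public static string Render(AnnotationEvidence e)
    {
        var sb = new StringBuilder();
        sb.Append("### Scan evidence\n");
        sb.Append("- Attestation digest: ").Append(ToAscii(e.AttestationDigest)).Append('\n');
        sb.Append("- Policy verdict: ").Append(ToAscii(e.PolicyVerdict)).Append('\n');
        // The verify command lets a reviewer re-check the verdict against the digest (flags assumed).
        sb.Append("- Verify: `stella verify ").Append(ToAscii(e.ImageRef))
          .Append(" --attestation ").Append(ToAscii(e.AttestationDigest)).Append("`\n");
        return sb.ToString();
    }

    // Replaces any non-ASCII UTF-16 code unit with '?' so SCM renderers never see raw Unicode.
    public static string ToAscii(string s) =>
        new string(s.Select(c => c < 0x80 ? c : '?').ToArray());

    public static bool IsAscii(string s) => s.All(c => c < 0x80);

    // Posts with exponential backoff; 'post' returns false on a transient failure (e.g. HTTP 429/5xx).
    // Non-ASCII bodies are rejected before the first attempt rather than silently posted.
    public static async Task<bool> PostWithRetryAsync(
        Func<string, CancellationToken, Task<bool>> post, string body,
        int maxAttempts = 4, CancellationToken ct = default)
    {
        if (!IsAscii(body)) throw new ArgumentException("annotation body must be ASCII-only", nameof(body));
        var delay = TimeSpan.FromMilliseconds(500);
        for (var attempt = 1; attempt <= maxAttempts; attempt++)
        {
            if (await post(body, ct)) return true;
            if (attempt == maxAttempts) break;
            await Task.Delay(delay, ct);
            delay = TimeSpan.FromMilliseconds(Math.Min(delay.TotalMilliseconds * 2, 8000));
        }
        return false;
    }
}
```

A test in the spirit of the E2E plan would render an evidence record containing a non-ASCII character, assert `IsAscii(Render(e))`, and drive `PostWithRetryAsync` with a delegate that fails a fixed number of times before succeeding.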