# Threat Vector Inference and Capability Detection

## Module

Scanner

## Status

IMPLEMENTED

## Description

Automated inference of threat vectors from entrypoint characteristics, capability detection (network, file system, crypto, process execution, IPC), and data flow boundary mapping for security surface assessment.

## Implementation Details

- **Threat Vector Inference**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs` - `ThreatVectorInferrer` infers the threat vector (External, Internal, Privileged) of an entrypoint from its characteristics and exposure patterns
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs` - `ThreatVector` enum defining the threat vector classifications
- **Capability Detection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs` - `CapabilityDetector` detects entrypoint capabilities (NetworkAccess, FileSystem, Crypto, ProcessExec, IPC) from code patterns
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs` - `CapabilityClass` flags enum for the detected capabilities
- **Data Flow Boundary Mapping**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs` - `DataBoundaryMapper` maps data flow trust boundaries between entrypoints and downstream services
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs` - `DataFlowBoundary` enum defining the trust boundary types

## E2E Test Plan

- [ ] Analyze an HTTP-exposed entrypoint and verify `ThreatVectorInferrer` classifies it as the "External" threat vector
- [ ] Analyze an internal-only service and verify it is classified as the "Internal" threat vector
- [ ] Verify `CapabilityDetector` identifies the NetworkAccess capability for entrypoints making HTTP calls
- [ ] Verify `CapabilityDetector` identifies the FileSystem capability for entrypoints performing file I/O
- [ ] Verify `DataBoundaryMapper` correctly identifies trust boundary crossings (e.g., user input -> database query)
- [ ] Verify all three analysis components (threat vector, capability, data flow boundary) produce deterministic results for the same code patterns (run the analysis twice on identical input and compare outputs)
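As an added example, not StellaOps code (the page names `ThreatVectorInferrer`, `CapabilityDetector` and `DataBoundaryMapper` but shows none of their APIs), the following self-contained C# program sketches how the three analyses chain together over a constructed entrypoint profile: bind address and privilege decide the threat vector, API-name signatures in the entrypoint's source set capability flags, and trust boundary crossings are derived from both. The `ThreatVector` and `CapabilityClass` member names follow those listed above; the `EntrypointProfile` record, the `DataFlowBoundary` member names, the regex signatures, the sample sources and all method names are assumptions made for this illustration.

```csharp
// Added illustration, not StellaOps code. ThreatVector and CapabilityClass member
// names mirror the page; the DataFlowBoundary members, EntrypointProfile, the regex
// signatures and every method name are assumptions for this example.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

enum ThreatVector { Internal, External, Privileged }

[Flags]
enum CapabilityClass { None = 0, NetworkAccess = 1, FileSystem = 2, Crypto = 4, ProcessExec = 8, IPC = 16 }

// Assumed boundary types; the page only says the enum defines trust boundary types.
enum DataFlowBoundary { UserToService, ServiceToDatabase, ServiceToExternalService }

// Constructed input: what an entrypoint scan might extract. Not the real EntryTrace model.
record EntrypointProfile(string Name, string BindAddress, int Port, bool RunsAsRoot, string Source);

static class ExampleAnalyzers
{
    static bool IsLoopback(string bind) => bind is "127.0.0.1" or "::1" or "localhost";

    // Privilege is checked first: a root entrypoint is reported as Privileged even when
    // exposed, because escalation impact dominates. Loopback-only binding keeps it Internal.
    public static ThreatVector InferThreatVector(EntrypointProfile e)
    {
        if (e.RunsAsRoot) return ThreatVector.Privileged;
        return IsLoopback(e.BindAddress) ? ThreatVector.Internal : ThreatVector.External;
    }

    // One regex per capability over .NET API names; each match sets one flag.
    // Name matching is a stand-in for real code-pattern analysis and misses
    // reflection or dynamically built invocations.
    static readonly (CapabilityClass Cap, Regex Pattern)[] Signatures =
    {
        (CapabilityClass.NetworkAccess, new Regex(@"\b(HttpClient|TcpClient|Socket|WebRequest)\b")),
        (CapabilityClass.FileSystem,    new Regex(@"\bFile\.(ReadAll\w+|WriteAll\w+|Open\w*|Delete)\b|\bFileStream\b")),
        (CapabilityClass.Crypto,        new Regex(@"\b(Aes|RSA|SHA\d+|HMAC\w*)\.Create\b|\bRandomNumberGenerator\b")),
        (CapabilityClass.ProcessExec,   new Regex(@"\bProcess\.Start\b|\bProcessStartInfo\b")),
        (CapabilityClass.IPC,           new Regex(@"\bNamedPipe(Server|Client)Stream\b|\bAnonymousPipe\w+\b")),
    };

    public static CapabilityClass DetectCapabilities(string source)
    {
        var caps = CapabilityClass.None;
        foreach (var (cap, pattern) in Signatures)
            if (pattern.IsMatch(source)) caps |= cap;
        return caps;
    }

    // Boundary crossings combine where data enters (exposure) with where it goes (capabilities).
    // The list is built in a fixed order so repeated runs compare equal.
    public static IReadOnlyList<DataFlowBoundary> MapBoundaries(EntrypointProfile e, CapabilityClass caps)
    {
        var crossings = new List<DataFlowBoundary>();
        if (!IsLoopback(e.BindAddress)) crossings.Add(DataFlowBoundary.UserToService);
        if (Regex.IsMatch(e.Source, @"\bSqlCommand\b|\bDbContext\b")) crossings.Add(DataFlowBoundary.ServiceToDatabase);
        if (caps.HasFlag(CapabilityClass.NetworkAccess)) crossings.Add(DataFlowBoundary.ServiceToExternalService);
        return crossings;
    }

    public static void Main()
    {
        // Constructed sample entrypoints with fragments of the code they would contain.
        var profiles = new[]
        {
            new EntrypointProfile("orders-api", "0.0.0.0", 8080, RunsAsRoot: false,
                Source: "var http = new HttpClient(); using var cmd = new SqlCommand(sql, conn);"),
            new EntrypointProfile("report-worker", "127.0.0.1", 9000, RunsAsRoot: false,
                Source: "File.WriteAllText(path, report); using var aes = Aes.Create();"),
            new EntrypointProfile("node-agent", "0.0.0.0", 7000, RunsAsRoot: true,
                Source: "Process.Start(\"iptables\", args); using var pipe = new NamedPipeServerStream(\"agent\");"),
        };

        foreach (var e in profiles)
        {
            var vector = InferThreatVector(e);
            var caps = DetectCapabilities(e.Source);
            var first = MapBoundaries(e, caps);
            // Determinism check from the E2E plan: analyse the same input again and compare.
            var second = MapBoundaries(e, DetectCapabilities(e.Source));
            bool deterministic = vector == InferThreatVector(e) && first.SequenceEqual(second);
            Console.WriteLine($"{e.Name}: vector={vector} caps=[{caps}] boundaries=[{string.Join(", ", first)}] deterministic={deterministic}");
        }
    }
}
```

With the constructed inputs, `orders-api` comes out External with NetworkAccess and all three boundary crossings, `report-worker` Internal with FileSystem and Crypto and no crossings, and `node-agent` Privileged with ProcessExec and IPC plus a UserToService crossing. Two choices deserve attention when building a real inferrer: ranking Privileged above External is a modelling decision (an exposed root process arguably merits both labels), and name-based signatures are a lower bound on capabilities, so the absence of a flag should never be read as proof the capability is absent.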