# Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles

## Module

Scanner (with Attestor proof bundle integration)

## Status

IMPLEMENTED

## Description

A vulnerability-first triage inbox where findings are grouped by exploit path similarity rather than by CVE or component. Security engineers see clusters of findings that share the same attack vector (entrypoint -> call chain -> sink), enabling batch triage.

The backend triage service, with DB context, reachability subgraph extraction, exploit path grouping, and proof generation, exists. The UI triage inbox and queue components are partially complete.

## What's Implemented

- **Exploit Path Grouping (Backend)**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs` -- interface grouping findings by exploit path similarity
  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs` -- call chain from entrypoint to vulnerable function
  - `src/Scanner/__Tests/StellaOps.Scanner.Triage.Tests/` -- unit tests for exploit path grouping logic
- **Triage Database and API**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageDbContext.cs` -- EF Core database context
  - `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/TriageFinding.cs` -- finding entity with reachability classification and exploit path reference
  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/Triage/TriageInboxEndpoints.cs` -- REST API with exploit path grouping support
- **Triage Lanes**: `TriageEnums.cs` -- ACTIVE, BLOCKED, MUTED_REACH, MUTED_VEX
- **Triage Status Service**: `TriageStatusService.cs` -- state transitions across lanes
- **Evidence Integration**: `ProofBundleEndpoints.cs` -- evidence bundles for triage decisions
- **Proof Graph Service**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs` (with `.Mutation`, `.Queries`, `.Subgraph`) -- proof graph with subgraph extraction for evidence grouping
- **Micro Witness Evidence**: `MicroWitnessFunctionEvidence.cs`, `MicroWitnessBinaryRef.cs`, `MicroWitnessCveRef.cs` -- function-level reachability evidence
- **Reachability Witness Payload**: `ReachabilityWitnessPayload.cs` (with `.Path`), `WitnessCallPathNode.cs` -- witness payload with exploit call paths
- **Proof Spine System**: `ProofSpineRequest.cs`, `ProofSpineResult.cs` -- proof spine for evidence bundle assembly
- **Sigstore/Evidence Pack Builders**: `SigstoreBundleBuilder.cs`, `ReleaseEvidencePackBuilder.cs` -- builds proof bundles

## What's Missing

- **Triage Inbox UI Component**: No Angular component implementing the vulnerability-first triage inbox with exploit path cluster view, batch triage actions, cluster expansion, and sort/filter by cluster size, severity, or reachability
- **Exploit Path Similarity Algorithm**: The `IExploitPathGroupingService` interface exists, but it is unclear how complete the clustering/similarity algorithm behind it is
- **Batch Triage API**: No REST endpoint for applying a single triage decision to all findings in an exploit path cluster
- **Cluster Statistics**: No API endpoint returning per-cluster severity and reachability distributions
- **Triage Dashboard**: No dashboard showing triage progress (clusters triaged vs. remaining, MTTR per cluster)
- **Triage Action Workflow**: No triage action buttons (accept risk, suppress, escalate, remediate) with DSSE-signed action records
- **Triage Priority Scoring**: No scoring that prioritizes vulnerabilities by exploit path depth and reachability confidence
- **Inline Proof Bundle Viewer**: No inline viewer showing proof bundle contents (DSSE envelope, Rekor receipt, Merkle proof) within the triage UI

## Implementation Plan

- Complete the exploit path similarity algorithm using common call-chain prefix grouping with a configurable similarity threshold
- Add `BatchTriageEndpoints` for applying triage decisions to entire exploit path clusters
- Add a cluster statistics endpoint returning per-cluster severity and reachability distributions
- Create `TriageInboxComponent` in `src/Web/` with exploit path cluster view, batch actions, and filtering
- Implement the triage action workflow with DSSE-signed action records
- Add triage priority scoring based on path depth and confidence
- Build the inline proof bundle viewer
- Create the triage dashboard with progress metrics
- Add e2e tests for grouping, triage actions, and batch operations

## E2E Test Plan

- [ ] Open the triage inbox and verify findings are grouped by exploit path similarity
- [ ] Expand a cluster and verify all individual findings with CVE, severity, and reachability tier
- [ ] Apply a batch "mute" action to an entire cluster and verify all findings move to the MUTED_REACH lane
- [ ] Sort clusters by highest severity and verify correct ordering
- [ ] Filter clusters by reachability tier "Confirmed"
- [ ] Open the triage dashboard and verify correct counts
- [ ] Verify the batch triage API returns the correct affected finding count

## Related Documentation

- Triage infrastructure: `src/Scanner/__Libraries/StellaOps.Scanner.Triage/`
- Proof graph: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/`

## Merged From

- `attestor/vulnerability-first-triage-ux-with-exploit-path-grouping-and-proof-bundles.md` (deleted)
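The Implementation Plan calls for completing the exploit path similarity algorithm as common call-chain prefix grouping with a configurable similarity threshold. The C# below is an added example written for this document; it is not code from the StellaOps `Scanner.Triage` library and does not implement its `IExploitPathGroupingService` interface or use its `ExploitPath` model. The `Finding` and `ExploitPathCluster` records, the similarity definition (shared prefix length divided by the longer chain's length), the greedy single-pass clustering, the 0.5 default threshold, and the sample findings are all assumptions made for the illustration.

```csharp
// Added example, not StellaOps project code. Groups findings whose call chains
// (entrypoint first, vulnerable sink last) share a common prefix. The record
// types, similarity measure and default threshold are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record Finding(string FindingId, string CveId, IReadOnlyList<string> CallChain);

// SharedPrefix is the call-chain prefix every member has in common; it is empty
// for the cluster of findings that carry no recorded path.
public sealed record ExploitPathCluster(IReadOnlyList<string> SharedPrefix, IReadOnlyList<Finding> Findings);

public static class CallChainPrefixGrouping
{
    // Number of leading symbols two chains share (ordinal: "Foo.Bar" != "foo.bar").
    public static int CommonPrefixLength(IReadOnlyList<string> a, IReadOnlyList<string> b)
    {
        int n = Math.Min(a.Count, b.Count);
        int i = 0;
        while (i < n && string.Equals(a[i], b[i], StringComparison.Ordinal)) i++;
        return i;
    }

    // Similarity in [0,1]: shared prefix length over the LONGER chain, so a short
    // chain that merely prefixes a much deeper one does not score 1.0.
    public static double PrefixSimilarity(IReadOnlyList<string> a, IReadOnlyList<string> b)
    {
        int longest = Math.Max(a.Count, b.Count);
        return longest == 0 ? 0.0 : (double)CommonPrefixLength(a, b) / longest;
    }

    // Greedy single pass: each finding joins the cluster whose representative
    // chain it is most similar to, if that similarity reaches the threshold;
    // otherwise it starts a new cluster. Input is sorted first so the output
    // does not depend on database row order.
    public static IReadOnlyList<ExploitPathCluster> Group(IEnumerable<Finding> findings, double threshold = 0.5)
    {
        if (threshold < 0.0 || threshold > 1.0)
            throw new ArgumentOutOfRangeException(nameof(threshold), "threshold must be in [0,1]");

        var noPath = new List<Finding>();
        var clusters = new List<(IReadOnlyList<string> Representative, List<string> Prefix, List<Finding> Members)>();

        foreach (var f in findings
                     .OrderByDescending(x => x.CallChain.Count)
                     .ThenBy(x => x.FindingId, StringComparer.Ordinal))
        {
            if (f.CallChain.Count == 0) { noPath.Add(f); continue; }  // nothing to compare against

            int best = -1;
            double bestScore = 0.0;
            for (int i = 0; i < clusters.Count; i++)
            {
                double s = PrefixSimilarity(clusters[i].Representative, f.CallChain);
                if (s >= threshold && s > bestScore) { bestScore = s; best = i; }
            }

            if (best < 0)
            {
                clusters.Add((f.CallChain, new List<string>(f.CallChain), new List<Finding> { f }));
            }
            else
            {
                var c = clusters[best];
                c.Members.Add(f);
                int keep = CommonPrefixLength(c.Prefix, f.CallChain);  // shrink to what all members share
                c.Prefix.RemoveRange(keep, c.Prefix.Count - keep);
            }
        }

        var result = clusters
            .Select(c => new ExploitPathCluster(c.Prefix.ToArray(), c.Members.ToArray()))
            .OrderByDescending(c => c.Findings.Count)  // largest batch-triage win first
            .ToList();
        if (noPath.Count > 0) result.Add(new ExploitPathCluster(Array.Empty<string>(), noPath));
        return result;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample findings with hypothetical CVE ids; not real scan output.
        var findings = new[]
        {
            new Finding("F-1", "CVE-0000-0001", new[] { "Api.Upload", "Parser.Parse", "Zip.Extract", "Path.Combine" }),
            new Finding("F-2", "CVE-0000-0002", new[] { "Api.Upload", "Parser.Parse", "Zip.Extract", "File.Write" }),
            new Finding("F-3", "CVE-0000-0003", new[] { "Api.Upload", "Parser.Parse", "Xml.Load" }),
            new Finding("F-4", "CVE-0000-0004", new[] { "Cli.Main", "Config.Load", "Yaml.Deserialize" }),
            new Finding("F-5", "CVE-0000-0005", Array.Empty<string>()),
        };

        foreach (var cluster in CallChainPrefixGrouping.Group(findings, threshold: 0.5))
        {
            string prefix = cluster.SharedPrefix.Count == 0 ? "(no recorded path)" : string.Join(" -> ", cluster.SharedPrefix);
            Console.WriteLine($"{cluster.Findings.Count} finding(s) via {prefix}: {string.Join(", ", cluster.Findings.Select(x => x.CveId))}");
        }
    }
}
```

With the sample input, F-1, F-2 and F-3 land in one cluster whose shared prefix is `Api.Upload -> Parser.Parse` (F-3 scores exactly 0.5 against the representative chain, so it joins at the default threshold and would not at 0.6), F-4 forms its own cluster, and F-5 is returned last in the empty-prefix cluster. Two design points matter for a triage inbox: the similarity is measured against a fixed representative (the longest chain seen first) rather than against the shrinking shared prefix, so membership does not drift as the cluster grows; and findings with no recorded path are kept separate rather than dropped, so they can be routed to the MUTED_REACH lane explicitly and still be counted when a batch action reports how many findings it affected.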