# Reachability evidence schema

Reachability evidence is stored as canonical graphs plus optional runtime facts
and edge bundles. Evidence is content-addressed and signed.

Core identifiers
- symbol_id: canonical symbol identity with format, build id, address range.
- code_id: code block identity when symbols are missing.
- symbol_digest: sha256 of normalized signature or block hash.
- purl: owning component identity when resolved.

Graph payload (richgraph-v1)
- nodes carry symbol ids, digests, purls, and analyzer metadata.
- edges carry kind, confidence, evidence tags, and candidate targets.
- roots capture entrypoints and loader roots.
- graph_hash is the content hash of canonical JSON.

Attestation levels
- Graph DSSE is required for every graph (canonical JSON + hash).
- Edge-bundle DSSE is optional for high-signal edges.
- CAS layout uses cas://reachability/graphs and cas://reachability/edges.

Runtime facts
- Events include symbolId, codeId, purl, hitCount, and observedAt.
- Runtime traces can be stored in CAS and referenced by URI.

Validation rules (examples)
- Edges must include purl or candidates.
- Evidence arrays are sorted and confidence is within 0.0-1.0.
- Graph and edge bundles must reference the same graph_hash.

Related references
- docs/reachability/evidence-schema.md
- docs/reachability/edge-explainability-schema.md
- docs/reachability/runtime-static-union-schema.md