# Reachability and VEX

## Reachability evidence

- Static call graphs are produced by Scanner analyzers.
- Runtime traces are collected by Zastava when enabled.
- Union bundles combine static and runtime evidence for scoring and replay.

## Hybrid reachability attestations

- Graph-level DSSE is required for every reachability graph.
- Optional edge-bundle DSSE captures contested or runtime edges.
- Rekor publishing can be tiered; offline kits cache proofs when available.

## Reachability scoring (Signals)

- Bucket model: entrypoint, direct, runtime, unknown, unreachable.
- Default weights: entrypoint 1.0, direct 0.85, runtime 0.45, unknown 0.5, unreachable 0.0.
- Unknowns pressure reduces the final score to avoid false safety.

## VEX consensus

- Excititor ingests and normalizes VEX statements (OpenVEX, CSAF VEX).
- Policy Engine merges evidence using lattice logic with explicit Unknown handling.
- Decisions include evidence refs and can be exported as downstream VEX.

## Unknowns registry

- Unknowns are first-class objects with scoring, SLA bands, and evidence links.
- Unknowns are stored with deterministic ordering and exported for offline review.
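A worked illustration of the bucket model from the scoring section, added here and not part of the project's own code. The page gives the bucket names and default weights but not the bucket-assignment precedence, the unknowns-pressure formula, or how it feeds a suppression decision; the example assumes pressure is the share of findings in the unknown bucket, that it lowers a graph-level confidence, and that only an unreachable finding with enough confidence may be treated as safe. The `Finding` type, `score_graph` function, and `VULN-*` ids are constructed for this example.

```python
from dataclasses import dataclass

BUCKET_WEIGHTS = {"entrypoint": 1.0, "direct": 0.85, "runtime": 0.45,
                  "unknown": 0.5, "unreachable": 0.0}  # defaults from the page

@dataclass(frozen=True)
class Finding:
    vuln_id: str         # constructed placeholder id, not a real advisory
    covered: bool        # analyzer covered the code; False -> "unknown" bucket
    is_entrypoint: bool  # vulnerable symbol is itself an application entrypoint
    static_path: bool    # static call graph has a path entrypoint -> symbol
    runtime_hit: bool    # runtime trace (Zastava-style) saw the symbol execute

def bucket_for(f: Finding) -> str:
    """Map evidence to one bucket; the precedence order is an assumption."""
    if not f.covered:
        return "unknown"
    if f.is_entrypoint:
        return "entrypoint"
    if f.static_path:
        return "direct"
    if f.runtime_hit:
        return "runtime"
    return "unreachable"

def unknowns_pressure(findings) -> float:
    """Assumed definition: share of findings that landed in the unknown bucket."""
    if not findings:
        return 0.0
    return sum(bucket_for(f) == "unknown" for f in findings) / len(findings)

def score_graph(findings, min_confidence=0.8):
    """Return (graph confidence, {vuln_id: (bucket, weight, may_suppress)}).
    Assumed model: confidence = 1 - unknowns_pressure, and a finding may be
    treated as safe only if it is unreachable AND confidence clears the bar,
    so unanalyzed code never quietly turns into a "safe" verdict."""
    confidence = round(1.0 - unknowns_pressure(findings), 4)
    results = {}
    for f in findings:
        b = bucket_for(f)
        may_suppress = b == "unreachable" and confidence >= min_confidence
        results[f.vuln_id] = (b, BUCKET_WEIGHTS[b], may_suppress)
    return confidence, results

# Constructed sample: four findings drawn from one union bundle.
SAMPLE = [
    Finding("VULN-A", True, True, True, False),     # entrypoint
    Finding("VULN-B", True, False, True, True),     # direct (static path wins)
    Finding("VULN-C", True, False, False, False),   # unreachable
    Finding("VULN-D", False, False, False, False),  # unknown: not analyzed
]
```

With one unknown among four findings the graph confidence drops to 0.75, so `VULN-C` cannot be suppressed even though it is unreachable; remove the unknown finding and the same verdict becomes suppressible.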