git.stella-ops.org/docs/implplan/SPRINT_3800_SUMMARY.md
StellaOps Bot 634233dfed feat: Implement distro-native version comparison for RPM, Debian, and Alpine packages
- Add RpmVersionComparer for RPM version comparison with epoch, version, and release handling.
- Introduce DebianVersion for parsing Debian EVR (Epoch:Version-Release) strings.
- Create ApkVersion for parsing Alpine APK version strings with suffix support.
- Define IVersionComparator interface for version comparison with proof-line generation.
- Implement VersionComparisonResult struct to encapsulate comparison results and proof lines.
- Add tests for Debian and RPM version comparers to ensure correct functionality and edge case handling.
- Create project files for the version comparison library and its tests.
2025-12-22 09:50:12 +02:00

# Sprint Epic 3800 · Layered Binary + Call-Stack Reachability

## Overview

This epic implements the two-stage reachability map as described in the product advisory "Layered binary + callstack reachability" (20-Dec-2025). It extends Stella Ops' reachability analysis with:

  1. Deeper binary analysis - Disassembly-based call edge extraction
  2. CVE→Symbol mapping - Connect vulnerabilities to specific binary functions
  3. Attestable slices - Minimal proof units for triage decisions
  4. Query & replay APIs - On-demand reachability queries with verification
  5. VEX automation - Auto-generate code_not_reachable justifications
  6. Runtime traces - eBPF/ETW-based observed path evidence
  7. OCI storage & CLI - Artifact management and command-line tools

## Sprint Breakdown

| Sprint | Topic | Tasks | Status |
|---|---|---|---|
| 3800.0001.0001 | Binary Call-Edge Enhancement | 8 | TODO |
| 3810.0001.0001 | CVE→Symbol Mapping & Slice Format | 7 | TODO |
| 3820.0001.0001 | Slice Query & Replay APIs | 7 | TODO |
| 3830.0001.0001 | VEX Integration & Policy Binding | 6 | TODO |
| 3840.0001.0001 | Runtime Trace Merge | 7 | TODO |
| 3850.0001.0001 | OCI Storage & CLI | 8 | TODO |

Total Tasks: 43. Status: TODO (0/43 complete).

```text
Sprint 3810 (CVE→Symbol + Slices) ─────────────────┐
                                                   ├──► Sprint 3820 (Query APIs) ──► Sprint 3830 (VEX)
Sprint 3800 (Binary Enhancement) ──────────────────┘

Sprint 3850 (OCI + CLI) ─────────────────────────────► (parallel with 3830)

Sprint 3840 (Runtime Traces) ────────────────────────► (optional, parallel with 3830-3850)
```

## Key Deliverables

### Schemas & Contracts

| Artifact | Location | Sprint |
|---|---|---|
| Slice predicate schema | `docs/schemas/stellaops-slice.v1.schema.json` | 3810 |
| Slice OCI media type | `application/vnd.stellaops.slice.v1+json` | 3850 |
| Runtime event schema | `docs/schemas/runtime-call-event.schema.json` | 3840 |

### APIs

| Endpoint | Method | Description | Sprint |
|---|---|---|---|
| `/api/slices/query` | POST | Query reachability for CVE/symbols | 3820 |
| `/api/slices/{digest}` | GET | Retrieve attested slice | 3820 |
| `/api/slices/replay` | POST | Verify slice reproducibility | 3820 |

### CLI Commands

| Command | Description | Sprint |
|---|---|---|
| `stella binary submit` | Submit binary graph | 3850 |
| `stella binary info` | Display graph info | 3850 |
| `stella binary symbols` | List symbols | 3850 |
| `stella binary verify` | Verify attestation | 3850 |

### Documentation

| Document | Location | Sprint |
|---|---|---|
| Slice schema specification | `docs/reachability/slice-schema.md` | 3810 |
| CVE→Symbol mapping guide | `docs/reachability/cve-symbol-mapping.md` | 3810 |
| Replay verification guide | `docs/reachability/replay-verification.md` | 3820 |

## Dependencies

### External Libraries

| Library | Purpose | Sprint |
|---|---|---|
| iced-x86 | x86/x64 disassembly | 3800 |
| Capstone | ARM64 disassembly | 3800 |
| libbpf/cilium-ebpf | eBPF collector | 3840 |

### Cross-Module Dependencies

| From | To | Integration Point |
|---|---|---|
| Scanner | Concelier | Advisory feed for CVE→symbol mapping |
| Scanner | Attestor | DSSE signing for slices |
| Scanner | Excititor | Slice verdict consumption |
| Policy | Scanner | Unknowns budget enforcement |

## Risk Register

| Risk | Impact | Mitigation | Owner |
|---|---|---|---|
| Disassembly performance | High | Cap at 5s per 10MB binary | Scanner Team |
| Missing CVE→symbol mappings | Medium | Fallback to package-level | Scanner Team |
| eBPF kernel compatibility | Medium | Require 5.8+, provide fallback | Platform Team |
| OCI registry compatibility | Low | Test against major registries | Scanner Team |

## Success Metrics

  1. Coverage: >80% of binary CVEs have symbol-level mapping
  2. Performance: Slice query <2s for typical graphs
  3. Accuracy: Replay match rate >99.9%
  4. Adoption: CLI commands used in >50% of offline deployments

Created: 2025-12-22. Owner: Scanner Guild.