git.stella-ops.org/docs/features/unimplemented/scanner/canonical-node-hash-and-path-hash-recipes-for-reachability.md
2026-02-12 21:02:43 +02:00

Canonical Node-Hash and Path-Hash Recipes for Reachability

Module

Scanner

Status

PARTIALLY_IMPLEMENTED

Description

Canonical node-hash (PURL/symbol normalization + SHA-256) and path-hash (top-K selection + PathFingerprint) recipes for deterministic static/runtime evidence joins. Extends PathWitness, RichGraph, and SARIF export with hash fields.

Implementation Details

  • Path Witness with Hash Fields:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs - PathWitness model with node-hash and path-hash fields
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitnessBuilder.cs - PathWitnessBuilder computes canonical hashes during witness construction
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IPathWitnessBuilder.cs - Interface
  • Rich Graph Integration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraph.cs - RichGraph model extended with hash fields on nodes
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Ordering/DeterministicGraphOrderer.cs - Deterministic ordering for canonical hash computation
  • Witness Matching & Verification:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessMatcher.cs - Matches witnesses using canonical hashes for deterministic joins
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessSchema.cs - Schema validation for witness hash fields
  • Slice Integration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceExtractor.cs - Slice extraction with path-hash for top-K selection
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceModels.cs - Slice models with hash fields
  • Subgraph Extraction:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Subgraph/ReachabilitySubgraphModels.cs - Subgraph models with hash fields

E2E Test Plan

  • Scan an image and verify PathWitness results include canonical node-hash fields (SHA-256 of normalized PURL/symbol)
  • Verify path-hash is computed using top-K selection and the PathFingerprint algorithm
  • Run the same scan twice and verify node-hash and path-hash values are deterministically identical
  • Verify RichGraph response includes hash fields on nodes via GET /api/v1/scans/{scanId}/reachability
  • Verify static/runtime evidence join works correctly using canonical hashes as join keys
  • Verify SARIF export includes hash fields in reachability-related results

Verification Findings

  • run-001 Tier 0 confirmed all listed reachability files/classes exist.
  • Tier 1 build/tests passed for reachability library and focused tests (24/24), including node-hash/path-hash emission and deterministic replay checks.
  • Code review and Tier 2 semantic checks failed (missing_code):
    • PathWitnessBuilder advertises top-K node hashes, but PathHash is computed from all node hashes and does not use a PathFingerprint recipe.
    • RichGraph defines NodeHash on nodes, but RichGraphBuilder does not populate it during node construction.
    • Slices/SliceExtractor and Slices/SliceModels currently contain no path-hash/node-hash fields for documented slice integration claims.
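
The join described in the Description and the top-K finding above, as an added Python example (not StellaOps code). The normalization rules, the newline-joined hash input, the reading of top-K as "first K nodes in path order", and all package and symbol names are assumptions for illustration; the page does not specify them, and PathFingerprint is not modelled.

```python
import hashlib

def normalize_purl(purl):
    # Assumed rule: trim, drop ?qualifiers and #subpath, lowercase the "pkg:type" prefix.
    core = purl.strip().split("#", 1)[0].split("?", 1)[0]
    head, sep, rest = core.partition("/")
    return head.lower() + sep + rest

def normalize_symbol(symbol):
    # Assumed rule: remove all whitespace so formatting differences vanish.
    return "".join(symbol.split())

def node_hash(purl, symbol):
    # SHA-256 over the normalized PURL and symbol (separator is an assumption).
    data = normalize_purl(purl) + "\n" + normalize_symbol(symbol)
    return "sha256:" + hashlib.sha256(data.encode("utf-8")).hexdigest()

def path_hash(node_hashes, k=None):
    # k=None hashes every node; k=N hashes only the first N (assumed top-K rule).
    selected = node_hashes if k is None else node_hashes[:k]
    return "sha256:" + hashlib.sha256("\n".join(selected).encode("utf-8")).hexdigest()

# Constructed sample: the same call path as a static analyzer and a runtime
# tracer might report it, differing only in case, whitespace and qualifiers.
STATIC_PATH = [
    ("pkg:nuget/Example.Web@1.0.0", "Example.Web.Api.Handle(System.String)"),
    ("pkg:nuget/Example.Core@2.1.0", "Example.Core.Parser.Parse(System.String)"),
    ("pkg:nuget/Example.Xml@3.0.0", "Example.Xml.Reader.Load(System.IO.Stream)"),
]
RUNTIME_PATH = [
    ("PKG:NuGet/Example.Web@1.0.0?arch=x64", "Example.Web.Api.Handle( System.String )"),
    (" pkg:nuget/Example.Core@2.1.0", "Example.Core.Parser.Parse(System.String) "),
    ("pkg:nuget/Example.Xml@3.0.0#lib", "Example.Xml.Reader.Load(System.IO.Stream)"),
]

def hashes(path):
    return [node_hash(purl, symbol) for purl, symbol in path]

def joins(static_path, runtime_path, k=None):
    # Evidence joins only when both sides use the same recipe (same k).
    return path_hash(hashes(static_path), k) == path_hash(hashes(runtime_path), k)

if __name__ == "__main__":
    s, r = hashes(STATIC_PATH), hashes(RUNTIME_PATH)
    print("node hashes equal:", s == r)
    print("join, all nodes:", joins(STATIC_PATH, RUNTIME_PATH))
    print("join, top-2:", joins(STATIC_PATH, RUNTIME_PATH, k=2))
    print("top-2 vs all-nodes mismatch:", path_hash(s, 2) != path_hash(r))
```

A witness that lists top-K node hashes while its path hash covers all nodes cannot be recomputed from the listed hashes alone, which is the mismatch the Tier 2 finding on PathWitnessBuilder describes.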