git.stella-ops.org/src/Policy/__Libraries/StellaOps.Policy.Determinization/Evidence/ReachabilityEvidence.cs


using System.Text.Json.Serialization;
namespace StellaOps.Policy.Determinization.Evidence;
/// <summary>
/// Evidence record describing the outcome of a reachability analysis.
/// </summary>
/// <remarks>
/// This type is a plain data carrier: none of its properties validate their values.
/// Range, consistency and authenticity checks have to happen where the record is
/// produced or consumed.
/// </remarks>
public sealed record ReachabilityEvidence
{
    /// <summary>
    /// Outcome of the analysis. Must be supplied by the creator of the record.
    /// </summary>
    [JsonPropertyName("status")]
    public required ReachabilityStatus Status { get; init; }

    /// <summary>
    /// Depth of the call path; intended to be set only when the code is reachable.
    /// </summary>
    /// <remarks>
    /// NOTE(review): nothing here ties this value to <see cref="Status"/> or rejects
    /// negative numbers; confirm that producers or consumers check it.
    /// </remarks>
    [JsonPropertyName("depth")]
    public int? Depth { get; init; }

    /// <summary>
    /// Name of the entry-point function; intended to be set only when the code is reachable.
    /// </summary>
    [JsonPropertyName("entry_point")]
    public string? EntryPoint { get; init; }

    /// <summary>
    /// Name of the vulnerable function.
    /// </summary>
    [JsonPropertyName("vulnerable_function")]
    public string? VulnerableFunction { get; init; }

    /// <summary>
    /// Time at which the reachability analysis ran, expected in UTC.
    /// </summary>
    /// <remarks>
    /// The type accepts any offset; a zero offset is a convention, not something this record enforces.
    /// </remarks>
    [JsonPropertyName("analyzed_at")]
    public required DateTimeOffset AnalyzedAt { get; init; }

    /// <summary>
    /// Digest of the PathWitness, when one is available.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the digest algorithm and encoding are not specified in this file.
    /// </remarks>
    [JsonPropertyName("witness_digest")]
    public string? WitnessDigest { get; init; }

    /// <summary>
    /// Confidence of the analysis, documented as a value in [0.0, 1.0].
    /// </summary>
    /// <remarks>
    /// Defaults to 1.0 when the creator does not set it, so evidence that omits the
    /// field reads as fully confident. The documented range is not enforced here:
    /// out-of-range values and NaN are accepted as given.
    /// </remarks>
    [JsonPropertyName("confidence")]
    public double Confidence { get; init; } = 1.0;

    /// <summary>
    /// Shortcut: <c>true</c> exactly when <see cref="Status"/> is
    /// <see cref="ReachabilityStatus.Reachable"/>. Not written to JSON.
    /// </summary>
    [JsonIgnore]
    public bool IsReachable => Status is ReachabilityStatus.Reachable;

    // Sprint: SPRINT_20260112_004_BE_policy_determinization_attested_rules (DET-ATT-002)
    /// <summary>
    /// Anchor metadata for this evidence (DSSE envelope, Rekor, etc.); <c>null</c> when absent.
    /// </summary>
    [JsonPropertyName("anchor")]
    public EvidenceAnchor? Anchor { get; init; }

    /// <summary>
    /// <c>true</c> when <see cref="Anchor"/> is present and its <c>Anchored</c> flag is set.
    /// Not written to JSON.
    /// </summary>
    /// <remarks>
    /// This getter only reads the flag carried by the anchor metadata; it does not verify
    /// a DSSE signature or a Rekor entry itself.
    /// NOTE(review): confirm that the flag is set only after verification, not copied from input.
    /// </remarks>
    [JsonIgnore]
    public bool IsAnchored => Anchor is { Anchored: true };
}
/// <summary>
/// Possible outcomes of a reachability analysis.
/// </summary>
/// <remarks>
/// The numeric values are written out so that reordering members cannot change them.
/// <c>default(ReachabilityStatus)</c> is <see cref="Reachable"/>, so an unset value
/// reads as reachable rather than as unreachable.
/// NOTE(review): whether this enum is serialized by number or by name depends on
/// converter configuration that is not visible in this file.
/// </remarks>
public enum ReachabilityStatus
{
    /// <summary>The vulnerable code can be reached from entry points.</summary>
    Reachable = 0,

    /// <summary>The vulnerable code cannot be reached.</summary>
    Unreachable = 1,

    /// <summary>
    /// Reachability could not be determined (analysis incomplete or failed).
    /// This is not a negative result.
    /// </summary>
    Indeterminate = 2
}