git.stella-ops.org/docs/features/checked/binaryindex/patch-coverage-tracking.md
2026-02-12 10:27:23 +02:00


# Patch Coverage Tracking
## Module
BinaryIndex
## Status
VERIFIED
## Description
Dedicated patch coverage API endpoint for tracking which CVE patches are covered in binary analysis.
## Implementation Details
- **Modules**: `src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/`
- **Key Classes**:
  - `PatchCoverageController` (`src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/PatchCoverageController.cs`) - REST API controller for patch coverage queries using `IDeltaSignatureRepository`
  - `DeltaSignatureMatcher` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/DeltaSignatureMatcher.cs`) - matches delta signatures to assess patch coverage
  - `DeltaSigService` / `DeltaSigServiceV2` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/`) - service layer for delta-sig operations
- **Interfaces**: `IDeltaSignatureRepository` - repository for persisted delta signatures used by patch coverage queries
## E2E Test Plan
- [x] Query patch coverage API for a known CVE and verify coverage status (covered/not covered)
- [x] Verify patch coverage percentage calculation: submit binaries with partial patch coverage
- [x] Verify that delta signatures for the CVE fix are used to determine coverage
- [x] Verify API returns correct coverage for batch queries across multiple CVEs
- [x] Verify coverage tracking updates when new delta signatures are added
## Verification
- Tier 0/1/2 artifacts: `docs/qa/feature-checks/runs/binaryindex/patch-coverage-tracking/run-001/`.
- Result: verified.
- Evidence summary:
  - `tier1-test-webservice-patchcoverage.log`: Passed 7/7.
  - `tier1-test-deltasig-matcher.log`: Passed 8/8.
  - `tier2-test-webservice-patchcoverage.log`: Passed 7/7.
  - `tier2-test-deltasig-matcher.log`: Passed 8/8.
- Note: webservice and webservice-tests builds were run with scoped output paths in this run to avoid concurrent binary-lock collisions on shared `bin/Release` outputs.