fcb5ffe25d
- Fix namespace conflicts (Subgraph → PoESubgraph) - Add hash sanitization for Windows filesystem (colon → underscore) - Update all test mocks to use It.IsAny<>() - Add direct orchestrator unit tests - All 8 PoE tests now passing (100% success rate) - Complete SPRINT_3500_0001_0001 documentation Fixes compilation errors and Windows filesystem compatibility issues. Tests: 8/8 passing Files: 8 modified, 1 new test, 1 completion report 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
1.1 KiB
1.1 KiB
Reachability and VEX
Reachability evidence
- Static call graphs are produced by Scanner analyzers.
- Runtime traces are collected by Zastava when enabled.
- Union bundles combine static and runtime evidence for scoring and replay.
Hybrid reachability attestations
- Graph-level DSSE is required for every reachability graph.
- Optional edge-bundle DSSE captures contested or runtime edges.
- Rekor publishing can be tiered; offline kits cache proofs when available.
Reachability scoring (Signals)
- Bucket model: entrypoint, direct, runtime, unknown, unreachable.
- Default weights: entrypoint 1.0, direct 0.85, runtime 0.45, unknown 0.5, unreachable 0.0.
- Unknowns pressure reduces the final score to avoid false safety.
VEX consensus
- Excititor ingests and normalizes VEX statements (OpenVEX, CSAF VEX).
- Policy Engine merges evidence using lattice logic with explicit Unknown handling.
- Decisions include evidence refs and can be exported as downstream VEX.
Unknowns registry
- Unknowns are first-class objects with scoring, SLA bands, and evidence links.
- Unknowns are stored with deterministic ordering and exported for offline review.