semi implemented and features implemented save checkpoint

docs/features/unchecked/policy/cvss-v4-0-environmental-metrics-completion.md

@@ -0,0 +1,44 @@
+# CVSS v4.0 Environmental Metrics Completion
+
+## Module
+Policy
+
+## Status
+IMPLEMENTED
+
+## Description
+Completes CVSS v4.0 scoring with all Modified Attack/Impact environmental metrics (MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA). Extends the existing MacroVector scoring engine with environment-specific risk adjustments. Includes receipt-based deterministic scoring and REST endpoints.
+
+## Implementation Details
+- **CvssV4Engine**: `src/Policy/StellaOps.Policy.Scoring/Engine/CvssV4Engine.cs` -- `CvssV4Engine` (sealed partial class implements `ICvssV4Engine`)
+  - Sprint: SPRINT_1227_0013_0002_LB_cvss_v4_environmental
+  - `ComputeScores(baseMetrics, threatMetrics?, environmentalMetrics?)` computes all score variants:
+    - CVSS-B (base score only)
+    - CVSS-BT (base + threat, when ExploitMaturity != NotDefined)
+    - CVSS-BE (base + environmental, when modified metrics present)
+    - CVSS-BTE (full: base + threat + environmental)
+  - `DetermineEffectiveScore` selects the most specific score type available
+  - MacroVector-based scoring per FIRST CVSS v4.0 specification
+- **CvssEnvironmentalMetrics**: Modified metrics covering all attack/impact dimensions:
+  - Modified Attack metrics: MAV (Attack Vector), MAC (Attack Complexity), MAT (Attack Requirements), MPR (Privileges Required), MUI (User Interaction)
+  - Modified Impact metrics: MVC (Confidentiality), MVI (Integrity), MVA (Availability), MSC (Subsequent Confidentiality), MSI (Subsequent Integrity), MSA (Subsequent Availability)
+  - All values default to NotDefined (inherit base metric values)
+- **MacroVectorLookup**: `src/Policy/StellaOps.Policy.Scoring/Engine/MacroVectorLookup.cs` -- lookup table for macro vector scoring
+- **CvssScores Model**: BaseScore, ThreatScore, EnvironmentalScore, FullScore, EffectiveScore, EffectiveScoreType
+- **CvssScoreReceipt**: `src/Policy/StellaOps.Policy.Scoring/CvssScoreReceipt.cs` -- deterministic receipt with input hashes and policy references
+- **Receipts**: `src/Policy/StellaOps.Policy.Scoring/Receipts/` -- receipt persistence and generation
+- **CVSS Receipt Endpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/CvssReceiptEndpoints.cs` -- REST API for scoring with receipts
+- **CvssMetrics**: `src/Policy/StellaOps.Policy.Scoring/CvssMetrics.cs` -- metric definitions with CVSS v4.0 enums
+- **CvssPolicy**: `src/Policy/StellaOps.Policy.Scoring/CvssPolicy.cs` -- policy-driven scoring thresholds
+
+## E2E Test Plan
+- [ ] Score a CVSS v4.0 vector with base metrics only; verify CVSS-B score matches FIRST specification
+- [ ] Score with environmental metrics (MAV=Network modified to MAV=Local); verify CVSS-BE score is lower than CVSS-B
+- [ ] Score with both threat (ExploitMaturity=Attacked) and environmental metrics; verify CVSS-BTE full score computed
+- [ ] Score with threat metrics only (no environmental); verify CVSS-BT computed and CVSS-BE is null
+- [ ] POST to CVSS receipt endpoint; verify receipt contains input hash, scoring policy reference, and deterministic score
+- [ ] Score same vector twice; verify identical scores and matching receipt hashes
+- [ ] Score with all Modified metrics set to NotDefined; verify environmental score equals base score
+- [ ] Score with MSI=Safety; verify maximum environmental impact applied
+- [ ] Verify effective score type selection: CVSS-BTE preferred when all metrics present
+- [ ] Verify CvssEngineFactory returns CvssV4Engine for v4.0 vectors