up

src/Cli/StellaOps.Cli/Services/BackendOperationsClient.cs

@@ -4357,6 +4357,61 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
             ?? new ReachabilityExplainResult();
     }
 
+    // UI-CLI-401-007: Graph explain with DSSE pointers, runtime hits, predicates, counterfactuals
+    public async Task<GraphExplainResult> ExplainGraphAsync(GraphExplainRequest request, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        EnsureBackendConfigured();
+        OfflineModeGuard.ThrowIfOffline("graph explain");
+
+        var queryParams = new List<string>();
+
+        if (!string.IsNullOrWhiteSpace(request.VulnerabilityId))
+            queryParams.Add($"vulnerabilityId={Uri.EscapeDataString(request.VulnerabilityId)}");
+
+        if (!string.IsNullOrWhiteSpace(request.PackagePurl))
+            queryParams.Add($"packagePurl={Uri.EscapeDataString(request.PackagePurl)}");
+
+        if (request.IncludeCallPaths)
+            queryParams.Add("includeCallPaths=true");
+
+        if (request.IncludeRuntimeHits)
+            queryParams.Add("includeRuntimeHits=true");
+
+        if (request.IncludePredicates)
+            queryParams.Add("includePredicates=true");
+
+        if (request.IncludeDsseEnvelopes)
+            queryParams.Add("includeDsseEnvelopes=true");
+
+        if (request.IncludeCounterfactuals)
+            queryParams.Add("includeCounterfactuals=true");
+
+        var query = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+        var relative = $"api/graphs/{Uri.EscapeDataString(request.GraphId)}/explain{query}";
+
+        using var httpRequest = CreateRequest(HttpMethod.Get, relative);
+
+        if (!string.IsNullOrWhiteSpace(request.Tenant))
+        {
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.Tenant.Trim());
+        }
+
+        await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+        if (!response.IsSuccessStatusCode)
+        {
+            var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+            throw new HttpRequestException($"Explain graph failed: {message}", null, response.StatusCode);
+        }
+
+        return await response.Content.ReadFromJsonAsync<GraphExplainResult>(JsonOptions, cancellationToken).ConfigureAwait(false)
+            ?? new GraphExplainResult();
+    }
+
     // CLI-SDK-63-001: API spec operations
     public async Task<ApiSpecListResponse> ListApiSpecsAsync(string? tenant, CancellationToken cancellationToken)
     {
@@ -4660,4 +4715,121 @@ internal sealed class BackendOperationsClient : IBackendOperationsClient
         var result = await response.Content.ReadFromJsonAsync<SdkListResponse>(JsonOptions, cancellationToken).ConfigureAwait(false);
         return result ?? new SdkListResponse { Success = false, Error = "Empty response" };
     }
+
+    /// <summary>
+    /// Exports VEX decisions as OpenVEX documents with optional DSSE signing.
+    /// </summary>
+    public async Task<DecisionExportResponse> ExportDecisionsAsync(
+        DecisionExportRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        try
+        {
+            var queryParams = new List<string>();
+
+            if (!string.IsNullOrEmpty(request.ScanId))
+            {
+                queryParams.Add($"scanId={Uri.EscapeDataString(request.ScanId)}");
+            }
+
+            if (request.VulnIds is { Count: > 0 })
+            {
+                foreach (var vulnId in request.VulnIds)
+                {
+                    queryParams.Add($"vulnId={Uri.EscapeDataString(vulnId)}");
+                }
+            }
+
+            if (request.Purls is { Count: > 0 })
+            {
+                foreach (var purl in request.Purls)
+                {
+                    queryParams.Add($"purl={Uri.EscapeDataString(purl)}");
+                }
+            }
+
+            if (request.Statuses is { Count: > 0 })
+            {
+                foreach (var status in request.Statuses)
+                {
+                    queryParams.Add($"status={Uri.EscapeDataString(status)}");
+                }
+            }
+
+            queryParams.Add($"format={Uri.EscapeDataString(request.Format)}");
+            queryParams.Add($"sign={request.Sign.ToString().ToLowerInvariant()}");
+            queryParams.Add($"rekor={request.SubmitToRekor.ToString().ToLowerInvariant()}");
+            queryParams.Add($"includeEvidence={request.IncludeEvidence.ToString().ToLowerInvariant()}");
+
+            var queryString = queryParams.Count > 0 ? "?" + string.Join("&", queryParams) : "";
+            var url = $"{_options.BackendUrl}/api/v1/decisions/export{queryString}";
+
+            using var httpRequest = new HttpRequestMessage(HttpMethod.Get, url);
+            httpRequest.Headers.TryAddWithoutValidation("X-Tenant-Id", request.TenantId);
+            await AuthorizeRequestAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                var (message, _) = await CreateFailureDetailsAsync(response, cancellationToken).ConfigureAwait(false);
+                return new DecisionExportResponse
+                {
+                    Success = false,
+                    Error = message
+                };
+            }
+
+            var content = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+
+            // Extract metadata from response headers
+            response.Headers.TryGetValues("X-VEX-Digest", out var digestValues);
+            response.Headers.TryGetValues("X-VEX-Rekor-Index", out var rekorIndexValues);
+            response.Headers.TryGetValues("X-VEX-Rekor-UUID", out var rekorUuidValues);
+            response.Headers.TryGetValues("X-VEX-Statement-Count", out var countValues);
+            response.Headers.TryGetValues("X-VEX-Signed", out var signedValues);
+
+            var digest = digestValues?.FirstOrDefault();
+            var rekorUuid = rekorUuidValues?.FirstOrDefault();
+            long? rekorIndex = null;
+            int statementCount = 0;
+            bool signed = false;
+
+            if (rekorIndexValues?.FirstOrDefault() is { } indexStr && long.TryParse(indexStr, out var idx))
+            {
+                rekorIndex = idx;
+            }
+
+            if (countValues?.FirstOrDefault() is { } countStr && int.TryParse(countStr, out var cnt))
+            {
+                statementCount = cnt;
+            }
+
+            if (signedValues?.FirstOrDefault() is { } signedStr)
+            {
+                signed = signedStr.Equals("true", StringComparison.OrdinalIgnoreCase);
+            }
+
+            return new DecisionExportResponse
+            {
+                Success = true,
+                Content = content,
+                Digest = digest,
+                RekorLogIndex = rekorIndex,
+                RekorUuid = rekorUuid,
+                StatementCount = statementCount,
+                Signed = signed
+            };
+        }
+        catch (HttpRequestException ex)
+        {
+            return new DecisionExportResponse
+            {
+                Success = false,
+                Error = ex.Message
+            };
+        }
+    }
 }

src/Cli/StellaOps.Cli/Services/IBackendOperationsClient.cs

@@ -123,6 +123,9 @@ internal interface IBackendOperationsClient
     Task<ReachabilityListResponse> ListReachabilityAnalysesAsync(ReachabilityListRequest request, CancellationToken cancellationToken);
     Task<ReachabilityExplainResult> ExplainReachabilityAsync(ReachabilityExplainRequest request, CancellationToken cancellationToken);
 
+    // UI-CLI-401-007: Graph explain with DSSE pointers, runtime hits, predicates, counterfactuals
+    Task<GraphExplainResult> ExplainGraphAsync(GraphExplainRequest request, CancellationToken cancellationToken);
+
     // CLI-SDK-63-001: API spec download
     Task<ApiSpecListResponse> ListApiSpecsAsync(string? tenant, CancellationToken cancellationToken);
     Task<ApiSpecDownloadResult> DownloadApiSpecAsync(ApiSpecDownloadRequest request, CancellationToken cancellationToken);

src/Cli/StellaOps.Cli/Services/Models/DecisionModels.cs

@@ -0,0 +1,100 @@
+using System.Collections.Generic;
+
+namespace StellaOps.Cli.Services.Models;
+
+/// <summary>
+/// Request to export VEX decisions.
+/// </summary>
+public sealed class DecisionExportRequest
+{
+    /// <summary>
+    /// Tenant identifier.
+    /// </summary>
+    public required string TenantId { get; init; }
+
+    /// <summary>
+    /// Optional scan identifier to filter decisions.
+    /// </summary>
+    public string? ScanId { get; init; }
+
+    /// <summary>
+    /// Optional vulnerability identifiers to filter.
+    /// </summary>
+    public List<string>? VulnIds { get; init; }
+
+    /// <summary>
+    /// Optional Package URLs to filter.
+    /// </summary>
+    public List<string>? Purls { get; init; }
+
+    /// <summary>
+    /// Optional statuses to filter.
+    /// </summary>
+    public List<string>? Statuses { get; init; }
+
+    /// <summary>
+    /// Output format (openvex, dsse, ndjson).
+    /// </summary>
+    public string Format { get; init; } = "openvex";
+
+    /// <summary>
+    /// Whether to sign the output with DSSE.
+    /// </summary>
+    public bool Sign { get; init; }
+
+    /// <summary>
+    /// Whether to submit DSSE envelope to Rekor.
+    /// </summary>
+    public bool SubmitToRekor { get; init; }
+
+    /// <summary>
+    /// Whether to include reachability evidence blocks.
+    /// </summary>
+    public bool IncludeEvidence { get; init; } = true;
+}
+
+/// <summary>
+/// Response from VEX decision export.
+/// </summary>
+public sealed class DecisionExportResponse
+{
+    /// <summary>
+    /// Whether the export was successful.
+    /// </summary>
+    public bool Success { get; init; }
+
+    /// <summary>
+    /// Error message if export failed.
+    /// </summary>
+    public string? Error { get; init; }
+
+    /// <summary>
+    /// The exported document content.
+    /// </summary>
+    public string? Content { get; init; }
+
+    /// <summary>
+    /// Whether the output was signed.
+    /// </summary>
+    public bool Signed { get; init; }
+
+    /// <summary>
+    /// SHA-256 digest of the payload.
+    /// </summary>
+    public string? Digest { get; init; }
+
+    /// <summary>
+    /// Rekor log index if submitted to transparency log.
+    /// </summary>
+    public long? RekorLogIndex { get; init; }
+
+    /// <summary>
+    /// Rekor entry UUID if submitted to transparency log.
+    /// </summary>
+    public string? RekorUuid { get; init; }
+
+    /// <summary>
+    /// Number of VEX statements in the export.
+    /// </summary>
+    public int StatementCount { get; init; }
+}

src/Cli/StellaOps.Cli/Services/Models/ReachabilityModels.cs

@@ -250,3 +250,272 @@ internal sealed record ReachabilityOverride
     [JsonPropertyName("score")]
     public double? Score { get; init; }
 }
+
+// UI-CLI-401-007: Graph explain models with DSSE pointers, runtime hits, predicates, counterfactual controls
+
+/// <summary>
+/// Request to explain a call graph with signed evidence.
+/// </summary>
+internal sealed class GraphExplainRequest
+{
+    [JsonPropertyName("graphId")]
+    public string GraphId { get; init; } = string.Empty;
+
+    [JsonPropertyName("vulnerabilityId")]
+    public string? VulnerabilityId { get; init; }
+
+    [JsonPropertyName("packagePurl")]
+    public string? PackagePurl { get; init; }
+
+    [JsonPropertyName("includeCallPaths")]
+    public bool IncludeCallPaths { get; init; }
+
+    [JsonPropertyName("includeRuntimeHits")]
+    public bool IncludeRuntimeHits { get; init; }
+
+    [JsonPropertyName("includePredicates")]
+    public bool IncludePredicates { get; init; }
+
+    [JsonPropertyName("includeDsseEnvelopes")]
+    public bool IncludeDsseEnvelopes { get; init; }
+
+    [JsonPropertyName("includeCounterfactuals")]
+    public bool IncludeCounterfactuals { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public string? Tenant { get; init; }
+}
+
+/// <summary>
+/// Result of graph explanation with signed evidence.
+/// </summary>
+internal sealed class GraphExplainResult
+{
+    [JsonPropertyName("graphId")]
+    public string GraphId { get; init; } = string.Empty;
+
+    [JsonPropertyName("graphHash")]
+    public string GraphHash { get; init; } = string.Empty;
+
+    [JsonPropertyName("vulnerabilityId")]
+    public string? VulnerabilityId { get; init; }
+
+    [JsonPropertyName("packagePurl")]
+    public string? PackagePurl { get; init; }
+
+    [JsonPropertyName("reachabilityState")]
+    public string ReachabilityState { get; init; } = string.Empty;
+
+    [JsonPropertyName("reachabilityScore")]
+    public double? ReachabilityScore { get; init; }
+
+    [JsonPropertyName("confidence")]
+    public string Confidence { get; init; } = string.Empty;
+
+    [JsonPropertyName("reasoning")]
+    public string? Reasoning { get; init; }
+
+    [JsonPropertyName("signedCallPaths")]
+    public IReadOnlyList<SignedCallPath> SignedCallPaths { get; init; } = Array.Empty<SignedCallPath>();
+
+    [JsonPropertyName("runtimeHits")]
+    public IReadOnlyList<RuntimeHit> RuntimeHits { get; init; } = Array.Empty<RuntimeHit>();
+
+    [JsonPropertyName("predicates")]
+    public IReadOnlyList<ReachabilityPredicate> Predicates { get; init; } = Array.Empty<ReachabilityPredicate>();
+
+    [JsonPropertyName("dssePointers")]
+    public IReadOnlyList<DssePointer> DssePointers { get; init; } = Array.Empty<DssePointer>();
+
+    [JsonPropertyName("counterfactuals")]
+    public IReadOnlyList<CounterfactualControl> Counterfactuals { get; init; } = Array.Empty<CounterfactualControl>();
+
+    [JsonPropertyName("vexDecision")]
+    public GraphVexDecision? VexDecision { get; init; }
+}
+
+/// <summary>
+/// Call path with cryptographic signature.
+/// </summary>
+internal sealed class SignedCallPath
+{
+    [JsonPropertyName("pathId")]
+    public string PathId { get; init; } = string.Empty;
+
+    [JsonPropertyName("pathHash")]
+    public string PathHash { get; init; } = string.Empty;
+
+    [JsonPropertyName("depth")]
+    public int Depth { get; init; }
+
+    [JsonPropertyName("entryPoint")]
+    public ReachabilityFunction EntryPoint { get; init; } = new();
+
+    [JsonPropertyName("frames")]
+    public IReadOnlyList<ReachabilityFunction> Frames { get; init; } = Array.Empty<ReachabilityFunction>();
+
+    [JsonPropertyName("vulnerableFunction")]
+    public ReachabilityFunction VulnerableFunction { get; init; } = new();
+
+    [JsonPropertyName("dsseEnvelopeId")]
+    public string? DsseEnvelopeId { get; init; }
+
+    [JsonPropertyName("rekorEntryId")]
+    public string? RekorEntryId { get; init; }
+
+    [JsonPropertyName("signedAt")]
+    public DateTimeOffset? SignedAt { get; init; }
+}
+
+/// <summary>
+/// Runtime execution hit from instrumentation probes.
+/// </summary>
+internal sealed class RuntimeHit
+{
+    [JsonPropertyName("hitId")]
+    public string HitId { get; init; } = string.Empty;
+
+    [JsonPropertyName("functionName")]
+    public string FunctionName { get; init; } = string.Empty;
+
+    [JsonPropertyName("className")]
+    public string? ClassName { get; init; }
+
+    [JsonPropertyName("packageName")]
+    public string? PackageName { get; init; }
+
+    [JsonPropertyName("hitCount")]
+    public long HitCount { get; init; }
+
+    [JsonPropertyName("firstObserved")]
+    public DateTimeOffset FirstObserved { get; init; }
+
+    [JsonPropertyName("lastObserved")]
+    public DateTimeOffset LastObserved { get; init; }
+
+    [JsonPropertyName("probeSource")]
+    public string ProbeSource { get; init; } = string.Empty;
+
+    [JsonPropertyName("traceId")]
+    public string? TraceId { get; init; }
+
+    [JsonPropertyName("observationWindow")]
+    public string? ObservationWindow { get; init; }
+}
+
+/// <summary>
+/// Semantic predicate attached to reachability evidence.
+/// </summary>
+internal sealed class ReachabilityPredicate
+{
+    [JsonPropertyName("predicateType")]
+    public string PredicateType { get; init; } = string.Empty;
+
+    [JsonPropertyName("predicateUri")]
+    public string PredicateUri { get; init; } = string.Empty;
+
+    [JsonPropertyName("subject")]
+    public string Subject { get; init; } = string.Empty;
+
+    [JsonPropertyName("content")]
+    public string? Content { get; init; }
+
+    [JsonPropertyName("signedBy")]
+    public string? SignedBy { get; init; }
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; }
+}
+
+/// <summary>
+/// DSSE envelope pointer for signed evidence.
+/// </summary>
+internal sealed class DssePointer
+{
+    [JsonPropertyName("envelopeId")]
+    public string EnvelopeId { get; init; } = string.Empty;
+
+    [JsonPropertyName("payloadType")]
+    public string PayloadType { get; init; } = string.Empty;
+
+    [JsonPropertyName("payloadHash")]
+    public string PayloadHash { get; init; } = string.Empty;
+
+    [JsonPropertyName("keyId")]
+    public string KeyId { get; init; } = string.Empty;
+
+    [JsonPropertyName("algorithm")]
+    public string Algorithm { get; init; } = string.Empty;
+
+    [JsonPropertyName("rekorLogIndex")]
+    public long? RekorLogIndex { get; init; }
+
+    [JsonPropertyName("rekorLogId")]
+    public string? RekorLogId { get; init; }
+
+    [JsonPropertyName("rekorIntegratedTime")]
+    public DateTimeOffset? RekorIntegratedTime { get; init; }
+
+    [JsonPropertyName("verificationUrl")]
+    public string? VerificationUrl { get; init; }
+}
+
+/// <summary>
+/// Counterfactual control showing what-if scenarios.
+/// </summary>
+internal sealed class CounterfactualControl
+{
+    [JsonPropertyName("controlId")]
+    public string ControlId { get; init; } = string.Empty;
+
+    [JsonPropertyName("controlType")]
+    public string ControlType { get; init; } = string.Empty;
+
+    [JsonPropertyName("description")]
+    public string Description { get; init; } = string.Empty;
+
+    [JsonPropertyName("currentState")]
+    public string CurrentState { get; init; } = string.Empty;
+
+    [JsonPropertyName("alternativeState")]
+    public string AlternativeState { get; init; } = string.Empty;
+
+    [JsonPropertyName("impact")]
+    public string Impact { get; init; } = string.Empty;
+
+    [JsonPropertyName("recommendation")]
+    public string? Recommendation { get; init; }
+
+    [JsonPropertyName("affectedPaths")]
+    public IReadOnlyList<string> AffectedPaths { get; init; } = Array.Empty<string>();
+
+    [JsonPropertyName("riskReduction")]
+    public double? RiskReduction { get; init; }
+}
+
+/// <summary>
+/// VEX decision linked to graph evidence.
+/// </summary>
+internal sealed class GraphVexDecision
+{
+    [JsonPropertyName("vexDocumentId")]
+    public string VexDocumentId { get; init; } = string.Empty;
+
+    [JsonPropertyName("status")]
+    public string Status { get; init; } = string.Empty;
+
+    [JsonPropertyName("justification")]
+    public string? Justification { get; init; }
+
+    [JsonPropertyName("actionStatement")]
+    public string? ActionStatement { get; init; }
+
+    [JsonPropertyName("dsseEnvelopeId")]
+    public string? DsseEnvelopeId { get; init; }
+
+    [JsonPropertyName("rekorEntryId")]
+    public string? RekorEntryId { get; init; }
+
+    [JsonPropertyName("issuedAt")]
+    public DateTimeOffset IssuedAt { get; init; }
+}

src/Cli/StellaOps.Cli/Services/Models/SymbolBundleModels.cs

@@ -0,0 +1,130 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+// SYMS-BUNDLE-401-014: Symbol bundle CLI models
+
+/// <summary>
+/// Request to build a symbol bundle.
+/// </summary>
+internal sealed record SymbolBundleBuildRequest(
+    [property: JsonPropertyName("name")] string Name,
+    [property: JsonPropertyName("version")] string Version,
+    [property: JsonPropertyName("sourceDir")] string SourceDir,
+    [property: JsonPropertyName("outputDir")] string OutputDir,
+    [property: JsonPropertyName("platform")] string? Platform = null,
+    [property: JsonPropertyName("tenantId")] string? TenantId = null,
+    [property: JsonPropertyName("sign")] bool Sign = false,
+    [property: JsonPropertyName("signingKeyPath")] string? SigningKeyPath = null,
+    [property: JsonPropertyName("keyId")] string? KeyId = null,
+    [property: JsonPropertyName("signingAlgorithm")] string SigningAlgorithm = "ecdsa-p256",
+    [property: JsonPropertyName("submitRekor")] bool SubmitRekor = false,
+    [property: JsonPropertyName("rekorUrl")] string RekorUrl = "https://rekor.sigstore.dev",
+    [property: JsonPropertyName("format")] string Format = "zip",
+    [property: JsonPropertyName("compressionLevel")] int CompressionLevel = 6);
+
+/// <summary>
+/// Result of symbol bundle build operation.
+/// </summary>
+internal sealed record SymbolBundleBuildResult(
+    [property: JsonPropertyName("success")] bool Success,
+    [property: JsonPropertyName("bundlePath")] string? BundlePath = null,
+    [property: JsonPropertyName("manifestPath")] string? ManifestPath = null,
+    [property: JsonPropertyName("bundleId")] string? BundleId = null,
+    [property: JsonPropertyName("entryCount")] int EntryCount = 0,
+    [property: JsonPropertyName("totalSizeBytes")] long TotalSizeBytes = 0,
+    [property: JsonPropertyName("signed")] bool Signed = false,
+    [property: JsonPropertyName("rekorLogIndex")] long? RekorLogIndex = null,
+    [property: JsonPropertyName("error")] string? Error = null,
+    [property: JsonPropertyName("warnings")] IReadOnlyList<string>? Warnings = null,
+    [property: JsonPropertyName("durationMs")] long DurationMs = 0);
+
+/// <summary>
+/// Request to verify a symbol bundle.
+/// </summary>
+internal sealed record SymbolBundleVerifyRequest(
+    [property: JsonPropertyName("bundlePath")] string BundlePath,
+    [property: JsonPropertyName("publicKeyPath")] string? PublicKeyPath = null,
+    [property: JsonPropertyName("verifyRekorOffline")] bool VerifyRekorOffline = true,
+    [property: JsonPropertyName("rekorPublicKeyPath")] string? RekorPublicKeyPath = null,
+    [property: JsonPropertyName("verifyBlobHashes")] bool VerifyBlobHashes = true);
+
+/// <summary>
+/// Result of symbol bundle verification.
+/// </summary>
+internal sealed record SymbolBundleVerifyResult(
+    [property: JsonPropertyName("valid")] bool Valid,
+    [property: JsonPropertyName("bundleId")] string? BundleId = null,
+    [property: JsonPropertyName("name")] string? Name = null,
+    [property: JsonPropertyName("version")] string? Version = null,
+    [property: JsonPropertyName("signatureStatus")] string SignatureStatus = "unsigned",
+    [property: JsonPropertyName("rekorStatus")] string? RekorStatus = null,
+    [property: JsonPropertyName("hashStatus")] SymbolBundleHashStatus? HashStatus = null,
+    [property: JsonPropertyName("errors")] IReadOnlyList<string>? Errors = null,
+    [property: JsonPropertyName("warnings")] IReadOnlyList<string>? Warnings = null);
+
+/// <summary>
+/// Hash verification status for a bundle.
+/// </summary>
+internal sealed record SymbolBundleHashStatus(
+    [property: JsonPropertyName("bundleHashValid")] bool BundleHashValid,
+    [property: JsonPropertyName("validEntries")] int ValidEntries,
+    [property: JsonPropertyName("invalidEntries")] int InvalidEntries,
+    [property: JsonPropertyName("totalEntries")] int TotalEntries,
+    [property: JsonPropertyName("invalidEntryIds")] IReadOnlyList<string>? InvalidEntryIds = null);
+
+/// <summary>
+/// Request to extract a symbol bundle.
+/// </summary>
+internal sealed record SymbolBundleExtractRequest(
+    [property: JsonPropertyName("bundlePath")] string BundlePath,
+    [property: JsonPropertyName("outputDir")] string OutputDir,
+    [property: JsonPropertyName("verifyFirst")] bool VerifyFirst = true,
+    [property: JsonPropertyName("platform")] string? Platform = null,
+    [property: JsonPropertyName("overwrite")] bool Overwrite = false,
+    [property: JsonPropertyName("manifestsOnly")] bool ManifestsOnly = false);
+
+/// <summary>
+/// Result of symbol bundle extraction.
+/// </summary>
+internal sealed record SymbolBundleExtractResult(
+    [property: JsonPropertyName("success")] bool Success,
+    [property: JsonPropertyName("extractedCount")] int ExtractedCount = 0,
+    [property: JsonPropertyName("skippedCount")] int SkippedCount = 0,
+    [property: JsonPropertyName("totalBytesExtracted")] long TotalBytesExtracted = 0,
+    [property: JsonPropertyName("verificationPassed")] bool? VerificationPassed = null,
+    [property: JsonPropertyName("error")] string? Error = null,
+    [property: JsonPropertyName("durationMs")] long DurationMs = 0);
+
+/// <summary>
+/// Symbol bundle manifest info for inspection.
+/// </summary>
+internal sealed record SymbolBundleInfo(
+    [property: JsonPropertyName("bundleId")] string BundleId,
+    [property: JsonPropertyName("name")] string Name,
+    [property: JsonPropertyName("version")] string Version,
+    [property: JsonPropertyName("createdAt")] DateTimeOffset CreatedAt,
+    [property: JsonPropertyName("platform")] string? Platform = null,
+    [property: JsonPropertyName("tenantId")] string? TenantId = null,
+    [property: JsonPropertyName("entryCount")] int EntryCount = 0,
+    [property: JsonPropertyName("totalSizeBytes")] long TotalSizeBytes = 0,
+    [property: JsonPropertyName("hashAlgorithm")] string HashAlgorithm = "blake3",
+    [property: JsonPropertyName("signed")] bool Signed = false,
+    [property: JsonPropertyName("signatureAlgorithm")] string? SignatureAlgorithm = null,
+    [property: JsonPropertyName("signatureKeyId")] string? SignatureKeyId = null,
+    [property: JsonPropertyName("rekorLogIndex")] long? RekorLogIndex = null,
+    [property: JsonPropertyName("entries")] IReadOnlyList<SymbolBundleEntryInfo>? Entries = null);
+
+/// <summary>
+/// Individual entry in a symbol bundle.
+/// </summary>
+internal sealed record SymbolBundleEntryInfo(
+    [property: JsonPropertyName("debugId")] string DebugId,
+    [property: JsonPropertyName("binaryName")] string BinaryName,
+    [property: JsonPropertyName("platform")] string? Platform = null,
+    [property: JsonPropertyName("format")] string? Format = null,
+    [property: JsonPropertyName("blobHash")] string? BlobHash = null,
+    [property: JsonPropertyName("blobSizeBytes")] long BlobSizeBytes = 0,
+    [property: JsonPropertyName("symbolCount")] int SymbolCount = 0);

src/Cli/StellaOps.Cli/Services/Models/VexExplainModels.cs

@@ -0,0 +1,264 @@
+// UI-VEX-401-032: VEX Decision Explanation Models
+// Provides comprehensive decision explanation with reachability evidence and attestation details
+
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Cli.Services.Models;
+
+/// <summary>
+/// Complete VEX decision explanation with all supporting evidence.
+/// </summary>
+internal sealed class VexDecisionExplanation
+{
+    [JsonPropertyName("vulnerabilityId")]
+    public required string VulnerabilityId { get; init; }
+
+    [JsonPropertyName("productKey")]
+    public required string ProductKey { get; init; }
+
+    [JsonPropertyName("tenant")]
+    public required string Tenant { get; init; }
+
+    [JsonPropertyName("timestamp")]
+    public DateTimeOffset Timestamp { get; init; }
+
+    [JsonPropertyName("decision")]
+    public required VexDecisionSummary Decision { get; init; }
+
+    [JsonPropertyName("callPathEvidence")]
+    public CallPathEvidence? CallPathEvidence { get; set; }
+
+    [JsonPropertyName("runtimeHitEvidence")]
+    public RuntimeHitEvidence? RuntimeHitEvidence { get; set; }
+
+    [JsonPropertyName("graphMetadata")]
+    public ReachabilityGraphMetadata? GraphMetadata { get; set; }
+
+    [JsonPropertyName("dsseAttestation")]
+    public DsseAttestationInfo? DsseAttestation { get; set; }
+
+    [JsonPropertyName("rekorEntry")]
+    public RekorEntryInfo? RekorEntry { get; set; }
+}
+
+/// <summary>
+/// VEX decision summary with status and justification.
+/// </summary>
+internal sealed class VexDecisionSummary
+{
+    [JsonPropertyName("status")]
+    public required string Status { get; init; }
+
+    [JsonPropertyName("justification")]
+    public required string Justification { get; init; }
+
+    [JsonPropertyName("impactStatement")]
+    public required string ImpactStatement { get; init; }
+
+    [JsonPropertyName("decisionSource")]
+    public required string DecisionSource { get; init; }
+}
+
+/// <summary>
+/// Call path analysis evidence showing reachability status.
+/// </summary>
+internal sealed class CallPathEvidence
+{
+    [JsonPropertyName("analysisMethod")]
+    public required string AnalysisMethod { get; init; }
+
+    [JsonPropertyName("entryPointsAnalyzed")]
+    public int EntryPointsAnalyzed { get; init; }
+
+    [JsonPropertyName("vulnerableFunctionsIdentified")]
+    public int VulnerableFunctionsIdentified { get; init; }
+
+    [JsonPropertyName("pathsToVulnerableCode")]
+    public int PathsToVulnerableCode { get; init; }
+
+    [JsonPropertyName("vulnerableFunction")]
+    public FunctionReference? VulnerableFunction { get; init; }
+
+    [JsonPropertyName("nearestReachableDistance")]
+    public int? NearestReachableDistance { get; init; }
+
+    [JsonPropertyName("analysisComplete")]
+    public bool AnalysisComplete { get; init; }
+}
+
+/// <summary>
+/// Reference to a specific function in code.
+/// </summary>
+internal sealed class FunctionReference
+{
+    [JsonPropertyName("name")]
+    public required string Name { get; init; }
+
+    [JsonPropertyName("module")]
+    public required string Module { get; init; }
+
+    [JsonPropertyName("file")]
+    public required string File { get; init; }
+
+    [JsonPropertyName("line")]
+    public int Line { get; init; }
+}
+
+/// <summary>
+/// Runtime execution hit evidence from production telemetry.
+/// </summary>
+internal sealed class RuntimeHitEvidence
+{
+    [JsonPropertyName("collectionPeriod")]
+    public required DateRange CollectionPeriod { get; init; }
+
+    [JsonPropertyName("totalExecutions")]
+    public long TotalExecutions { get; init; }
+
+    [JsonPropertyName("vulnerableFunctionHits")]
+    public long VulnerableFunctionHits { get; init; }
+
+    [JsonPropertyName("coveragePercentage")]
+    public decimal CoveragePercentage { get; init; }
+
+    [JsonPropertyName("profilingMethod")]
+    public required string ProfilingMethod { get; init; }
+
+    [JsonPropertyName("confidenceLevel")]
+    public required string ConfidenceLevel { get; init; }
+}
+
+/// <summary>
+/// Date range for evidence collection period.
+/// </summary>
+internal sealed class DateRange
+{
+    [JsonPropertyName("start")]
+    public DateTimeOffset Start { get; init; }
+
+    [JsonPropertyName("end")]
+    public DateTimeOffset End { get; init; }
+}
+
+/// <summary>
+/// Metadata about the reachability graph used for analysis.
+/// </summary>
+internal sealed class ReachabilityGraphMetadata
+{
+    [JsonPropertyName("graphId")]
+    public required string GraphId { get; init; }
+
+    [JsonPropertyName("buildTimestamp")]
+    public DateTimeOffset BuildTimestamp { get; init; }
+
+    [JsonPropertyName("totalNodes")]
+    public int TotalNodes { get; init; }
+
+    [JsonPropertyName("totalEdges")]
+    public int TotalEdges { get; init; }
+
+    [JsonPropertyName("entryPoints")]
+    public int EntryPoints { get; init; }
+
+    [JsonPropertyName("vulnerableSinks")]
+    public int VulnerableSinks { get; init; }
+
+    [JsonPropertyName("algorithm")]
+    public required string Algorithm { get; init; }
+
+    [JsonPropertyName("analysisDurationMs")]
+    public long AnalysisDurationMs { get; init; }
+}
+
+/// <summary>
+/// DSSE (Dead Simple Signing Envelope) attestation information.
+/// </summary>
+internal sealed class DsseAttestationInfo
+{
+    [JsonPropertyName("payloadType")]
+    public required string PayloadType { get; init; }
+
+    [JsonPropertyName("digestAlgorithm")]
+    public required string DigestAlgorithm { get; init; }
+
+    [JsonPropertyName("payloadDigest")]
+    public required string PayloadDigest { get; init; }
+
+    [JsonPropertyName("signatures")]
+    public required List<VexDsseSignatureInfo> Signatures { get; init; }
+
+    [JsonPropertyName("verificationStatus")]
+    public string? VerificationStatus { get; set; }
+
+    [JsonPropertyName("verifiedAt")]
+    public DateTimeOffset? VerifiedAt { get; set; }
+}
+
+/// <summary>
+/// Information about a DSSE signature for VEX explanations.
+/// </summary>
+internal sealed class VexDsseSignatureInfo
+{
+    [JsonPropertyName("keyId")]
+    public required string KeyId { get; init; }
+
+    [JsonPropertyName("algorithm")]
+    public required string Algorithm { get; init; }
+
+    [JsonPropertyName("signedAt")]
+    public DateTimeOffset SignedAt { get; init; }
+
+    [JsonPropertyName("publicKeyFingerprint")]
+    public required string PublicKeyFingerprint { get; init; }
+}
+
+/// <summary>
+/// Rekor transparency log entry information.
+/// </summary>
+internal sealed class RekorEntryInfo
+{
+    [JsonPropertyName("rekorUrl")]
+    public required string RekorUrl { get; init; }
+
+    [JsonPropertyName("logIndex")]
+    public long LogIndex { get; init; }
+
+    [JsonPropertyName("entryUuid")]
+    public required string EntryUuid { get; init; }
+
+    [JsonPropertyName("integratedTime")]
+    public DateTimeOffset IntegratedTime { get; init; }
+
+    [JsonPropertyName("treeSize")]
+    public long TreeSize { get; init; }
+
+    [JsonPropertyName("rootHash")]
+    public required string RootHash { get; init; }
+
+    [JsonPropertyName("inclusionProof")]
+    public InclusionProofInfo? InclusionProof { get; set; }
+
+    [JsonPropertyName("inclusionVerified")]
+    public bool? InclusionVerified { get; set; }
+
+    [JsonPropertyName("verifiedAt")]
+    public DateTimeOffset? VerifiedAt { get; set; }
+}
+
+/// <summary>
+/// Merkle tree inclusion proof for Rekor verification.
+/// </summary>
+internal sealed class InclusionProofInfo
+{
+    [JsonPropertyName("logIndex")]
+    public long LogIndex { get; init; }
+
+    [JsonPropertyName("treeSize")]
+    public long TreeSize { get; init; }
+
+    [JsonPropertyName("rootHash")]
+    public required string RootHash { get; init; }
+
+    [JsonPropertyName("hashes")]
+    public required List<string> Hashes { get; init; }
+}

src/Cli/StellaOps.Cli/Services/Models/VexModels.cs

@@ -101,7 +101,9 @@ internal sealed record VexConsensusDetailResponse(
     [property: JsonPropertyName("quorum")] VexQuorumInfo? Quorum = null,
     [property: JsonPropertyName("rationale")] VexRationaleInfo? Rationale = null,
     [property: JsonPropertyName("signature")] VexSignatureInfo? Signature = null,
-    [property: JsonPropertyName("evidence")] IReadOnlyList<VexEvidenceInfo>? Evidence = null);
+    [property: JsonPropertyName("evidence")] IReadOnlyList<VexEvidenceInfo>? Evidence = null,
+    // GAP-VEX-006: Reachability evidence
+    [property: JsonPropertyName("reachabilityEvidence")] VexReachabilityEvidence? ReachabilityEvidence = null);
 
 /// <summary>
 /// VEX quorum information showing how consensus was reached.
@@ -256,3 +258,42 @@ internal sealed record VexExportVerifyResult(
     [property: JsonPropertyName("keyId")] string? KeyId = null,
     [property: JsonPropertyName("signedAt")] DateTimeOffset? SignedAt = null,
     [property: JsonPropertyName("errors")] IReadOnlyList<string>? Errors = null);
+
+// GAP-VEX-006: Reachability evidence models for VEX decisions
+
+/// <summary>
+/// Reachability evidence linked to VEX decision.
+/// </summary>
+internal sealed record VexReachabilityEvidence(
+    [property: JsonPropertyName("graphHash")] string? GraphHash = null,
+    [property: JsonPropertyName("graphCasUri")] string? GraphCasUri = null,
+    [property: JsonPropertyName("graphAlgorithm")] string? GraphAlgorithm = null,
+    [property: JsonPropertyName("graphGeneratedAt")] DateTimeOffset? GraphGeneratedAt = null,
+    [property: JsonPropertyName("reachabilityState")] string? ReachabilityState = null,
+    [property: JsonPropertyName("confidence")] double? Confidence = null,
+    [property: JsonPropertyName("callPaths")] IReadOnlyList<VexCallPath>? CallPaths = null,
+    [property: JsonPropertyName("runtimeHits")] IReadOnlyList<VexRuntimeHit>? RuntimeHits = null,
+    [property: JsonPropertyName("dsseEnvelopeId")] string? DsseEnvelopeId = null,
+    [property: JsonPropertyName("rekorEntryId")] string? RekorEntryId = null);
+
+/// <summary>
+/// Call path evidence for VEX decision.
+/// </summary>
+internal sealed record VexCallPath(
+    [property: JsonPropertyName("pathId")] string PathId,
+    [property: JsonPropertyName("pathHash")] string? PathHash = null,
+    [property: JsonPropertyName("depth")] int Depth = 0,
+    [property: JsonPropertyName("entryPoint")] string EntryPoint = "",
+    [property: JsonPropertyName("frames")] IReadOnlyList<string> Frames = null!,
+    [property: JsonPropertyName("vulnerableFunction")] string VulnerableFunction = "",
+    [property: JsonPropertyName("dsseEnvelopeId")] string? DsseEnvelopeId = null,
+    [property: JsonPropertyName("rekorEntryId")] string? RekorEntryId = null);
+
+/// <summary>
+/// Runtime execution hit evidence for VEX decision.
+/// </summary>
+internal sealed record VexRuntimeHit(
+    [property: JsonPropertyName("functionName")] string FunctionName,
+    [property: JsonPropertyName("hitCount")] long HitCount = 0,
+    [property: JsonPropertyName("probeSource")] string? ProbeSource = null,
+    [property: JsonPropertyName("lastObserved")] DateTimeOffset? LastObserved = null);