save checkpoint: save features

docs/features/checked/vulnexplorer/vulnexplorer-triage-api.md

@@ -0,0 +1,37 @@
+# VulnExplorer Triage API
+
+## Module
+VulnExplorer
+
+## Status
+VERIFIED
+
+## Description
+Backend API for the vulnerability triage workspace providing VEX decision endpoints, audit bundle creation, SPDX 3.0.1 data model integration, and triage workflow state management with evidence-linked decisions.
+
+## Implementation Details
+- **VEX Decision Store**: `src/VulnExplorer/StellaOps.VulnExplorer.Api/Data/VexDecisionStore.cs` -- in-memory store for VEX triage decisions; manages decision state (not_affected, affected, fixed, under_investigation) with evidence references and analyst justifications.
+- **VEX Decision Models**: `src/VulnExplorer/StellaOps.VulnExplorer.Api/Models/VexDecisionModels.cs` -- data models for VEX decisions including status, justification, impact statement, action statement, and linked evidence artifacts.
+- **Vulnerability Models**: `src/VulnExplorer/StellaOps.VulnExplorer.Api/Models/VulnModels.cs` -- core vulnerability data models (CVE ID, CVSS scores, affected components, fix availability) used by the triage workspace.
+- **Fix Verification Models**: `src/VulnExplorer/StellaOps.VulnExplorer.Api/Models/FixVerificationModels.cs` -- models for fix verification status tracking (fix applied, verified by scanner, verified by binary diff, pending verification).
+- **Attestation Models**: `src/VulnExplorer/StellaOps.VulnExplorer.Api/Models/AttestationModels.cs` -- models for creating audit bundles that attest to triage decisions, linking VEX statements with the evidence that supports them.
+- **IVexOverrideAttestorClient**: `src/VulnExplorer/StellaOps.VulnExplorer.Api/Data/IVexOverrideAttestorClient.cs` -- client interface for submitting VEX override decisions to the Attestor service for cryptographic signing and transparency log recording.
+- **Evidence Subgraph Contracts**: `src/VulnExplorer/StellaOps.VulnExplorer.WebService/Contracts/EvidenceSubgraphContracts.cs` -- API contracts for querying evidence subgraphs associated with a vulnerability, including reachability analysis, binary diff results, and proof chain references.
+- **Sample Data**: `src/VulnExplorer/StellaOps.VulnExplorer.Api/Data/SampleData.cs` -- seed data for development and demo scenarios with pre-populated vulnerabilities, components, and triage decisions.
+- **API Program**: `src/VulnExplorer/StellaOps.VulnExplorer.Api/Program.cs` -- ASP.NET Minimal API host exposing triage endpoints for VEX decisions, evidence queries, and audit bundle creation.
+
+## E2E Test Plan
+- [ ] Create a VEX decision via the triage API (POST) with status "not_affected" and a justification, then retrieve it (GET) and verify all fields match
+- [ ] Create a VEX decision, submit it to the Attestor via `IVexOverrideAttestorClient`, and verify the returned attestation contains the decision digest and transparency log entry
+- [ ] Query the evidence subgraph for a specific CVE and verify the response includes linked reachability analysis, binary diff results, and proof chain references
+- [ ] Create a fix verification record, update it through the verification workflow (pending -> verified_by_scanner -> verified_by_diff), and verify each state transition is recorded
+- [ ] Create an audit bundle for a triage session with multiple VEX decisions and verify the bundle contains all decisions with their linked evidence artifacts
+- [ ] Attempt to create a VEX decision with an invalid status value and verify the API returns a 400 error with a descriptive validation message
+
+
+## Verification
+- Verified via QA FLOW on 2026-02-11 using run-001 (failure evidence) and run-002 (pass after fixes).
+- Tier 0 artifact: docs/qa/feature-checks/runs/vulnexplorer/vulnexplorer-triage-api/run-002/tier0-source-check.json.
+- Tier 1 artifact: docs/qa/feature-checks/runs/vulnexplorer/vulnexplorer-triage-api/run-002/tier1-build-check.json.
+- Tier 2 artifact: docs/qa/feature-checks/runs/vulnexplorer/vulnexplorer-triage-api/run-002/tier2-api-check.json.
+