consolidation of some of the modules, localization fixes, product advisories work, qa work

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Integration/PolicyEngineApiHostTests.cs

@@ -2,6 +2,7 @@ using System.Net;
 using System.Security.Claims;
 using System.Text.Encodings.Web;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -9,6 +10,7 @@ using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using StellaOps.Auth.Abstractions;
 using StellaOps.Policy.Engine.Attestation;
 using StellaOps.TestKit.Fixtures;
 using Xunit;
@@ -88,6 +90,10 @@ public sealed class PolicyEngineWebServiceFixture : WebServiceFixture<StellaOps.
     private static void ConfigureTestServices(IServiceCollection services)
     {
         services.RemoveAll<IHostedService>();
+        services.RemoveAll<IConfigureOptions<AuthenticationOptions>>();
+        services.RemoveAll<IPostConfigureOptions<AuthenticationOptions>>();
+        services.RemoveAll<IConfigureOptions<JwtBearerOptions>>();
+        services.RemoveAll<IPostConfigureOptions<JwtBearerOptions>>();
 
         services.AddAuthentication(options =>
             {
@@ -96,6 +102,9 @@ public sealed class PolicyEngineWebServiceFixture : WebServiceFixture<StellaOps.
             })
             .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>(
                 TestAuthHandler.SchemeName,
+                _ => { })
+            .AddScheme<AuthenticationSchemeOptions, TestAuthHandler>(
+                StellaOpsAuthenticationDefaults.AuthenticationScheme,
                 _ => { });
     }
 
@@ -105,6 +114,8 @@ public sealed class PolicyEngineWebServiceFixture : WebServiceFixture<StellaOps.
         {
             var settings = new Dictionary<string, string?>
             {
+                ["PolicyEngine:ResourceServer:Authority"] = "http://127.0.0.1:59999",
+                ["PolicyEngine:ResourceServer:RequireHttpsMetadata"] = "false",
                 ["VerdictAttestation:Enabled"] = "true",
                 ["VerdictAttestation:FailOnError"] = "true",
                 ["VerdictAttestation:RekorEnabled"] = "true",
@@ -142,6 +153,7 @@ internal sealed class TestAuthHandler : AuthenticationHandler<AuthenticationSche
         var claims = new[]
         {
             new Claim("scope", "policy:read"),
+            new Claim(StellaOpsClaimTypes.Tenant, "test-tenant"),
             new Claim("tenant_id", "test-tenant"),
             new Claim(ClaimTypes.NameIdentifier, "test-user")
         };
@@ -153,4 +165,3 @@ internal sealed class TestAuthHandler : AuthenticationHandler<AuthenticationSche
         return Task.FromResult(AuthenticateResult.Success(ticket));
     }
 }
-

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Scoring/ScorePolicyServiceCachingTests.cs

@@ -193,6 +193,7 @@ public sealed class ScorePolicyServiceCachingTests
         var policy1 = new ScorePolicy
         {
             PolicyVersion = "score.v1",
+            PolicyId = "policy-1",
             ScoringProfile = "advanced",
             WeightsBps = new WeightsBps
             {
@@ -206,6 +207,7 @@ public sealed class ScorePolicyServiceCachingTests
         var policy2 = new ScorePolicy
         {
             PolicyVersion = "score.v1",
+            PolicyId = "policy-1",
             ScoringProfile = "advanced",
             WeightsBps = new WeightsBps
             {
@@ -225,6 +227,7 @@ public sealed class ScorePolicyServiceCachingTests
     private static ScorePolicy CreateTestPolicy(string id) => new()
     {
         PolicyVersion = "score.v1",
+        PolicyId = id,
         ScoringProfile = "advanced",
         WeightsBps = new WeightsBps
         {

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/ComplexVerdict_MultipleRules_Canonical.json

@@ -0,0 +1,71 @@
+{
+  "verdictId": "VERDICT-2025-005",
+  "policyId": "POL-COMPLEX-001",
+  "policyName": "Complex Multi-Rule Policy",
+  "policyVersion": "3.0.0",
+  "tenantId": "TENANT-003",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:complex123",
+  "outcome": 1,
+  "rulesMatched": 5,
+  "rulesTotal": 8,
+  "violations": [],
+  "warnings": [
+    {
+      "ruleName": "warn_eol_runtime",
+      "severity": "medium",
+      "message": "Runtime marked as EOL; upgrade recommended",
+      "packagePurl": "pkg:deb/debian/python3.9@3.9.2"
+    },
+    {
+      "ruleName": "warn_ruby_git_sources",
+      "severity": "low",
+      "message": "Git-sourced Ruby gem present; review required",
+      "packagePurl": "pkg:gem/custom-gem@1.0.0"
+    }
+  ],
+  "matchedRules": [
+    {
+      "ruleName": "block_critical",
+      "priority": 5,
+      "status": 0,
+      "reason": "No critical vulnerabilities"
+    },
+    {
+      "ruleName": "escalate_high_internet",
+      "priority": 4,
+      "status": 0,
+      "reason": "No high severity on internet-exposed assets"
+    },
+    {
+      "ruleName": "require_vex_justification",
+      "priority": 3,
+      "status": 1,
+      "reason": "VEX statement accepted"
+    },
+    {
+      "ruleName": "warn_eol_runtime",
+      "priority": 1,
+      "status": 3,
+      "reason": "EOL runtime detected"
+    },
+    {
+      "ruleName": "warn_ruby_git_sources",
+      "priority": 1,
+      "status": 3,
+      "reason": "Git-sourced gem detected"
+    }
+  ],
+  "unknownsBudgetResult": null,
+  "vexMergeTrace": null,
+  "scoreResult": null,
+  "metadata": {
+    "evaluationDurationMs": 123,
+    "feedVersions": {
+      "nvd": "2025-12-24",
+      "ghsa": "2025-12-24",
+      "osv": "2025-12-24"
+    },
+    "policyChecksum": "sha256:policy789"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/EmptyVerdict_Canonical.json

@@ -0,0 +1,25 @@
+{
+  "verdictId": "VERDICT-2025-006",
+  "policyId": "POL-PROD-001",
+  "policyName": "Production Baseline Policy",
+  "policyVersion": "1.2.3",
+  "tenantId": "TENANT-001",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:empty123",
+  "outcome": 0,
+  "rulesMatched": 0,
+  "rulesTotal": 5,
+  "violations": [],
+  "warnings": [],
+  "matchedRules": [],
+  "unknownsBudgetResult": null,
+  "vexMergeTrace": null,
+  "scoreResult": null,
+  "metadata": {
+    "evaluationDurationMs": 12,
+    "feedVersions": {
+      "nvd": "2025-12-24"
+    },
+    "policyChecksum": "sha256:policy123"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/FailingVerdict_WithViolations_Canonical.json

@@ -0,0 +1,50 @@
+{
+  "verdictId": "VERDICT-2025-002",
+  "policyId": "POL-PROD-001",
+  "policyName": "Production Baseline Policy",
+  "policyVersion": "1.2.3",
+  "tenantId": "TENANT-001",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:abc123def456",
+  "outcome": 2,
+  "rulesMatched": 3,
+  "rulesTotal": 5,
+  "violations": [
+    {
+      "ruleName": "block_critical",
+      "severity": "critical",
+      "message": "Critical vulnerability CVE-2024-0001 found",
+      "vulnerabilityId": "CVE-2024-0001",
+      "packagePurl": "pkg:npm/lodash@4.17.20",
+      "remediation": "Upgrade to lodash@4.17.21"
+    },
+    {
+      "ruleName": "block_critical",
+      "severity": "critical",
+      "message": "Critical vulnerability CVE-2024-0002 found",
+      "vulnerabilityId": "CVE-2024-0002",
+      "packagePurl": "pkg:npm/express@4.18.0",
+      "remediation": "Upgrade to express@4.19.0"
+    }
+  ],
+  "warnings": [],
+  "matchedRules": [
+    {
+      "ruleName": "block_critical",
+      "priority": 5,
+      "status": 2,
+      "reason": "2 critical vulnerabilities found"
+    }
+  ],
+  "unknownsBudgetResult": null,
+  "vexMergeTrace": null,
+  "scoreResult": null,
+  "metadata": {
+    "evaluationDurationMs": 67,
+    "feedVersions": {
+      "nvd": "2025-12-24",
+      "ghsa": "2025-12-24"
+    },
+    "policyChecksum": "sha256:policy123"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/MultiRuleEvaluationTrace.json

@@ -0,0 +1,90 @@
+{
+  "traceId": "TRACE-2025-002",
+  "policyId": "POL-COMPLEX-001",
+  "policyName": "Complex Multi-Rule Policy",
+  "evaluationContext": {
+    "digestEvaluated": "sha256:xyz789",
+    "tenantId": "TENANT-002",
+    "environment": "staging",
+    "exposure": "internal"
+  },
+  "startedAt": "2025-12-24T12:00:00+00:00",
+  "completedAt": "2025-12-24T12:00:00.089+00:00",
+  "durationMs": 89,
+  "outcome": "Warn",
+  "steps": [
+    {
+      "stepNumber": 1,
+      "ruleName": "block_critical",
+      "priority": 5,
+      "phase": 3,
+      "condition": "severity.normalized \u003E= \u0022Critical\u0022",
+      "conditionResult": false,
+      "action": null,
+      "explanation": "No critical vulnerabilities",
+      "durationMs": 10,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    },
+    {
+      "stepNumber": 2,
+      "ruleName": "escalate_high_internet",
+      "priority": 4,
+      "phase": 3,
+      "condition": "severity.normalized == \u0022High\u0022 and env.exposure == \u0022internet\u0022",
+      "conditionResult": false,
+      "action": null,
+      "explanation": "Not internet-exposed, skipping escalation",
+      "durationMs": 8,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    },
+    {
+      "stepNumber": 3,
+      "ruleName": "block_ruby_dev",
+      "priority": 4,
+      "phase": 3,
+      "condition": "sbom.any_component(ruby.group(\u0022development\u0022))",
+      "conditionResult": false,
+      "action": null,
+      "explanation": "No development-only Ruby gems",
+      "durationMs": 12,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    },
+    {
+      "stepNumber": 4,
+      "ruleName": "require_vex_justification",
+      "priority": 3,
+      "phase": 3,
+      "condition": "vex.any(status in [\u0022not_affected\u0022,\u0022fixed\u0022])",
+      "conditionResult": true,
+      "action": "status := vex.status",
+      "explanation": "VEX statement found: not_affected (component_not_present)",
+      "durationMs": 25,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    },
+    {
+      "stepNumber": 5,
+      "ruleName": "warn_eol_runtime",
+      "priority": 1,
+      "phase": 3,
+      "condition": "severity.normalized \u003C= \u0022Medium\u0022 and sbom.has_tag(\u0022runtime:eol\u0022)",
+      "conditionResult": true,
+      "action": "warn message \u0022Runtime marked as EOL; upgrade recommended.\u0022",
+      "explanation": "EOL runtime detected: python3.9",
+      "durationMs": 15,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    }
+  ],
+  "finalStatus": "warning",
+  "matchedRuleCount": 2,
+  "totalRuleCount": 5
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/PassingVerdict_Canonical.json

@@ -0,0 +1,39 @@
+{
+  "verdictId": "VERDICT-2025-001",
+  "policyId": "POL-PROD-001",
+  "policyName": "Production Baseline Policy",
+  "policyVersion": "1.2.3",
+  "tenantId": "TENANT-001",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:abc123def456",
+  "outcome": 0,
+  "rulesMatched": 2,
+  "rulesTotal": 5,
+  "violations": [],
+  "warnings": [],
+  "matchedRules": [
+    {
+      "ruleName": "allow_low_severity",
+      "priority": 1,
+      "status": 1,
+      "reason": "Severity \u003C= Low, allowing"
+    },
+    {
+      "ruleName": "vex_not_affected",
+      "priority": 2,
+      "status": 1,
+      "reason": "VEX status is not_affected"
+    }
+  ],
+  "unknownsBudgetResult": null,
+  "vexMergeTrace": null,
+  "scoreResult": null,
+  "metadata": {
+    "evaluationDurationMs": 42,
+    "feedVersions": {
+      "nvd": "2025-12-24",
+      "ghsa": "2025-12-24"
+    },
+    "policyChecksum": "sha256:policy123"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/PolicyEvaluationTraceSnapshotTests.cs

@@ -15,6 +15,18 @@ public sealed class PolicyEvaluationTraceSnapshotTests
 {
     private static readonly DateTimeOffset FrozenTime = DateTimeOffset.Parse("2025-12-24T12:00:00Z");
 
+    [Fact]
+    public void SnapshotDirectory_ResolvesToSourceControlledSnapshotsFolder()
+    {
+        var snapshotsDirectory = SnapshotAssert.ResolveDefaultSnapshotsDirectory();
+
+        Directory.Exists(snapshotsDirectory).Should().BeTrue();
+        Path.GetFileName(snapshotsDirectory).Should().Be("Snapshots");
+        File.Exists(Path.Combine(snapshotsDirectory, "PolicyEvaluationTraceSnapshotTests.cs"))
+            .Should()
+            .BeTrue("snapshot root should resolve to the source-controlled Snapshots folder");
+    }
+
     /// <summary>
     /// Verifies that a simple evaluation trace produces stable structure.
     /// </summary>

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/ProfileApplicationTrace.json

@@ -0,0 +1,58 @@
+{
+  "traceId": "TRACE-2025-004",
+  "policyId": "POL-PROFILE-001",
+  "policyName": "Profile-Based Policy",
+  "evaluationContext": {
+    "digestEvaluated": "sha256:profile123",
+    "tenantId": "TENANT-003",
+    "environment": "production",
+    "exposure": "internet"
+  },
+  "startedAt": "2025-12-24T12:00:00+00:00",
+  "completedAt": "2025-12-24T12:00:00.055+00:00",
+  "durationMs": 55,
+  "outcome": "Pass",
+  "steps": [
+    {
+      "stepNumber": 1,
+      "ruleName": "profile_severity",
+      "priority": 100,
+      "phase": 0,
+      "condition": "profile.severity.enabled",
+      "conditionResult": true,
+      "action": null,
+      "explanation": "Applying severity profile adjustments",
+      "durationMs": 18,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": {
+        "profileName": "severity",
+        "adjustments": [
+          {
+            "finding": "CVE-2024-0001",
+            "originalSeverity": "High",
+            "adjustedSeverity": "Critical",
+            "reason": "GHSA source weight \u002B0.5, internet exposure \u002B0.5"
+          }
+        ]
+      },
+      "escalationDetail": null
+    },
+    {
+      "stepNumber": 2,
+      "ruleName": "block_critical",
+      "priority": 5,
+      "phase": 3,
+      "condition": "severity.normalized \u003E= \u0022Critical\u0022",
+      "conditionResult": false,
+      "action": null,
+      "explanation": "Post-profile: no critical vulnerabilities (VEX override applied)",
+      "durationMs": 10,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    }
+  ],
+  "finalStatus": "allowed",
+  "matchedRuleCount": 1,
+  "totalRuleCount": 2
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/SeverityEscalationTrace.json

@@ -0,0 +1,53 @@
+{
+  "traceId": "TRACE-2025-005",
+  "policyId": "POL-ESCALATE-001",
+  "policyName": "Escalation Policy",
+  "evaluationContext": {
+    "digestEvaluated": "sha256:escalate123",
+    "tenantId": "TENANT-001",
+    "environment": "production",
+    "exposure": "internet"
+  },
+  "startedAt": "2025-12-24T12:00:00+00:00",
+  "completedAt": "2025-12-24T12:00:00.045+00:00",
+  "durationMs": 45,
+  "outcome": "Fail",
+  "steps": [
+    {
+      "stepNumber": 1,
+      "ruleName": "escalate_high_internet",
+      "priority": 4,
+      "phase": 2,
+      "condition": "severity.normalized == \u0022High\u0022 and env.exposure == \u0022internet\u0022",
+      "conditionResult": true,
+      "action": "escalate to severity_band(\u0022Critical\u0022)",
+      "explanation": "High severity on internet-exposed asset escalated to Critical",
+      "durationMs": 15,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": {
+        "finding": "CVE-2024-0001",
+        "originalSeverity": "High",
+        "escalatedSeverity": "Critical",
+        "reason": "Internet exposure triggers escalation per policy rule"
+      }
+    },
+    {
+      "stepNumber": 2,
+      "ruleName": "block_critical",
+      "priority": 5,
+      "phase": 3,
+      "condition": "severity.normalized \u003E= \u0022Critical\u0022",
+      "conditionResult": true,
+      "action": "status := \u0022blocked\u0022",
+      "explanation": "Critical severity (post-escalation) triggers block",
+      "durationMs": 10,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    }
+  ],
+  "finalStatus": "blocked",
+  "matchedRuleCount": 2,
+  "totalRuleCount": 2
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/SimpleEvaluationTrace.json

@@ -0,0 +1,48 @@
+{
+  "traceId": "TRACE-2025-001",
+  "policyId": "POL-PROD-001",
+  "policyName": "Production Baseline Policy",
+  "evaluationContext": {
+    "digestEvaluated": "sha256:abc123def456",
+    "tenantId": "TENANT-001",
+    "environment": "production",
+    "exposure": "internet"
+  },
+  "startedAt": "2025-12-24T12:00:00+00:00",
+  "completedAt": "2025-12-24T12:00:00.042+00:00",
+  "durationMs": 42,
+  "outcome": "Pass",
+  "steps": [
+    {
+      "stepNumber": 1,
+      "ruleName": "block_critical",
+      "priority": 5,
+      "phase": 3,
+      "condition": "severity.normalized \u003E= \u0022Critical\u0022",
+      "conditionResult": false,
+      "action": null,
+      "explanation": "No critical vulnerabilities found in scan",
+      "durationMs": 15,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    },
+    {
+      "stepNumber": 2,
+      "ruleName": "allow_low_severity",
+      "priority": 1,
+      "phase": 3,
+      "condition": "severity.normalized \u003C= \u0022Low\u0022",
+      "conditionResult": true,
+      "action": "status := \u0022allowed\u0022",
+      "explanation": "All findings are Low severity or below",
+      "durationMs": 12,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    }
+  ],
+  "finalStatus": "allowed",
+  "matchedRuleCount": 1,
+  "totalRuleCount": 2
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/VerdictWithActNowScore_Canonical.json

@@ -0,0 +1,71 @@
+{
+  "verdictId": "VERDICT-2025-007",
+  "policyId": "POL-SCORE-001",
+  "policyName": "EWS Score-Based Policy",
+  "policyVersion": "1.0.0",
+  "tenantId": "TENANT-001",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:score123",
+  "outcome": 2,
+  "rulesMatched": 2,
+  "rulesTotal": 5,
+  "violations": [
+    {
+      "ruleName": "block_act_now",
+      "severity": "critical",
+      "message": "Score 92 in ActNow bucket requires immediate action",
+      "vulnerabilityId": "CVE-2024-0010",
+      "packagePurl": "pkg:npm/critical-pkg@1.0.0",
+      "remediation": "Upgrade to patched version immediately"
+    }
+  ],
+  "warnings": [],
+  "matchedRules": [
+    {
+      "ruleName": "block_act_now",
+      "priority": 10,
+      "status": 2,
+      "reason": "score.is_act_now evaluated true (score=92)"
+    },
+    {
+      "ruleName": "score_threshold_80",
+      "priority": 8,
+      "status": 1,
+      "reason": "score \u003E= 80 threshold exceeded"
+    }
+  ],
+  "unknownsBudgetResult": null,
+  "vexMergeTrace": null,
+  "scoreResult": {
+    "findingId": "FINDING-CVE-2024-0010",
+    "score": 92,
+    "bucket": "ActNow",
+    "inputs": {
+      "reachability": 0.95,
+      "runtime": 0.8,
+      "backport": 0.1,
+      "exploit": 0.9,
+      "sourceTrust": 0.7,
+      "mitigation": 0.05
+    },
+    "flags": [
+      "live-signal",
+      "public-exploit"
+    ],
+    "explanations": [
+      "High reachability (0.95): function is in hot code path",
+      "Active exploit in the wild detected",
+      "No mitigation available"
+    ],
+    "calculatedAt": "2025-12-24T12:00:00+00:00",
+    "policyDigest": "sha256:ews-policy-v1"
+  },
+  "metadata": {
+    "evaluationDurationMs": 78,
+    "feedVersions": {
+      "nvd": "2025-12-24",
+      "ghsa": "2025-12-24"
+    },
+    "policyChecksum": "sha256:score-policy-001"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/VerdictWithKevFlaggedScore_Canonical.json

@@ -0,0 +1,73 @@
+{
+  "verdictId": "VERDICT-2025-009",
+  "policyId": "POL-SCORE-002",
+  "policyName": "KEV-Aware Score Policy",
+  "policyVersion": "1.0.0",
+  "tenantId": "TENANT-002",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:kev-score",
+  "outcome": 2,
+  "rulesMatched": 2,
+  "rulesTotal": 4,
+  "violations": [
+    {
+      "ruleName": "block_kev_flagged",
+      "severity": "critical",
+      "message": "KEV-listed vulnerability must be remediated immediately",
+      "vulnerabilityId": "CVE-2024-0030",
+      "packagePurl": "pkg:npm/vulnerable-pkg@1.0.0",
+      "remediation": "CISA KEV deadline: 2025-01-15"
+    }
+  ],
+  "warnings": [],
+  "matchedRules": [
+    {
+      "ruleName": "block_kev_flagged",
+      "priority": 15,
+      "status": 2,
+      "reason": "score.has_flag(\u0022kev\u0022) evaluated true"
+    },
+    {
+      "ruleName": "escalate_act_now",
+      "priority": 10,
+      "status": 1,
+      "reason": "score.is_act_now with KEV flag"
+    }
+  ],
+  "unknownsBudgetResult": null,
+  "vexMergeTrace": null,
+  "scoreResult": {
+    "findingId": "FINDING-CVE-2024-0030",
+    "score": 98,
+    "bucket": "ActNow",
+    "inputs": {
+      "reachability": 0.7,
+      "runtime": 0.9,
+      "backport": 0,
+      "exploit": 1,
+      "sourceTrust": 0.85,
+      "mitigation": 0
+    },
+    "flags": [
+      "kev",
+      "public-exploit",
+      "weaponized"
+    ],
+    "explanations": [
+      "CISA KEV listed: actively exploited in the wild",
+      "Exploit complexity: Low",
+      "No backport available",
+      "No mitigation factors apply"
+    ],
+    "calculatedAt": "2025-12-24T12:00:00+00:00",
+    "policyDigest": "sha256:kev-policy-v1"
+  },
+  "metadata": {
+    "evaluationDurationMs": 56,
+    "feedVersions": {
+      "nvd": "2025-12-24",
+      "kev": "2025-12-24"
+    },
+    "policyChecksum": "sha256:kev-policy-001"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/VerdictWithLowScore_Canonical.json

@@ -0,0 +1,52 @@
+{
+  "verdictId": "VERDICT-2025-010",
+  "policyId": "POL-SCORE-001",
+  "policyName": "EWS Score-Based Policy",
+  "policyVersion": "1.0.0",
+  "tenantId": "TENANT-001",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:low-score",
+  "outcome": 0,
+  "rulesMatched": 1,
+  "rulesTotal": 5,
+  "violations": [],
+  "warnings": [],
+  "matchedRules": [
+    {
+      "ruleName": "allow_low_score",
+      "priority": 1,
+      "status": 1,
+      "reason": "score \u003C 40 - acceptable risk level"
+    }
+  ],
+  "unknownsBudgetResult": null,
+  "vexMergeTrace": null,
+  "scoreResult": {
+    "findingId": "FINDING-CVE-2024-0040",
+    "score": 25,
+    "bucket": "Watchlist",
+    "inputs": {
+      "reachability": 0.1,
+      "runtime": 0.2,
+      "backport": 0.9,
+      "exploit": 0.15,
+      "sourceTrust": 0.95,
+      "mitigation": 0.8
+    },
+    "flags": [],
+    "explanations": [
+      "Low reachability (0.1): function not in execution path",
+      "Backport available (0.9)",
+      "Strong mitigation factors (0.8)"
+    ],
+    "calculatedAt": "2025-12-24T12:00:00+00:00",
+    "policyDigest": "sha256:ews-policy-v1"
+  },
+  "metadata": {
+    "evaluationDurationMs": 32,
+    "feedVersions": {
+      "nvd": "2025-12-24"
+    },
+    "policyChecksum": "sha256:score-policy-001"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/VerdictWithScoreRuleViolation_Canonical.json

@@ -0,0 +1,60 @@
+{
+  "verdictId": "VERDICT-2025-008",
+  "policyId": "POL-SCORE-001",
+  "policyName": "EWS Score-Based Policy",
+  "policyVersion": "1.0.0",
+  "tenantId": "TENANT-001",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:score-violation",
+  "outcome": 2,
+  "rulesMatched": 1,
+  "rulesTotal": 3,
+  "violations": [
+    {
+      "ruleName": "block_high_exploit_reachable",
+      "severity": "high",
+      "message": "Reachable vulnerability with high exploit score blocked",
+      "vulnerabilityId": "CVE-2024-0020",
+      "packagePurl": "pkg:maven/org.example/lib@2.0.0",
+      "remediation": "Apply patch or configure WAF rules"
+    }
+  ],
+  "warnings": [],
+  "matchedRules": [
+    {
+      "ruleName": "block_high_exploit_reachable",
+      "priority": 7,
+      "status": 2,
+      "reason": "score.rch \u003E 0.8 and score.xpl \u003E 0.7 condition met"
+    }
+  ],
+  "unknownsBudgetResult": null,
+  "vexMergeTrace": null,
+  "scoreResult": {
+    "findingId": "FINDING-CVE-2024-0020",
+    "score": 75,
+    "bucket": "ScheduleNext",
+    "inputs": {
+      "reachability": 0.85,
+      "runtime": 0.6,
+      "backport": 0.3,
+      "exploit": 0.75,
+      "sourceTrust": 0.8,
+      "mitigation": 0.2
+    },
+    "flags": [],
+    "explanations": [
+      "High reachability (0.85): code path confirmed reachable",
+      "Exploit code available (0.75)"
+    ],
+    "calculatedAt": "2025-12-24T12:00:00+00:00",
+    "policyDigest": "sha256:ews-policy-v1"
+  },
+  "metadata": {
+    "evaluationDurationMs": 45,
+    "feedVersions": {
+      "nvd": "2025-12-24"
+    },
+    "policyChecksum": "sha256:score-policy-001"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/VerdictWithUnknowns_Canonical.json

@@ -0,0 +1,49 @@
+{
+  "verdictId": "VERDICT-2025-003",
+  "policyId": "POL-STRICT-001",
+  "policyName": "Strict Unknown Budget Policy",
+  "policyVersion": "2.0.0",
+  "tenantId": "TENANT-002",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:xyz789",
+  "outcome": 2,
+  "rulesMatched": 1,
+  "rulesTotal": 3,
+  "violations": [
+    {
+      "ruleName": "unknowns_budget",
+      "severity": "high",
+      "message": "Unknowns budget exceeded: 5 critical unknowns (max: 0)",
+      "vulnerabilityId": null,
+      "packagePurl": null,
+      "remediation": "Resolve unknown packages or request VEX statements"
+    }
+  ],
+  "warnings": [],
+  "matchedRules": [
+    {
+      "ruleName": "unknowns_budget",
+      "priority": 10,
+      "status": 2,
+      "reason": "Critical unknowns (5) exceeds budget (0)"
+    }
+  ],
+  "unknownsBudgetResult": {
+    "withinBudget": false,
+    "criticalCount": 5,
+    "highCount": 12,
+    "mediumCount": 45,
+    "lowCount": 120,
+    "totalCount": 182,
+    "action": "Block"
+  },
+  "vexMergeTrace": null,
+  "scoreResult": null,
+  "metadata": {
+    "evaluationDurationMs": 89,
+    "feedVersions": {
+      "nvd": "2025-12-24"
+    },
+    "policyChecksum": "sha256:policy456"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/VerdictWithVexMerge_Canonical.json

@@ -0,0 +1,41 @@
+{
+  "verdictId": "VERDICT-2025-004",
+  "policyId": "POL-PROD-001",
+  "policyName": "Production Baseline Policy",
+  "policyVersion": "1.2.3",
+  "tenantId": "TENANT-001",
+  "evaluatedAt": "2025-12-24T12:00:00+00:00",
+  "digestEvaluated": "sha256:abc123def456",
+  "outcome": 0,
+  "rulesMatched": 2,
+  "rulesTotal": 5,
+  "violations": [],
+  "warnings": [],
+  "matchedRules": [
+    {
+      "ruleName": "require_vex_justification",
+      "priority": 3,
+      "status": 1,
+      "reason": "VEX statement accepted with strong justification"
+    }
+  ],
+  "unknownsBudgetResult": null,
+  "vexMergeTrace": {
+    "vulnerabilityId": "CVE-2024-0001",
+    "winningSource": "vendor",
+    "winningStatus": "not_affected",
+    "winningJustification": "component_not_present",
+    "conflictsResolved": 1,
+    "sourcesConsidered": 3,
+    "resolutionReason": "TrustWeight"
+  },
+  "scoreResult": null,
+  "metadata": {
+    "evaluationDurationMs": 55,
+    "feedVersions": {
+      "nvd": "2025-12-24",
+      "ghsa": "2025-12-24"
+    },
+    "policyChecksum": "sha256:policy123"
+  }
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Snapshots/VexResolutionTrace.json

@@ -0,0 +1,72 @@
+{
+  "traceId": "TRACE-2025-003",
+  "policyId": "POL-VEX-001",
+  "policyName": "VEX-Aware Policy",
+  "evaluationContext": {
+    "digestEvaluated": "sha256:vex123",
+    "tenantId": "TENANT-001",
+    "environment": "production",
+    "exposure": "internet"
+  },
+  "startedAt": "2025-12-24T12:00:00+00:00",
+  "completedAt": "2025-12-24T12:00:00.067+00:00",
+  "durationMs": 67,
+  "outcome": "Pass",
+  "steps": [
+    {
+      "stepNumber": 1,
+      "ruleName": "vex_merge_resolution",
+      "priority": 10,
+      "phase": 1,
+      "condition": "vex.statements.count \u003E 1",
+      "conditionResult": true,
+      "action": null,
+      "explanation": "Multiple VEX statements found; merging via K4 lattice",
+      "durationMs": 20,
+      "vexMergeDetail": {
+        "vulnerabilityId": "CVE-2024-0001",
+        "statementCount": 3,
+        "sources": [
+          {
+            "source": "vendor",
+            "status": "not_affected",
+            "trust": 1.0
+          },
+          {
+            "source": "maintainer",
+            "status": "affected",
+            "trust": 0.9
+          },
+          {
+            "source": "scanner",
+            "status": "unknown",
+            "trust": 0.5
+          }
+        ],
+        "winningSource": "vendor",
+        "winningStatus": "not_affected",
+        "resolutionReason": "TrustWeight",
+        "conflictsResolved": 2
+      },
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    },
+    {
+      "stepNumber": 2,
+      "ruleName": "require_vex_justification",
+      "priority": 3,
+      "phase": 3,
+      "condition": "vex.justification in [\u0022component_not_present\u0022,\u0022vulnerable_code_not_present\u0022]",
+      "conditionResult": true,
+      "action": "status := vex.status",
+      "explanation": "VEX justification accepted: component_not_present",
+      "durationMs": 12,
+      "vexMergeDetail": null,
+      "profileApplicationDetail": null,
+      "escalationDetail": null
+    }
+  ],
+  "finalStatus": "allowed",
+  "matchedRuleCount": 2,
+  "totalRuleCount": 2
+}

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj

@@ -23,7 +23,7 @@
     <ProjectReference Include="../../StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj" />
     <ProjectReference Include="../../../__Libraries/StellaOps.DeltaVerdict/StellaOps.DeltaVerdict.csproj" />
     <ProjectReference Include="../../../__Libraries/StellaOps.Provcache/StellaOps.Provcache.csproj" />
-    <ProjectReference Include="../../../Excititor/__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj" />
+    <ProjectReference Include="../../../Concelier/__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj" />
     <ProjectReference Include="../../__Libraries/StellaOps.Policy.Unknowns/StellaOps.Policy.Unknowns.csproj" />
     <ProjectReference Include="../../../__Libraries/StellaOps.TestKit/StellaOps.TestKit.csproj" />
     <ProjectReference Include="../../../Scanner/__Libraries/StellaOps.Scanner.Emit/StellaOps.Scanner.Emit.csproj" />

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Tenancy/TenantIsolationTests.cs

@@ -149,6 +149,7 @@ public sealed class TenantIsolationTests
         // Arrange
         var filter = new TenantContextEndpointFilter();
         var services = new ServiceCollection();
+        services.AddLogging();
         services.AddSingleton<ITenantContextAccessor>(_accessor);
         var sp = services.BuildServiceProvider();