more features checks. setup improvements

docs/features/checked/policy/dsse-signed-reversible-decisions.md

@@ -0,0 +1,50 @@
+# DSSE-signed reversible decisions (MUTE_REACH, MUTE_VEX, ACK, EXCEPTION)
+
+## Module
+Policy
+
+## Status
+IMPLEMENTED
+
+## Description
+VEX decision signing service produces DSSE-signed decisions; exception objects model scoped, time-boxed exceptions with evidence requirements.
+
+## Implementation Details
+- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs` -- signs verdict decisions with DSSE envelopes
+  - `IVerdictAttestationService` interface
+  - `VerdictPredicate.cs` -- verdict predicate for attestation payload
+  - `VerdictPredicateBuilder.cs` -- fluent builder for verdict predicates
+  - `VerdictReasonCode.cs` -- reason codes for verdict decisions
+- **PolicyDecisionAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/PolicyDecisionAttestationService.cs` -- signs policy decisions
+  - `IPolicyDecisionAttestationService` interface
+  - `PolicyDecisionPredicate.cs` -- decision predicate payload
+  - `PolicyDecisionAttestationOptions.cs` -- signing options
+- **Exception Objects**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionObject.cs` -- scoped, time-boxed exception model
+  - Scope: CVE-level, package-level, or finding-level
+  - Time-boxing: ExpiresAt, auto-expire enforcement
+  - Evidence requirements: required evidence types per exception
+  - Status: Active, Expired, Revoked
+- **Exception Application**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionApplication.cs` -- tracks when exceptions are applied to findings
+- **Exception Events**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionEvent.cs` -- audit trail of exception lifecycle events (create, apply, expire, revoke)
+- **Evidence Hooks**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/EvidenceHook.cs` -- hooks for evidence validation on exception approval
+- **RecheckPolicy**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/RecheckPolicy.cs` -- recheck policy for exception revalidation
+- **Exception Evaluator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs` -- evaluates exception applicability
+- **Evidence Requirement Validator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs` -- validates evidence requirements are met
+- **Recheck Evaluation Service**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/RecheckEvaluationService.cs` -- periodic recheck of exception validity
+- **ExceptionRecheckGate**: `src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs` -- build gate that rechecks exception validity
+- **RVA Service**: `src/Policy/StellaOps.Policy.Engine/Attestation/RvaService.cs` -- Risk Verdict Attestation service
+  - `RvaBuilder.cs` -- builds RVA attestations
+  - `RvaVerifier.cs` -- verifies RVA attestation integrity
+  - `RvaPredicate.cs` -- RVA predicate model
+
+## E2E Test Plan
+- [ ] Create an exception with ExpiresAt in the future; verify exception is Active
+- [ ] Apply exception to a finding; verify DSSE-signed decision envelope is produced
+- [ ] Verify exception application is recorded in ExceptionEvent audit trail
+- [ ] Wait for exception expiry; verify ExceptionRecheckGate detects expiration and re-evaluates finding
+- [ ] Create exception with evidence requirements; verify EvidenceRequirementValidator blocks approval when evidence missing
+- [ ] Verify signed verdict predicate contains: finding ID, CVE, decision, reason code, timestamp
+- [ ] Verify PolicyDecisionAttestationService signs decisions with correct predicate payload
+- [ ] Revoke an active exception; verify finding is re-evaluated without exception
+- [ ] Run RecheckEvaluationService; verify exceptions past recheck policy interval are revalidated
+- [ ] Verify RvaService builds and verifies Risk Verdict Attestation with scoring determinism