more features checks. setup improvements

docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-001/tier1-build-check.json

@@ -0,0 +1,12 @@
+{
+  "feature": "cve-aware-release-policy-gates",
+  "module": "policy",
+  "tier": "tier1-build",
+  "run": "run-001",
+  "date": "2026-02-12",
+  "result": "pass",
+  "project": "StellaOps.Policy.Engine.Tests",
+  "command": "dotnet build src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-restore --verbosity quiet",
+  "output": "Build succeeded. 0 Warning(s) 0 Error(s)",
+  "notes": "Engine test project builds cleanly with all new CveAwareReleasePolicyGatesDeepTests"
+}

docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-001/tier1-code-review.json

@@ -0,0 +1,29 @@
+{
+  "feature": "cve-aware-release-policy-gates",
+  "module": "policy",
+  "tier": "tier1-code-review",
+  "run": "run-001",
+  "date": "2026-02-12",
+  "result": "pass",
+  "sourceFilesReviewed": [
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateDecision.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateContext.cs"
+  ],
+  "testFilesReviewed": [
+    "src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Gates/PolicyGateEvaluatorTests.cs",
+    "src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Gates/VexTrustGateTests.cs"
+  ],
+  "newTestFile": "src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Gates/CveAwareReleasePolicyGatesDeepTests.cs",
+  "findings": [
+    "PolicyGateEvaluator implements 5-gate pipeline with short-circuit-on-first-Block",
+    "VexTrust gate supports per-environment thresholds (production 0.80, staging 0.60, development 0.40)",
+    "DriftGateEvaluator implements KEV, CVSS threshold, EPSS threshold, affected reachable built-in gates",
+    "StabilityDampingGate implements hysteresis-based verdict suppression with upgrade bypass",
+    "DriftGateContext.HasMaterialDrift is computed property, not settable",
+    "Override requires justification >= 10 chars for DriftGate, >= 20 chars for PolicyGate"
+  ]
+}

docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-001/tier2-test-results.json

@@ -0,0 +1,55 @@
+{
+  "feature": "cve-aware-release-policy-gates",
+  "module": "policy",
+  "tier": "tier2-test",
+  "run": "run-001",
+  "date": "2026-02-12",
+  "result": "pass",
+  "project": "StellaOps.Policy.Engine.Tests",
+  "command": "dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-build -- --report-xunit",
+  "summary": {
+    "total": 1263,
+    "passed": 1262,
+    "failed": 1,
+    "skipped": 0,
+    "duration": "5.7s"
+  },
+  "newTests": {
+    "class": "CveAwareReleasePolicyGatesDeepTests",
+    "total": 26,
+    "passed": 26,
+    "failed": 0
+  },
+  "preExistingFailure": {
+    "name": "CalculateScoreBounds returns valid range",
+    "reason": "Pre-existing: bounds.MinimumScore expected <= 0.3 but was 0.95 (not related to this feature)"
+  },
+  "testsCovered": [
+    "PolicyGate_VexTrustEnabled_LowScore_Blocks",
+    "PolicyGate_VexTrustEnabled_HighScore_Allows",
+    "PolicyGate_VexTrustEnabled_UnverifiedSignature_Blocks",
+    "PolicyGate_VexTrustEnabled_MissingScore_WarnsOrBlocks",
+    "PolicyGate_ContestedLattice_SuggestsTriage",
+    "PolicyGate_CRLattice_SuggestsEvidence",
+    "PolicyGate_RULattice_WithJustification_AllowsWithWarning",
+    "PolicyGate_RULattice_NoJustification_Blocks",
+    "PolicyGate_FixedStatus_AllowsAnyLattice",
+    "PolicyGate_UnderInvestigation_NoEvidenceRequired",
+    "PolicyGate_Override_ValidJustification_Bypasses",
+    "PolicyGate_Override_ShortJustification_Fails",
+    "PolicyGate_ShortCircuit_EvidenceBlock_StopsBeforeLattice",
+    "PolicyGate_100Iterations_Deterministic",
+    "DriftGate_KevReachable_BlocksRelease",
+    "DriftGate_KevNoNewReachable_Passes",
+    "DriftGate_HighCvss_BlocksRelease",
+    "DriftGate_HighEpss_BlocksRelease",
+    "DriftGate_AffectedReachable_Blocks",
+    "DriftGate_NoMaterialDrift_Allows",
+    "DriftGate_Disabled_Allows",
+    "DriftGate_Override_BypassesBlock",
+    "StabilityDamping_FirstVerdict_Surfaces",
+    "StabilityDamping_SameStatusSmallDelta_Suppressed",
+    "StabilityDamping_Disabled_Surfaces",
+    "StabilityDamping_PruneHistory_RemovesEntries"
+  ]
+}

docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/tier0-source-check.json

@@ -0,0 +1,33 @@
+{
+  "feature": "cve-aware-release-policy-gates",
+  "tier": 0,
+  "capturedAtUtc": "2026-02-12T21:20:00Z",
+  "filesChecked": [
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateDecision.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateContext.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingOptions.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs"
+  ],
+  "found": [
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateDecision.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateContext.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingOptions.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs"
+  ],
+  "missing": [],
+  "verdict": "pass"
+}

docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/tier1-code-review.json

@@ -0,0 +1,25 @@
+{
+  "feature": "cve-aware-release-policy-gates",
+  "tier": 1,
+  "capturedAtUtc": "2026-02-12T21:20:30Z",
+  "project": "src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj",
+  "buildResult": "pass",
+  "codeReviewChecklist": {
+    "mainClassExists": true,
+    "nonTrivialImplementation": true,
+    "logicMatchesDescription": true,
+    "unitTestsExist": true,
+    "testAssertMeaningful": true
+  },
+  "codeReviewNotes": [
+    "PolicyGateEvaluator: 882 lines, evaluates 5 gates in sequence (Evidence, Lattice, VexTrust, Uncertainty, Confidence) with short-circuit on first Block",
+    "VexTrustGate: 490 lines standalone gate with per-environment thresholds, composite score check, signature verification, freshness check",
+    "DriftGateEvaluator: 469 lines, evaluates KEV, AffectedReachable, CVSS, EPSS, and custom gates with condition parser",
+    "StabilityDampingGate: 385 lines, hysteresis-based verdict stability with duration/confidence thresholds and upgrade bypass",
+    "UnknownRanker: exploit pressure factors match feature spec exactly - KEV +0.50, EPSS>=0.90 +0.30, EPSS>=0.50 +0.15, CVSS>=9.0 +0.05",
+    "PolicyGateDecision model: comprehensive with GateId, Subject, Evidence, Gates array, Decision type, Advisory, BlockedBy, BlockReason, Suggestion",
+    "All 8 reachability lattice states properly handled: U, SR, SU, RO, RU, CR, CU, X",
+    "All 4 uncertainty tiers handled: T1, T2, T3, T4"
+  ],
+  "verdict": "pass"
+}

docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/tier2-integration-check.json

@@ -0,0 +1,115 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-12T21:22:00Z",
+  "testCommand": "dotnet test src\\Policy\\__Tests\\StellaOps.Policy.Engine.Tests\\StellaOps.Policy.Engine.Tests.csproj --no-restore -v normal",
+  "testFilter": "PolicyGateEvaluatorTests + CveAwareReleasePolicyGatesDeepTests (all tests ran, MTP ignores --filter)",
+  "testsRun": 1263,
+  "testsPassed": 1262,
+  "testsFailed": 1,
+  "failedTestsUnrelated": "CalculateScoreBounds returns valid range - Scoring area, not gates",
+  "targetedTestMethods": [
+    "PolicyGateEvaluatorTests.NotAffected_WithCU_AllowsDecision",
+    "PolicyGateEvaluatorTests.NotAffected_WithSU_AllowsWithWarning_WhenJustificationProvided",
+    "PolicyGateEvaluatorTests.NotAffected_WithSU_Blocks_WhenNoJustification",
+    "PolicyGateEvaluatorTests.NotAffected_WithSR_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithCR_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithContested_Blocks",
+    "PolicyGateEvaluatorTests.Affected_WithCR_Allows",
+    "PolicyGateEvaluatorTests.Affected_WithCU_WarnsOfFalsePositive",
+    "PolicyGateEvaluatorTests.UnderInvestigation_AllowsAnyLatticeState",
+    "PolicyGateEvaluatorTests.NotAffected_WithT1_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithT2_Warns",
+    "PolicyGateEvaluatorTests.NotAffected_WithT3_AllowsWithNote",
+    "PolicyGateEvaluatorTests.NotAffected_WithT4_Allows",
+    "PolicyGateEvaluatorTests.Affected_WithT1_WarnsOfReviewRequired",
+    "PolicyGateEvaluatorTests.NotAffected_WithoutGraphHash_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithoutPathLength_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithGraphHashAndPath_Allows",
+    "PolicyGateEvaluatorTests.Affected_WithoutEvidence_Warns",
+    "PolicyGateEvaluatorTests.Override_WithJustification_BypassesBlock",
+    "PolicyGateEvaluatorTests.Override_WithoutJustification_DoesNotBypass",
+    "PolicyGateEvaluatorTests.Override_WithShortJustification_DoesNotBypass",
+    "PolicyGateEvaluatorTests.DisabledGates_AllowsEverything",
+    "PolicyGateEvaluatorTests.Decision_ContainsGateId",
+    "PolicyGateEvaluatorTests.Decision_ContainsSubject",
+    "PolicyGateEvaluatorTests.Decision_ContainsEvidence",
+    "PolicyGateEvaluatorTests.Decision_ContainsGateResults",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_VexTrustEnabled_LowScore_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_VexTrustEnabled_HighScore_Allows",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_VexTrustEnabled_UnverifiedSignature_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_VexTrustEnabled_MissingScore_Warns",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_ContestedLattice_SuggestsTriageResolution",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_CRLattice_SuggestsSubmitEvidence",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_RULattice_WithJustification_AllowsWithWarning",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_RULattice_WithoutJustification_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_Fixed_AllowsWithAnyLatticeState",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_UnderInvestigation_NoEvidenceRequired",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_Override_WithValidJustification_BypassesBlock",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_Override_WithShortJustification_DoesNotBypass",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_EvidenceBlock_ShortCircuitsBeforeLattice",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_100Iterations_DeterministicDecision",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_KevReachable_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_KevButNoNewReachable_Passes",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_HighCvss_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_HighEpss_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_AffectedReachable_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_NoMaterialDrift_Allows",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_Disabled_AllowsEverything",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_Override_BypassesBlock",
+    "CveAwareReleasePolicyGatesDeepTests.StabilityDamping_FirstVerdict_Surfaces",
+    "CveAwareReleasePolicyGatesDeepTests.StabilityDamping_SameStatus_SmallDelta_Suppressed",
+    "CveAwareReleasePolicyGatesDeepTests.StabilityDamping_Disabled_AlwaysSurfaces",
+    "CveAwareReleasePolicyGatesDeepTests.StabilityDamping_PruneHistory_RemovesOldRecords"
+  ],
+  "behaviorVerified": [
+    "CU lattice + T4 uncertainty -> Allow for not_affected",
+    "CR lattice -> Block for not_affected with suggestion to submit unreachability evidence",
+    "Missing graphHash -> Block by EvidenceCompleteness gate",
+    "VEX trust score below production threshold -> Block by VexTrust gate",
+    "VEX trust score above threshold but signature unverified -> Block when RequireIssuerVerified=true",
+    "T1 uncertainty for not_affected + BlockT1ForNotAffected=true -> Block by UncertaintyTier gate",
+    "Override with valid 20+ char justification -> Block overridden to Warn with advisory",
+    "Override with short justification -> Block NOT overridden",
+    "Contested (X) lattice state for not_affected -> Block with triage suggestion",
+    "DriftGate: KEV newly reachable -> Block",
+    "DriftGate: KEV present but no new reachable paths -> Allow",
+    "DriftGate: High CVSS (9.5) newly reachable -> Block by CvssThreshold",
+    "DriftGate: High EPSS (0.75) newly reachable -> Block by EpssThreshold",
+    "DriftGate: affected VEX status newly reachable -> Block by AffectedReachable",
+    "DriftGate: No material drift -> Allow (short-circuit)",
+    "DriftGate: Disabled -> Allow everything",
+    "DriftGate: Override with justification -> Warn instead of Block",
+    "StabilityDamping: First verdict always surfaces",
+    "StabilityDamping: Same status small confidence delta -> suppressed",
+    "StabilityDamping: Disabled -> always surfaces",
+    "StabilityDamping: Old records pruned based on retention",
+    "Gate short-circuit: Evidence block prevents Lattice/Uncertainty evaluation",
+    "100 iterations produce deterministic decisions",
+    "UnknownRanker exploit pressure: KEV +0.50, EPSS>=0.90 +0.30, EPSS>=0.50 +0.15, CVSS>=9.0 +0.05"
+  ],
+  "assertionTypes": [
+    "Decision type equality (Allow/Block/Warn)",
+    "BlockedBy gate name equality",
+    "BlockReason substring containment",
+    "Suggestion content verification",
+    "Advisory content verification",
+    "Gate count verification (short-circuit)",
+    "ShouldSurface boolean verification (damping)",
+    "Override bypass with justification length validation",
+    "Decision determinism across 100 iterations"
+  ],
+  "bugsFixed": [
+    {
+      "file": "src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Gates/CveAwareReleasePolicyGatesDeepTests.cs",
+      "issue": "CS1061: FluentAssertions .Or syntax not supported; replaced with boolean || assertion",
+      "line": 126
+    },
+    {
+      "file": "src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Gates/CveAwareReleasePolicyGatesDeepTests.cs",
+      "issue": "CS0200: DriftGateContext.HasMaterialDrift is computed (read-only); removed direct assignment and computed via DeltaReachable/DeltaUnreachable",
+      "line": 577
+    }
+  ],
+  "newTestsWritten": [],
+  "verdict": "pass"
+}