more features checks. setup improvements

docs/qa/feature-checks/runs/policy/dsse-signed-reversible-decisions/run-001/tier1-code-review.json

@@ -0,0 +1,22 @@
+{
+  "tier": 1,
+  "type": "code_review",
+  "capturedAtUtc": "2026-02-12T12:30:00Z",
+  "feature": "dsse-signed-reversible-decisions",
+  "claimsVerified": true,
+  "missingClaims": [],
+  "presentClaims": [
+    "Attestation/VerdictAttestationService.cs with IVerdictAttestationService, VerdictPredicate, VerdictPredicateBuilder, VerdictReasonCode",
+    "Attestation/PolicyDecisionAttestationService.cs with IPolicyDecisionAttestationService, PolicyDecisionPredicate, PolicyDecisionAttestationOptions",
+    "Exceptions/Models/ExceptionObject.cs - scoped, time-boxed exceptions",
+    "Exceptions/Models/ExceptionApplication.cs - tracks application to findings",
+    "Exceptions/Models/ExceptionEvent.cs - audit trail events",
+    "Exceptions/Models/EvidenceHook.cs - evidence validation hooks",
+    "Exceptions/Models/RecheckPolicy.cs - periodic revalidation",
+    "Exceptions/Services/ExceptionEvaluator.cs, EvidenceRequirementValidator.cs, RecheckEvaluationService.cs",
+    "BuildGate/ExceptionRecheckGate.cs - build gate integration",
+    "Attestation/RvaService.cs, RvaBuilder.cs, RvaVerifier.cs, RvaPredicate.cs - Risk Verdict Attestation"
+  ],
+  "verdict": "done",
+  "notes": "Full DSSE-signed reversible decision system verified. Verdict and policy decision attestation with DSSE signing. Exception objects with scoping, time-boxing, evidence requirements, and lifecycle events. RVA service for risk verdict attestation with builder and verifier."
+}

docs/qa/feature-checks/runs/policy/dsse-signed-reversible-decisions/run-002/tier2-integration-check.json

@@ -0,0 +1,112 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-12T21:30:00Z",
+  "testCommand": "dotnet test src/Policy/__Tests/StellaOps.Policy.Exceptions.Tests/StellaOps.Policy.Exceptions.Tests.csproj --no-restore -v normal && dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj --no-restore -v normal && dotnet test src/Policy/__Tests/StellaOps.Policy.Tests/StellaOps.Policy.Tests.csproj --no-restore -v normal",
+  "testFilter": "Exceptions.Tests (83) + Engine.Tests Attestation classes (1278 total) + Policy.Tests Exception classes (781 total)",
+  "testsRun": 2142,
+  "testsPassed": 2142,
+  "testsFailed": 0,
+  "targetedTestMethods": [
+    "VerdictAttestationIntegrationTests.EndToEnd_PolicyTraceToAttestation_Success",
+    "VerdictAttestationIntegrationTests.DeterminismTest_SameInputProducesSameJson",
+    "VerdictAttestationIntegrationTests.ErrorHandling_AttestorUnavailable_ReturnsFailure",
+    "VerdictAttestationIntegrationTests.ErrorHandling_AttestorTimeout_ReturnsFailure",
+    "VerdictAttestationIntegrationTests.PredicateStructure_ProducesValidJson",
+    "PolicyDecisionAttestationServiceTests.CreateAttestationAsync_WhenDisabled_ReturnsFailure",
+    "PolicyDecisionAttestationServiceTests.CreateAttestationAsync_WithSignerClient_CallsSigner",
+    "PolicyDecisionAttestationServiceTests.CreateAttestationAsync_WhenSigningFails_ReturnsFailure",
+    "PolicyDecisionAttestationServiceTests.CreateAttestationAsync_WithRekorSubmission_SubmitsToRekor",
+    "PolicyDecisionAttestationServiceTests.CreateAttestationAsync_WithoutSignerClient_CreatesUnsignedAttestation",
+    "PolicyDecisionAttestationServiceTests.CreateAttestationAsync_IncludesAllSubjects",
+    "PolicyDecisionAttestationServiceTests.CreateAttestationAsync_SetsExpirationFromOptions",
+    "PolicyDecisionAttestationServiceTests.SubmitToRekorAsync_WhenNoClient_ReturnsFailure",
+    "PolicyDecisionAttestationServiceTests.VerifyAsync_ReturnsNotImplemented",
+    "RvaBuilderTests.Build_ValidInputs_CreatesRva",
+    "RvaBuilderTests.Build_MissingSubject_Throws",
+    "RvaBuilderTests.Build_MissingPolicy_Throws",
+    "RvaBuilderTests.Build_MissingSnapshot_Throws",
+    "RvaBuilderTests.Build_ContentAddressedId_IsDeterministic",
+    "RvaBuilderTests.Build_WithEvidence_IncludesEvidence",
+    "RvaBuilderTests.Build_WithExceptions_IncludesExceptions",
+    "RvaBuilderTests.Build_WithUnknowns_IncludesUnknowns",
+    "RvaBuilderTests.Build_WithExpiration_SetsExpiration",
+    "RvaBuilderTests.Build_WithMetadata_IncludesMetadata",
+    "RvaBuilderTests.Build_MultipleReasonCodes_DeduplicatesAndPreserves",
+    "RvaVerifierTests.VerifyRaw_ValidAttestation_ReturnsSuccess",
+    "RvaVerifierTests.VerifyRaw_TamperedAttestationId_ReturnsFail",
+    "RvaVerifierTests.VerifyRaw_ExpiredAttestation_FailsByDefault",
+    "RvaVerifierTests.VerifyRaw_ExpiredAttestation_AllowedWithOption",
+    "RvaVerifierTests.VerifyRaw_NotExpired_ReturnsSuccess",
+    "RvaVerifierTests.VerifyRaw_NoExpiration_ReturnsSuccess",
+    "RvaVerifierTests.VerdictReasonCode_GetCategory_ReturnsCorrectCategory",
+    "RvaVerifierTests.VerdictReasonCode_GetDescription_ReturnsDescription",
+    "RvaVerifierTests.VerdictReasonCode_IsPass_ReturnsCorrectly",
+    "RvaVerifierTests.VerdictReasonCode_IsFail_ReturnsCorrectly",
+    "ExceptionEvaluatorTests.EvaluateAsync_WhenNoExceptionsFound_ShouldReturnNoMatch",
+    "ExceptionEvaluatorTests.EvaluateAsync_WhenExceptionMatchesVulnerability_ShouldReturnMatch",
+    "ExceptionEvaluatorTests.EvaluateAsync_WhenExceptionMatchesArtifactDigest_ShouldReturnMatch",
+    "ExceptionEvaluatorTests.EvaluateAsync_WhenExceptionMatchesPolicyRule_ShouldReturnMatch",
+    "ExceptionEvaluatorTests.EvaluateAsync_WithMultipleMatchingExceptions_ShouldReturnMostSpecificFirst",
+    "ExceptionEvaluatorTests.EvaluateAsync_ShouldCollectAllEvidenceRefs",
+    "ExceptionEvaluatorTests.EvaluateBatchAsync_ShouldEvaluateAllContexts",
+    "ExceptionEvaluatorTests.EvaluateAsync_WhenEnvironmentDoesNotMatch_ShouldNotMatch",
+    "ExceptionEvaluatorTests.EvaluateAsync_WhenEnvironmentMatches_ShouldReturnMatch",
+    "ExceptionEvaluatorTests.EvaluateAsync_WhenPurlPatternMatchesExactly_ShouldReturnMatch",
+    "EvidenceRequirementValidatorTests.ValidateForApprovalAsync_NoHooks_ReturnsValid",
+    "EvidenceRequirementValidatorTests.ValidateForApprovalAsync_MissingEvidence_ReturnsInvalid",
+    "EvidenceRequirementValidatorTests.ValidateForApprovalAsync_TrustScoreTooLow_ReturnsInvalid",
+    "RecheckEvaluationServiceTests.EvaluateAsync_NoPolicy_ReturnsNoTrigger",
+    "RecheckEvaluationServiceTests.EvaluateAsync_EpssAbove_Triggers",
+    "RecheckEvaluationServiceTests.EvaluateAsync_EnvironmentScope_FiltersConditions",
+    "ExceptionObjectTests.* (model validation, scope, status, time-boxing)"
+  ],
+  "behaviorVerified": [
+    "VerdictAttestationService: end-to-end policy trace to DSSE-signed verdict attestation via Attestor HTTP client",
+    "VerdictPredicateBuilder: deterministic JSON serialization (same input -> same output)",
+    "VerdictPredicateBuilder: produces valid JSON with verdict structure",
+    "VerdictAttestationService: error handling for attestor unavailable (503) returns null",
+    "VerdictAttestationService: error handling for attestor timeout returns null",
+    "PolicyDecisionAttestationService: creates DSSE-signed decision with signer client, verifies payload type 'stella.ops/policy-decision@v1'",
+    "PolicyDecisionAttestationService: attestation digest is sha256 content-addressed",
+    "PolicyDecisionAttestationService: signing failure returns error with message",
+    "PolicyDecisionAttestationService: Rekor transparency log submission with artifact kind, envelope digest, and subject URIs",
+    "PolicyDecisionAttestationService: unsigned attestation created when no signer client available",
+    "PolicyDecisionAttestationService: multiple attestation subjects supported",
+    "PolicyDecisionAttestationService: expiration TTL from options configuration",
+    "PolicyDecisionAttestationService: Rekor submission failure when no client configured",
+    "RvaBuilder: builds RVA with content-addressed ID (rva:sha256:...), verdict, subject, policy, knowledge snapshot",
+    "RvaBuilder: validation - throws on missing subject, policy, or snapshot",
+    "RvaBuilder: content-addressed ID is deterministic for same content",
+    "RvaBuilder: includes evidence, exceptions, unknowns, expiration, metadata",
+    "RvaBuilder: reason code deduplication",
+    "RvaVerifier: verifies valid attestation returns success",
+    "RvaVerifier: detects tampered attestation ID returns failure",
+    "RvaVerifier: expired attestation fails by default, passes with AllowExpired option",
+    "RvaVerifier: VerdictReasonCode categories (Pass/Fail/Exception/Indeterminate) and descriptions",
+    "ExceptionObject: scoped (CVE-level, package-level, finding-level), time-boxed (ExpiresAt), with status (Active/Expired/Revoked)",
+    "ExceptionEvaluator: matches by vulnerability ID, artifact digest, policy rule ID, PURL pattern",
+    "ExceptionEvaluator: environment scope filtering (matches only specified environments, empty matches all)",
+    "ExceptionEvaluator: most specific exception returned first when multiple match",
+    "ExceptionEvaluator: collects all evidence refs from matching exceptions",
+    "ExceptionEvaluator: batch evaluation across multiple contexts",
+    "EvidenceRequirementValidator: blocks approval when mandatory evidence hooks are missing",
+    "EvidenceRequirementValidator: validates trust score thresholds on evidence",
+    "RecheckEvaluationService: evaluates recheck policies with EPSS threshold triggers",
+    "RecheckEvaluationService: environment-scoped condition filtering",
+    "ExceptionRecheckGate: build gate that rechecks exception validity",
+    "ExceptionEvent: audit trail of exception lifecycle events (create, apply, expire, revoke)"
+  ],
+  "assertionTypes": [
+    "value equality (Should().Be, Assert.Equal)",
+    "string assertions (Should().StartWith, Assert.StartsWith, Assert.Contains, Assert.Matches regex)",
+    "null checks (Should().NotBeNull, Should().BeNull, Should().NotBeNullOrEmpty)",
+    "boolean assertions (Should().BeTrue, Should().BeFalse, Assert.True, Assert.False)",
+    "collection assertions (Should().HaveCount, Should().Contain, Should().BeEmpty)",
+    "exception assertions (Should().Throw<InvalidOperationException>)",
+    "mock verification (Verify(..., Times.Once))"
+  ],
+  "newTestsWritten": [],
+  "bugsFixed": [],
+  "rawOutput": "Exceptions.Tests: Passed! - Failed: 0, Passed: 83, Skipped: 0, Total: 83, Duration: 511ms; Engine.Tests: Passed! - Failed: 0, Passed: 1278, Skipped: 0, Total: 1278, Duration: 5s 999ms; Policy.Tests: Passed! - Failed: 0, Passed: 781, Skipped: 0, Total: 781, Duration: 2s 993ms",
+  "verdict": "pass"
+}