sprints and audit work

src/Scanner/__Benchmarks/StellaOps.Scanner.Gate.Benchmarks/BenchmarkDotNet.Artifacts/results/StellaOps.Scanner.Gate.Benchmarks.VexGateBenchmarks-report-github.md

@@ -0,0 +1,19 @@
+```
+
+BenchmarkDotNet v0.14.0, Windows 11 (10.0.26100.7462)
+Unknown processor
+.NET SDK 10.0.101
+  [Host]     : .NET 10.0.1 (10.0.125.57005), X64 RyuJIT AVX2
+  Job-IXVNFV : .NET 10.0.1 (10.0.125.57005), X64 RyuJIT AVX2
+
+IterationCount=10  RunStrategy=Throughput  
+
+```
+| Method                  | Mean     | Error    | StdDev   | Ratio | RatioSD | Gen0   | Allocated | Alloc Ratio |
+|------------------------ |---------:|---------:|---------:|------:|--------:|-------:|----------:|------------:|
+| Evaluate_Single         | 283.3 ns |  7.83 ns |  5.18 ns |  1.00 |    0.02 | 0.1316 |     552 B |        1.00 |
+| Evaluate_Batch100       | 396.8 ns | 13.62 ns |  9.01 ns |  1.40 |    0.04 | 0.1648 |     691 B |        1.25 |
+| Evaluate_Batch1000      | 418.0 ns | 15.04 ns |  9.95 ns |  1.48 |    0.04 | 0.1650 |     691 B |        1.25 |
+| Evaluate_NoRuleMatch    | 350.5 ns | 16.08 ns | 10.64 ns |  1.24 |    0.04 | 0.1760 |     736 B |        1.33 |
+| Evaluate_FirstRuleMatch | 298.2 ns | 11.85 ns |  7.05 ns |  1.05 |    0.03 | 0.1316 |     552 B |        1.00 |
+| Evaluate_DiverseMix     | 396.1 ns | 20.15 ns | 11.99 ns |  1.40 |    0.05 | 0.1648 |     691 B |        1.25 |

src/Scanner/__Benchmarks/StellaOps.Scanner.Gate.Benchmarks/BenchmarkDotNet.Artifacts/results/StellaOps.Scanner.Gate.Benchmarks.VexGateBenchmarks-report.csv

@@ -0,0 +1,7 @@
+Method;Job;AnalyzeLaunchVariance;EvaluateOverhead;MaxAbsoluteError;MaxRelativeError;MinInvokeCount;MinIterationTime;OutlierMode;Affinity;EnvironmentVariables;Jit;LargeAddressAware;Platform;PowerPlanMode;Runtime;AllowVeryLargeObjects;Concurrent;CpuGroups;Force;HeapAffinitizeMask;HeapCount;NoAffinitize;RetainVm;Server;Arguments;BuildConfiguration;Clock;EngineFactory;NuGetReferences;Toolchain;IsMutator;InvocationCount;IterationCount;IterationTime;LaunchCount;MaxIterationCount;MaxWarmupIterationCount;MemoryRandomization;MinIterationCount;MinWarmupIterationCount;RunStrategy;UnrollFactor;WarmupCount;Mean;Error;StdDev;Ratio;RatioSD;Gen0;Allocated;Alloc Ratio
+Evaluate_Single;Job-IXVNFV;False;Default;Default;Default;Default;Default;Default;11111111;Empty;RyuJit;Default;X64;8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c;.NET 10.0;False;True;False;True;Default;Default;False;False;False;Default;Default;Default;Default;Default;Default;Default;Default;10;Default;Default;Default;Default;Default;Default;Default;Throughput;16;Default;283.3 ns;7.83 ns;5.18 ns;1.00;0.02;0.1316;552 B;1.00
+Evaluate_Batch100;Job-IXVNFV;False;Default;Default;Default;Default;Default;Default;11111111;Empty;RyuJit;Default;X64;8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c;.NET 10.0;False;True;False;True;Default;Default;False;False;False;Default;Default;Default;Default;Default;Default;Default;Default;10;Default;Default;Default;Default;Default;Default;Default;Throughput;16;Default;396.8 ns;13.62 ns;9.01 ns;1.40;0.04;0.1648;691 B;1.25
+Evaluate_Batch1000;Job-IXVNFV;False;Default;Default;Default;Default;Default;Default;11111111;Empty;RyuJit;Default;X64;8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c;.NET 10.0;False;True;False;True;Default;Default;False;False;False;Default;Default;Default;Default;Default;Default;Default;Default;10;Default;Default;Default;Default;Default;Default;Default;Throughput;16;Default;418.0 ns;15.04 ns;9.95 ns;1.48;0.04;0.1650;691 B;1.25
+Evaluate_NoRuleMatch;Job-IXVNFV;False;Default;Default;Default;Default;Default;Default;11111111;Empty;RyuJit;Default;X64;8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c;.NET 10.0;False;True;False;True;Default;Default;False;False;False;Default;Default;Default;Default;Default;Default;Default;Default;10;Default;Default;Default;Default;Default;Default;Default;Throughput;16;Default;350.5 ns;16.08 ns;10.64 ns;1.24;0.04;0.1760;736 B;1.33
+Evaluate_FirstRuleMatch;Job-IXVNFV;False;Default;Default;Default;Default;Default;Default;11111111;Empty;RyuJit;Default;X64;8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c;.NET 10.0;False;True;False;True;Default;Default;False;False;False;Default;Default;Default;Default;Default;Default;Default;Default;10;Default;Default;Default;Default;Default;Default;Default;Throughput;16;Default;298.2 ns;11.85 ns;7.05 ns;1.05;0.03;0.1316;552 B;1.00
+Evaluate_DiverseMix;Job-IXVNFV;False;Default;Default;Default;Default;Default;Default;11111111;Empty;RyuJit;Default;X64;8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c;.NET 10.0;False;True;False;True;Default;Default;False;False;False;Default;Default;Default;Default;Default;Default;Default;Default;10;Default;Default;Default;Default;Default;Default;Default;Throughput;16;Default;396.1 ns;20.15 ns;11.99 ns;1.40;0.05;0.1648;691 B;1.25

src/Scanner/__Benchmarks/StellaOps.Scanner.Gate.Benchmarks/BenchmarkDotNet.Artifacts/results/StellaOps.Scanner.Gate.Benchmarks.VexGateBenchmarks-report.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html lang='en'>
+<head>
+<meta charset='utf-8' />
+<title>StellaOps.Scanner.Gate.Benchmarks.VexGateBenchmarks-20260107-091600</title>
+
+<style type="text/css">
+	table { border-collapse: collapse; display: block; width: 100%; overflow: auto; }
+	td, th { padding: 6px 13px; border: 1px solid #ddd; text-align: right; }
+	tr { background-color: #fff; border-top: 1px solid #ccc; }
+	tr:nth-child(even) { background: #f8f8f8; }
+</style>
+</head>
+<body>
+<pre><code>
+BenchmarkDotNet v0.14.0, Windows 11 (10.0.26100.7462)
+Unknown processor
+.NET SDK 10.0.101
+  [Host]     : .NET 10.0.1 (10.0.125.57005), X64 RyuJIT AVX2
+  Job-IXVNFV : .NET 10.0.1 (10.0.125.57005), X64 RyuJIT AVX2
+</code></pre>
+<pre><code>IterationCount=10  RunStrategy=Throughput  
+</code></pre>
+
+<table>
+<thead><tr><th>Method           </th><th>Mean</th><th>Error</th><th>StdDev</th><th>Ratio</th><th>RatioSD</th><th>Gen0</th><th>Allocated</th><th>Alloc Ratio</th>
+</tr>
+</thead><tbody><tr><td>Evaluate_Single</td><td>283.3 ns</td><td>7.83 ns</td><td>5.18 ns</td><td>1.00</td><td>0.02</td><td>0.1316</td><td>552 B</td><td>1.00</td>
+</tr><tr><td>Evaluate_Batch100</td><td>396.8 ns</td><td>13.62 ns</td><td>9.01 ns</td><td>1.40</td><td>0.04</td><td>0.1648</td><td>691 B</td><td>1.25</td>
+</tr><tr><td>Evaluate_Batch1000</td><td>418.0 ns</td><td>15.04 ns</td><td>9.95 ns</td><td>1.48</td><td>0.04</td><td>0.1650</td><td>691 B</td><td>1.25</td>
+</tr><tr><td>Evaluate_NoRuleMatch</td><td>350.5 ns</td><td>16.08 ns</td><td>10.64 ns</td><td>1.24</td><td>0.04</td><td>0.1760</td><td>736 B</td><td>1.33</td>
+</tr><tr><td>Evaluate_FirstRuleMatch</td><td>298.2 ns</td><td>11.85 ns</td><td>7.05 ns</td><td>1.05</td><td>0.03</td><td>0.1316</td><td>552 B</td><td>1.00</td>
+</tr><tr><td>Evaluate_DiverseMix</td><td>396.1 ns</td><td>20.15 ns</td><td>11.99 ns</td><td>1.40</td><td>0.05</td><td>0.1648</td><td>691 B</td><td>1.25</td>
+</tr></tbody></table>
+</body>
+</html>

src/Scanner/__Benchmarks/StellaOps.Scanner.Gate.Benchmarks/Program.cs

@@ -0,0 +1,11 @@
+// -----------------------------------------------------------------------------
+// Program.cs
+// Sprint: SPRINT_20260106_003_002_SCANNER_vex_gate_service
+// Task: T014 - Performance benchmarks for batch evaluation
+// Description: Entry point for VEX gate benchmarks.
+// -----------------------------------------------------------------------------
+
+using BenchmarkDotNet.Running;
+using StellaOps.Scanner.Gate.Benchmarks;
+
+BenchmarkRunner.Run<VexGateBenchmarks>();

src/Scanner/__Benchmarks/StellaOps.Scanner.Gate.Benchmarks/StellaOps.Scanner.Gate.Benchmarks.csproj

@@ -0,0 +1,20 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net10.0</TargetFramework>
+    <LangVersion>preview</LangVersion>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <NoWarn>$(NoWarn);NU1603</NoWarn>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="BenchmarkDotNet" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\__Libraries\StellaOps.Scanner.Gate\StellaOps.Scanner.Gate.csproj" />
+  </ItemGroup>
+</Project>

src/Scanner/__Benchmarks/StellaOps.Scanner.Gate.Benchmarks/VexGateBenchmarks.cs

@@ -0,0 +1,229 @@
+// -----------------------------------------------------------------------------
+// VexGateBenchmarks.cs
+// Sprint: SPRINT_20260106_003_002_SCANNER_vex_gate_service
+// Task: T014 - Performance benchmarks for batch evaluation
+// Description: BenchmarkDotNet benchmarks for VEX gate batch evaluation.
+// -----------------------------------------------------------------------------
+
+using BenchmarkDotNet.Attributes;
+using BenchmarkDotNet.Engines;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using StellaOps.Scanner.Gate;
+
+namespace StellaOps.Scanner.Gate.Benchmarks;
+
+/// <summary>
+/// Benchmarks for VEX gate batch evaluation operations.
+/// Target: >= 1000 findings/sec evaluation throughput.
+///
+/// To run: dotnet run -c Release
+/// </summary>
+[MemoryDiagnoser]
+[SimpleJob(RunStrategy.Throughput, iterationCount: 10)]
+public class VexGateBenchmarks
+{
+    private VexGatePolicyEvaluator _policyEvaluator = null!;
+    private VexGateEvidence[] _singleFindings = null!;
+    private VexGateEvidence[] _batchFindings100 = null!;
+    private VexGateEvidence[] _batchFindings1000 = null!;
+
+    [GlobalSetup]
+    public void Setup()
+    {
+        // Setup policy evaluator with default policy
+        var policyOptions = Options.Create(new VexGatePolicyOptions
+        {
+            Enabled = true,
+            Policy = VexGatePolicy.Default,
+        });
+        _policyEvaluator = new VexGatePolicyEvaluator(
+            policyOptions,
+            NullLogger<VexGatePolicyEvaluator>.Instance);
+
+        // Pre-generate test findings
+        _singleFindings = GenerateFindings(1);
+        _batchFindings100 = GenerateFindings(100);
+        _batchFindings1000 = GenerateFindings(1000);
+    }
+
+    private static VexGateEvidence[] GenerateFindings(int count)
+    {
+        var findings = new VexGateEvidence[count];
+        var random = new Random(42); // Fixed seed for reproducibility
+
+        for (int i = 0; i < count; i++)
+        {
+            // Generate diverse evidence scenarios
+            var scenario = i % 5;
+            findings[i] = scenario switch
+            {
+                0 => CreateBlockableEvidence(i),
+                1 => CreateWarnableEvidence(i),
+                2 => CreatePassableVendorNotAffected(i),
+                3 => CreatePassableFixed(i),
+                _ => CreateDefaultEvidence(i),
+            };
+        }
+
+        return findings;
+    }
+
+    private static VexGateEvidence CreateBlockableEvidence(int index)
+    {
+        return new VexGateEvidence
+        {
+            VendorStatus = null,
+            IsExploitable = true,
+            IsReachable = true,
+            HasCompensatingControl = false,
+            ConfidenceScore = 0.95,
+            SeverityLevel = "critical",
+            Justification = null,
+            BackportHints = [],
+        };
+    }
+
+    private static VexGateEvidence CreateWarnableEvidence(int index)
+    {
+        return new VexGateEvidence
+        {
+            VendorStatus = null,
+            IsExploitable = false,
+            IsReachable = false,
+            HasCompensatingControl = false,
+            ConfidenceScore = 0.7,
+            SeverityLevel = "high",
+            Justification = null,
+            BackportHints = [],
+        };
+    }
+
+    private static VexGateEvidence CreatePassableVendorNotAffected(int index)
+    {
+        return new VexGateEvidence
+        {
+            VendorStatus = VexStatus.NotAffected,
+            IsExploitable = false,
+            IsReachable = false,
+            HasCompensatingControl = false,
+            ConfidenceScore = 0.99,
+            SeverityLevel = "medium",
+            Justification = VexJustification.VulnerableCodeNotPresent,
+            BackportHints = [],
+        };
+    }
+
+    private static VexGateEvidence CreatePassableFixed(int index)
+    {
+        return new VexGateEvidence
+        {
+            VendorStatus = VexStatus.Fixed,
+            IsExploitable = false,
+            IsReachable = false,
+            HasCompensatingControl = false,
+            ConfidenceScore = 0.98,
+            SeverityLevel = "high",
+            Justification = null,
+            BackportHints = [$"backport-{index}"],
+        };
+    }
+
+    private static VexGateEvidence CreateDefaultEvidence(int index)
+    {
+        return new VexGateEvidence
+        {
+            VendorStatus = VexStatus.Affected,
+            IsExploitable = true,
+            IsReachable = false,
+            HasCompensatingControl = false,
+            ConfidenceScore = 0.6,
+            SeverityLevel = "medium",
+            Justification = null,
+            BackportHints = [],
+        };
+    }
+
+    /// <summary>
+    /// Benchmark single finding evaluation.
+    /// Baseline for throughput calculations.
+    /// </summary>
+    [Benchmark(Baseline = true)]
+    public (VexGateDecision, string, string) Evaluate_Single()
+    {
+        return _policyEvaluator.Evaluate(_singleFindings[0]);
+    }
+
+    /// <summary>
+    /// Benchmark batch of 100 findings.
+    /// Typical scan size for small containers.
+    /// </summary>
+    [Benchmark(OperationsPerInvoke = 100)]
+    public void Evaluate_Batch100()
+    {
+        for (int i = 0; i < 100; i++)
+        {
+            _ = _policyEvaluator.Evaluate(_batchFindings100[i]);
+        }
+    }
+
+    /// <summary>
+    /// Benchmark batch of 1000 findings.
+    /// Stress test for large container scans.
+    /// Target: >= 1000 findings/sec.
+    /// </summary>
+    [Benchmark(OperationsPerInvoke = 1000)]
+    public void Evaluate_Batch1000()
+    {
+        for (int i = 0; i < 1000; i++)
+        {
+            _ = _policyEvaluator.Evaluate(_batchFindings1000[i]);
+        }
+    }
+
+    /// <summary>
+    /// Benchmark policy rule matching with all rules checked.
+    /// Measures worst-case scenario where no rules match.
+    /// </summary>
+    [Benchmark]
+    public (VexGateDecision, string, string) Evaluate_NoRuleMatch()
+    {
+        // Under investigation status with no definitive exploitability info
+        // This should not match any specific rules and fall to default
+        var evidence = new VexGateEvidence
+        {
+            VendorStatus = VexStatus.UnderInvestigation,
+            IsExploitable = false,
+            IsReachable = false,
+            HasCompensatingControl = true, // Has control so won't match block rule
+            ConfidenceScore = 0.5,
+            SeverityLevel = "low", // Low severity won't match warn rule
+            Justification = null,
+            BackportHints = [],
+        };
+        return _policyEvaluator.Evaluate(evidence);
+    }
+
+    /// <summary>
+    /// Benchmark best-case early exit (first rule matches).
+    /// Measures overhead when exploitable+reachable rule matches.
+    /// </summary>
+    [Benchmark]
+    public (VexGateDecision, string, string) Evaluate_FirstRuleMatch()
+    {
+        return _policyEvaluator.Evaluate(_batchFindings100[0]); // Blockable evidence
+    }
+
+    /// <summary>
+    /// Benchmark diverse findings mix.
+    /// Simulates realistic scan with varied CVE statuses.
+    /// </summary>
+    [Benchmark(OperationsPerInvoke = 100)]
+    public void Evaluate_DiverseMix()
+    {
+        foreach (var evidence in _batchFindings100)
+        {
+            _ = _policyEvaluator.Evaluate(evidence);
+        }
+    }
+}