save checkpoint

docs/features/checked/attestor/vex-decisioning-as-first-class-policy-objects.md

@@ -0,0 +1,42 @@
+# VEX Decisioning as First-Class Policy Objects
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+VEX decisions are modeled as first-class policy objects with dedicated UI modal, decision service, history tracking, merge explanations, and backend attestable VEX override predicates with builder/parser infrastructure.
+
+## Implementation Details
+- **VEX Override Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs` -- first-class predicate model for VEX override decisions.
+- **VEX Override Decision**: `VexOverride/VexOverrideDecision.cs` -- decision model (not_affected, affected, fixed) with justification, approver, and timestamp.
+- **VEX Override Predicate Builder**: `VexOverride/VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods`) -- fluent builder for constructing VEX override predicates with evidence references and tool info.
+- **VEX Override Predicate Parser**: `VexOverride/VexOverridePredicateParser.cs` (with `.DecisionValidation`, `.ExtractMetadata`, `.FieldValidation`, `.Helpers`, `.ParsePredicate`, `.Validation`) -- parser for reading and validating VEX override predicates.
+- **Evidence Reference**: `VexOverride/EvidenceReference.cs` -- reference to supporting evidence (proof bundle, scan result, analysis report).
+- **Tool Info**: `VexOverride/ToolInfo.cs` -- information about the tool that generated the VEX decision.
+- **Policy Decision Predicate**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/PolicyDecision.cs` -- policy decision record for attestation binding.
+- **VEX Merge Trace**: `Predicates/VexMergeTrace.cs` -- trace of VEX merge operations explaining how multiple VEX sources were combined.
+- **VEX Verdict Summary**: `Predicates/VexVerdictSummary.cs` -- summary of final VEX verdicts after merge and override application.
+- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/VexOverride/`
+
+## E2E Test Plan
+- [ ] Build a VEX override predicate via `VexOverridePredicateBuilder` with status=not_affected, justification, and evidence references; verify it serializes correctly
+- [ ] Parse a serialized VEX override predicate via `VexOverridePredicateParser` and verify all fields round-trip (status, justification, evidence, tool info)
+- [ ] Validate a VEX override decision via `.DecisionValidation` and verify it requires a justification for not_affected status
+- [ ] Create a VEX override with invalid status and verify field validation rejects it with specific error messages
+- [ ] Build a VEX override with multiple evidence references and verify each is correctly serialized and parsed
+- [ ] Verify merge trace: create two conflicting VEX decisions and verify `VexMergeTrace` explains the resolution
+- [ ] Create a policy decision referencing a VEX override and verify `PolicyDecision` links to the override predicate
+- [ ] Verify the builder's `.WithMethods` fluent API: chain `.WithStatus()`, `.WithJustification()`, `.WithEvidence()` and verify the predicate is complete
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |