save checkpoint

docs/features/checked/attestor/vex-first-decisioning-pipeline.md

@@ -0,0 +1,45 @@
+# VEX-First Decisioning Pipeline
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+VEX-first decision pipeline with override predicates, proof integration, and attestation-backed VEX statements.
+
+## Implementation Details
+- **VEX Override Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods`) -- constructs VEX override predicates with decision, justification, and evidence for the VEX-first pipeline.
+- **VEX Override Predicate Parser**: `VexOverride/VexOverridePredicateParser.cs` (with `.DecisionValidation`, `.ExtractMetadata`, `.FieldValidation`, `.Helpers`, `.ParsePredicate`, `.Validation`) -- parses and validates VEX override predicates.
+- **VEX Override Decision**: `VexOverride/VexOverrideDecision.cs` -- decision model applied before scanner findings.
+- **VEX Override Predicate**: `VexOverride/VexOverridePredicate.cs` -- predicate model for VEX overrides.
+- **VEX Proof Integrator**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates proof references into VEX verdicts.
+- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- proof-carrying VEX verdict payload.
+- **VEX Attestation Predicate**: `Predicates/VexAttestationPredicate.cs` -- attestation predicate for VEX decisions.
+- **VEX Predicate**: `Predicates/VexPredicate.cs` -- base VEX predicate model.
+- **VEX Verdict Statement**: `Statements/VexVerdictStatement.cs` -- in-toto statement wrapping the VEX verdict.
+- **Policy Decision**: `Predicates/PolicyDecision.cs` -- policy decision that may reference VEX overrides.
+- **Evidence Reference**: `VexOverride/EvidenceReference.cs` -- evidence supporting the VEX decision.
+- **Tool Info**: `VexOverride/ToolInfo.cs` -- tool information for the decision source.
+- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/VexOverride/`
+
+## E2E Test Plan
+- [ ] Apply a VEX override (not_affected) to a CVE before scanning and verify the override predicate is created with justification and evidence
+- [ ] Run the VEX-first pipeline: apply override, then integrate proof via `VexProofIntegrator`; verify the final verdict carries proof references
+- [ ] Build a `VexVerdictStatement` from the VEX-first pipeline output and verify it is a valid in-toto attestation
+- [ ] Override a CVE as not_affected, then receive a scanner finding for the same CVE; verify the VEX override takes precedence
+- [ ] Apply multiple VEX overrides and verify each generates a separate `VexOverridePredicate` with independent evidence
+- [ ] Parse a VEX override predicate and verify all decision fields, justification, and evidence references are correctly extracted
+- [ ] Verify VEX-first with proof: create an override backed by backport proof and verify `VexVerdictProofPayload` references the proof
+- [ ] Create a VEX override without required justification and verify validation rejects it
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |