# Excitor consensus JSON sample (beta)

```jsonc
{
  "vulnId": "CVE-2025-12345",
  "productKey": "pkg:maven/org.apache.commons/commons-text@1.11.0",
  "rollupStatus": "NOT_AFFECTED",
  "sources": [
    {
      "providerId": "redhat",
      "status": "NOT_AFFECTED",
      "justification": "component_not_present",
      "weight": 0.62,
      "trust": {
        "tier": "distro",
        "note": "tier=distro;weight=0.62",
        "weight": 0.62,
        "cosign": {
          "issuer": "https://issuer.redhat.com",
          "identityPattern": "spiffe://redhat/vex/*"
        },
        "pgpFingerprints": [
          "04F2C0A87B1D9E90B1D8A35DCEB5ABCD12345678"
        ]
      },
      "lastObserved": "2025-11-04T18:22:31Z",
      "accepted": true,
      "reason": "trust-tier vendor, signed OpenVEX"
    },
    {
      "providerId": "github",
      "status": "AFFECTED",
      "justification": null,
      "weight": 0.27,
      "trust": {
        "tier": "community",
        "note": "tier=community;weight=0.27",
        "weight": 0.27
      },
      "lastObserved": "2025-11-05T01:12:03Z",
      "accepted": false,
      "reason": "lower trust tier and stale statement"
    }
  ],
  "policyRevisionId": "vex-consensus-policy@2025-11-05",
  "evaluatedAt": "2025-11-05T02:05:14Z",
  "consensusDigest": "sha256:41f2d96728b24f7a8b7f1251983b8edccd1e0f5781d4a51e51c8e6b20c1fa31a"
}
```

> **Note:** This payload is generated from the beta consensus endpoint and is subject to change prior to GA. Keys and semantics are documented alongside API previews in `docs/modules/excitor/README.md`.
> **New:** `sources[].trust` mirrors the `vex.provenance.*` envelope emitted by Excititor connectors (provider weight/tier, cosign hints, PGP fingerprints). VEX Lens copies the raw metadata so Policy Engine, Console, and Advisory AI can explain consensus decisions without replaying ingestion.