# VEX-gated policy decisions (gate decision with decision hash)

## Module

Cli

## Status

VERIFIED

## Description

VEX gate service and policy evaluator for blocking/allowing based on VEX status, with CLI command support and UI gate summary panel. Evaluates findings against policy rules based on vendor status, exploitability, reachability, compensating controls, and severity levels.

## Implementation Details

- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- `VexGateScanCommandGroup` (static class)
  - Sprint: SPRINT_20260106_003_002_SCANNER_vex_gate_service (T026, T027)
  - Uses Spectre.Console for rich table output
  - Calls Scanner API: `api/v1/vex-gate/policy` and `api/v1/scans/{scanId}/gate-results`
- **Commands**:
  - `stella scan gate-policy show [--tenant ] [--output table|json|yaml]` -- display the current VEX gate policy, including rules, priorities, and conditions
  - `stella scan gate-results --scan-id [--decision Pass|Warn|Block] [--output table|json] [--limit ]` -- get VEX gate results for a scan, optionally filtered by decision
- **DTOs**:
  - `VexGatePolicyDto` (PolicyId, Version, DefaultDecision, Rules)
  - `VexGatePolicyRuleDto` (RuleId, Priority, Decision, Condition)
  - `VexGatePolicyConditionDto` (VendorStatus, IsExploitable, IsReachable, HasCompensatingControl, SeverityLevels)
  - `VexGateResultsDto` (ScanId, Summary, GatedFindings)
  - `VexGateSummaryDto` (TotalFindings, Passed, Warned, Blocked, EvaluatedAt)
  - `GatedFindingDto` (FindingId, Cve, Purl, Decision, Rationale, PolicyRuleMatched, Evidence)
- **Decision Types**: Pass (green), Warn (yellow), Block (red)
- **Output Formats**: Table with Spectre.Console styling, JSON, YAML

## E2E Test Plan

- [ ] Run `stella scan gate-policy show` and verify the policy table shows Policy ID, Version, Default Decision, and Rules Count
- [ ] Run `stella scan gate-policy show --output json` and verify valid JSON with policy rules
- [ ] Run `stella scan gate-policy show --output yaml` and verify YAML output with the rule hierarchy
- [ ] Run `stella scan gate-policy show --tenant ` and verify the tenant-specific policy
- [ ] Run `stella scan gate-results --scan-id ` and verify the summary table (Total, Passed, Warned, Blocked) and the findings table
- [ ] Run `stella scan gate-results --scan-id --decision Block` and verify only blocked findings are shown
- [ ] Run `stella scan gate-results --scan-id --output json` and verify JSON with `gateSummary` and `gatedFindings`
- [ ] Run `stella scan gate-results --scan-id --limit 5` and verify at most 5 findings are returned
- [ ] Verify a 404 response for an unknown scan ID produces a warning, not an error
- [ ] Verify exit code 0 on success, 1 on API error

## Verification

- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/vex-gated-policy-decisions/run-001/tier2-integration-check.json`
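## Policy Evaluation Example

The Description and DTO list above describe a policy made of prioritised rules, each with a condition over vendor status, exploitability, reachability, compensating controls and severity, that yields a Pass/Warn/Block decision per finding plus summary counts. The following Python block is an added illustration written for this page; it is not StellaOps code and does not call the Scanner API. It borrows the DTO field names from this document, but the matching semantics (a condition field left unset matches anything, the rule with the lowest Priority value wins, DefaultDecision applies when no rule matches) and the construction of the decision hash (SHA-256 over canonical JSON of the policy identity, the finding and the chosen rule) are assumptions of the example, and the policy and findings it evaluates are constructed sample data.

```python
# Added example (not StellaOps code): a minimal VEX gate evaluator whose field
# names follow the DTOs listed in this document. Matching semantics and the
# decision-hash construction are assumptions of this example.
from __future__ import annotations

import hashlib
import json
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

DECISIONS = ("Pass", "Warn", "Block")

# Finding input and GatedFindingDto-like output (the output adds a decision hash).
Finding = namedtuple("Finding", "finding_id cve purl vendor_status is_exploitable "
                                "is_reachable has_compensating_control severity")
GatedFinding = namedtuple("GatedFinding", "finding_id cve purl decision rationale "
                                          "policy_rule_matched decision_hash")
Rule = namedtuple("Rule", "rule_id priority decision condition")           # VexGatePolicyRuleDto
Policy = namedtuple("Policy", "policy_id version default_decision rules")  # VexGatePolicyDto


@dataclass(frozen=True)
class Condition:
    """VexGatePolicyConditionDto shape; a field left as None matches any value (assumption)."""
    vendor_status: Optional[str] = None          # VEX status, e.g. "affected" / "not_affected"
    is_exploitable: Optional[bool] = None
    is_reachable: Optional[bool] = None
    has_compensating_control: Optional[bool] = None
    severity_levels: Optional[frozenset] = None  # e.g. {"critical", "high"}

    def matches(self, f: Finding) -> bool:
        for name in ("vendor_status", "is_exploitable", "is_reachable", "has_compensating_control"):
            want = getattr(self, name)
            if want is not None and want != getattr(f, name):
                return False
        return self.severity_levels is None or f.severity in self.severity_levels


def evaluate(policy: Policy, f: Finding) -> GatedFinding:
    """First matching rule in ascending Priority order wins, else DefaultDecision."""
    rule = next((r for r in sorted(policy.rules, key=lambda r: r.priority)
                 if r.condition.matches(f)), None)
    if rule is None:
        decision, rule_id = policy.default_decision, None
        rationale = f"no rule matched; default decision {decision}"
    else:
        decision, rule_id = rule.decision, rule.rule_id
        rationale = f"rule {rule_id} (priority {rule.priority}) matched"
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    # Hash canonical JSON of everything that produced the decision, so the same
    # finding under the same policy version always yields the same hash, and a
    # policy change (e.g. new version) changes it.
    material = {"policyId": policy.policy_id, "policyVersion": policy.version,
                "finding": f._asdict(), "ruleId": rule_id, "decision": decision}
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return GatedFinding(f.finding_id, f.cve, f.purl, decision, rationale, rule_id, digest)


def gate_results(policy: Policy, findings, decision: Optional[str] = None,
                 limit: Optional[int] = None) -> dict:
    """VexGateResultsDto-like output: summary counts plus decision-filtered, limited findings."""
    gated = [evaluate(policy, f) for f in findings]
    summary = {"totalFindings": len(gated),
               "passed": sum(g.decision == "Pass" for g in gated),
               "warned": sum(g.decision == "Warn" for g in gated),
               "blocked": sum(g.decision == "Block" for g in gated)}
    shown = [g for g in gated if decision is None or g.decision == decision]
    return {"summary": summary, "gatedFindings": shown[:limit]}


# Constructed sample policy and findings (not real data). Rules are listed out of
# order on purpose: evaluation sorts them by priority.
POLICY = Policy("pol-example", "1", "Warn", (
    Rule("r3-warn-mitigated", 30, "Warn",
         Condition(is_exploitable=True, has_compensating_control=True)),
    Rule("r1-vendor-not-affected", 10, "Pass", Condition(vendor_status="not_affected")),
    Rule("r2-block-reachable", 20, "Block",
         Condition(is_exploitable=True, is_reachable=True, has_compensating_control=False,
                   severity_levels=frozenset({"critical", "high"}))),
))
FINDINGS = [
    Finding("f1", "CVE-0000-0001", "pkg:npm/a@1.0.0", "not_affected", True, True, False, "critical"),
    Finding("f2", "CVE-0000-0002", "pkg:npm/b@2.0.0", "affected", True, True, False, "critical"),
    Finding("f3", "CVE-0000-0003", "pkg:npm/c@3.0.0", "affected", True, True, True, "high"),
    Finding("f4", "CVE-0000-0004", "pkg:npm/d@4.0.0", "affected", False, False, False, "low"),
]

if __name__ == "__main__":
    print(json.dumps(gate_results(POLICY, FINDINGS), indent=2, default=str))
```

Running the block evaluates the four constructed findings: `f1` passes because the vendor's `not_affected` status (priority 10) outranks the block rule that would otherwise match it, `f2` is blocked as exploitable, reachable and uncontrolled, `f3` is downgraded to Warn by its compensating control, and `f4` matches no rule and takes the policy default. `gate_results(..., decision="Block", limit=5)` mirrors the `--decision` and `--limit` options of `stella scan gate-results`.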