# VEX Evidence Auto-Linking Service (IVexEvidenceLinker)

## Module

EvidenceLocker

## Status

IMPLEMENTED

## Description

Service that auto-links VEX assertions to supporting binary-diff evidence by matching patched findings to VEX entries, storing evidence URIs with confidence scores, and validating DSSE signatures before accepting links.

## Implementation Details

- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/`
- **Key Classes**:
  - `EvidenceBundleRepository` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Repositories/EvidenceBundleRepository.cs`) - retrieves evidence bundles for VEX linking
  - `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - validates DSSE signatures before accepting evidence links
  - `EvidenceIdentifiers` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceIdentifiers.cs`) - content-addressed identifiers for evidence linking
  - `EvidenceBundleMetadata` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Domain/EvidenceBundleMetadata.cs`) - metadata including VEX link references
- **Interfaces**: `IEvidenceBundleRepository`, `IEvidenceSignatureService`
- **Source**: SPRINT_20260113_003_001_EXCITITOR_vex_evidence_linker.md

## E2E Test Plan

- [ ] Create a VEX assertion for a patched CVE and verify the service auto-links it to the corresponding binary-diff evidence
- [ ] Verify evidence URIs are stored with confidence scores reflecting the match quality
- [ ] Verify `EvidenceSignatureService` validates DSSE signatures on evidence before accepting the link
- [ ] Verify VEX entries without matching binary-diff evidence are not linked (no false positives)
- [ ] Verify linked evidence is queryable by VEX assertion ID and by CVE identifier
- [ ] Verify links are immutable: once created, evidence links cannot be modified without creating a new version
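The linking rule the test plan exercises (signature gate first, CVE match second, confidence from match quality, links never mutated in place) as an added Python sketch; this is illustration written for this page, not StellaOps code. It assumes a binary-diff bundle payload carrying `cve`, `purl` and `uri` fields, uses HMAC-SHA256 as a stand-in for the production DSSE signing scheme, and scores matches with an assumed 1.0 / 0.5 scale; the sample VEX entries, key and envelopes are constructed.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass

def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    # DSSE Pre-Authentication Encoding: signatures cover these bytes, not the raw payload,
    # so neither payloadType nor payload can be swapped without invalidating the signature.
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)

def sign_envelope(payload: dict, key: bytes, payload_type: str) -> dict:
    # Constructed fixture builder: HMAC-SHA256 stands in for the real signing scheme.
    raw = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, dsse_pae(payload_type, raw), hashlib.sha256).digest()
    return {"payloadType": payload_type, "payload": base64.b64encode(raw).decode(),
            "signatures": [{"keyid": "demo-key", "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(envelope: dict, key: bytes):
    # Returns the decoded payload only when a signature verifies over the PAE, else None.
    raw = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, dsse_pae(envelope["payloadType"], raw), hashlib.sha256).digest()
    for s in envelope.get("signatures", []):
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return json.loads(raw)
    return None

@dataclass(frozen=True)  # frozen: a link is never edited in place, only superseded
class EvidenceLink:
    vex_id: str
    evidence_uri: str
    confidence: float
def link_vex_to_evidence(vex_assertions: list, envelopes: list, key: bytes) -> list:
    # Unverified bundles are dropped; assumed scoring: CVE+purl match 1.0, CVE only 0.5.
    links = []
    for vex in vex_assertions:
        for env in envelopes:
            bundle = verify_envelope(env, key)
            if bundle is None or bundle["cve"] != vex["cve"]:
                continue
            score = 1.0 if bundle["purl"] == vex["purl"] else 0.5
            links.append(EvidenceLink(vex["id"], bundle["uri"], score))
    return links
# Constructed sample data: two patched VEX entries, one valid bundle, one tampered bundle.
KEY, PTYPE = b"constructed-demo-key", "application/vnd.example.binary-diff+json"
VEX = [{"id": "vex-1", "cve": "CVE-0000-0001", "purl": "pkg:deb/debian/openssl@1.1.1"},
       {"id": "vex-2", "cve": "CVE-0000-0002", "purl": "pkg:deb/debian/curl@7.88"}]
GOOD = sign_envelope({"cve": "CVE-0000-0001", "purl": "pkg:deb/debian/openssl@1.1.1",
                      "uri": "evidence://sha256/aaaa"}, KEY, PTYPE)
TAMPERED = sign_envelope({"cve": "CVE-0000-0002", "purl": "pkg:deb/debian/curl@7.88",
                          "uri": "evidence://sha256/bbbb"}, KEY, PTYPE)
TAMPERED["payloadType"] = "application/vnd.example.other+json"  # PAE binds the type: fails
LINKS = link_vex_to_evidence(VEX, [GOOD, TAMPERED], KEY)
```

Only `vex-1` ends up linked: the CVE-0000-0002 bundle is rejected at the signature gate because its `payloadType` no longer matches what was signed, so `vex-2` stays unlinked rather than becoming a false positive.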