# VEX Override Workflow with Attestation Linkage

## Module

Excititor

## Status

VERIFIED

## Description

The VEX decision APIs are extended with attestation references so that overrides are DSSE-signed. The Attestor integration mints envelopes for operator decisions and persists the envelope digest and Rekor entry info. An offline stub client is included.

## Implementation Details

- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/`
- **Key Classes**:
  - `VexDsseBuilder` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Dsse/VexDsseBuilder.cs`) - builds DSSE envelopes for VEX override decisions
  - `VexAttestationClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/VexAttestationClient.cs`) - client for VEX attestation operations
  - `VexEvidenceAttestor` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Evidence/VexEvidenceAttestor.cs`) - attests VEX evidence with DSSE signatures
  - `VexAttestationVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Verification/VexAttestationVerifier.cs`) - verifies VEX attestation envelopes
  - `VexAttestationPredicate` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Models/VexAttestationPredicate.cs`) - predicate model for VEX attestations
  - `RekorHttpClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Attestation/Transparency/RekorHttpClient.cs`) - Rekor transparency log client
  - `DsseEvidenceSignatureValidator` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/DsseEvidenceSignatureValidator.cs`) - validates DSSE signatures on evidence
  - `VexEvidenceLinker` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinker.cs`) - links VEX decisions to supporting evidence
  - `AttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/AttestationEndpoints.cs`) - REST endpoints for attestation operations
  - `RekorAttestationEndpoints` (`src/Excititor/StellaOps.Excititor.WebService/Endpoints/RekorAttestationEndpoints.cs`) - Rekor-specific attestation endpoints
- **Interfaces**: `IVexSigner`, `ITransparencyLogClient`, `IVexAttestationVerifier`
- **Source**: SPRINT_20260112_004_VULN_vex_override_workflow.md

## E2E Test Plan

- [ ] Create a VEX override and verify `VexDsseBuilder` mints a DSSE-signed envelope with the operator's decision
- [ ] Verify `VexAttestationClient` persists the envelope digest and Rekor entry info
- [ ] Verify `VexAttestationVerifier` validates the DSSE signature on a VEX override attestation
- [ ] Verify `RekorHttpClient` submits the attestation to the Rekor transparency log and retrieves the entry
- [ ] Verify `VexEvidenceLinker` links the override decision to supporting binary-diff or reachability evidence
- [ ] Verify `DsseEvidenceSignatureValidator` rejects overrides with invalid DSSE signatures
- [ ] Verify attestation endpoints return override history with DSSE envelope and Rekor receipt references

## Verification

- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-override-workflow-with-attestation-linkage/run-001/tier2-integration-check.json`
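The envelope lifecycle the description and test plan refer to (mint a DSSE envelope over an operator's override decision, derive the envelope digest that gets persisted, and reject an override whose signature no longer verifies), as an added stand-alone example that is not Excititor's own code. The decision fields, the key material and the HMAC-SHA256 stand-in signer are assumptions; the real service signs through an asymmetric `IVexSigner` key and additionally records the Rekor entry, which this example omits.

```python
import base64, hashlib, hmac, json
PAYLOAD_TYPE = "application/vnd.in-toto+json"  # DSSE payloadType used for in-toto statements

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: 'DSSEv1 <len> <type> <len> <payload>'."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

def build_envelope(decision: dict, key: bytes, keyid: str) -> dict:
    """Sign the canonical decision over its PAE (HMAC-SHA256 stands in for the real asymmetric signer)."""
    payload = _canon(decision)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": _b64(payload),
            "signatures": [{"keyid": keyid, "sig": _b64(sig)}]}

def envelope_digest(env: dict) -> str:
    """sha256 of the canonical envelope JSON: the value persisted alongside the override."""
    return "sha256:" + hashlib.sha256(_canon(env)).hexdigest()

def verify_envelope(env: dict, trusted: dict) -> bool:
    """True only if a signature from a trusted keyid verifies over the PAE of the decoded payload."""
    if env.get("payloadType") != PAYLOAD_TYPE:
        return False
    msg = pae(PAYLOAD_TYPE, base64.b64decode(env["payload"]))
    for s in env.get("signatures", []):
        key = trusted.get(s.get("keyid"))
        if key is None:  # unknown signer: never accept
            continue
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return True
    return False

# Constructed sample override decision; field names are assumptions, not the project's schema.
DECISION = {"vulnerabilityId": "CVE-0000-00000", "product": "pkg:example/app@1.0",  # placeholder ids
            "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
            "operator": "operator@example.invalid", "decidedAt": "2026-02-13T00:00:00Z"}
TRUSTED = {"operator-key-1": b"constructed-demo-key"}  # constructed key material

def demo():
    env = build_envelope(DECISION, TRUSTED["operator-key-1"], "operator-key-1")
    tampered = dict(env, payload=_b64(_canon(dict(DECISION, status="fixed"))))  # edited after signing
    return verify_envelope(env, TRUSTED), verify_envelope(tampered, TRUSTED), envelope_digest(env)
```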