# CVSS v4.0 Environmental Metrics Completion

## Module
Policy

## Status
VERIFIED

## Description
Completes CVSS v4.0 scoring with all Modified Attack/Impact environmental metrics (MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA). Extends the existing MacroVector scoring engine with environment-specific risk adjustments. Includes receipt-based deterministic scoring and REST endpoints.

## Implementation Details
- **CvssV4Engine**: `src/Policy/StellaOps.Policy.Scoring/Engine/CvssV4Engine.cs` -- `CvssV4Engine` (sealed partial class implements `ICvssV4Engine`)
  - Sprint: SPRINT_1227_0013_0002_LB_cvss_v4_environmental
  - `ComputeScores(baseMetrics, threatMetrics?, environmentalMetrics?)` computes all score variants:
    - CVSS-B (base score only)
    - CVSS-BT (base + threat, when ExploitMaturity != NotDefined)
    - CVSS-BE (base + environmental, when modified metrics present)
    - CVSS-BTE (full: base + threat + environmental)
  - `DetermineEffectiveScore` selects the most specific score type available
  - MacroVector-based scoring per FIRST CVSS v4.0 specification
- **CvssEnvironmentalMetrics**: Modified metrics covering all attack/impact dimensions:
  - Modified Attack metrics: MAV (Attack Vector), MAC (Attack Complexity), MAT (Attack Requirements), MPR (Privileges Required), MUI (User Interaction)
  - Modified Impact metrics: MVC (Confidentiality), MVI (Integrity), MVA (Availability), MSC (Subsequent Confidentiality), MSI (Subsequent Integrity), MSA (Subsequent Availability)
  - All values default to NotDefined (inherit base metric values)
- **MacroVectorLookup**: `src/Policy/StellaOps.Policy.Scoring/Engine/MacroVectorLookup.cs` -- lookup table for macro vector scoring
- **CvssScores Model**: BaseScore, ThreatScore, EnvironmentalScore, FullScore, EffectiveScore, EffectiveScoreType
- **CvssScoreReceipt**: `src/Policy/StellaOps.Policy.Scoring/CvssScoreReceipt.cs` -- deterministic receipt with input hashes and policy references
- **Receipts**: `src/Policy/StellaOps.Policy.Scoring/Receipts/` -- receipt persistence and generation
- **CVSS Receipt Endpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/CvssReceiptEndpoints.cs` -- REST API for scoring with receipts
- **CvssMetrics**: `src/Policy/StellaOps.Policy.Scoring/CvssMetrics.cs` -- metric definitions with CVSS v4.0 enums
- **CvssPolicy**: `src/Policy/StellaOps.Policy.Scoring/CvssPolicy.cs` -- policy-driven scoring thresholds

## E2E Test Plan
- [x] Score a CVSS v4.0 vector with base metrics only; verify CVSS-B score matches FIRST specification
- [x] Score with environmental metrics (MAV=Network modified to MAV=Local); verify CVSS-BE score is lower than CVSS-B
- [x] Score with both threat (ExploitMaturity=Attacked) and environmental metrics; verify CVSS-BTE full score computed
- [x] Score with threat metrics only (no environmental); verify CVSS-BT computed and CVSS-BE is null
- [x] POST to CVSS receipt endpoint; verify receipt contains input hash, scoring policy reference, and deterministic score
- [x] Score same vector twice; verify identical scores and matching receipt hashes
- [x] Score with all Modified metrics set to NotDefined; verify environmental score equals base score
- [x] Score with MSI=Safety; verify maximum environmental impact applied
- [x] Verify effective score type selection: CVSS-BTE preferred when all metrics present
- [x] Verify CvssEngineFactory returns CvssV4Engine for v4.0 vectors

## Verification
- **Run ID**: run-002
- **Date**: 2026-02-12
- **Tests**: 263 tests passed (0 failed) in StellaOps.Policy.Scoring.Tests including 19 deep environmental verification tests
- **Evidence**: `docs/qa/feature-checks/runs/policy/cvss-v4-0-environmental-metrics-completion/run-002/`