# VEX Decisioning as First-Class Policy Objects

## Module

Attestor

## Status

VERIFIED

## Description

VEX decisions are modeled as first-class policy objects with dedicated UI modal, decision service, history tracking, merge explanations, and backend attestable VEX override predicates with builder/parser infrastructure.

## Implementation Details

- **VEX Override Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs` -- first-class predicate model for VEX override decisions.
- **VEX Override Decision**: `VexOverride/VexOverrideDecision.cs` -- decision model (not_affected, affected, fixed) with justification, approver, and timestamp.
- **VEX Override Predicate Builder**: `VexOverride/VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods`) -- fluent builder for constructing VEX override predicates with evidence references and tool info.
- **VEX Override Predicate Parser**: `VexOverride/VexOverridePredicateParser.cs` (with `.DecisionValidation`, `.ExtractMetadata`, `.FieldValidation`, `.Helpers`, `.ParsePredicate`, `.Validation`) -- parser for reading and validating VEX override predicates.
- **Evidence Reference**: `VexOverride/EvidenceReference.cs` -- reference to supporting evidence (proof bundle, scan result, analysis report).
- **Tool Info**: `VexOverride/ToolInfo.cs` -- information about the tool that generated the VEX decision.
- **Policy Decision Predicate**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/PolicyDecision.cs` -- policy decision record for attestation binding.
- **VEX Merge Trace**: `Predicates/VexMergeTrace.cs` -- trace of VEX merge operations explaining how multiple VEX sources were combined.
- **VEX Verdict Summary**: `Predicates/VexVerdictSummary.cs` -- summary of final VEX verdicts after merge and override application.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/VexOverride/`

## E2E Test Plan

- [ ] Build a VEX override predicate via `VexOverridePredicateBuilder` with status=not_affected, justification, and evidence references; verify it serializes correctly
- [ ] Parse a serialized VEX override predicate via `VexOverridePredicateParser` and verify all fields round-trip (status, justification, evidence, tool info)
- [ ] Validate a VEX override decision via `.DecisionValidation` and verify it requires a justification for not_affected status
- [ ] Create a VEX override with invalid status and verify field validation rejects it with specific error messages
- [ ] Build a VEX override with multiple evidence references and verify each is correctly serialized and parsed
- [ ] Verify merge trace: create two conflicting VEX decisions and verify `VexMergeTrace` explains the resolution
- [ ] Create a policy decision referencing a VEX override and verify `PolicyDecision` links to the override predicate
- [ ] Verify the builder's `.WithMethods` fluent API: chain `.WithStatus()`, `.WithJustification()`, `.WithEvidence()` and verify the predicate is complete

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
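
The parser checks named in the E2E test plan (field round-trip, justification required for not_affected, invalid status rejected with a specific error), sketched in Python as an added example that is not StellaOps code. The JSON layout, field names, function names and error strings are assumptions, since the page does not show the predicate schema.

```python
import json

# Assumed layout and field names; the real StellaOps schema is not shown on the page.
ALLOWED_STATUSES = {"not_affected", "affected", "fixed"}  # decision values listed on the page


def build_predicate(decision, evidence=(), tool=None):
    """Serialize a decision to canonical JSON (sorted keys, no whitespace)."""
    doc = {"decision": dict(decision), "evidence": list(evidence), "tool": tool}
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def parse_predicate(raw):
    """Parse and validate; return (predicate or None, list of error strings)."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg}"]
    if not isinstance(doc, dict) or not isinstance(doc.get("decision"), dict):
        return None, ["decision: missing or not an object"]
    decision, errors = doc["decision"], []
    status = decision.get("status")
    if not isinstance(status, str) or status not in ALLOWED_STATUSES:
        errors.append(f"decision.status: {status!r} not in {sorted(ALLOWED_STATUSES)}")
    justification = decision.get("justification")
    if status == "not_affected" and not (isinstance(justification, str) and justification.strip()):
        errors.append("decision.justification: required when status is not_affected")
    for field in ("approver", "timestamp"):
        value = decision.get(field)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"decision.{field}: required")
    evidence = doc.get("evidence", [])
    if not isinstance(evidence, list):
        errors.append("evidence: must be a list")
        evidence = []
    for i, ref in enumerate(evidence):
        if not isinstance(ref, dict) or not ref.get("type") or not ref.get("digest"):
            errors.append(f"evidence[{i}]: needs type and digest")
    return (doc if not errors else None), errors


# Constructed sample decision (not real data); the digest is a placeholder.
SAMPLE = build_predicate(
    {"status": "not_affected", "justification": "vulnerable_code_not_present",
     "approver": "approver@example.com", "timestamp": "2026-02-13T00:00:00Z"},
    evidence=[{"type": "scan-result", "digest": "sha256:<placeholder>"}],
    tool={"name": "example-tool", "version": "0.0.0"},
)

if __name__ == "__main__":
    print(parse_predicate(SAMPLE))
```

All errors are collected before returning, so a rejected override reports every failing field in one pass instead of stopping at the first.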