# VEX-First Decisioning Pipeline

## Module

Attestor

## Status

VERIFIED

## Description

VEX-first decision pipeline with override predicates, proof integration, and attestation-backed VEX statements.

## Implementation Details

- **VEX Override Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods`) -- constructs VEX override predicates with decision, justification, and evidence for the VEX-first pipeline.
- **VEX Override Predicate Parser**: `VexOverride/VexOverridePredicateParser.cs` (with `.DecisionValidation`, `.ExtractMetadata`, `.FieldValidation`, `.Helpers`, `.ParsePredicate`, `.Validation`) -- parses and validates VEX override predicates.
- **VEX Override Decision**: `VexOverride/VexOverrideDecision.cs` -- decision model applied before scanner findings.
- **VEX Override Predicate**: `VexOverride/VexOverridePredicate.cs` -- predicate model for VEX overrides.
- **VEX Proof Integrator**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) -- integrates proof references into VEX verdicts.
- **VEX Verdict Proof Payload**: `Generators/VexVerdictProofPayload.cs` -- proof-carrying VEX verdict payload.
- **VEX Attestation Predicate**: `Predicates/VexAttestationPredicate.cs` -- attestation predicate for VEX decisions.
- **VEX Predicate**: `Predicates/VexPredicate.cs` -- base VEX predicate model.
- **VEX Verdict Statement**: `Statements/VexVerdictStatement.cs` -- in-toto statement wrapping the VEX verdict.
- **Policy Decision**: `Predicates/PolicyDecision.cs` -- policy decision that may reference VEX overrides.
- **Evidence Reference**: `VexOverride/EvidenceReference.cs` -- evidence supporting the VEX decision.
- **Tool Info**: `VexOverride/ToolInfo.cs` -- tool information for the decision source.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/VexOverride/`

## E2E Test Plan

- [ ] Apply a VEX override (not_affected) to a CVE before scanning and verify the override predicate is created with justification and evidence
- [ ] Run the VEX-first pipeline: apply override, then integrate proof via `VexProofIntegrator`; verify the final verdict carries proof references
- [ ] Build a `VexVerdictStatement` from the VEX-first pipeline output and verify it is a valid in-toto attestation
- [ ] Override a CVE as not_affected, then receive a scanner finding for the same CVE; verify the VEX override takes precedence
- [ ] Apply multiple VEX overrides and verify each generates a separate `VexOverridePredicate` with independent evidence
- [ ] Parse a VEX override predicate and verify all decision fields, justification, and evidence references are correctly extracted
- [ ] Verify VEX-first with proof: create an override backed by backport proof and verify `VexVerdictProofPayload` references the proof
- [ ] Create a VEX override without required justification and verify validation rejects it

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
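The following is an added, self-contained illustration of the behaviour the E2E test plan above exercises; it is not code from the StellaOps Attestor libraries, and every type, member and predicateType URI in it is hypothetical. It shows the three checks a defender cares about in a VEX-first pipeline: a `not_affected` override must carry a justification and evidence or it is rejected, an override recorded before scanning takes precedence over a later scanner finding for the same CVE and product, and the resulting verdicts (with their evidence references) are wrapped in an in-toto Statement v1 envelope. All CVE ids, purls and digests are constructed placeholders.

```csharp
// Added example (not StellaOps code). All names and URIs are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Text.Json.Serialization;

public enum VexStatus { NotAffected, Affected, Fixed, UnderInvestigation }

// Evidence a reviewer can re-verify (e.g. a backport proof), referenced by digest.
public sealed record EvidenceReference(string Kind, string Uri, string Digest);

public sealed record VexOverrideDecision(
    string VulnerabilityId, string ProductPurl, VexStatus Status,
    string? Justification, IReadOnlyList<EvidenceReference> Evidence);

public static class VexOverridePredicateBuilder
{
    // A not_affected override is a claim that suppresses a finding, so it must
    // say why and point at evidence; anything less is rejected at build time.
    public static VexOverrideDecision Build(string vulnId, string purl, VexStatus status,
        string? justification, IEnumerable<EvidenceReference> evidence)
    {
        var ev = evidence.ToList();
        if (string.IsNullOrWhiteSpace(vulnId) || string.IsNullOrWhiteSpace(purl))
            throw new ArgumentException("vulnerability id and product purl are required");
        if (status == VexStatus.NotAffected && string.IsNullOrWhiteSpace(justification))
            throw new ArgumentException("not_affected requires a justification");
        if (status == VexStatus.NotAffected && ev.Count == 0)
            throw new ArgumentException("not_affected requires supporting evidence");
        return new VexOverrideDecision(vulnId, purl, status, justification, ev);
    }
}

public sealed record ScannerFinding(string VulnerabilityId, string ProductPurl, string Severity);

public sealed record Verdict(string VulnerabilityId, string ProductPurl, VexStatus Status,
    string Source, IReadOnlyList<EvidenceReference> Evidence);

public static class VexFirstDecisioner
{
    // Overrides are keyed by (vuln, product) and consulted before each scanner
    // finding, so an attested override wins; unmatched findings stay "affected".
    public static List<Verdict> Decide(IEnumerable<VexOverrideDecision> overrides,
        IEnumerable<ScannerFinding> findings)
    {
        var byKey = overrides.ToDictionary(o => (o.VulnerabilityId, o.ProductPurl));
        var verdicts = new List<Verdict>();
        foreach (var f in findings)
        {
            if (byKey.TryGetValue((f.VulnerabilityId, f.ProductPurl), out var o))
                verdicts.Add(new Verdict(f.VulnerabilityId, f.ProductPurl, o.Status,
                    "vex-override", o.Evidence));
            else
                verdicts.Add(new Verdict(f.VulnerabilityId, f.ProductPurl, VexStatus.Affected,
                    "scanner", Array.Empty<EvidenceReference>()));
        }
        return verdicts;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data; ids, purls and digests are placeholders.
        var proof = new EvidenceReference("backport-proof",
            "oci://example.invalid/proofs/1", "sha256:PLACEHOLDER");
        var ov = VexOverridePredicateBuilder.Build("CVE-0000-00001",
            "pkg:deb/debian/openssl@1.1.1", VexStatus.NotAffected,
            "vulnerable_code_not_present", new[] { proof });

        var findings = new[]
        {
            new ScannerFinding("CVE-0000-00001", "pkg:deb/debian/openssl@1.1.1", "high"),
            new ScannerFinding("CVE-0000-00002", "pkg:deb/debian/zlib@1.2.11", "medium"),
        };
        var verdicts = VexFirstDecisioner.Decide(new[] { ov }, findings);

        // Wrap the verdicts in an in-toto Statement v1; predicateType is hypothetical.
        var statement = new
        {
            _type = "https://in-toto.io/Statement/v1",
            subject = new[] { new { name = "pkg:oci/app", digest = new Dictionary<string, string> { { "sha256", "PLACEHOLDER" } } } },
            predicateType = "https://example.invalid/vex-verdict/v1",
            predicate = new { verdicts }
        };
        var opts = new JsonSerializerOptions { WriteIndented = true, Converters = { new JsonStringEnumConverter() } };
        Console.WriteLine(JsonSerializer.Serialize(statement, opts));

        // Validation path: a not_affected override with no justification is refused.
        try
        {
            VexOverridePredicateBuilder.Build("CVE-0000-00003", "pkg:npm/left-pad@1.0.0",
                VexStatus.NotAffected, null, Array.Empty<EvidenceReference>());
        }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Running this prints a Statement whose first verdict comes from the override (status `NotAffected`, source `vex-override`, carrying the backport-proof reference) while the second stays `Affected` from the scanner, followed by the rejection message for the unjustified override. The precedence rule is keyed on both the vulnerability id and the product purl on purpose: an override for one package must not silently suppress the same CVE in another.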