# VEX Override Predicate System (Signed Justifications with Proofs)

## Module

Attestor

## Status

VERIFIED

## Description

Full VEX override predicate system with builder, parser, serialization, validation, decision models, evidence references, and tool info. Supports "not_affected" claims with structured proof bundles and signed justifications.

## Implementation Details

- **VEX Override Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs` -- data model for VEX override predicates containing decision, justification, evidence, and tool metadata.
- **VEX Override Decision**: `VexOverride/VexOverrideDecision.cs` -- decision model with status (not_affected, affected, fixed), justification text, approver identity, and decision timestamp.
- **VEX Override Predicate Builder**: `VexOverride/VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods`) -- fluent builder: `.WithStatus()`, `.WithJustification()`, `.WithEvidence()`, `.WithToolInfo()`. `.Build` finalizes the predicate, `.Serialize` produces canonical JSON.
- **VEX Override Predicate Parser**: `VexOverride/VexOverridePredicateParser.cs` (with `.DecisionValidation`, `.ExtractMetadata`, `.FieldValidation`, `.Helpers`, `.ParsePredicate`, `.Validation`) -- comprehensive parser with multi-layer validation: `.ParsePredicate` extracts the predicate, `.DecisionValidation` validates decision semantics, `.FieldValidation` validates required fields, `.ExtractMetadata` extracts metadata.
- **Evidence Reference**: `VexOverride/EvidenceReference.cs` -- reference to supporting evidence (type, URI, digest, description).
- **Tool Info**: `VexOverride/ToolInfo.cs` -- information about the tool/human that authored the override (name, version, vendor).
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/VexOverride/`

## E2E Test Plan

- [ ] Build a VEX override via `VexOverridePredicateBuilder.WithStatus("not_affected").WithJustification("Vulnerable function not in call path").WithEvidence(ref).Build()` and verify the predicate is complete
- [ ] Serialize the predicate via `.Serialize` and verify canonical JSON output
- [ ] Parse the serialized JSON via `VexOverridePredicateParser.ParsePredicate` and verify round-trip fidelity for all fields
- [ ] Validate decision semantics: create a not_affected override without justification and verify `.DecisionValidation` rejects it
- [ ] Validate field completeness: create a predicate missing the tool info and verify `.FieldValidation` reports the missing field
- [ ] Create an override with 3 evidence references (scan report, backport proof, manual review) and verify all are serialized/parsed
- [ ] Build an override with status="fixed" and verify no justification is required (fixed status does not require justification)
- [ ] Parse a malformed VEX override (invalid JSON) and verify the parser returns structured errors via `.Validation`

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
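The multi-layer validation the test plan exercises (decision semantics, required fields, structured errors for malformed input), as an added stand-alone example that is not the project's C# code; the JSON field names (`decision`, `tool`, `evidence`, `approver`, `timestamp`) are assumptions for illustration, not the project's actual predicate schema:

```python
import json

# Field names below are assumptions for illustration, not the project's real schema.
VALID_STATUSES = {"not_affected", "affected", "fixed"}
STATUSES_REQUIRING_JUSTIFICATION = {"not_affected"}  # "fixed" and "affected" need none
REQUIRED_TOOL_FIELDS = ("name", "version", "vendor")
REQUIRED_EVIDENCE_FIELDS = ("type", "uri", "digest")


def _require(obj: dict, path: str, fields: tuple, errors: list) -> None:
    """Field validation: record '<path>.<field>: required' for each missing or empty field."""
    for f in fields:
        if not obj.get(f):
            errors.append(f"{path}.{f}: required")


def validate_override(raw: str) -> list[str]:
    """Parse a VEX override predicate; return '<json-path>: <problem>' errors (empty = valid)."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:  # malformed input yields an error, not an exception
        return [f"$: malformed JSON at line {exc.lineno} col {exc.colno}: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["$: predicate must be a JSON object"]
    errors: list[str] = []

    # Decision validation: status vocabulary, plus justification for not_affected only.
    decision = doc.get("decision")
    if not isinstance(decision, dict):
        errors.append("decision: required object")
    else:
        status = decision.get("status")
        if status not in VALID_STATUSES:
            errors.append(f"decision.status: expected one of {sorted(VALID_STATUSES)}")
        elif status in STATUSES_REQUIRING_JUSTIFICATION:
            just = decision.get("justification")
            if not isinstance(just, str) or not just.strip():
                errors.append(f"decision.justification: required when status is {status!r}")
        _require(decision, "decision", ("approver", "timestamp"), errors)

    # Field validation: tool info and every evidence reference must be complete.
    tool = doc.get("tool")
    if not isinstance(tool, dict):
        errors.append("tool: required object")
    else:
        _require(tool, "tool", REQUIRED_TOOL_FIELDS, errors)
    for i, ev in enumerate(doc.get("evidence") or []):
        _require(ev if isinstance(ev, dict) else {}, f"evidence[{i}]", REQUIRED_EVIDENCE_FIELDS, errors)
    return errors
```

Each error names the JSON path it applies to, so a caller can surface the same structured result the test plan expects from `.Validation` rather than a bare exception.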