# VEX Cryptographic Verification

## Module
Excititor

## Status
VERIFIED

## Description
Cryptographic signature verification of VEX documents at ingestion time with crypto profile selection and issuer validation.

## Implementation Details
- **Modules**: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/`, `src/Excititor/StellaOps.Excititor.Worker/Signature/`
- **Key Classes**:
  - `ProductionVexSignatureVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/ProductionVexSignatureVerifier.cs`) - production signature verifier for VEX documents
  - `CryptoProfileSelector` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/CryptoProfileSelector.cs`) - selects crypto profile (FIPS, eIDAS, GOST, SM) based on issuer
  - `VerificationCacheService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VerificationCacheService.cs`) - caches verification results for performance
  - `VexSignatureVerifierOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexSignatureVerifierOptions.cs`) - configurable verification options
  - `VexVerificationModels` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexVerificationModels.cs`) - verification result models
  - `VexVerificationMetrics` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexVerificationMetrics.cs`) - metrics for verification operations
  - `WorkerSignatureVerifier` (`src/Excititor/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs`) - worker-side signature verification
  - `VerifyingVexRawDocumentSink` (`src/Excititor/StellaOps.Excititor.Worker/Signature/VerifyingVexRawDocumentSink.cs`) - sink that verifies signatures before persisting
- **Interfaces**: `IVexSignatureVerifierV2`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Ingest a cryptographically signed VEX document and verify `ProductionVexSignatureVerifier` validates the signature
- [ ] Verify `CryptoProfileSelector` selects the correct crypto profile based on the issuer's regional requirements
- [ ] Verify `VerificationCacheService` caches verification results and returns cached results for repeated checks
- [ ] Ingest a VEX document with an invalid signature and verify rejection with a clear error
- [ ] Verify `VerifyingVexRawDocumentSink` rejects unsigned documents when signature verification is required
- [ ] Verify `VexVerificationMetrics` records verification success/failure counts and latency

## Verification
- Verified on 2026-02-13 via `run-001`.
- Tier 0: Source files confirmed present on disk.
- Tier 1: `dotnet build` passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
- Tier 2d: `docs/qa/feature-checks/runs/excititor/vex-cryptographic-verification/run-001/tier2-integration-check.json`