# Signature Required Policy Gate (SignatureRequiredGate)

## Module
Policy

## Status
IMPLEMENTED

## Description
Policy gate requiring valid cryptographic signatures on release artifacts before promotion, with configurable signing key allowlists, certificate chain validation, and Rekor inclusion proof requirements.

## Implementation Details
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - Evidence Completeness gate (first in pipeline) verifies signature presence
  - Signature requirements configurable per environment
  - Gate result types: Pass (valid signature), Block (missing/invalid signature)
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs`
  - `RequireIssuerVerified` per-environment: production=true, staging=true, development=false
  - Issuer signature verification as part of VEX trust evaluation
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
  - Per-environment signing requirements (RequireIssuerVerified flag)
  - FailureAction: Warn or Block when signature verification fails
- **EvidenceRequirementValidator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
  - DSSE signature verification for evidence attestations
  - Validates signed evidence meets trust requirements
- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs`
  - DSSE-signed verdict attestations with certificate chain
- **KnowledgeSnapshotManifest**: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs`
  - TrustBundleRef (BundleId, Digest, Uri) for trust anchor set
  - Signature field on manifest for optional DSSE signing

## E2E Test Plan
- [ ] Evaluate artifact with valid signature from allowed key; verify gate passes
- [ ] Evaluate artifact without signature; verify gate blocks with "missing signature" message
- [ ] Evaluate artifact with signature from key not in allowlist; verify gate blocks
- [ ] Configure environment requiring issuer verification; provide unverified issuer; verify gate blocks
- [ ] Configure environment not requiring issuer verification (development); provide unsigned VEX; verify gate passes
- [ ] Evaluate artifact with expired certificate; verify gate blocks with certificate validation error
- [ ] Verify DSSE envelope structure on verdict attestation includes valid signature
- [ ] Verify TrustBundleRef in KnowledgeSnapshotManifest references correct trust anchor set
- [ ] Verify EvidenceRequirementValidator validates DSSE signature on evidence attestation