# Signed VEX Override Enforcement in Policy Engine

## Module

Policy

## Status

IMPLEMENTED

## Description

The policy engine requires signed VEX override attestations with DSSE/Rekor validation, exposes the `override_signed` and `override_rekor_verified` signals to the DSL, and supports key trust levels and validity period enforcement.

## Implementation Details

- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs` (implements `IVexTrustGate`)
  - Evaluates VEX trust, including signature verification status
  - `VexTrustStatus` with `TrustScore` and `TrustBreakdown` (issuer verification, accuracy, freshness)
  - Per-environment thresholds for signature requirements
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
  - Production: `RequireIssuerVerified=true`, `MinCompositeScore=0.80`, `FailureAction=Block`
  - Staging: `RequireIssuerVerified=true`, `FailureAction=Warn`
  - `MissingTrustBehavior`: Allow/Warn/Block when VEX trust data is absent
- **TrustLatticeEngine**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
  - VEX normalization pipeline supports DSSE-signed VEX documents
  - Three normalizers: CycloneDX, OpenVEX, CSAF
  - Signed VEX claims receive higher trust scores in `ClaimScoreMerger`
- **ClaimScoreMerger**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ClaimScoreMerger.cs`
  - Signed claims are scored higher via specificity and score adjustments
  - Conflict penalization (0.25) applies to conflicting signed/unsigned claims
- **EvidenceRequirementValidator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
  - DSSE signature verification on VEX override evidence
  - Trust score threshold validation for signed evidence
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - The VEX Trust gate evaluates signed override status as part of the multi-gate pipeline

## E2E Test Plan

- [ ] Submit a DSSE-signed VEX override; verify `VexTrustGate` passes with a high `TrustScore`
- [ ] Submit an unsigned VEX override in production; verify `VexTrustGate` blocks (`RequireIssuerVerified=true`)
- [ ] Submit an unsigned VEX override in development; verify `VexTrustGate` passes (`RequireIssuerVerified=false`)
- [ ] Submit a signed VEX with an expired signing key; verify the trust score is reduced or the gate blocks
- [ ] Submit a signed VEX with a Rekor inclusion proof; verify a higher trust score than without the proof
- [ ] Submit conflicting signed and unsigned VEX claims; verify `ClaimScoreMerger` applies the conflict penalty and the signed claim wins
- [ ] Verify `VexTrustStatus` includes `TrustBreakdown` with issuer verification status
- [ ] Submit a VEX override with a trust score below `MinCompositeScore`; verify the gate blocks in production
- [ ] Configure `MissingTrustBehavior=Block`; submit a VEX without trust data; verify the gate blocks
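The following is an added example, not code from the StellaOps repository: a self-contained, simplified C# model of the gate and merger behaviour the implementation details and test plan describe. The per-environment values shown for Production and Staging (`RequireIssuerVerified`, `MinCompositeScore=0.80`, `FailureAction`) and the 0.25 conflict penalty come from this page; the scoring weights, the Development and Staging defaults not stated above, the `TrustScorer` and `VexClaim` types, and the rule that a conflict means differing statuses for the same vulnerability are all assumptions made for illustration and do not reflect the real `VexTrustGate`, `ClaimScoreMerger` or `TrustLatticeEngine` formulas. The `Main` method walks through several of the E2E test-plan scenarios so the expected verdicts can be read off directly.

```csharp
// Added example: hypothetical model of the VexTrustGate / ClaimScoreMerger decisions
// described on this page. Not the StellaOps implementation; names mirror the page's
// vocabulary but all internals are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;

public enum FailureAction { Allow, Warn, Block }
public enum MissingTrustBehavior { Allow, Warn, Block }
public enum GateVerdict { Pass, Warn, Block }

// TrustBreakdown components named on the page (issuer verification, accuracy, freshness);
// RekorVerified added here to carry the override_rekor_verified signal.
public sealed record TrustBreakdown(bool IssuerVerified, bool RekorVerified, double Accuracy, double Freshness);
public sealed record VexTrustStatus(double TrustScore, TrustBreakdown Breakdown);

public sealed record VexTrustGateOptions(
    bool RequireIssuerVerified, double MinCompositeScore,
    FailureAction FailureAction, MissingTrustBehavior MissingTrustBehavior)
{
    // Production and Staging values from the page; MissingTrustBehavior choices and the
    // Staging threshold are assumed. Development mirrors the test plan (RequireIssuerVerified=false).
    public static readonly VexTrustGateOptions Production = new(true, 0.80, FailureAction.Block, MissingTrustBehavior.Block);
    public static readonly VexTrustGateOptions Staging = new(true, 0.80, FailureAction.Warn, MissingTrustBehavior.Warn);
    public static readonly VexTrustGateOptions Development = new(false, 0.0, FailureAction.Allow, MissingTrustBehavior.Allow);
}

public static class TrustScorer
{
    // Assumed weighting: issuer verification dominates, a Rekor inclusion proof lifts it further,
    // and a signature made with an expired key is treated as unverified (page: validity period enforcement).
    public static VexTrustStatus Score(bool dsseValid, bool keyWithinValidity, bool rekorProof, double accuracy, double freshness)
    {
        bool issuerVerified = dsseValid && keyWithinValidity;
        double issuer = issuerVerified ? (rekorProof ? 1.0 : 0.85) : 0.0;
        double composite = Math.Round(0.5 * issuer + 0.3 * accuracy + 0.2 * freshness, 2);
        return new VexTrustStatus(composite, new TrustBreakdown(issuerVerified, issuerVerified && rekorProof, accuracy, freshness));
    }
}

public static class VexTrustGate
{
    public static GateVerdict Evaluate(VexTrustStatus? status, VexTrustGateOptions o, out string reason)
    {
        if (status is null)
        {   // No trust data at all: MissingTrustBehavior decides, not FailureAction.
            reason = "no VEX trust data";
            return o.MissingTrustBehavior switch
            {
                MissingTrustBehavior.Block => GateVerdict.Block,
                MissingTrustBehavior.Warn => GateVerdict.Warn,
                _ => GateVerdict.Pass
            };
        }
        var failures = new List<string>();
        if (o.RequireIssuerVerified && !status.Breakdown.IssuerVerified)
            failures.Add("issuer not verified (unsigned, untrusted key, or key outside validity period)");
        if (status.TrustScore < o.MinCompositeScore)
            failures.Add($"trust score {status.TrustScore:F2} below MinCompositeScore {o.MinCompositeScore:F2}");
        if (failures.Count == 0) { reason = "ok"; return GateVerdict.Pass; }
        reason = string.Join("; ", failures);
        return o.FailureAction switch
        {
            FailureAction.Block => GateVerdict.Block,
            FailureAction.Warn => GateVerdict.Warn,
            _ => GateVerdict.Pass
        };
    }
}

public sealed record VexClaim(string VulnId, string Status, bool Signed, double Score);

public static class ClaimScoreMerger
{
    private const double ConflictPenalty = 0.25; // value stated on the page

    // Assumed rule: claims for one vulnerability conflict when their statuses differ; every
    // conflicting claim is penalized, then the highest score wins, signed breaking ties.
    public static VexClaim Merge(IReadOnlyList<VexClaim> claims)
    {
        bool conflict = claims.Select(c => c.Status).Distinct().Count() > 1;
        return claims
            .Select(c => c with { Score = Math.Max(0.0, c.Score - (conflict ? ConflictPenalty : 0.0)) })
            .OrderByDescending(c => c.Score).ThenByDescending(c => c.Signed)
            .First();
    }
}

public static class Program
{
    static void Show(string label, VexTrustStatus? s, VexTrustGateOptions o)
    {
        var v = VexTrustGate.Evaluate(s, o, out var why);
        Console.WriteLine($"{label,-42} score={(s?.TrustScore.ToString("F2") ?? "n/a"),-5} -> {v} ({why})");
    }

    public static void Main()
    {
        var prod = VexTrustGateOptions.Production; var dev = VexTrustGateOptions.Development;
        Show("signed + Rekor proof, production", TrustScorer.Score(true, true, true, 0.9, 0.9), prod);   // Pass, 0.95
        Show("signed, no Rekor proof, production", TrustScorer.Score(true, true, false, 0.9, 0.9), prod); // Pass, 0.88 (lower)
        Show("unsigned, production", TrustScorer.Score(false, true, false, 0.9, 0.9), prod);              // Block
        Show("unsigned, development", TrustScorer.Score(false, true, false, 0.9, 0.9), dev);              // Pass
        Show("signed, expired key, production", TrustScorer.Score(true, false, false, 0.9, 0.9), prod);   // Block
        Show("no trust data, MissingTrustBehavior=Block", null, prod);                                    // Block

        var winner = ClaimScoreMerger.Merge(new[]
        {   // constructed conflicting claims for the same (placeholder) vulnerability id
            new VexClaim("VULN-PLACEHOLDER", "not_affected", Signed: true, Score: 0.90),
            new VexClaim("VULN-PLACEHOLDER", "affected", Signed: false, Score: 0.70)
        });
        Console.WriteLine($"merged claim: {winner.Status} signed={winner.Signed} score={winner.Score:F2}"); // signed wins, 0.65
    }
}
```

The shape worth keeping from this model is the separation of two distinct failure paths: absent trust data is governed by `MissingTrustBehavior`, while present-but-insufficient trust (unverified issuer, score under the threshold) is governed by `FailureAction`. Collapsing the two into one switch is the usual way a "VEX override with no evidence" silently passes in a Warn-configured environment.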