# VEX Status Promotion Gate

## Module

Policy

## Status

IMPLEMENTED

## Description

Promotion gate that blocks environment promotions based on VEX status thresholds, ensuring only properly triaged artifacts can advance.

## Implementation Details

- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs` (implements `IVexTrustGate`)
  - `EvaluateAsync(VexTrustGateRequest)` evaluates VEX trust for status transitions
  - VexTrustGateRequest: RequestedStatus, Environment, VexTrustStatus, TenantId
  - VexTrustStatus: TrustScore (0.0-1.0), PolicyTrustThreshold, MeetsPolicyThreshold, TrustBreakdown
  - Per-environment evaluation: production requires the highest trust, development is the most permissive
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
  - ApplyToStatuses: ["not_affected", "fixed"] -- statuses requiring trust verification
  - Per-environment thresholds:
    - Production: MinCompositeScore=0.80, RequireIssuerVerified=true, MinAccuracyRate=0.85, AcceptableFreshness=["fresh"], FailureAction=Block
    - Staging: MinCompositeScore=0.60, RequireIssuerVerified=true, AcceptableFreshness=["fresh","stale"], FailureAction=Warn
    - Development: MinCompositeScore=0.40, RequireIssuerVerified=false, AcceptableFreshness=["fresh","stale","superseded"], FailureAction=Warn
  - MissingTrustBehavior: Allow, Warn, Block
  - TenantOverrides for tenant-specific thresholds
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - VEX Trust gate (3rd in pipeline) blocks promotion when trust is insufficient
  - VEX trust evaluation is integrated with the lattice state and uncertainty tier gates

## E2E Test Plan

- [ ] Request promotion to production with trust score 0.85; verify gate passes
- [ ] Request promotion to production with trust score 0.70; verify gate blocks (threshold 0.80)
- [ ] Request promotion to staging with trust score 0.65; verify gate passes (threshold 0.60)
- [ ] Request promotion with stale VEX in production; verify gate blocks (only "fresh" acceptable)
- [ ] Request promotion with stale VEX in staging; verify gate passes (stale acceptable)
- [ ] Request promotion with unverified issuer in production; verify gate blocks
- [ ] Request promotion with unverified issuer in development; verify gate passes
- [ ] Request promotion with MissingTrustBehavior=Block and no VEX data; verify gate blocks
- [ ] Verify tenant-specific overrides apply when TenantId matches
- [ ] Verify gate returns descriptive message identifying which threshold was not met
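The threshold logic described in the implementation details and exercised by the test plan above, as an added C# illustration that is not the project's `VexTrustGate`: the type names, the `Evaluate` signature and the `TrustStatus` fields are assumptions, while the per-environment thresholds and the `MissingTrustBehavior` values are the ones listed on this page (tenant overrides are left out).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model of the gate described on this page (assumed names, not the project's VexTrustGate).
public enum FailureAction { Warn, Block }
public enum MissingTrustBehavior { Allow, Warn, Block }
public sealed record EnvThreshold(double MinCompositeScore, bool RequireIssuerVerified,
    double? MinAccuracyRate, string[] AcceptableFreshness, FailureAction FailureAction);
public sealed record TrustStatus(double TrustScore, bool IssuerVerified, double AccuracyRate, string Freshness);
public sealed record GateResult(string Verdict, string Message);

public static class VexTrustGateExample
{
    public static readonly string[] ApplyToStatuses = { "not_affected", "fixed" };

    // Per-environment thresholds as listed in the implementation details above.
    public static readonly Dictionary<string, EnvThreshold> Thresholds = new()
    {
        ["production"]  = new(0.80, true,  0.85, new[] { "fresh" }, FailureAction.Block),
        ["staging"]     = new(0.60, true,  null, new[] { "fresh", "stale" }, FailureAction.Warn),
        ["development"] = new(0.40, false, null, new[] { "fresh", "stale", "superseded" }, FailureAction.Warn),
    };

    public static GateResult Evaluate(string requestedStatus, string environment, TrustStatus? trust,
        MissingTrustBehavior missing = MissingTrustBehavior.Block)
    {
        if (!ApplyToStatuses.Contains(requestedStatus))
            return new GateResult("pass", $"status '{requestedStatus}' does not require trust verification");
        var t = Thresholds[environment];
        if (trust is null)
            return missing == MissingTrustBehavior.Allow
                ? new GateResult("pass", "no VEX trust data; MissingTrustBehavior=Allow")
                : new GateResult(missing.ToString().ToLowerInvariant(), "no VEX trust data for artifact");

        // Record every threshold that was not met so the message names the failing check.
        var failures = new List<string>();
        if (trust.TrustScore < t.MinCompositeScore)
            failures.Add($"composite score {trust.TrustScore:0.00} < {t.MinCompositeScore:0.00}");
        if (t.RequireIssuerVerified && !trust.IssuerVerified) failures.Add("issuer not verified");
        if (t.MinAccuracyRate is double min && trust.AccuracyRate < min)
            failures.Add($"accuracy rate {trust.AccuracyRate:0.00} < {min:0.00}");
        if (!t.AcceptableFreshness.Contains(trust.Freshness))
            failures.Add($"freshness '{trust.Freshness}' not in [{string.Join(", ", t.AcceptableFreshness)}]");
        if (failures.Count == 0) return new GateResult("pass", $"all {environment} trust thresholds met");
        return new GateResult(t.FailureAction == FailureAction.Block ? "block" : "warn",
            $"{environment}: " + string.Join("; ", failures));
    }
}
```

With the test plan's inputs, a 0.70 score or stale freshness in production yields a "block" verdict whose message names the threshold missed, while the same stale artifact promoted to staging passes.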