# DSSE-signed reversible decisions (MUTE_REACH, MUTE_VEX, ACK, EXCEPTION)

## Module
Policy

## Status
IMPLEMENTED

## Description
VEX decision signing service produces DSSE-signed decisions; exception objects model scoped, time-boxed exceptions with evidence requirements.

## Implementation Details
- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs` -- signs verdict decisions with DSSE envelopes
  - `IVerdictAttestationService` interface
  - `VerdictPredicate.cs` -- verdict predicate for attestation payload
  - `VerdictPredicateBuilder.cs` -- fluent builder for verdict predicates
  - `VerdictReasonCode.cs` -- reason codes for verdict decisions
- **PolicyDecisionAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/PolicyDecisionAttestationService.cs` -- signs policy decisions
  - `IPolicyDecisionAttestationService` interface
  - `PolicyDecisionPredicate.cs` -- decision predicate payload
  - `PolicyDecisionAttestationOptions.cs` -- signing options
- **Exception Objects**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionObject.cs` -- scoped, time-boxed exception model
  - Scope: CVE-level, package-level, or finding-level
  - Time-boxing: ExpiresAt, auto-expire enforcement
  - Evidence requirements: required evidence types per exception
  - Status: Active, Expired, Revoked
- **Exception Application**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionApplication.cs` -- tracks when exceptions are applied to findings
- **Exception Events**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionEvent.cs` -- audit trail of exception lifecycle events (create, apply, expire, revoke)
- **Evidence Hooks**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/EvidenceHook.cs` -- hooks for evidence validation on exception approval
- **RecheckPolicy**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/RecheckPolicy.cs` -- recheck policy for exception revalidation
- **Exception Evaluator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs` -- evaluates exception applicability
- **Evidence Requirement Validator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs` -- validates evidence requirements are met
- **Recheck Evaluation Service**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/RecheckEvaluationService.cs` -- periodic recheck of exception validity
- **ExceptionRecheckGate**: `src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs` -- build gate that rechecks exception validity
- **RVA Service**: `src/Policy/StellaOps.Policy.Engine/Attestation/RvaService.cs` -- Risk Verdict Attestation service
  - `RvaBuilder.cs` -- builds RVA attestations
  - `RvaVerifier.cs` -- verifies RVA attestation integrity
  - `RvaPredicate.cs` -- RVA predicate model

## E2E Test Plan
- [ ] Create an exception with ExpiresAt in the future; verify exception is Active
- [ ] Apply exception to a finding; verify DSSE-signed decision envelope is produced
- [ ] Verify exception application is recorded in ExceptionEvent audit trail
- [ ] Wait for exception expiry; verify ExceptionRecheckGate detects expiration and re-evaluates finding
- [ ] Create exception with evidence requirements; verify EvidenceRequirementValidator blocks approval when evidence missing
- [ ] Verify signed verdict predicate contains: finding ID, CVE, decision, reason code, timestamp
- [ ] Verify PolicyDecisionAttestationService signs decisions with correct predicate payload
- [ ] Revoke an active exception; verify finding is re-evaluated without exception
- [ ] Run RecheckEvaluationService; verify exceptions past recheck policy interval are revalidated
- [ ] Verify RvaService builds and verifies Risk Verdict Attestation with scoring determinism