# Evidence Requirement Validation for Exceptions

## Module

Policy

## Status

IMPLEMENTED

## Description

Validates that exceptions include required evidence (attestation IDs, VEX notes, reachability proofs) before approval.

## Implementation Details

- **EvidenceRequirementValidator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
  - Validates that all required evidence is present for exception approval
  - Checks: attestation IDs, VEX notes, reachability proofs, security review evidence
  - Evidence freshness validation: evidence age vs. the MaxAge threshold
  - Trust score validation: minimum score for evidence acceptance
  - DSSE signature verification: validates signed evidence
  - Returns a detailed validation result with per-requirement status
- **ExceptionObject**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionObject.cs` -- exception model with evidence requirements
  - Required evidence types defined per exception scope
  - Scopes: CVE-level, package-level, finding-level
- **EvidenceHook**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/EvidenceHook.cs` -- evidence hook configuration
  - Mandatory flag, MaxAge, trust score threshold, DSSE requirement
- **ExceptionEvaluator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs` -- evaluates exception applicability with evidence checks
- **ExceptionApplication**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionApplication.cs` -- tracks exception applications with an evidence snapshot
- **Exception Repositories**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Repositories/` -- persistence for exceptions and evidence

## E2E Test Plan

- [ ] Create exception requiring attestation ID; verify validation fails when attestation ID is missing
- [ ] Create exception requiring VEX note; provide valid VEX note; verify validation passes
- [ ] Create exception requiring reachability proof; provide proof; verify validation passes
- [ ] Validate evidence with expired MaxAge; verify freshness check fails
- [ ] Validate evidence with trust score below minimum; verify trust check fails
- [ ] Create exception with multiple required evidence types; provide all; verify validation passes
- [ ] Create exception with multiple required evidence types; omit one; verify validation fails with the specific missing requirement
- [ ] Verify ExceptionApplication records the evidence snapshot at time of application
- [ ] Verify exception evaluator checks evidence requirements before determining applicability
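The following is an added illustration of the checks described in the Implementation Details and exercised by the test plan (missing evidence, stale evidence, low trust score, DSSE requirement, per-requirement result). It is not StellaOps' own code: every type and member name (`EvidenceHook`, `EvidenceItem`, `RequirementResult`, `Dsse.Pae`, `Validate`) is an assumption chosen for this example, and DSSE verification is reduced to one trusted ECDSA P-256 key over the spec's pre-authentication encoding rather than a keyring lookup. The sample hooks, evidence items and signed VEX payload are constructed inline.

```csharp
// Added example, not the project's code. Names below are illustrative assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

enum EvidenceType { AttestationId, VexNote, ReachabilityProof, SecurityReview }

// Hook configuration: what an exception demands for one evidence type.
record EvidenceHook(EvidenceType Type, bool Mandatory, TimeSpan MaxAge,
                    double MinTrustScore, bool RequireDsse);

// A DSSE-style envelope: payload type, payload and one signature over the PAE.
record DsseEnvelope(string PayloadType, byte[] Payload, byte[] Signature);

// One piece of evidence supplied with the exception request.
record EvidenceItem(EvidenceType Type, string Id, DateTimeOffset IssuedAt,
                    double TrustScore, DsseEnvelope? Envelope);

record RequirementResult(EvidenceType Type, bool Satisfied, string Reason);

static class Dsse
{
    // Pre-Authentication Encoding from the DSSE spec:
    // "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
    public static byte[] Pae(string payloadType, byte[] payload)
    {
        int typeLen = Encoding.UTF8.GetByteCount(payloadType);
        var header = Encoding.UTF8.GetBytes($"DSSEv1 {typeLen} {payloadType} {payload.Length} ");
        return header.Concat(payload).ToArray();
    }

    // Assumption: a single trusted signer key stands in for a keyring.
    public static bool Verify(DsseEnvelope env, ECDsa trustedKey) =>
        trustedKey.VerifyData(Pae(env.PayloadType, env.Payload), env.Signature,
                              HashAlgorithmName.SHA256);
}

class EvidenceRequirementValidator
{
    private readonly ECDsa _trustedKey;
    public EvidenceRequirementValidator(ECDsa trustedKey) => _trustedKey = trustedKey;

    // Evaluates every hook and reports a per-requirement status; the first failing
    // check for a hook is the reason recorded, so a reviewer sees what to fix.
    public IReadOnlyList<RequirementResult> Validate(IEnumerable<EvidenceHook> hooks,
        IEnumerable<EvidenceItem> evidence, DateTimeOffset now)
    {
        var results = new List<RequirementResult>();
        foreach (var hook in hooks)
        {
            var item = evidence.FirstOrDefault(e => e.Type == hook.Type);
            if (item is null)
            {
                results.Add(new(hook.Type, !hook.Mandatory,
                    hook.Mandatory ? "missing required evidence" : "optional evidence absent"));
                continue;
            }
            var age = now - item.IssuedAt;   // future-dated evidence is rejected too
            if (age < TimeSpan.Zero || age > hook.MaxAge)
            {
                results.Add(new(hook.Type, false,
                    $"stale: age {age.TotalDays:F0}d exceeds MaxAge {hook.MaxAge.TotalDays:F0}d"));
                continue;
            }
            if (item.TrustScore < hook.MinTrustScore)
            {
                results.Add(new(hook.Type, false,
                    $"trust score {item.TrustScore:F2} below minimum {hook.MinTrustScore:F2}"));
                continue;
            }
            if (hook.RequireDsse && (item.Envelope is null || !Dsse.Verify(item.Envelope, _trustedKey)))
            {
                results.Add(new(hook.Type, false, "DSSE signature missing or invalid"));
                continue;
            }
            results.Add(new(hook.Type, true, $"ok ({item.Id})"));
        }
        return results;
    }

    public static bool Approved(IReadOnlyList<RequirementResult> results) =>
        results.All(r => r.Satisfied);
}

static class Program
{
    static void Main()
    {
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var now = new DateTimeOffset(2025, 1, 15, 0, 0, 0, TimeSpan.Zero);

        // Constructed sample: a VEX statement signed by the trusted key.
        const string vexType = "application/vnd.openvex+json";
        var vexPayload = Encoding.UTF8.GetBytes("{\"status\":\"not_affected\"}");
        var vexEnvelope = new DsseEnvelope(vexType, vexPayload,
            key.SignData(Dsse.Pae(vexType, vexPayload), HashAlgorithmName.SHA256));

        var hooks = new[]
        {
            new EvidenceHook(EvidenceType.AttestationId, true, TimeSpan.FromDays(30), 0.5, false),
            new EvidenceHook(EvidenceType.VexNote, true, TimeSpan.FromDays(90), 0.7, true),
            new EvidenceHook(EvidenceType.ReachabilityProof, true, TimeSpan.FromDays(14), 0.8, false),
        };
        var evidence = new[]
        {
            new EvidenceItem(EvidenceType.AttestationId, "att-0001", now.AddDays(-45), 0.9, null), // stale
            new EvidenceItem(EvidenceType.VexNote, "vex-0001", now.AddDays(-1), 0.95, vexEnvelope), // passes
            // ReachabilityProof deliberately omitted: reported as the specific missing requirement
        };

        var results = new EvidenceRequirementValidator(key).Validate(hooks, evidence, now);
        foreach (var r in results)
            Console.WriteLine($"{r.Type,-17} {(r.Satisfied ? "PASS" : "FAIL")}  {r.Reason}");
        Console.WriteLine($"approved: {EvidenceRequirementValidator.Approved(results)}");
    }
}
```

Each hook yields exactly one `RequirementResult`, so the caller can render the per-requirement table the test plan asks for, and the overall decision is simply "all satisfied". Checks are ordered cheapest first (presence, freshness, trust score) with signature verification last, so an expired or untrusted item never triggers a crypto operation.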