# Jurisdiction-Specific VEX Trust Rules (US/EU/RU/CN)

## Module

Policy

## Status

IMPLEMENTED

## Description

Configurable jurisdiction-specific trust rules for VEX statements, enabling different trust levels and source preferences for US, EU, Russia, and China regulatory contexts.

## Implementation Details

- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs` (implements `IVexTrustGate`)
  - `EvaluateAsync(VexTrustGateRequest)` evaluates the trust score against per-environment thresholds
  - `VexTrustStatus` carries `TrustScore` (0.0-1.0), `PolicyTrustThreshold`, `MeetsPolicyThreshold`, and `TrustBreakdown`
  - Checks: composite score >= threshold, issuer verification, accuracy rate, freshness
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
  - Per-environment thresholds: production (MinCompositeScore=0.80, RequireIssuerVerified=true, MinAccuracyRate=0.85, FailureAction=Block), staging (MinCompositeScore=0.60, RequireIssuerVerified=true, FailureAction=Warn), development (MinCompositeScore=0.40, RequireIssuerVerified=false, FailureAction=Warn), default (MinCompositeScore=0.70, RequireIssuerVerified=true, FailureAction=Warn)
  - `ApplyToStatuses`: `["not_affected", "fixed"]` (the gate governs only the statuses that would suppress a finding)
  - `MissingTrustBehavior`: Allow, Warn, or Block when VEX trust data is absent
  - `TenantOverrides`: tenant-specific threshold overrides per environment
  - Acceptable freshness states per environment (production: fresh only; development: fresh, stale, superseded)
  - `MaxAge` per environment (optional time-based freshness)
  - `FailureAction` enum: Warn, Block
- **TrustLatticeEngine**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
  - Three VEX normalizers for different formats: CycloneDX, OpenVEX, CSAF
  - Jurisdiction-aware VEX source trust via normalizer selection and claim scoring
  - `ClaimScoreMerger` with conflict penalization for multi-source VEX
- **PolicyGateEvaluator VEX Trust gate**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - The VEX Trust gate evaluates per-environment thresholds with the `MissingTrustBehavior` fallback
  - Integrated into the 5-gate sequential pipeline
- **VexTrustGateMetrics**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateMetrics.cs`
  - OpenTelemetry metrics for gate decisions

## E2E Test Plan

- [ ] Configure production threshold MinCompositeScore=0.80; evaluate VEX with score 0.75; verify gate blocks
- [ ] Configure staging threshold MinCompositeScore=0.60; evaluate VEX with score 0.65 (issuer verified, fresh); verify gate passes
- [ ] Configure production RequireIssuerVerified=true; evaluate unsigned VEX; verify gate blocks
- [ ] Configure development RequireIssuerVerified=false; evaluate unsigned VEX; verify gate passes
- [ ] Configure production MinAccuracyRate=0.85; evaluate issuer with 0.80 accuracy; verify gate blocks (production FailureAction=Block)
- [ ] Configure production AcceptableFreshness=["fresh"]; evaluate stale VEX; verify gate blocks
- [ ] Configure MissingTrustBehavior=Block; evaluate without VEX trust data; verify gate blocks
- [ ] Configure MissingTrustBehavior=Allow; evaluate without VEX trust data; verify gate passes
- [ ] Configure TenantOverrides with custom thresholds for tenant-A; verify tenant-A uses custom thresholds and other tenants keep the global thresholds
- [ ] Verify VexTrustGateMetrics records gate decisions with trust_score, environment, and decision tags
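The following is an added, self-contained C# model of the per-environment evaluation described under Implementation Details, run through the scenarios of the E2E Test Plan. It is not StellaOps code: every type and member name (`EnvThresholds`, `GateOptions`, `Evaluate`, and so on) is an assumption chosen to mirror the options listed above, and the staging/default freshness lists and the non-production accuracy rates are likewise assumed, since the page only states them for production and development.

```csharp
// Added example, not StellaOps code. All names below are assumptions that mirror the
// documented VexTrustGateOptions; the real VexTrustGate/IVexTrustGate may differ.
using System;
using System.Collections.Generic;
using System.Linq;

enum FailureAction { Warn, Block }
enum MissingTrustBehavior { Allow, Warn, Block }
enum GateDecision { Pass, Warn, Block }

// Thresholds for one environment. MaxAge is the optional time-based freshness check.
record EnvThresholds(double MinCompositeScore, bool RequireIssuerVerified, double MinAccuracyRate,
                     string[] AcceptableFreshness, FailureAction FailureAction, TimeSpan? MaxAge = null);

// Trust data attached to a VEX statement (assumed shape, after TrustLatticeEngine scoring).
record VexTrust(double CompositeScore, bool IssuerVerified, double AccuracyRate, string Freshness, DateTimeOffset IssuedAt);

record GateOptions(Dictionary<string, EnvThresholds> Environments, string[] ApplyToStatuses,
                   MissingTrustBehavior MissingTrustBehavior,
                   Dictionary<string, Dictionary<string, EnvThresholds>> TenantOverrides);

record GateResult(GateDecision Decision, List<string> Reasons);

static class VexTrustGateDemo
{
    // Documented defaults; staging/default freshness and non-production accuracy are assumptions.
    public static GateOptions DefaultOptions() => new(
        new()
        {
            ["production"]  = new(0.80, true,  0.85, new[] { "fresh" }, FailureAction.Block),
            ["staging"]     = new(0.60, true,  0.85, new[] { "fresh", "stale" }, FailureAction.Warn),
            ["development"] = new(0.40, false, 0.85, new[] { "fresh", "stale", "superseded" }, FailureAction.Warn),
            ["default"]     = new(0.70, true,  0.85, new[] { "fresh" }, FailureAction.Warn),
        },
        new[] { "not_affected", "fixed" }, MissingTrustBehavior.Warn, new());

    public static GateResult Evaluate(GateOptions opts, string environment, string tenant,
                                      string vexStatus, VexTrust? trust, DateTimeOffset now)
    {
        // Only statuses that would suppress a finding are gated; "affected" passes straight through.
        if (!opts.ApplyToStatuses.Contains(vexStatus))
            return new(GateDecision.Pass, new() { $"status '{vexStatus}' is not gated" });

        // Resolution order: tenant override for this environment, global table, then "default".
        var thresholds =
            opts.TenantOverrides.TryGetValue(tenant, out var perEnv) && perEnv.TryGetValue(environment, out var t) ? t
            : opts.Environments.TryGetValue(environment, out var e) ? e
            : opts.Environments["default"];

        if (trust is null)
        {
            var d = opts.MissingTrustBehavior switch
            {
                MissingTrustBehavior.Allow => GateDecision.Pass,
                MissingTrustBehavior.Warn  => GateDecision.Warn,
                _                          => GateDecision.Block,
            };
            return new(d, new() { $"no VEX trust data; MissingTrustBehavior={opts.MissingTrustBehavior}" });
        }

        // Every check is recorded so the TrustBreakdown explains the decision, not just the verdict.
        var failures = new List<string>();
        if (trust.CompositeScore < thresholds.MinCompositeScore)
            failures.Add($"composite score {trust.CompositeScore:F2} < {thresholds.MinCompositeScore:F2}");
        if (thresholds.RequireIssuerVerified && !trust.IssuerVerified)
            failures.Add("issuer not verified");
        if (trust.AccuracyRate < thresholds.MinAccuracyRate)
            failures.Add($"issuer accuracy {trust.AccuracyRate:F2} < {thresholds.MinAccuracyRate:F2}");
        if (!thresholds.AcceptableFreshness.Contains(trust.Freshness))
            failures.Add($"freshness '{trust.Freshness}' not acceptable");
        if (thresholds.MaxAge is { } maxAge && now - trust.IssuedAt > maxAge)
            failures.Add($"statement older than MaxAge {maxAge}");

        if (failures.Count == 0)
            return new(GateDecision.Pass, new() { "all VEX trust checks satisfied" });
        // Production blocks on any failure; the other documented environments only warn.
        return new(thresholds.FailureAction == FailureAction.Block ? GateDecision.Block : GateDecision.Warn, failures);
    }

    static void Main()
    {
        var opts = DefaultOptions();
        var now = DateTimeOffset.UtcNow;
        // Constructed baseline statement that passes everywhere; each scenario perturbs one field.
        var good = new VexTrust(0.90, true, 0.95, "fresh", now.AddHours(-1));

        Report("production, score 0.75",     Evaluate(opts, "production",  "tenant-B", "not_affected", good with { CompositeScore = 0.75 }, now));
        Report("staging, score 0.65",        Evaluate(opts, "staging",     "tenant-B", "not_affected", good with { CompositeScore = 0.65 }, now));
        Report("production, unsigned",       Evaluate(opts, "production",  "tenant-B", "not_affected", good with { IssuerVerified = false }, now));
        Report("development, unsigned",      Evaluate(opts, "development", "tenant-B", "not_affected", good with { IssuerVerified = false }, now));
        Report("production, accuracy 0.80",  Evaluate(opts, "production",  "tenant-B", "fixed",        good with { AccuracyRate = 0.80 }, now));
        Report("production, stale",          Evaluate(opts, "production",  "tenant-B", "fixed",        good with { Freshness = "stale" }, now));
        Report("production, no trust data",  Evaluate(opts with { MissingTrustBehavior = MissingTrustBehavior.Block }, "production", "tenant-B", "not_affected", null, now));
        Report("production, status affected", Evaluate(opts, "production", "tenant-B", "affected",     good with { CompositeScore = 0.10 }, now));

        // Tenant override: tenant-A runs production at 0.70 while tenant-B keeps the global 0.80.
        opts.TenantOverrides["tenant-A"] = new() { ["production"] = opts.Environments["production"] with { MinCompositeScore = 0.70 } };
        Report("production, tenant-A, 0.75", Evaluate(opts, "production", "tenant-A", "not_affected", good with { CompositeScore = 0.75 }, now));
        Report("production, tenant-B, 0.75", Evaluate(opts, "production", "tenant-B", "not_affected", good with { CompositeScore = 0.75 }, now));
    }

    static void Report(string label, GateResult r) =>
        Console.WriteLine($"{label,-34} -> {r.Decision}: {string.Join("; ", r.Reasons)}");
}
```

Two design points worth checking against the real gate when writing the E2E tests: the resolution order for thresholds (tenant override before the global environment entry, with `default` as the final fallback) decides which tenants a misconfigured override silently loosens, and the missing-trust branch must run before any threshold comparison, otherwise an absent `VexTrustStatus` would be scored as 0.0 and blocked even when `MissingTrustBehavior=Allow`.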