# Policy gate with evidence-linked approval

## Module

Policy

## Status

IMPLEMENTED

## Description

Policy gates (CVE, EPSS, budget, reachability, signature-required) evaluate artifacts against configurable rules and produce evidence-linked attestations.

## Implementation Details

- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - 5 sequential gates: Evidence Completeness, Lattice State, VEX Trust, Uncertainty Tier, Confidence Threshold
  - Each gate produces evidence-linked results with attestation references
  - Gate results: Pass, PassWithNote, Warn, Block, Skip
  - Override support with justification text and evidence requirements
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs`
  - Evaluates the VEX trust score against per-environment thresholds
  - Links VEX attestation references to gate decisions
  - VexTrustStatus with TrustScore, PolicyTrustThreshold, TrustBreakdown
- **ExceptionEvaluator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs`
  - Exception-based approvals with evidence references (sha256 digests, attestation URIs)
  - EvidenceRefs from all matching exceptions are aggregated in the result
- **EvidenceRequirementValidator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
  - Validates required evidence before approval: attestation IDs, VEX notes, reachability proofs
  - Evidence freshness (MaxAge), trust score threshold, DSSE signature verification
- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs`
  - DSSE-signed attestations linking verdicts to evidence bundles
  - Each gate decision produces an attestation with proof references
- **KnowledgeSnapshotManifest**: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs`
  - Content-addressed bundle linking all evaluation inputs to gate decisions

## E2E Test Plan

- [ ] Evaluate artifact through all gates; verify each gate result includes attestation references
- [ ] Evaluate with VexTrustGate; verify VEX attestation IDs are linked in the gate result
- [ ] Approve exception with evidence refs; verify EvidenceRefs appear in ExceptionEvaluationResult.AllEvidenceRefs
- [ ] Require attestation ID evidence for approval; provide valid attestation; verify validation passes
- [ ] Require evidence with MaxAge; provide expired evidence; verify validation fails
- [ ] Generate verdict attestation; verify DSSE signature covers gate decisions and evidence refs
- [ ] Override gate with justification; verify PassWithNote result includes justification attestation
- [ ] Verify KnowledgeSnapshotManifest links policy bundle digest and source digests to gate inputs
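As an added illustration (not StellaOps code), the following models the behaviour the test plan checks: an evidence gate that blocks on missing, unverified or stale (older than MaxAge) refs, a VEX trust gate compared against a per-environment threshold that skips when no threshold is configured, and an override that turns Block into PassWithNote only when justification text and an evidence reference are supplied. Every decision carries the refs it was based on; all names, thresholds and sample refs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class GateResult(Enum):
    PASS = "Pass"
    PASS_WITH_NOTE = "PassWithNote"
    WARN = "Warn"
    BLOCK = "Block"
    SKIP = "Skip"

@dataclass(frozen=True)
class Evidence:
    ref: str             # attestation URI or sha256 digest (constructed values in tests)
    issued_at: datetime
    dsse_verified: bool  # outcome of DSSE envelope verification, done upstream

@dataclass(frozen=True)
class GateDecision:
    gate: str
    result: GateResult
    evidence_refs: tuple  # every ref the decision rests on, so an attestation can cite them
    note: str = ""

def evidence_gate(evidence, max_age, now):
    """Evidence Completeness: refs must exist, be DSSE-verified, and be no older than MaxAge."""
    refs = tuple(e.ref for e in evidence)
    bad = [e.ref for e in evidence if not e.dsse_verified or now - e.issued_at > max_age]
    if not refs or bad:
        return GateDecision("EvidenceCompleteness", GateResult.BLOCK, refs, f"missing, unverified or stale: {bad}")
    return GateDecision("EvidenceCompleteness", GateResult.PASS, refs)

def vex_trust_gate(trust_score, environment, thresholds, vex_refs):
    """VEX Trust: compare the trust score with the threshold configured for this environment."""
    threshold = thresholds.get(environment)
    if threshold is None:
        return GateDecision("VexTrust", GateResult.SKIP, vex_refs, f"no threshold for {environment}")
    if trust_score >= threshold:
        return GateDecision("VexTrust", GateResult.PASS, vex_refs)
    return GateDecision("VexTrust", GateResult.BLOCK, vex_refs, f"trust {trust_score} < {threshold}")

def apply_override(decision, justification, justification_ref):
    """A Block becomes PassWithNote only with justification text and an evidence ref for it."""
    if decision.result is not GateResult.BLOCK:
        return decision
    if not justification or not justification_ref:
        raise ValueError("override requires justification text and an evidence reference")
    return GateDecision(decision.gate, GateResult.PASS_WITH_NOTE,
                        decision.evidence_refs + (justification_ref,), justification)
```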