# VEX-gated policy decisions (gate decision with decision hash)

## Module

Cli

## Status

IMPLEMENTED

## Description

VEX gate service and policy evaluator for blocking/allowing based on VEX status, with CLI command support and a UI gate summary panel. Evaluates findings against policy rules based on vendor status, exploitability, reachability, compensating controls, and severity levels.

## Implementation Details

- **Command Group**: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- `VexGateScanCommandGroup` (static class)
  - Sprint: SPRINT_20260106_003_002_SCANNER_vex_gate_service (T026, T027)
  - Uses Spectre.Console for rich table output
  - Calls Scanner API: `api/v1/vex-gate/policy` and `api/v1/scans/{scanId}/gate-results`
- **Commands**:
  - `stella scan gate-policy show [--tenant ] [--output table|json|yaml]` -- display the current VEX gate policy, including rules, priorities, and conditions
  - `stella scan gate-results --scan-id [--decision Pass|Warn|Block] [--output table|json] [--limit ]` -- get the VEX gate results for a scan, with decision filtering
- **DTOs**:
  - `VexGatePolicyDto` (PolicyId, Version, DefaultDecision, Rules)
  - `VexGatePolicyRuleDto` (RuleId, Priority, Decision, Condition)
  - `VexGatePolicyConditionDto` (VendorStatus, IsExploitable, IsReachable, HasCompensatingControl, SeverityLevels)
  - `VexGateResultsDto` (ScanId, Summary, GatedFindings)
  - `VexGateSummaryDto` (TotalFindings, Passed, Warned, Blocked, EvaluatedAt)
  - `GatedFindingDto` (FindingId, Cve, Purl, Decision, Rationale, PolicyRuleMatched, Evidence)
- **Decision Types**: Pass (green), Warn (yellow), Block (red)
- **Output Formats**: Table with Spectre.Console styling, JSON, YAML

## E2E Test Plan

- [ ] Run `stella scan gate-policy show` and verify the policy table with Policy ID, Version, Default Decision, Rules Count
- [ ] Run `stella scan gate-policy show --output json` and verify valid JSON with policy rules
- [ ] Run `stella scan gate-policy show --output yaml` and verify YAML output with the rule hierarchy
- [ ] Run `stella scan gate-policy show --tenant ` and verify the tenant-specific policy
- [ ] Run `stella scan gate-results --scan-id ` and verify the summary table (Total, Passed, Warned, Blocked) and the findings table
- [ ] Run `stella scan gate-results --scan-id --decision Block` and verify only blocked findings are shown
- [ ] Run `stella scan gate-results --scan-id --output json` and verify JSON with gateSummary and gatedFindings
- [ ] Run `stella scan gate-results --scan-id --limit 5` and verify at most 5 findings
- [ ] Verify a 404 response for an unknown scan ID returns a warning, not an error
- [ ] Verify exit code 0 on success, 1 on API error
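As an added illustration (example code, not StellaOps code), the following Python models how the policy evaluator described under Implementation Details turns `VexGatePolicyRuleDto` rules and their conditions into per-finding Pass/Warn/Block decisions plus a `VexGateSummaryDto`-style summary. The rule ordering (lower priority value evaluated first), the condition-matching semantics, and every sample rule, CVE id and purl are assumptions constructed for the example.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    rule_id: str
    priority: int    # assumption: lower value is evaluated first
    decision: str    # "Pass" | "Warn" | "Block"
    condition: dict  # keys mirror VexGatePolicyConditionDto; absent key = unconstrained

def matches(condition: dict, f: dict) -> bool:
    """Every constrained field must match; severity_levels is a set-membership test."""
    return all(f["severity"] in want if key == "severity_levels" else f[key] == want
               for key, want in condition.items())

def evaluate(policy: dict, findings: list) -> dict:
    """First matching rule in priority order decides; otherwise the policy default applies."""
    rules = sorted(policy["rules"], key=lambda r: r.priority)
    gated = []
    for f in findings:
        rule = next((r for r in rules if matches(r.condition, f)), None)
        gated.append({
            "finding_id": f["finding_id"], "cve": f["cve"], "purl": f["purl"],
            "decision": rule.decision if rule else policy["default_decision"],
            "policy_rule_matched": rule.rule_id if rule else None,
            "rationale": f"matched {rule.rule_id}" if rule else "no rule matched; default applied",
        })
    summary = {"total_findings": len(gated)}
    for d in ("Pass", "Warn", "Block"):
        summary[d.lower() + "ed"] = sum(g["decision"] == d for g in gated)  # passed/warned/blocked
    return {"summary": summary, "gated_findings": gated}

# Constructed policy: live, unmitigated exploitability blocks before a vendor "not_affected"
# claim is honoured; mitigated findings warn; remaining critical/high findings block.
POLICY = {"default_decision": "Pass", "rules": [
    Rule("R-vendor-clear", 20, "Pass", {"vendor_status": "not_affected"}),
    Rule("R-live-exploit", 10, "Block",
         {"is_exploitable": True, "is_reachable": True, "has_compensating_control": False}),
    Rule("R-mitigated", 30, "Warn", {"has_compensating_control": True}),
    Rule("R-severity", 40, "Block", {"severity_levels": {"critical", "high"}}),
]}

KEYS = ("finding_id", "cve", "purl", "vendor_status", "is_exploitable", "is_reachable",
        "has_compensating_control", "severity")
FINDINGS = [dict(zip(KEYS, row)) for row in (  # constructed samples; CVE ids and purls are placeholders
    ("f1", "CVE-0000-0001", "pkg:npm/a@1.0.0", "affected", True, True, False, "critical"),
    ("f2", "CVE-0000-0002", "pkg:npm/b@1.0.0", "not_affected", False, True, False, "high"),
    ("f3", "CVE-0000-0003", "pkg:npm/c@1.0.0", "affected", True, False, True, "high"),
    ("f4", "CVE-0000-0004", "pkg:npm/d@1.0.0", "under_investigation", False, True, False, "medium"),
)]
```

Filtering `gated_findings` by `decision` reproduces what `--decision Block` does in the CLI; the `f4` row shows a finding that matches no rule and falls through to the policy default.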