# Reachability-Aware Security as Gate

## Module
Cli

## Status
IMPLEMENTED

## Description
Reachability-aware vulnerability triage with score gating for release decisions is implemented across Scanner, ReachGraph, and CLI modules.

## Implementation Details
- **Gate Command**: `src/Cli/StellaOps.Cli/Commands/GateCommandGroup.cs` -- `GateCommandGroup` for `stella gate` commands
- **VEX Gate Scan**: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- VEX-gated scan operations
- **Score Gate**: `src/Cli/StellaOps.Cli/Commands/ScoreGateCommandGroup.cs` -- score-based gating
- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ScoreGateCommandTests.cs`, `VexGateCommandTests.cs`
- **Commands**:
  - `stella gate evaluate <digest>` -- evaluate all gates for an artifact
  - `stella gate scan <image>` -- scan with gate evaluation
- **Exit codes**: 0=pass, 1=warn, 2=fail/block

## E2E Test Plan
- [ ] Run `stella gate evaluate sha256:abc123` and verify gate evaluation with reachability awareness
- [ ] Verify unreachable CVEs do not trigger gate failures
- [ ] Verify reachable CVEs with high scores trigger appropriate gate level
- [ ] Run `stella gate scan myregistry/app:v1.0` and verify scan with gate evaluation
- [ ] Verify exit codes: 0=pass, 1=warn, 2=block
- [ ] Verify `--format json` output with gate details