# VEX Decisioning Engine (Not Just Ingestion) (Moat Score 4)

## Module

Policy

## Status

IMPLEMENTED

## Description

Full VEX decisioning with consensus engine, trust scoring, OpenVEX and CSAF normalization, and trust lattice conflict resolution.

## Implementation Details

- **TrustLatticeEngine**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
  - Full VEX decisioning pipeline: VEX normalization -> claim ingestion -> K4 evaluation -> disposition selection -> proof bundle
  - Three VEX format normalizers: CycloneDX, OpenVEX, CSAF
  - Fluent ClaimBuilder: Assert, Present, Applies, Reachable, Mitigated, Fixed, Misattributed
  - `Evaluate()` with optional SubjectFilter and proof bundle generation
  - Disposition selection from K4 lattice values: True -> not_affected, False -> affected, Conflict -> disputed, Unknown -> under_investigation
- **K4Lattice**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/K4Lattice.cs`
  - Belnap four-valued logic: Unknown=0, True=1, False=2, Conflict=3
  - Join (consensus): T join F = Conflict; commutative, idempotent
  - Meet (agreement): T meet F = Unknown
  - FromSupport(): maps evidence support to K4 value
- **ClaimScoreMerger**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ClaimScoreMerger.cs`
  - Deterministic claim merging with conflict penalization (0.25 penalty)
  - Merge ordering: adjusted score -> specificity -> original score -> source ID -> index
  - MergePolicy: ConflictPenalty, PreferSpecificity, RequireReplayProofOnConflict
  - Returns MergeResult: winning claim, conflicts, RequiresReplayProof flag
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs`
  - Gates policy decisions based on VEX trust scores
  - Per-environment thresholds with FailureAction (Warn/Block)
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - VEX Trust gate (3rd in 5-gate pipeline) evaluates trust lattice results

## E2E Test Plan

- [ ] Ingest CycloneDX VEX with not_affected status; verify K4 value=True after normalization
- [ ] Ingest OpenVEX with affected status; verify K4 value=False after normalization
- [ ] Ingest CSAF VEX with fixed status; verify K4 value=True after normalization
- [ ] Ingest conflicting claims (CycloneDX not_affected + OpenVEX affected); verify K4 Conflict, disposition=disputed
- [ ] Verify ClaimScoreMerger: signed claim (score 0.9) wins over unsigned claim (score 0.95) when PreferSpecificity enabled
- [ ] Verify conflict penalization: conflicting claims receive 0.25 penalty
- [ ] Evaluate with VexTrustGate in production (threshold 0.80); provide trust score 0.85; verify gate passes
- [ ] Evaluate with VexTrustGate; provide trust score 0.60 in production; verify gate blocks
- [ ] Build claim via fluent API: Assert("CVE-2024-1234").Present("pkg:npm/lodash@4.17.21").Mitigated(); verify claim correctly formed
- [ ] Verify proof bundle includes all claims, scores, and K4 evaluations for audit
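As an added example (not StellaOps code), the K4 lattice and disposition selection described above, with the test plan's conflicting-claims case folded under both Join (consensus) and Meet (agreement). The two-bit encoding of the K4 values, the `FromStatus` helper and the `Decide` fold are this example's assumptions; the numbering and the disposition mapping are taken from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Belnap K4 with the page's numbering. Encoding True = 0b01 and False = 0b10 is this
// example's assumption; it makes Join a bitwise OR and Meet a bitwise AND (both commutative, idempotent).
public enum K4 { Unknown = 0, True = 1, False = 2, Conflict = 3 }

public static class K4Lattice
{
    // Consensus keeps everything any source asserts: T join F = Conflict.
    public static K4 Join(K4 a, K4 b) => (K4)((int)a | (int)b);
    // Agreement keeps only what every source shares: T meet F = Unknown.
    public static K4 Meet(K4 a, K4 b) => (K4)((int)a & (int)b);
    // Normalized VEX status -> K4, following the test plan
    // (not_affected and fixed -> True, affected -> False).
    public static K4 FromStatus(string status) => status switch
    {
        "not_affected" or "fixed" => K4.True,
        "affected" => K4.False,
        _ => K4.Unknown, // under_investigation or an unrecognised status
    };
    // Disposition selection exactly as listed on the page.
    public static string Disposition(K4 v) => v switch
    {
        K4.True => "not_affected",
        K4.False => "affected",
        K4.Conflict => "disputed",
        _ => "under_investigation",
    };
    // Fold claim statuses with Join (identity Unknown, the lattice bottom) or
    // Meet (identity Conflict, the lattice top), then select the disposition.
    public static string Decide(IEnumerable<string> statuses, bool consensus = true)
    {
        var values = statuses.Select(FromStatus);
        var result = consensus ? values.Aggregate(K4.Unknown, Join)
                               : values.Aggregate(K4.Conflict, Meet);
        return Disposition(result);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: the test plan's conflicting-claims case (CycloneDX not_affected vs OpenVEX affected).
        var statuses = new[] { "not_affected", "affected" };
        Console.WriteLine($"consensus: {K4Lattice.Decide(statuses)}");
        Console.WriteLine($"agreement: {K4Lattice.Decide(statuses, consensus: false)}");
    }
}
```

Under Join the two claims fold to Conflict and the disposition is "disputed", matching the test plan; under Meet the same claims fold to Unknown and yield "under_investigation", which is why consensus rather than agreement is the operator for conflict detection.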