# VEX Exception Approval Flow

## Module
Scanner

## Status
IMPLEMENTED

## Description
Approval endpoints for VEX exception workflows with propose/approve two-step process are implemented.

## Implementation Details
- **VEX Gate Controller**:
  - `src/Scanner/StellaOps.Scanner.WebService/Controllers/VexGateController.cs` - `VexGateController` REST API including exception proposal and approval endpoints for VEX exception workflows
- **VEX Gate Query Service**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/VexGateQueryService.cs` - `VexGateQueryService` querying VEX gate decisions including exception status
- **Contracts**:
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/VexGateContracts.cs` - API contracts for VEX gate operations including exception proposal and approval
- **VEX Gate Service**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs` - `VexGateService` processing VEX gate decisions and exception workflows
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/IVexGateService.cs` - Interface for VEX gate operations
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateDecision.cs` - `VexGateDecision` model including exception status
  - `src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateAuditLogger.cs` - `VexGateAuditLogger` logging exception proposals and approvals for audit trail

## E2E Test Plan
- [ ] Propose a VEX exception for a blocked finding and verify it enters the "proposed" state awaiting approval
- [ ] Approve a proposed VEX exception and verify the finding's gate decision changes from Block to Pass
- [ ] Reject a proposed VEX exception and verify the finding remains in Block state with rejection reason
- [ ] Verify the audit logger captures all exception proposals and approvals with user attribution and timestamps
- [ ] Verify the two-step process prevents a single user from both proposing and approving the same exception