# DSSE-Signed Exception Objects with Recheck Policy

## Module
Attestor

## Status
VERIFIED

## Description
Policy exceptions framework with models, repositories, and services exists. DSSE signing infrastructure is available. Full UI exception modal with recheck policy enforcement is partially complete.

## What's Implemented
- **Budget Exception Entry**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs` -- exception entry model.
- **Exception Ref**: `ProofChain/Services/ExceptionRef.cs` -- reference to an approved exception.
- **VEX Override System**: `__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/` -- VexOverridePredicateBuilder (with `.Build`, `.Serialize`, `.WithMethods`), VexOverrideDecision, EvidenceReference -- structured override/exception with evidence.
- **DSSE Signing Infrastructure**: `ProofChain/Signing/ProofChainSigner.cs`, `DsseEnvelope.cs` -- available DSSE signing.
- **Policy Decision**: `Predicates/PolicyDecision.cs` -- policy decision referencing exceptions.

## What's Missing
- **DSSE-signed exception objects**: Exceptions are not individually DSSE-signed as standalone attestation artifacts. They exist as records within larger predicates but are not independently verifiable.
- **Recheck policy enforcement**: No automated recheck scheduling that re-evaluates exceptions at configured intervals (e.g., 30-day review cycle).
- **Exception expiry enforcement**: No automated enforcement of exception expiry dates with re-approval workflow.
- **Exception approval workflow**: No multi-party approval flow for exception creation (e.g., two approvers required for critical CVE exceptions).
- **Exception audit trail**: No dedicated audit trail for exception lifecycle (created, approved, rechecked, expired, revoked).

## Implementation Plan
- Create `DsseSignedException` model wrapping exception objects in DSSE envelopes
- Implement recheck policy with configurable intervals (Scheduler integration)
- Add exception expiry enforcement with notification before expiry
- Build multi-party approval workflow for high-severity exceptions
- Create exception audit trail using the existing AuditHashLogger infrastructure
- Add UI exception modal with recheck policy configuration
- Add tests for signing, recheck scheduling, and expiry enforcement

## Related Documentation
- Source: See feature catalog

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |