git.stella-ops.org/docs/features/checked/cli/reachability-aware-security-as-gate.md

# Reachability-Aware Security as Gate

## Module
Cli

## Status
VERIFIED

## Description
Reachability-aware vulnerability triage with score gating for release decisions is implemented across Scanner, ReachGraph, and CLI modules.

## Implementation Details
- **Gate Command**: `src/Cli/StellaOps.Cli/Commands/GateCommandGroup.cs` -- `GateCommandGroup` for `stella gate` commands
- **VEX Gate Scan**: `src/Cli/StellaOps.Cli/Commands/VexGateScanCommandGroup.cs` -- VEX-gated scan operations
- **Score Gate**: `src/Cli/StellaOps.Cli/Commands/ScoreGateCommandGroup.cs` -- score-based gating
- **Tests**: `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/ScoreGateCommandTests.cs`, `VexGateCommandTests.cs`
- **Commands**:
  - `stella gate evaluate <digest>` -- evaluate all gates for an artifact
  - `stella gate scan <image>` -- scan with gate evaluation
- **Exit codes**: 0=pass, 1=warn, 2=fail/block

## E2E Test Plan
- [ ] Run `stella gate evaluate sha256:abc123` and verify gate evaluation with reachability awareness
- [ ] Verify unreachable CVEs do not trigger gate failures
- [ ] Verify reachable CVEs with high scores trigger appropriate gate level
- [ ] Run `stella gate scan myregistry/app:v1.0` and verify scan with gate evaluation
- [ ] Verify exit codes: 0=pass, 1=warn, 2=block
- [ ] Verify `--format json` output with gate details

## Verification

- **Verified**: 2026-02-13T15:30:00Z
- **Tier 0 (Source)**: pass -- all referenced source files exist on disk
- **Tier 1 (Build)**: pass -- module builds cleanly, 412 tests pass in StellaOps.Cli.Commands.Tests
- **Tier 2d (Integration)**: pass -- targeted integration tests confirm behavioral correctness
- **Test Project**: `src/Cli/__Tests/StellaOps.Cli.Commands.Tests/StellaOps.Cli.Commands.Tests.csproj`
- **Evidence**: `docs/qa/feature-checks/runs/cli/reachability-aware-security-as-gate/run-001/tier2-integration-check.json`