git.stella-ops.org/bench/vex-lattice/README.md

# VEX Lattice Benchmark Suite

> **Purpose:** Verify VEX lattice merge semantics and jurisdiction rules.
> **Status:** Active
> **Sprint:** SPRINT_3850_0001_0001 (Competitive Gap Closure)

## Overview

StellaOps implements VEX (Vulnerability Exploitability eXchange) with:
- Lattice-based merge semantics (stable outcomes)
- Jurisdiction-specific trust rules (US/EU/RU/CN)
- Source precedence and confidence weighting
- Deterministic conflict resolution

## What Gets Tested

### Lattice Properties
- Idempotency: merge(a, a) = a
- Commutativity: merge(a, b) = merge(b, a)
- Associativity: merge(merge(a, b), c) = merge(a, merge(b, c))
- Monotonicity: once "not_affected", never regresses

### Status Precedence
Order from most to least specific:
1. `not_affected` (strongest)
2. `affected` (with fix)
3. `under_investigation`
4. `affected` (no fix)

### Jurisdiction Rules
- US: FDA/NIST sources preferred
- EU: ENISA/BSI sources preferred
- RU: FSTEC sources preferred
- CN: CNVD sources preferred

## Test Cases

### TC-001: Idempotency

```json
{
  "input_a": { "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path" },
  "input_b": { "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path" },
  "expected": { "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path" }
}
```

### TC-002: Commutativity

```json
{
  "merge_ab": "merge(vendor_vex, nvd_vex)",
  "merge_ba": "merge(nvd_vex, vendor_vex)",
  "expected": "identical_result"
}
```

### TC-003: Associativity

```json
{
  "lhs": "merge(merge(a, b), c)",
  "rhs": "merge(a, merge(b, c))",
  "expected": "identical_result"
}
```

### TC-004: Conflict Resolution

```json
{
  "vendor_says": "not_affected",
  "nvd_says": "affected",
  "expected": "not_affected",
  "reason": "vendor_has_higher_precedence"
}
```

### TC-005: Jurisdiction Override

```json
{
  "jurisdiction": "EU",
  "bsi_says": "not_affected",
  "nist_says": "affected",
  "expected": "not_affected",
  "reason": "bsi_preferred_in_eu"
}
```

## Fixtures

```
fixtures/
├── lattice-properties/
│   ├── idempotency.json
│   ├── commutativity.json
│   └── associativity.json
├── conflict-resolution/
│   ├── vendor-vs-nvd.json
│   ├── multiple-vendors.json
│   └── timestamp-tiebreaker.json
├── jurisdiction-rules/
│   ├── us-fda-nist.json
│   ├── eu-enisa-bsi.json
│   ├── ru-fstec.json
│   └── cn-cnvd.json
└── expected/
    └── all-tests.results.json
```

## Running the Suite

```bash
# Run VEX lattice tests
dotnet test tests/StellaOps.Policy.Vex.Tests

# Run lattice property verification
./run-lattice-tests.sh

# Run jurisdiction rule tests
./run-jurisdiction-tests.sh
```

## Metrics

| Metric | Target | Description |
|--------|--------|-------------|
| Lattice properties | 100% pass | All algebraic properties hold |
| Jurisdiction correctness | 100% pass | Correct source preferred by region |
| Merge determinism | 100% pass | Same inputs → same output |

## Integration with CI

```yaml
# .gitea/workflows/bench-vex-lattice.yaml
name: VEX Lattice Benchmark
on:
  push:
    paths:
      - 'src/Policy/**'
      - 'bench/vex-lattice/**'

jobs:
  lattice:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Lattice Tests
        run: dotnet test tests/StellaOps.Policy.Vex.Tests
      - name: Run Property Tests
        run: ./bench/vex-lattice/run-lattice-tests.sh
```