VEX conflict resolution (side-by-side merge with provenance)

Module

Concelier

IMPLEMENTED

VEX conflict resolver and consensus engine merge statements from multiple sources with rationale models explaining merge outcomes.

Modules: src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/
Key Classes:
- VexConflictResolver (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConflictResolver.cs) - resolves conflicts between VEX statements from multiple sources with provenance-based precedence
- VexConsumptionReporter (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionReporter.cs) - reports VEX consumption outcomes and merge rationale
- VexConsumptionPolicyLoader (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicyLoader.cs) - loads VEX consumption policies defining merge rules
- VexConsumptionPolicyDefaults (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionPolicy.cs) - default merge policy configuration
- VexConsumptionOptions (src/Concelier/__Libraries/StellaOps.Concelier.SbomIntegration/Vex/VexConsumptionOptions.cs) - options for VEX consumption behavior
Interfaces: IVexConflictResolver, IVexConsumptionReporter, IVexConsumptionPolicyLoader
Source: Feature matrix scan

Submit two conflicting VEX statements (affected vs not_affected) for the same CVE+product and verify the resolver produces a merged outcome with rationale
Verify provenance-based precedence: vendor VEX statement takes precedence over community source
Verify VexConsumptionReporter emits a report explaining why one statement won over another
Verify policy-based resolution: load a custom merge policy and confirm it changes the resolution outcome
Verify side-by-side preservation: both original statements remain accessible after merge