Automatic code_not_reachable VEX Justification Generation

Module

Excititor

Status

IMPLEMENTED

Description

Automatically generates VEX code_not_reachable justifications when a reachability slice verdict is "unreachable". Each justification includes the slice digest as an evidence reference, and the OpenVEX, CSAF, and CycloneDX formats are supported. Auto-generated justifications require human approval by default.
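
The flow described above, as an added example that is not code from the Stella Ops repository: an "unreachable" verdict becomes a pending justification, and export is refused until a human approves it. `SliceVerdict`, `Justification`, `generate`, `export` and the field that carries the slice digest in each format are assumptions made for illustration; the labels are the ones each format defines for this case (CycloneDX `code_not_reachable`, OpenVEX and CSAF `vulnerable_code_not_in_execute_path`).

```python
from dataclasses import dataclass

# Label each format uses for "the vulnerable code is never executed".
LABEL = {"cyclonedx": "code_not_reachable",
         "openvex": "vulnerable_code_not_in_execute_path",
         "csaf": "vulnerable_code_not_in_execute_path"}

@dataclass(frozen=True)
class SliceVerdict:            # hypothetical shape of a slice verdict
    vuln_id: str
    product: str
    status: str                # "reachable" | "unreachable" | "unknown"
    slice_digest: str          # digest of the analysed slice (the evidence)

@dataclass(frozen=True)
class Justification:           # hypothetical; pending until a human approves
    verdict: SliceVerdict
    approved: bool = False

def generate(verdict):
    """Return a pending justification, but only for an 'unreachable' verdict."""
    if verdict.status != "unreachable":
        return None
    if not verdict.slice_digest:
        raise ValueError("unreachable verdict carries no slice digest")
    return Justification(verdict)

def export(j, fmt):
    """Render an approved justification as a fragment of the given format."""
    if not j.approved:
        raise PermissionError("auto-generated justification awaits approval")
    v, label = j.verdict, LABEL[fmt]
    note = f"reachability slice {v.slice_digest}"   # field placement is assumed
    if fmt == "openvex":
        return {"vulnerability": {"name": v.vuln_id},
                "products": [{"@id": v.product}], "status": "not_affected",
                "justification": label, "impact_statement": note}
    if fmt == "cyclonedx":
        return {"id": v.vuln_id, "affects": [{"ref": v.product}],
                "analysis": {"state": "not_affected",
                             "justification": label, "detail": note}}
    return {"cve": v.vuln_id,
            "product_status": {"known_not_affected": [v.product]},
            "flags": [{"label": label, "product_ids": [v.product]}],
            "notes": [{"category": "details", "text": note}]}

# Constructed sample input: placeholder CVE id, product and digest.
SAMPLE = SliceVerdict("CVE-0000-0000", "pkg:generic/demo@1.0",
                      "unreachable", "sha256:" + "ab" * 32)
```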

Implementation Details

  • Modules: src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/, src/Excititor/__Libraries/StellaOps.Excititor.Core/Justification/, src/Excititor/__Libraries/StellaOps.Excititor.Core/Reachability/
  • Key Classes:
    • VexNotReachableJustification (src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/VexNotReachableJustification.cs) - generates code_not_reachable justifications from reachability data
    • ReachabilityJustificationGenerator (src/Excititor/__Libraries/StellaOps.Excititor.Core/Justification/ReachabilityJustificationGenerator.cs) - generates justifications from reachability slice verdicts
    • VexDowngradeGenerator (src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/VexDowngradeGenerator.cs) - generates VEX downgrade statements when code is unreachable
    • AutoVexDowngradeService (src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/AutoVexDowngradeService.cs) - service orchestrating auto-VEX downgrade workflow
    • ReachabilityLatticeUpdater (src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/ReachabilityLatticeUpdater.cs) - updates lattice state with reachability evidence
    • TimeBoxedConfidence (src/Excititor/__Libraries/StellaOps.Excititor.Core/AutoVex/TimeBoxedConfidence.cs) - time-bounded confidence for auto-generated justifications
    • SliceVerdictConsumer (src/Excititor/__Libraries/StellaOps.Excititor.Core/Reachability/SliceVerdictConsumer.cs) - consumes reachability slice verdicts
  • Interfaces: ISliceVerdictConsumer
  • Source: SPRINT_3830_0001_0001_vex_integration_policy_binding.md

E2E Test Plan

  • Trigger a reachability slice verdict of "unreachable" and verify VexNotReachableJustification generates a code_not_reachable justification
  • Verify the generated justification includes the slice digest as evidence reference
  • Verify AutoVexDowngradeService marks auto-generated justifications as requiring human approval by default
  • Verify TimeBoxedConfidence applies time-bounded confidence decay to auto-generated justifications
  • Verify generated justifications are compatible with OpenVEX, CSAF, and CycloneDX export formats
  • Verify ReachabilityLatticeUpdater updates the lattice state when reachability evidence changes