git.stella-ops.org/docs/implplan/SPRINT_4500_SUMMARY.md
StellaOps Bot df94136727 feat: Implement distro-native version comparison for RPM, Debian, and Alpine packages
- Add RpmVersionComparer for RPM version comparison with epoch, version, and release handling.
- Introduce DebianVersion for parsing Debian EVR (Epoch:Version-Release) strings.
- Create ApkVersion for parsing Alpine APK version strings with suffix support.
- Define IVersionComparator interface for version comparison with proof-line generation.
- Implement VersionComparisonResult struct to encapsulate comparison results and proof lines.
- Add tests for Debian and RPM version comparers to ensure correct functionality and edge case handling.
- Create project files for the version comparison library and its tests.
2025-12-22 09:49:53 +02:00


# SPRINT_4500 SUMMARY: VEX Hub & Trust Scoring
## Program Overview
| Field | Value |
|-------|-------|
| **Program ID** | 4500 |
| **Theme** | VEX Distribution Network: Aggregation, Trust, and Ecosystem |
| **Priority** | P1 (High) |
| **Total Effort** | ~6 weeks |
| **Advisory Source** | 19-Dec-2025 - Stella Ops candidate features mapped to moat strength |
---
## Strategic Context
The advisory explicitly calls out Aqua's VEX Hub as competitive. This program establishes StellaOps as a trusted VEX distribution layer with:
1. **VEX Hub** — Aggregation, validation, and serving at scale
2. **Trust Scoring** — Multi-dimensional trust assessment of VEX sources
---
## Sprint Breakdown
| Sprint ID | Title | Effort | Moat |
|-----------|-------|--------|------|
| 4500_0001_0001 | VEX Hub Aggregation Service | 4 weeks | 3-4 |
| 4500_0001_0002 | VEX Trust Scoring Framework | 2 weeks | 3-4 |
---
## New Module
This program introduces a new module: `src/VexHub/`

---
## Dependencies
- **Requires**: VexLens (exists)
- **Requires**: Excititor connectors (exist)
- **Requires**: TrustWeightEngine (exists)
---
## Outcomes
1. VEX Hub aggregates statements from all configured sources
2. API enables query by CVE, PURL, source
3. Trivy/Grype can consume VEX from hub URL
4. Trust scores inform consensus decisions
---
## Competitive Positioning
| Competitor | VEX Capability | StellaOps Differentiation |
|------------|----------------|---------------------------|
| Aqua VEX Hub | Centralized repository | +Trust scoring, +Verification, +Decisioning coupling |
| Trivy | VEX consumption | +Aggregation source, +Consensus engine |
| Anchore | VEX annotation | +Multi-source, +Lattice logic |
---
**Sprint Series Status:** TODO

**Created:** 2025-12-22