Refactor code structure for improved readability and maintainability; optimize performance in key functions.

etc/concelier.yaml.sample

@@ -117,24 +117,38 @@ mirror:
       requireAuthentication: false
       maxDownloadRequestsPerHour: 1200
 
-sources:
-  ghsa:
-    apiToken: "${GITHUB_PAT}"
-    pageSize: 50
-    maxPagesPerFetch: 5
-    requestDelay: "00:00:00.200"
-    failureBackoff: "00:05:00"
-    rateLimitWarningThreshold: 500
-    secondaryRateLimitBackoff: "00:02:00"
-  cve:
-    baseEndpoint: "https://cveawg.mitre.org/api/"
-    apiOrg: ""
-    apiUser: ""
-    apiKey: ""
-    # Optional mirror used when credentials are unavailable.
-    seedDirectory: "./seed-data/cve"
-    pageSize: 200
-    maxPagesPerFetch: 5
-    initialBackfill: "30.00:00:00"
-    requestDelay: "00:00:00.250"
-    failureBackoff: "00:10:00"
+concelier:
+  sources:
+    ghsa:
+      apiToken: "${GITHUB_PAT}"
+      pageSize: 50
+      maxPagesPerFetch: 5
+      requestDelay: "00:00:00.200"
+      failureBackoff: "00:05:00"
+      rateLimitWarningThreshold: 500
+      secondaryRateLimitBackoff: "00:02:00"
+    cve:
+      baseEndpoint: "https://cveawg.mitre.org/api/"
+      apiOrg: ""
+      apiUser: ""
+      apiKey: ""
+      # Optional mirror used when credentials are unavailable.
+      seedDirectory: "./seed-data/cve"
+      pageSize: 200
+      maxPagesPerFetch: 5
+      initialBackfill: "30.00:00:00"
+      requestDelay: "00:00:00.250"
+      failureBackoff: "00:10:00"
+    alpine:
+      baseUri: "https://secdb.alpinelinux.org/"
+      releases:
+        - "v3.18"
+        - "v3.19"
+        - "v3.20"
+      repositories:
+        - "main"
+        - "community"
+      maxDocumentsPerFetch: 20
+      fetchTimeout: "00:00:45"
+      requestDelay: "00:00:00"
+      userAgent: "StellaOps.Concelier.Alpine/0.1 (+https://stella-ops.org)"

etc/excititor-calibration.yaml.sample

@@ -0,0 +1,142 @@
+# Trust Vector Calibration Configuration
+# This file controls how trust vectors are automatically adjusted based on empirical feedback
+
+# Calibration service configuration
+calibration:
+  enabled: true
+
+  # Calibration epoch configuration
+  # An epoch is a period during which feedback is collected before adjustments are applied
+  epoch:
+    # How often to run calibration (in days)
+    intervalDays: 30
+
+    # Minimum samples required before calibration runs
+    minimumSamples: 100
+
+    # Maximum samples to consider per epoch (prevents over-fitting)
+    maximumSamples: 10000
+
+  # Learning rate configuration
+  # Controls how aggressively trust vectors are adjusted
+  learningRate:
+    # Base learning rate (0.0 = no change, 1.0 = full replacement)
+    base: 0.15
+
+    # Adaptive learning based on confidence in calibration data
+    adaptive: true
+
+    # Reduce learning rate when variance is high
+    varianceReduction: true
+
+    # Maximum adjustment per epoch (safety limit)
+    maxAdjustmentPerEpoch: 0.25
+
+  # Feedback sources
+  # Where calibration data comes from
+  feedbackSources:
+    # Ground truth from reachability analysis
+    - source: "reachability"
+      weight: 1.0
+      enabled: true
+
+    # Customer-reported false positives/negatives
+    - source: "customer_feedback"
+      weight: 0.8
+      enabled: true
+
+    # Automated testing results
+    - source: "integration_tests"
+      weight: 0.7
+      enabled: false  # Only enable if test suite is comprehensive
+
+  # Provider-specific calibration settings
+  providerCalibration:
+    # Enable per-provider calibration (vs. global only)
+    perProviderEnabled: true
+
+    # Minimum samples needed for provider-specific calibration
+    providerMinimumSamples: 50
+
+    # Fall back to global calibration if insufficient provider samples
+    fallbackToGlobal: true
+
+  # Calibration manifest signing
+  manifest:
+    # Sign calibration manifests for auditability
+    signManifests: true
+
+    # Signature algorithm
+    signatureAlgorithm: "EdDSA"  # or "RSA", "ECDSA"
+
+    # Store manifests for historical analysis
+    storeManifests: true
+
+    # Retention period for calibration manifests (days)
+    retentionDays: 365
+
+  # Rollback configuration
+  rollback:
+    # Enable automatic rollback if calibration degrades performance
+    enabled: true
+
+    # Threshold for automatic rollback (performance degradation %)
+    degradationThreshold: 10
+
+    # Evaluation window for rollback decision (days)
+    evaluationWindowDays: 7
+
+  # Alerts and notifications
+  alerts:
+    # Notify when calibration epoch completes
+    onEpochComplete: true
+
+    # Notify when significant adjustments are made
+    onSignificantAdjustment: true
+    significantAdjustmentThreshold: 0.15
+
+    # Notify when calibration fails or is rolled back
+    onFailureOrRollback: true
+
+# Comparison engine configuration
+# How calibration compares expected vs. actual outcomes
+comparisonEngine:
+  # Metrics to track
+  metrics:
+    - precision       # True positives / (True positives + False positives)
+    - recall          # True positives / (True positives + False negatives)
+    - f1Score         # Harmonic mean of precision and recall
+    - falsePositiveRate
+    - falseNegativeRate
+
+  # Weighting of metrics in optimization
+  metricWeights:
+    precision: 0.4
+    recall: 0.4
+    f1Score: 0.2
+
+  # Comparison granularity
+  granularity:
+    byProvider: true   # Track performance per provider
+    bySeverity: true   # Track performance per CVE severity
+    byStatus: true     # Track performance per VEX status
+
+# Calibration storage
+storage:
+  # PostgreSQL schema for calibration data
+  schema: "excititor_calibration"
+
+  # Table for calibration manifests
+  manifestsTable: "calibration_manifests"
+
+  # Table for feedback samples
+  samplesTable: "calibration_samples"
+
+  # Table for adjustment history
+  adjustmentsTable: "trust_vector_adjustments"
+
+# Environment variable overrides
+# STELLAOPS_CALIBRATION_ENABLED=true
+# STELLAOPS_CALIBRATION_EPOCH_INTERVAL_DAYS=30
+# STELLAOPS_CALIBRATION_LEARNING_RATE=0.15
+# STELLAOPS_CALIBRATION_MIN_SAMPLES=100

etc/policy-gates.yaml.sample

@@ -0,0 +1,45 @@
+# Policy gate configuration sample for trust lattice evaluation.
+version: "1.0"
+trustLattice:
+  weights:
+    provenance: 0.45
+    coverage: 0.35
+    replayability: 0.20
+  freshness:
+    halfLifeDays: 90
+    floor: 0.35
+  conflictPenalty: 0.25
+
+gates:
+  minimumConfidence:
+    enabled: true
+    thresholds:
+      production: 0.75
+      staging: 0.60
+      development: 0.40
+    applyToStatuses:
+      - not_affected
+      - fixed
+
+  unknownsBudget:
+    enabled: true
+    maxUnknownCount: 5
+    maxCumulativeUncertainty: 2.0
+    escalateOnFail: true
+
+  sourceQuota:
+    enabled: true
+    maxInfluencePercent: 60
+    corroborationDelta: 0.10
+    requireCorroborationFor:
+      - not_affected
+      - fixed
+
+  reachabilityRequirement:
+    enabled: true
+    severityThreshold: CRITICAL
+    requiredForStatuses:
+      - not_affected
+    bypassReasons:
+      - component_not_present
+      - vulnerable_configuration_unused

etc/trust-lattice.yaml.sample

@@ -0,0 +1,72 @@
+# Trust Lattice Configuration for VEX Source Scoring
+# This file defines the default trust vectors and weights for evaluating VEX sources
+
+# Default trust weights for combining P/C/R components
+# These weights are used when computing the base trust score
+# Formula: BaseTrust = (wP × P) + (wC × C) + (wR × R)
+defaultWeights:
+  provenance: 0.45      # Weight for provenance score (crypto & process integrity)
+  coverage: 0.35        # Weight for coverage score (scope match precision)
+  replayability: 0.20   # Weight for replayability score (determinism & pinning)
+
+# Default trust vectors for source classifications
+# These are fallback values when a source doesn't have explicit configuration
+defaultVectors:
+
+  # Vendor-published VEX statements (e.g., Red Hat, Oracle, Microsoft)
+  vendor:
+    provenance: 0.90     # High - official vendor channels with signing
+    coverage: 0.85       # High - vendor knows their own products
+    replayability: 0.70  # Medium-High - usually versioned but may lack pinning
+
+  # Distribution-published VEX (e.g., Ubuntu, Debian, Alpine)
+  distro:
+    provenance: 0.85     # High - official distro channels
+    coverage: 0.90       # Very High - distros track OS packages precisely
+    replayability: 0.75  # Medium-High - pinned to distro versions
+
+  # Third-party aggregators/hubs (e.g., SUSE Rancher VEX Hub)
+  hub:
+    provenance: 0.75     # Medium-High - depends on hub's verification process
+    coverage: 0.70       # Medium - may aggregate from various sources
+    replayability: 0.60  # Medium - varies by hub's data model
+
+  # Platform-specific VEX (e.g., OCI attestations, cloud provider advisories)
+  platform:
+    provenance: 0.80     # Medium-High - platform signing available
+    coverage: 0.75       # Medium-High - platform-aware matching
+    replayability: 0.65  # Medium - depends on platform's commitment
+
+  # User-supplied/internal VEX statements
+  internal:
+    provenance: 0.70     # Medium - internal PKI or unsigned
+    coverage: 0.95       # Very High - organization knows its own environment
+    replayability: 0.85  # High - controlled by organization
+
+# Claim strength multipliers
+# These adjust the base trust score based on claim metadata
+claimStrength:
+  high: 1.0       # Full trust (e.g., cryptographic proof, reachability analysis)
+  medium: 0.9     # Slightly reduced (e.g., heuristic evidence, manual analysis)
+  low: 0.75       # Significantly reduced (e.g., speculation, incomplete data)
+  unspecified: 0.8  # Conservative default when strength not provided
+
+# Freshness decay configuration
+# Older VEX claims are less trustworthy than recent ones
+freshnessDecay:
+  enabled: true
+  halfLifeDays: 90           # Freshness drops to 50% after this many days
+  minimumFreshness: 0.5      # Floor to prevent complete dismissal of old claims
+
+  # Override: Never apply freshness decay to certain statuses
+  # These statuses are considered "timeless" facts
+  exemptStatuses:
+    - fixed                  # Fix remains valid
+    - notAffected           # Not-affected is structural, doesn't decay
+
+# Environment variable overrides
+# These can be set to override file-based configuration at runtime
+# STELLAOPS_TRUST_LATTICE_DEFAULT_WP=0.45
+# STELLAOPS_TRUST_LATTICE_DEFAULT_WC=0.35
+# STELLAOPS_TRUST_LATTICE_DEFAULT_WR=0.20
+# STELLAOPS_TRUST_LATTICE_FRESHNESS_HALFLIFE_DAYS=90