save progress

2025-12-20 12:15:16 +02:00
parent 439f10966b
commit 0ada1b583f
95 changed files with 12400 additions and 65 deletions
--- a/docs/key-features.md
+++ b/docs/key-features.md
@@ -61,6 +61,21 @@ Each card below pairs the headline capability with the evidence that backs it an
 - **Evidence:** Vulnerability surfaces in `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/`; confidence tiers (Confirmed/Likely/Present/Unreachable).
 - **Why it matters:** Makes false positives *structurally impossible*, not heuristically reduced. Path witnesses are DSSE-signed.

+## 12. Trust Algebra and Lattice Engine (2025-12)
+- **What it is:** A deterministic claim resolution engine using **Belnap K4 four-valued logic** (Unknown, True, False, Conflict) to aggregate heterogeneous security assertions (VEX, SBOM, reachability, provenance) into signed, replayable verdicts.
+- **Evidence:** Implementation in `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/`; 110 unit+integration tests; normalizers for CycloneDX, OpenVEX, and CSAF VEX formats; ECMA-424 disposition output (resolved, exploitable, in_triage, etc.).
+- **Technical primitives:**
+  - **K4 Lattice**: Conflict-preserving knowledge aggregation with join/meet/order operations
+  - **Security Atoms**: Six orthogonal propositions (PRESENT, APPLIES, REACHABLE, MITIGATED, FIXED, MISATTRIBUTED)
+  - **Trust Labels**: Four-tuple (AssuranceLevel, AuthorityScope, FreshnessClass, EvidenceClass) for issuer credibility
+  - **Disposition Selection**: Priority-based rules that detect conflicts before auto-dismissal
+  - **Proof Bundles**: Content-addressed audit trail with decision trace
+- **Why it matters:** Unlike naive VEX precedence (vendor > distro > scanner), the lattice engine:
+  - Preserves conflicts as explicit state (⊤) rather than hiding them
+  - Reports critical unknowns (PRESENT, APPLIES, REACHABLE) separately from ancillary ones
+  - Produces deterministic, explainable dispositions that survive audit
+  - Makes "what we don't know" visible and policy-addressable
+
 ## 11. Deterministic Task Packs (2025-11)
 - **What it is:** TaskRunner executes declarative Task Packs with plan-hash binding, approvals, sealed-mode enforcement, and DSSE evidence bundles.
 - **Evidence:** Product advisory `docs/product-advisories/29-Nov-2025 - Task Pack Orchestration and Automation.md`; architecture contract in `docs/modules/taskrunner/architecture.md`; runbook/spec in `docs/task-packs/*.md`.