new advisories work and feature gaps work
@@ -367,7 +367,126 @@ The Policy Engine reads uncertainty gate thresholds from configuration:

---

## 13 · Versioning & Compatibility
## 13 · Signed Override Enforcement (Sprint 20260112.004)

Signed VEX overrides provide cryptographic assurance that operator decisions (not_affected, compensating controls) are authentic and auditable. The Policy Engine exposes override signature status to DSL rules for enforcement.

### 13.1 Override Signal Namespace

Within predicates and actions you may reference the following override signals:

| Signal | Type | Description |
|--------|------|-------------|
| `override.signed` | `bool` | `true` when the VEX override has a valid DSSE signature. |
| `override.rekor_verified` | `bool` | `true` when the override signature is anchored in Rekor transparency log. |
| `override.signing_key_id` | `string` | Key identifier used to sign the override. |
| `override.signer_identity` | `string` | Identity (email, OIDC subject) of the signer. |
| `override.envelope_digest` | `string` | SHA-256 digest of the DSSE envelope. |
| `override.rekor_log_index` | `int?` | Rekor log index if anchored; `null` otherwise. |
| `override.rekor_integrated_time` | `datetime?` | Timestamp when anchored in Rekor. |
| `override.valid_from` | `datetime?` | Override validity window start (if specified). |
| `override.valid_until` | `datetime?` | Override validity window end (if specified). |
| `override.within_validity_period` | `bool` | `true` when current time is within validity window (or no window specified). |
| `override.key_trust_level` | `string` | Trust level: `Unknown`, `LowTrust`, `OrganizationTrusted`, `HighlyTrusted`. |

### 13.2 Enforcement Rules

#### 13.2.1 Require Signed Overrides

Block unsigned VEX overrides from being accepted:

```dsl
rule require_signed_overrides priority 1 {
when vex.any(status in ["not_affected", "fixed"])
and not override.signed
then status := "under_investigation"
annotate override_blocked := "Unsigned override rejected"
because "Production environments require signed VEX overrides";
}
```

#### 13.2.2 Require Rekor Anchoring for Critical Assets

For critical assets, require transparency log anchoring:

```dsl
rule require_rekor_for_critical priority 2 {
when env.asset_tier == "critical"
and vex.any(status == "not_affected")
and override.signed
and not override.rekor_verified
then status := "under_investigation"
warn message "Critical asset requires Rekor-anchored override"
because "Critical assets require transparency log verification";
}
```

#### 13.2.3 Trust Level Gating

Gate override acceptance based on signer trust level:

```dsl
rule gate_by_trust_level priority 5 {
when override.signed
and override.key_trust_level in ["Unknown", "LowTrust"]
and env.security_posture == "strict"
then status := "under_investigation"
annotate trust_gate_failed := override.signer_identity
because "Strict posture requires OrganizationTrusted or higher";
}
```

#### 13.2.4 Validity Period Enforcement

Reject expired or not-yet-valid overrides:

```dsl
rule enforce_validity_period priority 3 {
when override.signed
and exists(override.valid_until)
and not override.within_validity_period
then status := "affected"
annotate override_expired := override.valid_until
because "VEX override has expired or is not yet valid";
}
```

### 13.3 Default Enforcement Profile

The default enforcement profile blocks unsigned overrides in production:

```dsl
settings {
require_signed_overrides = true;
require_rekor_for_production = false;
minimum_trust_level = "OrganizationTrusted";
enforce_validity_period = true;
}
```

Override these settings in environment-specific policy packs.

### 13.4 Offline Mode Considerations

In sealed/offline deployments:

- `override.rekor_verified` evaluates to `false` (no network access to verify).
- Use embedded proofs in the DSSE envelope for signature verification.
- Policies should fall back to signature verification without requiring Rekor:

```dsl
rule offline_safe_override priority 5 {
when env.sealed_mode == true
and override.signed
and override.key_trust_level in ["OrganizationTrusted", "HighlyTrusted"]
then status := vex.status
because "Offline mode accepts signed overrides from trusted keys without Rekor";
}
```

---

## 14 · Versioning & Compatibility

- `syntax "stella-dsl@1"` is mandatory.
- Future revisions (`@2`, …) will be additive; existing packs continue to compile with their declared version.
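Review bot: `require_signed_overrides` (13.2.1) cannot tell "unsigned override" from "no override at all". The 13.1 namespace has no signal that says an override is present, so `when vex.any(status in ["not_affected", "fixed"]) and not override.signed` also fires on plain upstream VEX statements that nobody overrode and pushes every vendor `not_affected`/`fixed` to `under_investigation`; `fixed` is also not one of the operator decisions the intro names. Add an `override.present` (or similar) signal to the table and guard on it, or scope the rule to statements that carry an override; `gate_by_trust_level` and `enforce_validity_period` have the same gap. In 13.2.4, `exists(override.valid_until)` skips an override that sets only `valid_from`, although the text promises to reject "not yet valid" ones and `within_validity_period` already returns `true` when no window is set, so the guard can simply go; also decide whether an expired override should assert `affected` or fall back to `under_investigation` like every other rule. `offline_safe_override` (13.4) accepts a signed, trusted override without checking `override.within_validity_period`, and at priority 5 it may win over the priority-3 validity rule depending on evaluation order, which this section never states. Finally, 13.4 says `override.rekor_verified` is always `false` in sealed mode but then tells operators to rely on embedded proofs in the DSSE envelope; if the envelope carries a Rekor inclusion proof or signed entry timestamp, anchoring can be checked offline against a pinned log key and the signal should say so, otherwise spell out what the embedded proofs actually prove. The `settings` keys in 13.3 (`require_rekor_for_production`, `minimum_trust_level`) are not tied to any rule or signal shown here; document how they interact with the 13.2 rules, for example whether `minimum_trust_level` makes `gate_by_trust_level` redundant.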
@@ -375,7 +494,7 @@ The Policy Engine reads uncertainty gate thresholds from configuration:

---

## 14 · Compliance Checklist
## 15 · Compliance Checklist

- [ ] **Grammar validated:** Policy compiles with `stella policy lint` and matches `syntax "stella-dsl@1"`.
- [ ] **Deterministic constructs only:** No use of forbidden namespaces (`DateTime.Now`, `Guid.NewGuid`, external services).

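Review bot: renumbering the checklist to 15 matches the new `## 14 · Versioning & Compatibility` heading, but the checklist gains no item for the controls that the new section 13 introduces. Add a box along the lines of "**Override enforcement:** `settings` declares `require_signed_overrides`, `minimum_trust_level` and `enforce_validity_period`, and no rule accepts a `not_affected` override without `override.signed`", and check that any cross-reference elsewhere in the document that still points at section 13 for versioning or section 14 for the checklist is updated in this same change.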