stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

semi implemented and features implemented save checkpoint

Browse Source
This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/features/unchecked/libraries/policy-lock-generator.md Normal file
View File

@@ -0,0 +1,29 @@
# Policy Lock Generator (Verdict Reproducibility)
## Module
__Libraries
## Status
IMPLEMENTED
## Description
Generates deterministic policy lock files that pin the exact policy rules, versions, and evaluation parameters used to produce a verdict. Ensures verdicts can be reproduced identically by capturing the full policy context alongside the CGS hash.
## Implementation Details
- **PolicyLockGenerator**: `src/__Libraries/StellaOps.Verdict/PolicyLockGenerator.cs` -- implements `IPolicyLockGenerator`; `GenerateAsync(policyId)` creates `PolicyLock` with SchemaVersion "1.0", auto-generated PolicyVersion from ID + timestamp, rule hashes dict, EngineVersion "1.0.0"; `GenerateForVersionAsync(policyId, version)` pins specific version; `ValidateAsync(policyLock)` checks SchemaVersion, PolicyVersion, EngineVersion, non-empty RuleHashes, future timestamp detection (5min tolerance), hash format validation ("sha256:" + 64 hex chars); `ComputeRuleHash` uses SHA256 of canonical JSON `{definition, version}` with prefix "sha256:"; uses injected `TimeProvider` for deterministic timestamps
- **IPolicyLockGenerator**: `src/__Libraries/StellaOps.Verdict/IPolicyLockGenerator.cs` -- interface: GenerateAsync, GenerateForVersionAsync, ValidateAsync
- **PolicyLock**: record with SchemaVersion, PolicyVersion, RuleHashes (IReadOnlyDictionary<string, string>), EngineVersion, GeneratedAt
- **PolicyLockValidation**: record with IsValid, ErrorMessage, MismatchedRules
- **VerdictBuilderService**: `src/__Libraries/StellaOps.Verdict/VerdictBuilderService.cs` -- integrates with PolicyLockGenerator
- **VerdictServiceCollectionExtensions**: `src/__Libraries/StellaOps.Verdict/VerdictServiceCollectionExtensions.cs` -- DI registration
- **Source**: SPRINT_20251229_001_001_BE_cgs_infrastructure.md
## E2E Test Plan
- [ ] Verify GenerateAsync creates PolicyLock with non-empty RuleHashes dictionary
- [ ] Test ComputeRuleHash produces deterministic SHA-256 hash in "sha256:{hex}" format
- [ ] Verify ValidateAsync detects missing required fields (SchemaVersion, PolicyVersion, EngineVersion)
- [ ] Test future timestamp detection (GeneratedAt > now + 5 minutes fails validation)
- [ ] Verify ValidateAsync catches invalid hash format (non-hex, wrong length)
- [ ] Test GenerateForVersionAsync pins exact version string in PolicyLock
- [ ] Verify same policy input produces identical PolicyLock (deterministic)
- [ ] Test TimeProvider injection enables deterministic timestamp generation in tests