up

src/Policy/StellaOps.Policy.Engine/Domain/PolicyBundleModels.cs

@@ -6,7 +6,18 @@ namespace StellaOps.Policy.Engine.Domain;
 
 public sealed record PolicyBundleRequest(
     [property: JsonPropertyName("dsl")] PolicyDslPayload Dsl,
-    [property: JsonPropertyName("signingKeyId")] string? SigningKeyId);
+    [property: JsonPropertyName("signingKeyId")] string? SigningKeyId,
+    [property: JsonPropertyName("provenance")] PolicyProvenanceInput? Provenance = null);
+
+/// <summary>
+/// Input provenance information for policy compilation.
+/// </summary>
+public sealed record PolicyProvenanceInput(
+    [property: JsonPropertyName("sourceType")] string SourceType,
+    [property: JsonPropertyName("sourceUrl")] string? SourceUrl = null,
+    [property: JsonPropertyName("submitter")] string? Submitter = null,
+    [property: JsonPropertyName("commitSha")] string? CommitSha = null,
+    [property: JsonPropertyName("branch")] string? Branch = null);
 
 public sealed record PolicyBundleResponse(
     [property: JsonPropertyName("success")] bool Success,
@@ -14,4 +25,18 @@ public sealed record PolicyBundleResponse(
     [property: JsonPropertyName("signature")] string? Signature,
     [property: JsonPropertyName("sizeBytes")] int SizeBytes,
     [property: JsonPropertyName("createdAt")] DateTimeOffset? CreatedAt,
-    [property: JsonPropertyName("diagnostics")] ImmutableArray<PolicyIssue> Diagnostics);
+    [property: JsonPropertyName("diagnostics")] ImmutableArray<PolicyIssue> Diagnostics,
+    [property: JsonPropertyName("aocMetadata")] PolicyAocMetadataResponse? AocMetadata = null);
+
+/// <summary>
+/// AOC metadata returned from policy compilation.
+/// </summary>
+public sealed record PolicyAocMetadataResponse(
+    [property: JsonPropertyName("compilationId")] string CompilationId,
+    [property: JsonPropertyName("compilerVersion")] string CompilerVersion,
+    [property: JsonPropertyName("compiledAt")] DateTimeOffset CompiledAt,
+    [property: JsonPropertyName("sourceDigest")] string SourceDigest,
+    [property: JsonPropertyName("artifactDigest")] string ArtifactDigest,
+    [property: JsonPropertyName("complexityScore")] double ComplexityScore,
+    [property: JsonPropertyName("ruleCount")] int RuleCount,
+    [property: JsonPropertyName("durationMilliseconds")] long DurationMilliseconds);

src/Policy/StellaOps.Policy.Engine/Domain/PolicyPackRecord.cs

@@ -35,17 +35,17 @@ internal sealed class PolicyPackRecord
         => revisions.IsEmpty ? 1 : revisions.Keys.Max() + 1;
 }
 
-internal sealed class PolicyRevisionRecord
-{
-    private readonly ConcurrentDictionary<string, PolicyActivationApproval> approvals = new(StringComparer.OrdinalIgnoreCase);
-
-    public PolicyBundleRecord? Bundle { get; private set; }
-
-    public PolicyRevisionRecord(int version, bool requiresTwoPerson, PolicyRevisionStatus status, DateTimeOffset createdAt)
-    {
-        Version = version;
-        RequiresTwoPersonApproval = requiresTwoPerson;
-        Status = status;
+internal sealed class PolicyRevisionRecord
+{
+    private readonly ConcurrentDictionary<string, PolicyActivationApproval> approvals = new(StringComparer.OrdinalIgnoreCase);
+
+    public PolicyBundleRecord? Bundle { get; private set; }
+
+    public PolicyRevisionRecord(int version, bool requiresTwoPerson, PolicyRevisionStatus status, DateTimeOffset createdAt)
+    {
+        Version = version;
+        RequiresTwoPersonApproval = requiresTwoPerson;
+        Status = status;
         CreatedAt = createdAt;
     }
 
@@ -73,43 +73,102 @@ internal sealed class PolicyRevisionRecord
         }
     }
 
-    public PolicyActivationApprovalStatus AddApproval(PolicyActivationApproval approval)
-    {
-        if (!approvals.TryAdd(approval.ActorId, approval))
-        {
-            return PolicyActivationApprovalStatus.Duplicate;
+    public PolicyActivationApprovalStatus AddApproval(PolicyActivationApproval approval)
+    {
+        if (!approvals.TryAdd(approval.ActorId, approval))
+        {
+            return PolicyActivationApprovalStatus.Duplicate;
         }
 
         return approvals.Count >= 2
-            ? PolicyActivationApprovalStatus.ThresholdReached
-            : PolicyActivationApprovalStatus.Pending;
-    }
-
-    public void SetBundle(PolicyBundleRecord bundle)
-    {
-        Bundle = bundle ?? throw new ArgumentNullException(nameof(bundle));
-    }
-}
-
-internal enum PolicyRevisionStatus
-{
-    Draft,
+            ? PolicyActivationApprovalStatus.ThresholdReached
+            : PolicyActivationApprovalStatus.Pending;
+    }
+
+    public void SetBundle(PolicyBundleRecord bundle)
+    {
+        Bundle = bundle ?? throw new ArgumentNullException(nameof(bundle));
+    }
+}
+
+internal enum PolicyRevisionStatus
+{
+    Draft,
     Approved,
     Active
 }
 
-internal sealed record PolicyActivationApproval(string ActorId, DateTimeOffset ApprovedAt, string? Comment);
-
-internal enum PolicyActivationApprovalStatus
-{
-    Pending,
-    ThresholdReached,
-    Duplicate
-}
-
-internal sealed record PolicyBundleRecord(
-    string Digest,
-    string Signature,
-    int Size,
-    DateTimeOffset CreatedAt,
-    ImmutableArray<byte> Payload);
+internal sealed record PolicyActivationApproval(string ActorId, DateTimeOffset ApprovedAt, string? Comment);
+
+internal enum PolicyActivationApprovalStatus
+{
+    Pending,
+    ThresholdReached,
+    Duplicate
+}
+
+internal sealed record PolicyBundleRecord(
+    string Digest,
+    string Signature,
+    int Size,
+    DateTimeOffset CreatedAt,
+    ImmutableArray<byte> Payload,
+    PolicyAocMetadata? AocMetadata = null);
+
+/// <summary>
+/// Attestation of Compliance metadata for a policy revision.
+/// Links policy decisions to explanation trees and AOC chain.
+/// </summary>
+internal sealed record PolicyAocMetadata(
+    /// <summary>Unique identifier for this compilation run.</summary>
+    string CompilationId,
+    /// <summary>Version of the compiler used (e.g., "stella-dsl@1").</summary>
+    string CompilerVersion,
+    /// <summary>Timestamp when compilation started.</summary>
+    DateTimeOffset CompiledAt,
+    /// <summary>SHA256 digest of the source policy document.</summary>
+    string SourceDigest,
+    /// <summary>SHA256 digest of the compiled artifact.</summary>
+    string ArtifactDigest,
+    /// <summary>Complexity score from compilation analysis.</summary>
+    double ComplexityScore,
+    /// <summary>Number of rules in the compiled policy.</summary>
+    int RuleCount,
+    /// <summary>Compilation duration in milliseconds.</summary>
+    long DurationMilliseconds,
+    /// <summary>Provenance information about the source.</summary>
+    PolicyProvenance? Provenance = null,
+    /// <summary>Reference to the signed attestation envelope.</summary>
+    PolicyAttestationRef? AttestationRef = null);
+
+/// <summary>
+/// Provenance information for policy source tracking.
+/// </summary>
+internal sealed record PolicyProvenance(
+    /// <summary>Type of source (git, upload, api).</summary>
+    string SourceType,
+    /// <summary>URL or path to the source.</summary>
+    string? SourceUrl,
+    /// <summary>User or service that submitted the policy.</summary>
+    string? Submitter,
+    /// <summary>Git commit SHA if applicable.</summary>
+    string? CommitSha,
+    /// <summary>Git branch if applicable.</summary>
+    string? Branch,
+    /// <summary>Timestamp when source was ingested.</summary>
+    DateTimeOffset IngestedAt);
+
+/// <summary>
+/// Reference to a signed DSSE attestation for the policy compilation.
+/// </summary>
+internal sealed record PolicyAttestationRef(
+    /// <summary>Unique identifier for the attestation.</summary>
+    string AttestationId,
+    /// <summary>SHA256 digest of the attestation envelope.</summary>
+    string EnvelopeDigest,
+    /// <summary>URI where the attestation can be retrieved.</summary>
+    string? Uri,
+    /// <summary>Key identifier used for signing.</summary>
+    string? SigningKeyId,
+    /// <summary>Timestamp when attestation was created.</summary>
+    DateTimeOffset CreatedAt);