up

src/Policy/StellaOps.Policy.Engine/Evaluation/PolicyEvaluationContext.cs

@@ -11,15 +11,16 @@ internal sealed record PolicyEvaluationRequest(
     PolicyIrDocument Document,
     PolicyEvaluationContext Context);
 
-internal sealed record PolicyEvaluationContext(
-    PolicyEvaluationSeverity Severity,
-    PolicyEvaluationEnvironment Environment,
-    PolicyEvaluationAdvisory Advisory,
-    PolicyEvaluationVexEvidence Vex,
-    PolicyEvaluationSbom Sbom,
-    PolicyEvaluationExceptions Exceptions,
-    PolicyEvaluationReachability Reachability,
-    DateTimeOffset? EvaluationTimestamp = null)
+internal sealed record PolicyEvaluationContext(
+    PolicyEvaluationSeverity Severity,
+    PolicyEvaluationEnvironment Environment,
+    PolicyEvaluationAdvisory Advisory,
+    PolicyEvaluationVexEvidence Vex,
+    PolicyEvaluationSbom Sbom,
+    PolicyEvaluationExceptions Exceptions,
+    PolicyEvaluationReachability Reachability,
+    PolicyEvaluationEntropy Entropy,
+    DateTimeOffset? EvaluationTimestamp = null)
 {
     /// <summary>
     /// Gets the evaluation timestamp for deterministic time-based operations.
@@ -36,12 +37,12 @@ internal sealed record PolicyEvaluationContext(
         PolicyEvaluationEnvironment environment,
         PolicyEvaluationAdvisory advisory,
         PolicyEvaluationVexEvidence vex,
-        PolicyEvaluationSbom sbom,
-        PolicyEvaluationExceptions exceptions,
-        DateTimeOffset? evaluationTimestamp = null)
-        : this(severity, environment, advisory, vex, sbom, exceptions, PolicyEvaluationReachability.Unknown, evaluationTimestamp)
-    {
-    }
+        PolicyEvaluationSbom sbom,
+        PolicyEvaluationExceptions exceptions,
+        DateTimeOffset? evaluationTimestamp = null)
+        : this(severity, environment, advisory, vex, sbom, exceptions, PolicyEvaluationReachability.Unknown, PolicyEvaluationEntropy.Unknown, evaluationTimestamp)
+{
+}
 }
 
 internal sealed record PolicyEvaluationSeverity(string Normalized, decimal? Score = null);
@@ -187,15 +188,15 @@ internal sealed record PolicyExceptionApplication(
 /// <summary>
 /// Reachability evidence for policy evaluation.
 /// </summary>
-internal sealed record PolicyEvaluationReachability(
-    string State,
-    decimal Confidence,
-    decimal Score,
-    bool HasRuntimeEvidence,
-    string? Source,
-    string? Method,
-    string? EvidenceRef)
-{
+internal sealed record PolicyEvaluationReachability(
+    string State,
+    decimal Confidence,
+    decimal Score,
+    bool HasRuntimeEvidence,
+    string? Source,
+    string? Method,
+    string? EvidenceRef)
+{
     /// <summary>
     /// Default unknown reachability state.
     /// </summary>
@@ -275,4 +276,26 @@ internal sealed record PolicyEvaluationReachability(
     /// Whether this reachability data has low confidence (&lt; 0.5).
     /// </summary>
     public bool IsLowConfidence => Confidence < 0.5m;
-}
+}
+
+/// <summary>
+/// Entropy evidence for policy evaluation.
+/// </summary>
+internal sealed record PolicyEvaluationEntropy(
+    decimal Penalty,
+    decimal ImageOpaqueRatio,
+    bool Blocked,
+    bool Warned,
+    bool Capped,
+    decimal? TopFileOpaqueRatio)
+{
+    public static PolicyEvaluationEntropy Unknown { get; } = new(
+        Penalty: 0m,
+        ImageOpaqueRatio: 0m,
+        Blocked: false,
+        Warned: false,
+        Capped: false,
+        TopFileOpaqueRatio: null);
+
+    public bool HasData => Penalty != 0m || ImageOpaqueRatio != 0m || Warned || Blocked;
+}

src/Policy/StellaOps.Policy.Engine/Evaluation/PolicyExpressionEvaluator.cs

@@ -63,12 +63,13 @@ internal sealed class PolicyExpressionEvaluator
             "vex" => new EvaluationValue(new VexScope(this, context.Vex)),
             "advisory" => new EvaluationValue(new AdvisoryScope(context.Advisory)),
             "sbom" => new EvaluationValue(new SbomScope(context.Sbom)),
-            "reachability" => new EvaluationValue(new ReachabilityScope(context.Reachability)),
-            "now" => new EvaluationValue(context.Now),
-            "true" => EvaluationValue.True,
-            "false" => EvaluationValue.False,
-            _ => EvaluationValue.Null,
-        };
+            "reachability" => new EvaluationValue(new ReachabilityScope(context.Reachability)),
+            "entropy" => new EvaluationValue(new EntropyScope(context.Entropy)),
+            "now" => new EvaluationValue(context.Now),
+            "true" => EvaluationValue.True,
+            "false" => EvaluationValue.False,
+            _ => EvaluationValue.Null,
+        };
     }
 
     private EvaluationValue EvaluateMember(PolicyMemberAccessExpression member, EvaluationScope scope)
@@ -100,15 +101,20 @@ internal sealed class PolicyExpressionEvaluator
             return sbom.Get(member.Member);
         }
 
-        if (raw is ReachabilityScope reachability)
-        {
-            return reachability.Get(member.Member);
-        }
-
-        if (raw is ComponentScope componentScope)
-        {
-            return componentScope.Get(member.Member);
-        }
+        if (raw is ReachabilityScope reachability)
+        {
+            return reachability.Get(member.Member);
+        }
+
+        if (raw is EntropyScope entropy)
+        {
+            return entropy.Get(member.Member);
+        }
+
+        if (raw is ComponentScope componentScope)
+        {
+            return componentScope.Get(member.Member);
+        }
 
         if (raw is RubyComponentScope rubyScope)
         {
@@ -856,12 +862,12 @@ internal sealed class PolicyExpressionEvaluator
     /// - reachability.method == "static"
     /// </example>
     private sealed class ReachabilityScope
-    {
-        private readonly PolicyEvaluationReachability reachability;
-
-        public ReachabilityScope(PolicyEvaluationReachability reachability)
-        {
-            this.reachability = reachability;
+    {
+        private readonly PolicyEvaluationReachability reachability;
+
+        public ReachabilityScope(PolicyEvaluationReachability reachability)
+        {
+            this.reachability = reachability;
         }
 
         public EvaluationValue Get(string member) => member.ToLowerInvariant() switch
@@ -879,10 +885,35 @@ internal sealed class PolicyExpressionEvaluator
             "is_under_investigation" or "isunderinvestigation" => new EvaluationValue(reachability.IsUnderInvestigation),
             "is_high_confidence" or "ishighconfidence" => new EvaluationValue(reachability.IsHighConfidence),
             "is_medium_confidence" or "ismediumconfidence" => new EvaluationValue(reachability.IsMediumConfidence),
-            "is_low_confidence" or "islowconfidence" => new EvaluationValue(reachability.IsLowConfidence),
-            _ => EvaluationValue.Null,
-        };
-    }
+            "is_low_confidence" or "islowconfidence" => new EvaluationValue(reachability.IsLowConfidence),
+            _ => EvaluationValue.Null,
+        };
+    }
+
+    /// <summary>
+    /// SPL scope for entropy predicates.
+    /// </summary>
+    private sealed class EntropyScope
+    {
+        private readonly PolicyEvaluationEntropy entropy;
+
+        public EntropyScope(PolicyEvaluationEntropy entropy)
+        {
+            this.entropy = entropy;
+        }
+
+        public EvaluationValue Get(string member) => member.ToLowerInvariant() switch
+        {
+            "penalty" => new EvaluationValue(entropy.Penalty),
+            "image_opaque_ratio" or "imageopaqueratio" => new EvaluationValue(entropy.ImageOpaqueRatio),
+            "blocked" => new EvaluationValue(entropy.Blocked),
+            "warned" => new EvaluationValue(entropy.Warned),
+            "capped" => new EvaluationValue(entropy.Capped),
+            "top_file_opaque_ratio" or "topfileopaqueratio" => new EvaluationValue(entropy.TopFileOpaqueRatio),
+            "has_data" or "hasdata" => new EvaluationValue(entropy.HasData),
+            _ => EvaluationValue.Null,
+        };
+    }
 
     /// <summary>
     /// SPL scope for macOS component predicates.