up

src/Policy/StellaOps.Policy.Engine/Services/PolicyRuntimeEvaluationService.cs

@@ -1,5 +1,6 @@
 using System.Collections.Immutable;
 using System.Diagnostics;
+using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
@@ -27,6 +28,9 @@ internal sealed record RuntimeEvaluationRequest(
     PolicyEvaluationSbom Sbom,
     PolicyEvaluationExceptions Exceptions,
     PolicyEvaluationReachability Reachability,
+    string? EntropyLayerSummary,
+    string? EntropyReport,
+    bool? ProvenanceAttested,
     DateTimeOffset? EvaluationTimestamp = null,
     bool BypassCache = false);
 
@@ -59,6 +63,7 @@ internal sealed class PolicyRuntimeEvaluationService
     private readonly IPolicyEvaluationCache _cache;
     private readonly PolicyEvaluator _evaluator;
     private readonly ReachabilityFacts.ReachabilityFactsJoiningService? _reachabilityFacts;
+    private readonly Signals.Entropy.EntropyPenaltyCalculator _entropy;
     private readonly TimeProvider _timeProvider;
     private readonly ILogger<PolicyRuntimeEvaluationService> _logger;
 
@@ -73,6 +78,7 @@ internal sealed class PolicyRuntimeEvaluationService
         IPolicyEvaluationCache cache,
         PolicyEvaluator evaluator,
         ReachabilityFacts.ReachabilityFactsJoiningService? reachabilityFacts,
+        Signals.Entropy.EntropyPenaltyCalculator entropy,
         TimeProvider timeProvider,
         ILogger<PolicyRuntimeEvaluationService> logger)
     {
@@ -80,6 +86,7 @@ internal sealed class PolicyRuntimeEvaluationService
         _cache = cache ?? throw new ArgumentNullException(nameof(cache));
         _evaluator = evaluator ?? throw new ArgumentNullException(nameof(evaluator));
         _reachabilityFacts = reachabilityFacts;
+        _entropy = entropy ?? throw new ArgumentNullException(nameof(entropy));
         _timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
         _logger = logger ?? throw new ArgumentNullException(nameof(logger));
     }
@@ -158,6 +165,8 @@ internal sealed class PolicyRuntimeEvaluationService
                 $"Compiled policy document not found for pack '{request.PackId}' version {request.Version}.");
         }
 
+        var entropy = ComputeEntropy(effectiveRequest);
+
         var context = new PolicyEvaluationContext(
             effectiveRequest.Severity,
             new PolicyEvaluationEnvironment(ImmutableDictionary<string, string>.Empty),
@@ -166,6 +175,7 @@ internal sealed class PolicyRuntimeEvaluationService
             effectiveRequest.Sbom,
             effectiveRequest.Exceptions,
             effectiveRequest.Reachability,
+            entropy,
             evaluationTimestamp);
 
         var evalRequest = new Evaluation.PolicyEvaluationRequest(document, context);
@@ -335,6 +345,8 @@ internal sealed class PolicyRuntimeEvaluationService
                 var startTimestamp = _timeProvider.GetTimestamp();
                 var evaluationTimestamp = request.EvaluationTimestamp ?? _timeProvider.GetUtcNow();
 
+                var entropy = ComputeEntropy(request);
+
                 var context = new PolicyEvaluationContext(
                     request.Severity,
                     new PolicyEvaluationEnvironment(ImmutableDictionary<string, string>.Empty),
@@ -343,6 +355,7 @@ internal sealed class PolicyRuntimeEvaluationService
                     request.Sbom,
                     request.Exceptions,
                     request.Reachability,
+                    entropy,
                     evaluationTimestamp);
 
                 var evalRequest = new Evaluation.PolicyEvaluationRequest(document, context);
@@ -495,6 +508,12 @@ internal sealed class PolicyRuntimeEvaluationService
                 source = request.Reachability.Source,
                 method = request.Reachability.Method
             },
+            entropy = new
+            {
+                layerSummary = request.EntropyLayerSummary is null ? null : StableHash(request.EntropyLayerSummary),
+                entropyReport = request.EntropyReport is null ? null : StableHash(request.EntropyReport),
+                provenanceAttested = request.ProvenanceAttested ?? false
+            }
         };
 
         var json = JsonSerializer.Serialize(contextData, ContextSerializerOptions);
@@ -517,6 +536,42 @@ internal sealed class PolicyRuntimeEvaluationService
         return (long)elapsed.TotalMilliseconds;
     }
 
+    private PolicyEvaluationEntropy ComputeEntropy(RuntimeEvaluationRequest request)
+    {
+        if (string.IsNullOrWhiteSpace(request.EntropyLayerSummary))
+        {
+            return PolicyEvaluationEntropy.Unknown;
+        }
+
+        try
+        {
+            var result = _entropy.ComputeFromJson(
+                request.EntropyLayerSummary!,
+                request.EntropyReport,
+                request.ProvenanceAttested ?? false);
+
+            return new PolicyEvaluationEntropy(
+                Penalty: result.Penalty,
+                ImageOpaqueRatio: result.ImageOpaqueRatio,
+                Blocked: result.Blocked,
+                Warned: result.Warned,
+                Capped: result.Capped,
+                TopFileOpaqueRatio: result.TopFiles.FirstOrDefault()?.OpaqueRatio);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Failed to compute entropy penalty; defaulting to zero.");
+            return PolicyEvaluationEntropy.Unknown;
+        }
+    }
+
+    private static string StableHash(string input)
+    {
+        Span<byte> hash = stackalloc byte[32];
+        SHA256.HashData(Encoding.UTF8.GetBytes(input), hash);
+        return Convert.ToHexStringLower(hash);
+    }
+
     private async Task<RuntimeEvaluationRequest> EnrichReachabilityAsync(
         RuntimeEvaluationRequest request,
         CancellationToken cancellationToken)