Refactor code structure for improved readability and maintainability; optimize performance in key functions.

This commit is contained in:
master
2025-12-22 19:06:31 +02:00
parent dfaa2079aa
commit 4602ccc3a3
1444 changed files with 109919 additions and 8058 deletions


@@ -111,7 +111,7 @@ Key notes:
| **Authority Client** (`Authority/`) | Acquire tokens, enforce scopes, perform DPoP key rotation. | Only service identity uses `effective:write`. |
| **DSL Compiler** (`Dsl/`) | Parse, canonicalise, IR generation, checksum caching. | Uses Roslyn-like pipeline; caches by `policyId+version+hash`. |
| **Selection Layer** (`Selection/`) | Batch SBOM ↔ advisory ↔ VEX joiners; apply equivalence tables; support incremental cursors. | Deterministic ordering (SBOM → advisory → VEX). |
| **Evaluator** (`Evaluation/`) | Execute IR with first-match semantics, compute severity/trust/reachability weights, record rule hits. | Stateless; all inputs provided by selection layer. |
| **Evaluator** (`Evaluation/`) | Execute IR with first-match semantics, compute severity/trust/reachability weights, record rule hits, and emit a unified confidence score with factor breakdown (reachability/runtime/VEX/provenance/policy). | Stateless; all inputs provided by selection layer. |
| **Signals** (`Signals/`) | Normalizes reachability, trust, entropy, uncertainty, runtime hits into a single dictionary passed to Evaluator; supplies default `unknown` values when signals missing. Entropy penalties are derived from Scanner `layer_summary.json`/`entropy.report.json` (K=0.5, cap=0.3, block at image opaque ratio > 0.15 w/ unknown provenance) and exported via `policy_entropy_penalty_value` / `policy_entropy_image_opaque_ratio`; SPL scope `entropy.*` exposes `penalty`, `image_opaque_ratio`, `blocked`, `warned`, `capped`, `top_file_opaque_ratio`. | Aligns with `signals.*` namespace in DSL. |
| **Materialiser** (`Materialization/`) | Upsert effective findings, append history, manage explain bundle exports. | PostgreSQL transactions per SBOM chunk. |
| **Orchestrator** (`Runs/`) | Change-stream ingestion, fairness, retry/backoff, queue writer. | Works with Scheduler Models DTOs. |
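Review bot: the Signals row in this hunk embeds tunable thresholds (K=0.5, cap=0.3, block at image opaque ratio > 0.15 with unknown provenance) and the full `entropy.*` field list directly in the component overview table, turning one row into a paragraph; consider keeping the row to the component's responsibility ("normalises reachability, trust, entropy, uncertainty and runtime hits into one dictionary; defaults to `unknown`") and moving the threshold values, metric names and scope fields to the entropy/signals reference section, so the table stays scannable and the numbers have a single place to be updated. Minor: `Normalizes` in this row versus `canonicalise` in the DSL Compiler row mixes spellings within the same table; pick one.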


@@ -173,6 +173,11 @@ validationSchema: "https://stellaops.io/schemas/evidence/feature-flag/v1"
| `Expired` | Evidence older than maxAge |
| `InsufficientTrust` | Source trust score too low |
## Persistence
- Hook registry: `policy.evidence_hooks` with `max_age_seconds` and `min_trust_score`.
- Evidence submissions: `policy.submitted_evidence` with `validation_status`, `reference`, and optional `dsse_envelope`.
## Submission Flow
```
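Review bot: the new `## Persistence` heading follows the `InsufficientTrust` table row with no blank line, and `## Submission Flow` is followed immediately by an untagged code fence; a blank line is needed to terminate the table before the heading in most Markdown renderers, and the fence should carry a language tag (for example `text` or `mermaid`, whichever the block actually is) so it renders consistently with the rest of the document. Documentation point: the `policy.submitted_evidence` bullet introduces `validation_status` right after the table that enumerates statuses such as `Expired` and `InsufficientTrust`; stating that `validation_status` holds exactly those values (or pointing at the table) would tie the schema to the status list.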


@@ -180,6 +180,12 @@ Conditions can be scoped to specific environments:
6. Update exception with recheck result
```
## Persistence
- Recheck policy definitions are stored in `policy.recheck_policies` with `conditions` as JSONB.
- Exceptions reference a policy through `policy.exceptions.recheck_policy_id`.
- The latest evaluation snapshot is stored in `policy.exceptions.last_recheck_result` and `policy.exceptions.last_recheck_at`.
## Build Gate Integration
Recheck policies integrate with build gates:
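Review bot: the Persistence section states that the latest evaluation snapshot is stored in `policy.exceptions.last_recheck_result` and `policy.exceptions.last_recheck_at`, which implies earlier recheck results are overwritten; the doc should say whether recheck history is retained anywhere (an auditor asking why an exception stayed open will want the prior evaluations, not just the last one) or state explicitly that only the latest result is kept. Style: add blank lines between the closing ``` fence and `## Persistence`, and between the last bullet and `## Build Gate Integration`, as the headings currently butt directly against the preceding block.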