Refactor code structure for improved readability and maintainability; optimize performance in key functions.

etc/trust-lattice.yaml.sample

@@ -0,0 +1,72 @@
+# Trust Lattice Configuration for VEX Source Scoring
+# This file defines the default trust vectors and weights for evaluating VEX sources
+
+# Default trust weights for combining P/C/R components
+# These weights are used when computing the base trust score
+# Formula: BaseTrust = (wP × P) + (wC × C) + (wR × R)
+defaultWeights:
+  provenance: 0.45      # Weight for provenance score (crypto & process integrity)
+  coverage: 0.35        # Weight for coverage score (scope match precision)
+  replayability: 0.20   # Weight for replayability score (determinism & pinning)
+
+# Default trust vectors for source classifications
+# These are fallback values when a source doesn't have explicit configuration
+defaultVectors:
+
+  # Vendor-published VEX statements (e.g., Red Hat, Oracle, Microsoft)
+  vendor:
+    provenance: 0.90     # High - official vendor channels with signing
+    coverage: 0.85       # High - vendor knows their own products
+    replayability: 0.70  # Medium-High - usually versioned but may lack pinning
+
+  # Distribution-published VEX (e.g., Ubuntu, Debian, Alpine)
+  distro:
+    provenance: 0.85     # High - official distro channels
+    coverage: 0.90       # Very High - distros track OS packages precisely
+    replayability: 0.75  # Medium-High - pinned to distro versions
+
+  # Third-party aggregators/hubs (e.g., SUSE Rancher VEX Hub)
+  hub:
+    provenance: 0.75     # Medium-High - depends on hub's verification process
+    coverage: 0.70       # Medium - may aggregate from various sources
+    replayability: 0.60  # Medium - varies by hub's data model
+
+  # Platform-specific VEX (e.g., OCI attestations, cloud provider advisories)
+  platform:
+    provenance: 0.80     # Medium-High - platform signing available
+    coverage: 0.75       # Medium-High - platform-aware matching
+    replayability: 0.65  # Medium - depends on platform's commitment
+
+  # User-supplied/internal VEX statements
+  internal:
+    provenance: 0.70     # Medium - internal PKI or unsigned
+    coverage: 0.95       # Very High - organization knows its own environment
+    replayability: 0.85  # High - controlled by organization
+
+# Claim strength multipliers
+# These adjust the base trust score based on claim metadata
+claimStrength:
+  high: 1.0       # Full trust (e.g., cryptographic proof, reachability analysis)
+  medium: 0.9     # Slightly reduced (e.g., heuristic evidence, manual analysis)
+  low: 0.75       # Significantly reduced (e.g., speculation, incomplete data)
+  unspecified: 0.8  # Conservative default when strength not provided
+
+# Freshness decay configuration
+# Older VEX claims are less trustworthy than recent ones
+freshnessDecay:
+  enabled: true
+  halfLifeDays: 90           # Freshness drops to 50% after this many days
+  minimumFreshness: 0.5      # Floor to prevent complete dismissal of old claims
+
+  # Override: Never apply freshness decay to certain statuses
+  # These statuses are considered "timeless" facts
+  exemptStatuses:
+    - fixed                  # Fix remains valid
+    - notAffected           # Not-affected is structural, doesn't decay
+
+# Environment variable overrides
+# These can be set to override file-based configuration at runtime
+# STELLAOPS_TRUST_LATTICE_DEFAULT_WP=0.45
+# STELLAOPS_TRUST_LATTICE_DEFAULT_WC=0.35
+# STELLAOPS_TRUST_LATTICE_DEFAULT_WR=0.20
+# STELLAOPS_TRUST_LATTICE_FRESHNESS_HALFLIFE_DAYS=90