feat: Add VEX compact fixture and implement offline verifier for Findings Ledger exports

- Introduced a new VEX compact fixture for testing purposes. - Implemented `verify_export.py` script to validate Findings Ledger exports, ensuring deterministic ordering and applying redaction manifests. - Added a lightweight stub `HarnessRunner` for unit tests to validate ledger hashing expectations. - Documented tasks related to the Mirror Creator. - Created models for entropy signals and implemented the `EntropyPenaltyCalculator` to compute penalties based on scanner outputs. - Developed unit tests for `EntropyPenaltyCalculator` to ensure correct penalty calculations and handling of edge cases. - Added tests for symbol ID normalization in the reachability scanner. - Enhanced console status service with comprehensive unit tests for connection handling and error recovery. - Included Cosign tool version 2.6.0 with checksums for various platforms.
2025-12-02 21:08:01 +02:00
parent 6d049905c7
commit 47168fec38
146 changed files with 4329 additions and 549 deletions
--- a/src/Policy/StellaOps.Policy.Engine/Telemetry/PolicyEngineTelemetry.cs
+++ b/src/Policy/StellaOps.Policy.Engine/Telemetry/PolicyEngineTelemetry.cs
@@ -55,12 +55,12 @@ public static class PolicyEngineTelemetry
            unit: "overrides",
            description: "Total number of VEX overrides applied during policy evaluation.");

-    // Counter: policy_compilation_total{outcome}
-    private static readonly Counter<long> PolicyCompilationCounter =
-        Meter.CreateCounter<long>(
-            "policy_compilation_total",
-            unit: "compilations",
-            description: "Total number of policy compilations attempted.");
+    // Counter: policy_compilation_total{outcome}
+    private static readonly Counter<long> PolicyCompilationCounter =
+        Meter.CreateCounter<long>(
+            "policy_compilation_total",
+            unit: "compilations",
+            description: "Total number of policy compilations attempted.");

    // Histogram: policy_compilation_seconds
    private static readonly Histogram<double> PolicyCompilationSecondsHistogram =
@@ -70,17 +70,73 @@ public static class PolicyEngineTelemetry
            description: "Duration of policy compilation.");

    // Counter: policy_simulation_total{tenant,outcome}
-    private static readonly Counter<long> PolicySimulationCounter =
-        Meter.CreateCounter<long>(
-            "policy_simulation_total",
-            unit: "simulations",
-            description: "Total number of policy simulations executed.");
-
-    #region Golden Signals - Latency
-
-    // Histogram: policy_api_latency_seconds{endpoint,method,status}
-    private static readonly Histogram<double> ApiLatencyHistogram =
-        Meter.CreateHistogram<double>(
+    private static readonly Counter<long> PolicySimulationCounter =
+        Meter.CreateCounter<long>(
+            "policy_simulation_total",
+            unit: "simulations",
+            description: "Total number of policy simulations executed.");
+
+    #region Entropy Metrics
+
+    // Counter: policy_entropy_penalty_total{outcome}
+    private static readonly Counter<long> EntropyPenaltyCounter =
+        Meter.CreateCounter<long>(
+            "policy_entropy_penalty_total",
+            unit: "penalties",
+            description: "Total entropy penalties computed from scanner evidence.");
+
+    // Histogram: policy_entropy_penalty_value{outcome}
+    private static readonly Histogram<double> EntropyPenaltyHistogram =
+        Meter.CreateHistogram<double>(
+            "policy_entropy_penalty_value",
+            unit: "ratio",
+            description: "Entropy penalty values (after cap).");
+
+    // Histogram: policy_entropy_image_opaque_ratio{outcome}
+    private static readonly Histogram<double> EntropyImageOpaqueRatioHistogram =
+        Meter.CreateHistogram<double>(
+            "policy_entropy_image_opaque_ratio",
+            unit: "ratio",
+            description: "Image opaque ratios observed in layer summaries.");
+
+    // Histogram: policy_entropy_top_file_ratio{outcome}
+    private static readonly Histogram<double> EntropyTopFileRatioHistogram =
+        Meter.CreateHistogram<double>(
+            "policy_entropy_top_file_ratio",
+            unit: "ratio",
+            description: "Opaque ratio of the top offending file when present.");
+
+    /// <summary>
+    /// Records an entropy penalty computation.
+    /// </summary>
+    public static void RecordEntropyPenalty(
+        double penalty,
+        string outcome,
+        double imageOpaqueRatio,
+        double? topFileOpaqueRatio = null)
+    {
+        var tags = new TagList
+        {
+            { "outcome", NormalizeTag(outcome) },
+        };
+
+        EntropyPenaltyCounter.Add(1, tags);
+        EntropyPenaltyHistogram.Record(penalty, tags);
+        EntropyImageOpaqueRatioHistogram.Record(imageOpaqueRatio, tags);
+
+        if (topFileOpaqueRatio.HasValue)
+        {
+            EntropyTopFileRatioHistogram.Record(topFileOpaqueRatio.Value, tags);
+        }
+    }
+
+    #endregion
+
+    #region Golden Signals - Latency
+
+    // Histogram: policy_api_latency_seconds{endpoint,method,status}
+    private static readonly Histogram<double> ApiLatencyHistogram =
+        Meter.CreateHistogram<double>(
            "policy_api_latency_seconds",
            unit: "s",
            description: "API request latency by endpoint.");