work
25
docs/modules/cli/guides/commands/policy.md
Normal file
@@ -0,0 +1,25 @@
# stella policy — Command Guide
## Commands
- `stella policy eval --input <bundle> --subject <sbom|vex|vuln> [--offline] [--output json|ndjson|table]`
- `stella policy simulate --from <bundleA> --to <bundleB> [--budget <ms>] [--offline]`
- `stella policy publish --input <bundle> --sign --attest`
## Flags (common)
- `--offline` / `STELLA_OFFLINE=1`: forbid network calls; use cached bundles only.
- `--tenant <id>`: scope evaluation to tenant; RLS enforcement required on the server.
- `--rationale`: include rationale IDs in responses.
- `--output`: `json` (default), `ndjson`, or `table`.
## Inputs/outputs
- Inputs: policy bundles (signed), subject artifacts (SBOM/VEX/Vuln snapshots).
- Outputs: deterministic JSON/NDJSON or tables; includes `correlationId`, `policyVersion`, `rationaleIds` when requested.
- Exit codes follow `output-and-exit-codes.md`.
## Determinism rules
- Sort evaluation results by subject key; timestamps UTC ISO-8601.
- No inferred verdicts beyond Policy Engine response.
## Offline/air-gap notes
- When `--offline`, evaluation must use locally cached bundles and subject artifacts; fail with exit code 5 if network would be needed.
- Trust roots loaded from `STELLA_TRUST_ROOTS` when verifying signed bundles.
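Review bot: the "Offline/air-gap notes" section says trust roots are loaded from `STELLA_TRUST_ROOTS` when verifying signed bundles, but it does not state the behaviour when that variable is unset or points to an empty set in `--offline` mode; please document that verification fails closed with an explicit exit code (per `output-and-exit-codes.md`) rather than evaluating an unverified bundle. Two flags used in "Commands" are also missing from "Flags (common)": `--budget <ms>` on `stella policy simulate` (what happens when the budget is exceeded, and whether the result is still deterministic) and `--sign --attest` on `stella policy publish` (which key or identity is used for signing and attestation). Minor: `--output` is listed with `json` as the default under "Flags" but shown as a bare choice in the `eval` synopsis; consider marking the default consistently.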