Add determinism tests for verdict artifact generation and update SHA256 sums script

- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering. - Created helper methods for generating sample verdict inputs and computing canonical hashes. - Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics. - Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
2025-12-24 02:17:34 +02:00
parent e59921374e
commit 7503c19b8f
390 changed files with 37389 additions and 5380 deletions
--- a/docs/api/SHA256SUMS
+++ b/docs/api/SHA256SUMS
@@ -1,3 +0,0 @@
-# Hash index for exceptions API docs
-# <sha256>  <relative-path>
-ec33d6612473d997196ec463042cc5cff21e107ab9d267fd2fa4ffd166e6f25c  docs/api/exceptions.md
--- a/docs/api/authentication.md
+++ b/docs/api/authentication.md
@@ -1,15 +0,0 @@
-# API Authentication — Draft Skeleton (2025-12-05 UTC)
-
-Status: draft placeholder. Inputs pending: token schema, scopes grammar, rate limits.
-
-## Token Types
- JWT/DSSE? (awaiting confirmation), PAT, service tokens.
-
-## Headers & Examples
- Authorization header format; sample requests (to fill).
-
-## Error Handling
- Standard error codes; retry rules.
-
-## Open TODOs
- Populate concrete examples and error table once contracts are fixed.
--- a/docs/api/exceptions.md
+++ b/docs/api/exceptions.md
@@ -1,12 +1,42 @@
-# Exceptions API (stub)
+# Exceptions API

-> Status: BLOCKED — awaiting exception API contract (DOCS-EXC-25-003).
+Exceptions are time-bound, tenant-scoped, auditable objects that change policy outcomes without mutating upstream evidence. They are used for waivers, compensating controls, and scoped suppressions in a way that is replayable offline.

-## To be provided
- OpenAPI spec path (once delivered)
- Endpoint list, payloads, errors, idempotency semantics
- Deterministic examples (request/response NDJSON) with hashes
+This document is the entry point for exception contracts. Concrete shapes live in the gateway and Console schemas listed below.

-## Determinism
- When examples/spec arrive, hash into `docs/api/SHA256SUMS`.
- Keep sample payloads under `docs/api/exceptions/samples/` (one file per case) with stable ordering/fields.
+## Core Concepts
+
+- **Exception object:** `{ exceptionId, tenantId, scope, vuln, effect, justification, owner, expiration, evidenceRefs, policyBinding, status }`
+- **Append-only history:** changes are recorded as transitions; revoke/expire supersedes instead of delete.
+- **Two-phase activation (recommended):** `draft → staged → active` to support simulation and controlled rollout.
+- **Effects:** examples include `suppress`, `defer`, `downgrade`, `requireControl` (exact effect catalog is policy-driven).
+
+## API Surfaces
+
+- **Console CRUD/workflow (gateway-proxied):** see `docs/api/console/exception-schema.md`
+- **Policy + Exceptions gateway contract:** `docs/api/gateway/policy-exceptions.md`
+- **Exception workflow events (SSE stream):** `docs/api/gateway/exception-events.md`
+
+## Security & Headers
+
+Common requirements across endpoints:
+
+- `Authorization: Bearer <token>` (or DPoP where configured)
+- `X-StellaOps-Tenant: <tenantId>` (required)
+
+Scopes vary by deployment, but typically follow:
+
+- Read: `exception:read`
+- Create/edit: `exception:write`
+- Approve/reject/revoke: `exception:approve`
+- Simulation endpoints: `policy:simulate` (plus `exception:read` when simulating with overrides)
+
+## Offline / Air-Gap
+
+- Imports/exports are file-based (NDJSON or JSON) with deterministic ordering and UTC timestamps.
+- Signed exports (DSSE) are supported when Attestor is enabled; when disabled, exports remain hash-addressed and reproducible.
+
+## Related Docs
+
+- Exception Governance migration guide: `docs/migration/exception-governance.md`
+- CLI usage guide: `docs/modules/cli/guides/exceptions.md`
--- a/docs/api/vex-consensus.md
+++ b/docs/api/vex-consensus.md
@@ -1,25 +0,0 @@
-# VEX Consensus Stream Contract (draft placeholder)
-
-**Status:** Draft v0.2 · owner-proposed
-
-## Scope
- `/vex/consensus` streaming APIs via Web gateway with tenant RBAC/ABAC, caching, and telemetry.
-
-## Endpoint
- `GET /vex/consensus/stream` — SSE stream of consensus VEX statements per tenant.
-
-Headers: `Authorization: DPoP <token>`, `DPoP: <proof>`, `X-StellaOps-Tenant`, optional `If-None-Match`.
-Scopes (proposal): `vex:read` and `vex:consensus`.
-
-Events (draft)
- `started`: `{ tenantId, streamId, status }`
- `consensus_update`: `{ statementId, state, justification, validFrom, validUntil, sources[], etag }`
- `heartbeat`: `{ streamId, ts }`
- `completed`: `{ streamId, status }`
- `failed`: `{ streamId, code, message }`
-
-Rate limits: heartbeats every 30s; idle timeout 90s; backoff via `Retry-After` header on reconnect.
-
-Samples: `docs/api/vex-consensus-sample.ndjson`
-
-Outstanding: finalize scopes, error codes, cache/etag semantics, and add pagination/replay guidance.