Add determinism tests for verdict artifact generation and update SHA256 sums script
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering. - Created helper methods for generating sample verdict inputs and computing canonical hashes. - Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics. - Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
This commit is contained in:
StellaOps Bot
@@ -1,12 +1,42 @@
|
||||
# Exceptions API (stub)
|
||||
# Exceptions API
|
||||
|
||||
> Status: BLOCKED — awaiting exception API contract (DOCS-EXC-25-003).
|
||||
Exceptions are time-bound, tenant-scoped, auditable objects that change policy outcomes without mutating upstream evidence. They are used for waivers, compensating controls, and scoped suppressions in a way that is replayable offline.
|
||||
|
||||
## To be provided
|
||||
- OpenAPI spec path (once delivered)
|
||||
- Endpoint list, payloads, errors, idempotency semantics
|
||||
- Deterministic examples (request/response NDJSON) with hashes
|
||||
This document is the entry point for exception contracts. Concrete shapes live in the gateway and Console schemas listed below.
|
||||
|
||||
## Determinism
|
||||
- When examples/spec arrive, hash into `docs/api/SHA256SUMS`.
|
||||
- Keep sample payloads under `docs/api/exceptions/samples/` (one file per case) with stable ordering/fields.
|
||||
## Core Concepts
|
||||
|
||||
- **Exception object:** `{ exceptionId, tenantId, scope, vuln, effect, justification, owner, expiration, evidenceRefs, policyBinding, status }`
|
||||
- **Append-only history:** changes are recorded as transitions; revoke/expire supersedes instead of delete.
|
||||
- **Two-phase activation (recommended):** `draft → staged → active` to support simulation and controlled rollout.
|
||||
- **Effects:** examples include `suppress`, `defer`, `downgrade`, `requireControl` (exact effect catalog is policy-driven).
|
||||
|
||||
## API Surfaces
|
||||
|
||||
- **Console CRUD/workflow (gateway-proxied):** see `docs/api/console/exception-schema.md`
|
||||
- **Policy + Exceptions gateway contract:** `docs/api/gateway/policy-exceptions.md`
|
||||
- **Exception workflow events (SSE stream):** `docs/api/gateway/exception-events.md`
|
||||
|
||||
## Security & Headers
|
||||
|
||||
Common requirements across endpoints:
|
||||
|
||||
- `Authorization: Bearer <token>` (or DPoP where configured)
|
||||
- `X-StellaOps-Tenant: <tenantId>` (required)
|
||||
|
||||
Scopes vary by deployment, but typically follow:
|
||||
|
||||
- Read: `exception:read`
|
||||
- Create/edit: `exception:write`
|
||||
- Approve/reject/revoke: `exception:approve`
|
||||
- Simulation endpoints: `policy:simulate` (plus `exception:read` when simulating with overrides)
|
||||
|
||||
## Offline / Air-Gap
|
||||
|
||||
- Imports/exports are file-based (NDJSON or JSON) with deterministic ordering and UTC timestamps.
|
||||
- Signed exports (DSSE) are supported when Attestor is enabled; when disabled, exports remain hash-addressed and reproducible.
|
||||
|
||||
## Related Docs
|
||||
|
||||
- Exception Governance migration guide: `docs/migration/exception-governance.md`
|
||||
- CLI usage guide: `docs/modules/cli/guides/exceptions.md`
|
||||
|
||||
Reference in New Issue
Block a user