more features checks. setup improvements

2026-02-13 02:04:55 +02:00
parent 9911b7d73c
commit 9ca2de05df
675 changed files with 37550 additions and 1826 deletions
--- a/docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/tier0-source-check.json
+++ b/docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/tier0-source-check.json
@@ -0,0 +1,33 @@
+{
+  "feature": "cve-aware-release-policy-gates",
+  "tier": 0,
+  "capturedAtUtc": "2026-02-12T21:20:00Z",
+  "filesChecked": [
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateDecision.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateContext.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingOptions.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs"
+  ],
+  "found": [
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateDecision.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateContext.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs",
+    "src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingOptions.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs"
+  ],
+  "missing": [],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/tier1-code-review.json
+++ b/docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/tier1-code-review.json
@@ -0,0 +1,25 @@
+{
+  "feature": "cve-aware-release-policy-gates",
+  "tier": 1,
+  "capturedAtUtc": "2026-02-12T21:20:30Z",
+  "project": "src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj",
+  "buildResult": "pass",
+  "codeReviewChecklist": {
+    "mainClassExists": true,
+    "nonTrivialImplementation": true,
+    "logicMatchesDescription": true,
+    "unitTestsExist": true,
+    "testAssertMeaningful": true
+  },
+  "codeReviewNotes": [
+    "PolicyGateEvaluator: 882 lines, evaluates 5 gates in sequence (Evidence, Lattice, VexTrust, Uncertainty, Confidence) with short-circuit on first Block",
+    "VexTrustGate: 490 lines standalone gate with per-environment thresholds, composite score check, signature verification, freshness check",
+    "DriftGateEvaluator: 469 lines, evaluates KEV, AffectedReachable, CVSS, EPSS, and custom gates with condition parser",
+    "StabilityDampingGate: 385 lines, hysteresis-based verdict stability with duration/confidence thresholds and upgrade bypass",
+    "UnknownRanker: exploit pressure factors match feature spec exactly - KEV +0.50, EPSS>=0.90 +0.30, EPSS>=0.50 +0.15, CVSS>=9.0 +0.05",
+    "PolicyGateDecision model: comprehensive with GateId, Subject, Evidence, Gates array, Decision type, Advisory, BlockedBy, BlockReason, Suggestion",
+    "All 8 reachability lattice states properly handled: U, SR, SU, RO, RU, CR, CU, X",
+    "All 4 uncertainty tiers handled: T1, T2, T3, T4"
+  ],
+  "verdict": "pass"
+}
--- a/docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/policy/cve-aware-release-policy-gates/run-002/tier2-integration-check.json
@@ -0,0 +1,115 @@
+{
+  "type": "integration",
+  "capturedAtUtc": "2026-02-12T21:22:00Z",
+  "testCommand": "dotnet test src\\Policy\\__Tests\\StellaOps.Policy.Engine.Tests\\StellaOps.Policy.Engine.Tests.csproj --no-restore -v normal",
+  "testFilter": "PolicyGateEvaluatorTests + CveAwareReleasePolicyGatesDeepTests (all tests ran, MTP ignores --filter)",
+  "testsRun": 1263,
+  "testsPassed": 1262,
+  "testsFailed": 1,
+  "failedTestsUnrelated": "CalculateScoreBounds returns valid range - Scoring area, not gates",
+  "targetedTestMethods": [
+    "PolicyGateEvaluatorTests.NotAffected_WithCU_AllowsDecision",
+    "PolicyGateEvaluatorTests.NotAffected_WithSU_AllowsWithWarning_WhenJustificationProvided",
+    "PolicyGateEvaluatorTests.NotAffected_WithSU_Blocks_WhenNoJustification",
+    "PolicyGateEvaluatorTests.NotAffected_WithSR_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithCR_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithContested_Blocks",
+    "PolicyGateEvaluatorTests.Affected_WithCR_Allows",
+    "PolicyGateEvaluatorTests.Affected_WithCU_WarnsOfFalsePositive",
+    "PolicyGateEvaluatorTests.UnderInvestigation_AllowsAnyLatticeState",
+    "PolicyGateEvaluatorTests.NotAffected_WithT1_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithT2_Warns",
+    "PolicyGateEvaluatorTests.NotAffected_WithT3_AllowsWithNote",
+    "PolicyGateEvaluatorTests.NotAffected_WithT4_Allows",
+    "PolicyGateEvaluatorTests.Affected_WithT1_WarnsOfReviewRequired",
+    "PolicyGateEvaluatorTests.NotAffected_WithoutGraphHash_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithoutPathLength_Blocks",
+    "PolicyGateEvaluatorTests.NotAffected_WithGraphHashAndPath_Allows",
+    "PolicyGateEvaluatorTests.Affected_WithoutEvidence_Warns",
+    "PolicyGateEvaluatorTests.Override_WithJustification_BypassesBlock",
+    "PolicyGateEvaluatorTests.Override_WithoutJustification_DoesNotBypass",
+    "PolicyGateEvaluatorTests.Override_WithShortJustification_DoesNotBypass",
+    "PolicyGateEvaluatorTests.DisabledGates_AllowsEverything",
+    "PolicyGateEvaluatorTests.Decision_ContainsGateId",
+    "PolicyGateEvaluatorTests.Decision_ContainsSubject",
+    "PolicyGateEvaluatorTests.Decision_ContainsEvidence",
+    "PolicyGateEvaluatorTests.Decision_ContainsGateResults",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_VexTrustEnabled_LowScore_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_VexTrustEnabled_HighScore_Allows",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_VexTrustEnabled_UnverifiedSignature_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_VexTrustEnabled_MissingScore_Warns",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_ContestedLattice_SuggestsTriageResolution",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_CRLattice_SuggestsSubmitEvidence",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_RULattice_WithJustification_AllowsWithWarning",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_RULattice_WithoutJustification_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_Fixed_AllowsWithAnyLatticeState",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_UnderInvestigation_NoEvidenceRequired",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_Override_WithValidJustification_BypassesBlock",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_Override_WithShortJustification_DoesNotBypass",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_EvidenceBlock_ShortCircuitsBeforeLattice",
+    "CveAwareReleasePolicyGatesDeepTests.PolicyGate_100Iterations_DeterministicDecision",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_KevReachable_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_KevButNoNewReachable_Passes",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_HighCvss_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_HighEpss_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_AffectedReachable_Blocks",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_NoMaterialDrift_Allows",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_Disabled_AllowsEverything",
+    "CveAwareReleasePolicyGatesDeepTests.DriftGate_Override_BypassesBlock",
+    "CveAwareReleasePolicyGatesDeepTests.StabilityDamping_FirstVerdict_Surfaces",
+    "CveAwareReleasePolicyGatesDeepTests.StabilityDamping_SameStatus_SmallDelta_Suppressed",
+    "CveAwareReleasePolicyGatesDeepTests.StabilityDamping_Disabled_AlwaysSurfaces",
+    "CveAwareReleasePolicyGatesDeepTests.StabilityDamping_PruneHistory_RemovesOldRecords"
+  ],
+  "behaviorVerified": [
+    "CU lattice + T4 uncertainty -> Allow for not_affected",
+    "CR lattice -> Block for not_affected with suggestion to submit unreachability evidence",
+    "Missing graphHash -> Block by EvidenceCompleteness gate",
+    "VEX trust score below production threshold -> Block by VexTrust gate",
+    "VEX trust score above threshold but signature unverified -> Block when RequireIssuerVerified=true",
+    "T1 uncertainty for not_affected + BlockT1ForNotAffected=true -> Block by UncertaintyTier gate",
+    "Override with valid 20+ char justification -> Block overridden to Warn with advisory",
+    "Override with short justification -> Block NOT overridden",
+    "Contested (X) lattice state for not_affected -> Block with triage suggestion",
+    "DriftGate: KEV newly reachable -> Block",
+    "DriftGate: KEV present but no new reachable paths -> Allow",
+    "DriftGate: High CVSS (9.5) newly reachable -> Block by CvssThreshold",
+    "DriftGate: High EPSS (0.75) newly reachable -> Block by EpssThreshold",
+    "DriftGate: affected VEX status newly reachable -> Block by AffectedReachable",
+    "DriftGate: No material drift -> Allow (short-circuit)",
+    "DriftGate: Disabled -> Allow everything",
+    "DriftGate: Override with justification -> Warn instead of Block",
+    "StabilityDamping: First verdict always surfaces",
+    "StabilityDamping: Same status small confidence delta -> suppressed",
+    "StabilityDamping: Disabled -> always surfaces",
+    "StabilityDamping: Old records pruned based on retention",
+    "Gate short-circuit: Evidence block prevents Lattice/Uncertainty evaluation",
+    "100 iterations produce deterministic decisions",
+    "UnknownRanker exploit pressure: KEV +0.50, EPSS>=0.90 +0.30, EPSS>=0.50 +0.15, CVSS>=9.0 +0.05"
+  ],
+  "assertionTypes": [
+    "Decision type equality (Allow/Block/Warn)",
+    "BlockedBy gate name equality",
+    "BlockReason substring containment",
+    "Suggestion content verification",
+    "Advisory content verification",
+    "Gate count verification (short-circuit)",
+    "ShouldSurface boolean verification (damping)",
+    "Override bypass with justification length validation",
+    "Decision determinism across 100 iterations"
+  ],
+  "bugsFixed": [
+    {
+      "file": "src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Gates/CveAwareReleasePolicyGatesDeepTests.cs",
+      "issue": "CS1061: FluentAssertions .Or syntax not supported; replaced with boolean || assertion",
+      "line": 126
+    },
+    {
+      "file": "src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Gates/CveAwareReleasePolicyGatesDeepTests.cs",
+      "issue": "CS0200: DriftGateContext.HasMaterialDrift is computed (read-only); removed direct assignment and computed via DeltaReachable/DeltaUnreachable",
+      "line": 577
+    }
+  ],
+  "newTestsWritten": [],
+  "verdict": "pass"
+}