save progress

2025-12-26 22:03:32 +02:00
parent 9a4cd2e0f7
commit e6c47c8f50
3634 changed files with 253222 additions and 56632 deletions
--- a/etc/policy-gates.yaml.sample
+++ b/etc/policy-gates.yaml.sample
@@ -43,3 +43,66 @@ gates:
    bypassReasons:
      - component_not_present
      - vulnerable_configuration_unused
+
+  # VEX Trust Gate - Enforces minimum VEX signature verification trust thresholds
+  # Order: 250 (after LatticeState/200, before UncertaintyTier/300)
+  vexTrust:
+    enabled: true  # Feature flag - set false during initial rollout
+    
+    # Per-environment trust thresholds
+    thresholds:
+      production:
+        minCompositeScore: 0.80          # Composite trust score minimum
+        requireIssuerVerified: true      # Signature verification mandatory
+        minAccuracyRate: 0.85            # Issuer's historical accuracy threshold
+        acceptableFreshness:
+          - fresh                        # Only fresh VEX in production
+        failureAction: Block             # Block if thresholds not met
+      
+      staging:
+        minCompositeScore: 0.60
+        requireIssuerVerified: true
+        minAccuracyRate: null            # Don't check accuracy in staging
+        acceptableFreshness:
+          - fresh
+          - stale
+        failureAction: Warn              # Warn only in staging
+      
+      development:
+        minCompositeScore: 0.40
+        requireIssuerVerified: false     # Allow unsigned in dev
+        minAccuracyRate: null
+        acceptableFreshness:
+          - fresh
+          - stale
+          - superseded
+        failureAction: Warn
+      
+      default:                           # Fallback for unknown environments
+        minCompositeScore: 0.70
+        requireIssuerVerified: true
+        minAccuracyRate: null
+        acceptableFreshness:
+          - fresh
+          - stale
+        failureAction: Warn
+    
+    # VEX statuses to which this gate applies
+    applyToStatuses:
+      - not_affected
+      - fixed
+    
+    # Behavior when VEX trust data is missing
+    # Options: Allow, Warn, Block
+    missingTrustBehavior: Warn
+    
+    # Enable OpenTelemetry metrics
+    emitMetrics: true
+    
+    # Tenant-specific overrides (optional)
+    # tenantOverrides:
+    #   tenant-a:
+    #     production:
+    #       minCompositeScore: 0.90
+    #       requireIssuerVerified: true
+