save checkpoint
@@ -0,0 +1,41 @@
|
||||
# Risk Verdict Attestation (RVA) Contract
|
||||
|
||||
## Module
|
||||
Policy
|
||||
|
||||
## Status
|
||||
IMPLEMENTED
|
||||
|
||||
## Description
|
||||
Structured Risk Verdict Attestation with PASS/FAIL/PASS_WITH_EXCEPTIONS/INDETERMINATE verdicts, policy references, knowledge snapshot bindings, evidence references, and reason codes as a first-class product artifact.
|
||||
|
||||
## Implementation Details
|
||||
- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs`
|
||||
- Generates DSSE-signed attestations for policy verdicts
|
||||
- Verdict types: PASS, FAIL, PASS_WITH_EXCEPTIONS, INDETERMINATE
|
||||
- Policy reference binding: PolicyBundleDigest links attestation to specific policy version
|
||||
- Knowledge snapshot binding: SnapshotId links to frozen evaluation inputs
|
||||
- Evidence references: content-addressed digests for all evidence used
|
||||
- Reason codes for verdict justification
|
||||
- **PolicyDecisionAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/PolicyDecisionAttestationService.cs`
|
||||
- Creates attestations for individual policy decisions within a verdict
|
||||
- **RvaService**: `src/Policy/StellaOps.Policy.Engine/Attestation/RvaService.cs` -- Risk Verdict Attestation service
|
||||
- **ScoringDeterminismVerifier**: `src/Policy/StellaOps.Policy.Engine/Attestation/ScoringDeterminismVerifier.cs` -- verifies scoring determinism before attestation
|
||||
- **ReplayedVerdict model**: `src/Policy/__Libraries/StellaOps.Policy/Replay/ReplayResult.cs`
|
||||
- ReplayDecision enum: Unknown, Pass, Fail, PassWithExceptions, Indeterminate
|
||||
- Verdict includes Score, FindingIds, KnowledgeSnapshotId
|
||||
- **KnowledgeSnapshotManifest**: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs`
|
||||
- Content-addressed snapshot binding: SnapshotId (ksm:sha256:{hash})
|
||||
- **Attestation directory**: `src/Policy/StellaOps.Policy.Engine/Attestation/` -- 28 files for attestation generation, verification, and management
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Generate RVA for artifact with all gates passing; verify verdict=PASS with reason codes
|
||||
- [ ] Generate RVA for artifact with blocked gate; verify verdict=FAIL with blocking gate in reason
|
||||
- [ ] Generate RVA for artifact with exception applied; verify verdict=PASS_WITH_EXCEPTIONS
|
||||
- [ ] Generate RVA with indeterminate state (missing evidence); verify verdict=INDETERMINATE
|
||||
- [ ] Verify RVA includes PolicyBundleDigest matching the policy used for evaluation
|
||||
- [ ] Verify RVA includes SnapshotId matching the KnowledgeSnapshotManifest
|
||||
- [ ] Verify RVA includes evidence references (content-addressed digests)
|
||||
- [ ] Verify DSSE signature on RVA is valid and covers all verdict fields
|
||||
- [ ] Verify ScoringDeterminismVerifier passes before attestation generation
|
||||
- [ ] Parse RVA JSON; verify all required fields are present (verdict, policy_ref, snapshot_id, evidence_refs, reason_codes, generated_at)
|
||||
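Review bot: The E2E Test Plan exercises only the success path of the integrity checks: "Verify DSSE signature on RVA is valid and covers all verdict fields" and "Verify ScoringDeterminismVerifier passes before attestation generation" have no negative counterpart. Add cases that change a bound field after signing (verdict, PolicyBundleDigest, SnapshotId, one evidence digest) and expect verification to fail, plus a case where the determinism check fails, with the expected outcome for attestation generation stated. Under Implementation Details, the ReplayDecision enum lists Unknown while the verdict types list only PASS, FAIL, PASS_WITH_EXCEPTIONS and INDETERMINATE; say whether Unknown can reach an attestation and how it maps. The last test item names JSON fields (policy_ref, snapshot_id, evidence_refs) that the contract never ties to PolicyBundleDigest, SnapshotId and the evidence references, so a short field table would make that check unambiguous. Status reads IMPLEMENTED while every test-plan box is unchecked; note which of the two is authoritative.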