save checkpoint

This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions


@@ -0,0 +1,43 @@
# Signed VEX Override Enforcement in Policy Engine
## Module
Policy
## Status
IMPLEMENTED
## Description
Policy engine requires signed VEX override attestations with DSSE/Rekor validation, exposes override_signed and override_rekor_verified signals to DSL, and supports key trust levels and validity period enforcement.
## Implementation Details
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs` (implements `IVexTrustGate`)
- Evaluates VEX trust including signature verification status
- VexTrustStatus with TrustScore and TrustBreakdown (issuer verification, accuracy, freshness)
- Per-environment thresholds for signature requirements
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
- Production: RequireIssuerVerified=true, MinCompositeScore=0.80, FailureAction=Block
- Staging: RequireIssuerVerified=true, FailureAction=Warn
- MissingTrustBehavior: Allow/Warn/Block when VEX trust data absent
- **TrustLatticeEngine**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
- VEX normalization pipeline supports DSSE-signed VEX documents
- Three normalizers: CycloneDX, OpenVEX, CSAF
- Signed VEX claims receive higher trust scores in ClaimScoreMerger
- **ClaimScoreMerger**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ClaimScoreMerger.cs`
- Signed claims scored higher via specificity and score adjustments
- Conflict penalization (0.25) applies to conflicting signed/unsigned claims
- **EvidenceRequirementValidator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
- DSSE signature verification on VEX override evidence
- Trust score threshold validation for signed evidence
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
- VEX Trust gate evaluates signed override status as part of multi-gate pipeline
## E2E Test Plan
- [ ] Submit DSSE-signed VEX override; verify VexTrustGate passes with high TrustScore
- [ ] Submit unsigned VEX override in production; verify VexTrustGate blocks (RequireIssuerVerified=true)
- [ ] Submit unsigned VEX override in development; verify VexTrustGate passes (RequireIssuerVerified=false)
- [ ] Submit signed VEX with expired signing key; verify trust score reduced or gate blocks
- [ ] Submit signed VEX with Rekor inclusion proof; verify higher trust score than without proof
- [ ] Submit conflicting signed and unsigned VEX claims; verify ClaimScoreMerger applies conflict penalty, signed claim wins
- [ ] Verify VexTrustStatus includes TrustBreakdown with issuer verification status
- [ ] Submit VEX override with trust score below MinCompositeScore; verify gate blocks in production
- [ ] Configure MissingTrustBehavior=Block; submit VEX without trust data; verify gate blocks
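Review bot: The implementation details do not name where three things the description and test plan depend on are implemented: the `override_signed` and `override_rekor_verified` DSL signals, Rekor inclusion-proof verification, and key validity-period (expiry) enforcement. The only component listed with signature checking is EvidenceRequirementValidator ("DSSE signature verification on VEX override evidence"); no file is given for the Rekor lookup or for evaluating a signing key's validity window, yet the test plan asks to "Submit signed VEX with expired signing key" and "Submit signed VEX with Rekor inclusion proof". Since Status is IMPLEMENTED, either add the implementing files under Implementation Details or note those signals as pending. Two smaller points: VexTrustGateOptions lists only Production and Staging profiles, but the test plan references a development profile with `RequireIssuerVerified=false`, which should be documented with its FailureAction and MinCompositeScore; and the expired-key test's acceptance criterion "verify trust score reduced or gate blocks" is ambiguous, so state one expected outcome, and in production an expired key should be treated as issuer-not-verified and blocked rather than only down-weighted, otherwise a signed-but-expired override could still clear MinCompositeScore=0.80.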