save checkpoint
45
docs/features/checked/policy/vex-decisioning-engine.md
Normal file
@@ -0,0 +1,45 @@
# VEX Decisioning Engine (Not Just Ingestion) (Moat Score 4)

## Module
Policy

## Status
IMPLEMENTED

## Description
Full VEX decisioning with consensus engine, trust scoring, OpenVEX and CSAF normalization, and trust lattice conflict resolution.

## Implementation Details
- **TrustLatticeEngine**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
- Full VEX decisioning pipeline: VEX normalization -> claim ingestion -> K4 evaluation -> disposition selection -> proof bundle
- Three VEX format normalizers: CycloneDX, OpenVEX, CSAF
- Fluent ClaimBuilder: Assert, Present, Applies, Reachable, Mitigated, Fixed, Misattributed
- `Evaluate()` with optional SubjectFilter and proof bundle generation
- Disposition selection from K4 lattice values: True -> not_affected, False -> affected, Conflict -> disputed, Unknown -> under_investigation
- **K4Lattice**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/K4Lattice.cs`
- Belnap four-valued logic: Unknown=0, True=1, False=2, Conflict=3
- Join (consensus): T join F = Conflict; commutative, idempotent
- Meet (agreement): T meet F = Unknown
- FromSupport(): maps evidence support to K4 value
- **ClaimScoreMerger**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ClaimScoreMerger.cs`
- Deterministic claim merging with conflict penalization (0.25 penalty)
- Merge ordering: adjusted score -> specificity -> original score -> source ID -> index
- MergePolicy: ConflictPenalty, PreferSpecificity, RequireReplayProofOnConflict
- Returns MergeResult: winning claim, conflicts, RequiresReplayProof flag
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs`
- Gates policy decisions based on VEX trust scores
- Per-environment thresholds with FailureAction (Warn/Block)
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
- VEX Trust gate (3rd in 5-gate pipeline) evaluates trust lattice results

## E2E Test Plan
- [ ] Ingest CycloneDX VEX with not_affected status; verify K4 value=True after normalization
- [ ] Ingest OpenVEX with affected status; verify K4 value=False after normalization
- [ ] Ingest CSAF VEX with fixed status; verify K4 value=True after normalization
- [ ] Ingest conflicting claims (CycloneDX not_affected + OpenVEX affected); verify K4 Conflict, disposition=disputed
- [ ] Verify ClaimScoreMerger: signed claim (score 0.9) wins over unsigned claim (score 0.95) when PreferSpecificity enabled
- [ ] Verify conflict penalization: conflicting claims receive 0.25 penalty
- [ ] Evaluate with VexTrustGate in production (threshold 0.80); provide trust score 0.85; verify gate passes
- [ ] Evaluate with VexTrustGate; provide trust score 0.60 in production; verify gate blocks
- [ ] Build claim via fluent API: Assert("CVE-2024-1234").Present("pkg:npm/lodash@4.17.21").Mitigated(); verify claim correctly formed
- [ ] Verify proof bundle includes all claims, scores, and K4 evaluations for audit
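Review bot: the E2E Test Plan item "signed claim (score 0.9) wins over unsigned claim (score 0.95) when PreferSpecificity enabled" does not follow from the merge ordering documented under ClaimScoreMerger (adjusted score -> specificity -> original score -> source ID -> index). With adjusted score compared first, the 0.95 claim wins unless signature status feeds into the adjusted score or into specificity, and neither the listed MergePolicy fields (ConflictPenalty, PreferSpecificity, RequireReplayProofOnConflict) nor the ordering says that it does. Either document how signature status enters the adjusted score, or restate the test as a specificity case so the expected winner is derivable from the documented ordering. Two smaller documentation points in the same file: the Description names only OpenVEX and CSAF normalization while Implementation Details lists three normalizers including CycloneDX, so the Description should name all three; and Status reads IMPLEMENTED while every E2E Test Plan checkbox is unchecked, so either tick the items that have been run or note that the plan has not been executed yet.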