stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
docs/features/checked/policy/vextrustgate-policy-integration.md Normal file
View File

@@ -0,0 +1,43 @@
# VexTrustGate Policy Integration
## Module
Policy
## Status
IMPLEMENTED
## Description
Integrates VEX trust evaluation as a named policy gate in the policy evaluation chain. VexTrustGate validates VEX statement trust levels against configurable thresholds before accepting VEX-based risk reductions. Registered in the GateSelector alongside existing gates. Distinct from known "VEX Trust Scoring" (which computes scores) -- this gates policy decisions based on those scores.
## Implementation Details
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs` (implements `IVexTrustGate`)
- `EvaluateAsync(VexTrustGateRequest)` evaluates trust score against thresholds
- Returns VexTrustGateResult with decision (Pass/Warn/Block), details, and recommendations
- Checks: composite score >= threshold, issuer verified, accuracy rate, freshness
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
- Section key: `"Policy:Gates:VexTrust"`
- Enabled flag (default true)
- ApplyToStatuses: ["not_affected", "fixed"]
- Per-environment thresholds (production/staging/development/default)
- MissingTrustBehavior: Allow, Warn, Block
- EmitMetrics: true (OpenTelemetry)
- TenantOverrides for multi-tenant deployments
- **PolicyGateEvaluator integration**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
- VEX Trust gate is 3rd in the 5-gate sequential pipeline
- Evaluates after Evidence Completeness and Lattice State gates
- Per-environment thresholds with MissingTrustBehavior fallback
- **VexTrustGateMetrics**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateMetrics.cs`
- OpenTelemetry metrics: gate decisions, trust scores, evaluation duration
- Tags: environment, decision, trust_score_bucket
## E2E Test Plan
- [ ] Evaluate VEX trust in production with score 0.85 (above 0.80 threshold); verify gate passes
- [ ] Evaluate VEX trust in production with score 0.75 (below 0.80 threshold); verify gate blocks
- [ ] Evaluate VEX trust in staging with score 0.55 (below 0.60 threshold); verify gate warns (FailureAction=Warn)
- [ ] Evaluate VEX trust in development with score 0.35 (below 0.40 threshold); verify gate warns
- [ ] Evaluate without VEX trust data, MissingTrustBehavior=Warn; verify gate warns with descriptive message
- [ ] Evaluate without VEX trust data, MissingTrustBehavior=Block; verify gate blocks
- [ ] Evaluate without VEX trust data, MissingTrustBehavior=Allow; verify gate passes
- [ ] Configure TenantOverrides for tenant-A with custom staging threshold 0.70; evaluate in staging for tenant-A; verify custom threshold used
- [ ] Verify VexTrustGateMetrics emits gate decision metric with environment and decision tags
- [ ] Disable VexTrustGate (Enabled=false); evaluate; verify gate is skipped in pipeline