stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

522
docs/qa/feature-checks/state/policy.json
View File

@@ -1,16 +1,16 @@
{
"module": "policy",
"featureCount": 88,
"lastUpdatedUtc": "2026-02-13T12:15:00Z",
"lastUpdatedUtc": "2026-02-13T17:50:00Z",
"summary": {
"passed": 56,
"passed": 88,
"failed": 0,
"blocked": 0,
"skipped": 0,
"done": 56,
"queued": 32
"done": 88,
"queued": 0
},
"buildNote": "Policy tests.slnf baseline: Scoring 263/263 pass, Policy.Tests 781/781 pass, Engine 1278/1278 pass, Determinization 438/438 pass, Exceptions 83/83 pass, Explainability 35/35 pass, PolicyDsl 140/140 pass, Interop 129/135 pass (6 pre-existing YAML failures) (2864 total across 7 projects). 56 features verified with full Tier 0+1+2d. Batch 12: policy-engine-with-proofs, policy-gate-with-evidence-linked-approval, policy-interop-framework, policy-simulation-engine.",
"buildNote": "ALL 88 POLICY FEATURES VERIFIED. Policy tests.slnf baseline: Scoring 263/263 pass, Policy.Tests 781/781 pass, Engine 1278/1278 pass, Determinization 438/438 pass, Exceptions 83/83 pass, Explainability 35/35 pass, PolicyDsl 140/140 pass, Interop 129/135 pass (6 pre-existing YAML failures), Unknowns 59/59 pass (2923 total across 8 projects). Batch 17: signature-required-policy-gate, signed-vex-override-enforcement-in-policy-engine, smart-diff-semantic-risk-delta, time-travel-replay-engine. Batch 18: unknown-budget-policy-enforcement, unknowns-budget-dashboard, unknowns-decay-and-triage-queue, unknowns-grey-queue-with-conflict-detection-and-reanalysis-fingerprints. Batch 19: unknowns-ranking-algorithm, verdict-explainability-rationale-renderer, versioned-weight-manifests, vex-decisioning-engine.",
"features": {
"adversarial-input-validation-for-scoring-inputs": {
"status": "done",
@@ -920,6 +920,518 @@
"[2026-02-13T05:06:00Z] checking: Tier 2d passed - 1278 Engine tests. RiskSimulationBreakdownService (19 tests: signal analysis, override analysis, score distribution with skewness/kurtosis/outliers, severity breakdown with HHI concentration, action breakdown with stability, component breakdown with ecosystems, Quick options, determinism hash, comparison with risk trends, empty findings, missing signals). WhatIfSimulationService (SBOM diffs: add/remove/upgrade/downgrade, decision changes, impact summary). ConsoleSimulationDiffService (schema 'console-policy-23-001', deterministic). 4 simulation endpoints.",
"[2026-02-13T12:15:00Z] done: Moved to checked/"
]
},
"prohibitedpatternanalyzer": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T13:00:00Z",
"featureFile": "docs/features/checked/policy/prohibitedpatternanalyzer.md",
"notes": [
"[2026-02-13T13:00:00Z] checking: Tier 2d passed - 1278 Engine tests. ProhibitedPatternAnalyzer: 17 regex patterns across 8 violation categories (WallClock, RandomNumber, GuidGeneration, NetworkAccess, EnvironmentAccess, FileSystemAccess, FloatingPointHazard, UnstableIteration). 28 targeted tests in DeterminismGuardTests+DeterminismGuardDeepTests: DateTime.Now/UtcNow, DateTimeOffset.Now/UtcNow, Random/CryptoRandom, HttpClient/WebClient/Socket, File.Read/Write, Environment vars, Guid.NewGuid, comment skipping, exclusion filtering, line number tracking, multi-file aggregation, FailOnSeverity threshold (Warning/Error/Critical), remediation messages.",
"[2026-02-13T13:00:00Z] done: Moved to checked/"
]
},
"proof-replay-deterministic-verdict-replay": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T13:05:00Z",
"featureFile": "docs/features/checked/policy/proof-replay-deterministic-verdict-replay.md",
"notes": [
"[2026-02-13T13:05:00Z] checking: Tier 2d passed - 781 Policy.Tests. ReplayEngine: 5-step pipeline (load snapshot -> resolve frozen inputs -> execute with frozen inputs -> compare with original -> generate delta report). 24 targeted tests: ReplayEngineTests (7: valid replay, non-existent snapshot ReplayFailed, NoComparison, 10-iteration determinism, different artifacts, duration), VerdictComparerTests (8: ExactMatch, Mismatch, MatchWithinTolerance, finding deltas Added/Removed, order-independent matching, confidence calculation), ReplayReportTests (8: rpt: prefix, IsDeterministic, confidence levels 1.0/0.9/0.5/0.0, recommendations, timing).",
"[2026-02-13T13:05:00Z] done: Moved to checked/"
]
},
"proof-studio-ux": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T13:10:00Z",
"featureFile": "docs/features/checked/policy/proof-studio-ux.md",
"notes": [
"[2026-02-13T13:10:00Z] checking: Tier 2d passed - 816 tests (35 Explainability + 781 Policy). VerdictRationaleRenderer: 4-line rationale template (Evidence/PolicyClause/Attestations/Decision), content-addressed RationaleId (rat:sha256:), PlainText/Markdown/JSON rendering, reachability details. ProofStudioService: proof graph composition (pg:sha256: GraphId), score breakdown dashboard (factors, guardrails, action buckets), counterfactual overlay nodes. CounterfactualEngine: 5 path types (VEX/Exception/Reachability/VersionUpgrade/CompensatingControl), effort scaling by severity, options control, FixedVersionLookup delegate. ScoreExplanation: per-factor breakdown with contributing digests.",
"[2026-02-13T13:10:00Z] done: Moved to checked/"
]
},
"property-based-tests": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T13:15:00Z",
"featureFile": "docs/features/checked/policy/property-based-tests.md",
"notes": [
"[2026-02-13T13:15:00Z] checking: Tier 2d passed - 1716 tests (438 Determinization + 1278 Engine). 9 property test suites: DecayPropertyTests (10 tests: monotonicity, bounds, floor, half-life, strict 100-day decreasing, shorter half-life faster, invalid half-life edge cases), DeterminismPropertyTests (8 tests: same-snapshot determinism, cross-instance determinism, 100-task parallel consistency, weighted entropy determinism, construction-order independence), EntropyPropertyTests (8 tests: all 64 signal combinations bounded, extreme weights bounded, all-present=0.0, none=1.0, add-signal monotonic, remove-signal monotonic), VexLatticeMergePropertyTests (16 FsCheck@100: Join/Meet commutativity+idempotency+identity, absorption laws, IsHigher antisymmetry+reflexivity+top/bottom, conflict resolution validity+determinism+trust-wins), plus ScoreRuleMonotonicityPropertyTests, RiskBudgetMonotonicityPropertyTests, UnknownsBudgetPropertyTests, PolicyDslRoundtripPropertyTests, ClaimScoreMergerPropertyTests.",
"[2026-02-13T13:15:00Z] done: Moved to checked/"
]
},
"release-gate-levels": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T14:40:00Z",
"featureFile": "docs/features/checked/policy/release-gate-levels.md",
"notes": [
"[2026-02-13T14:30:00Z] checking: Tier 2d passed - 2059 tests (781 Policy.Tests + 1278 Engine.Tests). GateLevel enum G0-G4 with escalating requirements. GateLevelTests: 12 tests (requirement counts per level, requirement content, descriptions). RiskPointScoringTests: 16 tests (base scores by tier, diff risk categories, operational context, mitigations, minimum score, gate level determination, budget escalation Yellow/Red/Exhausted). PolicyGateEvaluator: 22 tests (lattice states, uncertainty tiers). GateSelector: RRS computation + budget modifiers (Yellow G2+1, Red G1+1, Exhausted G4). BudgetConstraintEnforcer: release check with gate requirements.",
"[2026-02-13T14:40:00Z] done: Moved to checked/"
]
},
"replayable-verdict-evaluation": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T14:40:00Z",
"featureFile": "docs/features/checked/policy/replayable-verdict-evaluation.md",
"notes": [
"[2026-02-13T14:32:00Z] checking: Tier 2d passed - 781 Policy.Tests. ReplayEngine: 5-step pipeline (load+verify snapshot, resolve frozen inputs, execute deterministic evaluation, load original verdict, compare+generate result). 7 ReplayEngineTests (valid replay, non-existent snapshot ReplayFailed, NoComparison, 10-iteration determinism, different artifacts, duration tracking, original verdict comparison). 8 VerdictComparerTests (ExactMatch, Mismatch with decision delta, MatchWithinTolerance score 0.0005<0.001, Mismatch score 0.5>0.001, finding deltas Added/Removed, order-independent, extra findings, confidence calculation). 9 ReplayReportTests (report ID, determinism flags, confidence levels 1.0/0.9/0.5/0.0, recommendations, timing).",
"[2026-02-13T14:40:00Z] done: Moved to checked/"
]
},
"risk-budget-api-endpoints": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T14:40:00Z",
"featureFile": "docs/features/checked/policy/risk-budget-api-endpoints.md",
"notes": [
"[2026-02-13T14:34:00Z] checking: Tier 2d passed - 1337 tests (1278 Engine.Tests + 59 Unknowns.Tests). BudgetEndpoints: 5 routes (ListBudgets, GetBudget, GetBudgetStatus, CheckBudget, GetDefaultBudgets) at /api/v1/policy/budgets. RiskBudgetEndpoints: 6 routes (GetBudgetStatus, ConsumeBudget, CheckRelease, GetBudgetHistory, AdjustBudget, ListBudgets) at /api/v1/policy/budget. RiskProfileEndpoints, RiskProfileSchemaEndpoints, RiskProfileAirGapEndpoints. LedgerExportService: NDJSON export with schema policy-ledger-export-v1. 24 BudgetEnforcementIntegrationTests (windows, consumption, thresholds, earned capacity, history, concurrent safety, tier allocations). UnknownBudgetServiceTests (budget retrieval, within-limit, exceeds-total, reason-limit violations, escalation with exceptions). FsCheck property tests.",
"[2026-02-13T14:40:00Z] done: Moved to checked/"
]
},
"risk-budget-management": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T14:40:00Z",
"featureFile": "docs/features/checked/policy/risk-budget-management.md",
"notes": [
"[2026-02-13T14:36:00Z] checking: Tier 2d passed - 2118 tests (781 Policy.Tests + 1278 Engine.Tests + 59 Unknowns.Tests). RiskBudget model: Green/Yellow/Red/Exhausted status thresholds (0-39/40-69/70-99/100%). 7 RiskBudgetTests (Green/Yellow/Red/Exhausted status, overconsumed, default allocations). 8 BudgetLedgerTests (create default, return existing, consume/deduct, insufficient fails, history, adjust increase/decrease, floor at 0). 24 BudgetEnforcementIntegrationTests (threshold transitions Green->Yellow->Red->Exhausted, 7 boundary cases, earned capacity replenishment Red->Yellow, capacity penalty, window isolation, concurrent safety). UnknownBudgetService (per-reason-code limits, violations, escalation with exceptions). UnknownsBudgetEnforcer (Critical/High/Medium/Low thresholds, Block/Warn/Log actions, environment overrides). LedgerExportService (deterministic NDJSON). Gate escalation verified via RiskPointScoringTests.",
"[2026-02-13T14:40:00Z] done: Moved to checked/"
]
},
"risk-budget-model": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T16:30:00Z",
"featureFile": "docs/features/checked/policy/risk-budget-model.md",
"notes": [
"[2026-02-13T16:30:00Z] checking: Tier 2d passed - 1278 Engine.Tests. RiskBudgetMonotonicityPropertyTests (6 FsCheck properties x100: critical/high/risk-score/magnitude tightening monotonicity, blocked CVE monotonicity, violation count non-decreasing). RiskSimulationBreakdownServiceTests (19 tests: 10-bucket score distribution, percentile computation p50/p90/p99, severity breakdown totals, HHI concentration, determinism hash). BudgetEnforcementIntegrationTests (24 tests: Green/Yellow/Red/Exhausted threshold transitions at 40%/70%/100%, tier-based allocations Internal=300/CustomerFacing=200/Critical=120/Safety=80, capacity replenishment, concurrent safety).",
"[2026-02-13T16:30:00Z] done: Moved to checked/"
]
},
"risk-point-scoring": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T16:30:00Z",
"featureFile": "docs/features/checked/policy/risk-point-scoring.md",
"notes": [
"[2026-02-13T16:30:00Z] checking: Tier 2d passed - 1278 Engine.Tests. SimpleScoringEngineTests (17 tests: baseSeverity CVSS mapping, reachability hopCount scoring, gate multiplier, weighted signals, severity mapping, overrides, determinism). AdvancedScoringEngineTests (15 tests: CVSS version adjustment, KEV boost +20, uncertainty penalty, semantic category multiplier, multi-evidence overlap, determinism). UnknownRankerTests: two-factor formula Score=(Uncertainty*50)+(ExploitPressure*50), exact scores verified (45.00, 92.50, 0.00), EPSS mutual exclusivity.",
"[2026-02-13T16:30:00Z] done: Moved to checked/"
]
},
"risk-verdict-attestation-contract": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T16:30:00Z",
"featureFile": "docs/features/checked/policy/risk-verdict-attestation-contract.md",
"notes": [
"[2026-02-13T16:30:00Z] checking: Tier 2d passed - 1278 Engine.Tests. VerdictAttestationIntegrationTests (5: end-to-end DSSE attestation, deterministic JSON, graceful failure). PolicyDecisionAttestationServiceTests (10: signer client sha256 digest, Rekor submission, unsigned fallback). RvaVerifierTests (10: valid/tampered/expired attestation, reason codes Pass/Fail/Exception/Indeterminate). ScoringDeterminismVerifierTests (18: proof reproducibility, boundary scores, custom weights, factory).",
"[2026-02-13T16:30:00Z] done: Moved to checked/"
]
},
"runtime-containment-signals-for-unknowns-scoring": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T16:30:00Z",
"featureFile": "docs/features/checked/policy/runtime-containment-signals-for-unknowns-scoring.md",
"notes": [
"[2026-02-13T16:30:00Z] checking: Tier 2d passed - 59 Unknowns.Tests. UnknownRankerTests containment reduction: null=0%, Isolated=15%, all factors capped at 40%, Seccomp+FsRO=20% (score 60->48), disabled option. Signal weights: Isolated 15%, NotNetFacing 5%, NonRoot 5%, Seccomp 10%, FsRO 10%, NetworkIsolated 5%. Formula: containmentBps=min(Sum(signal_bps),4000); score*=(10000-containmentBps)/10000. Band assignment after containment: Hot>=75, Warm>=50, Cold>=25, Resolved<25. 100-iteration determinism.",
"[2026-02-13T16:30:00Z] done: Moved to checked/"
]
},
"sbom-presence-policy-gate": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T16:35:00Z",
"featureFile": "docs/features/checked/policy/sbom-presence-policy-gate.md",
"notes": [
"[2026-02-13T16:30:00Z] checking: Tier 2d passed - 781 Policy.Tests. SbomPresenceGate: 20 tests covering disabled gate, optional/recommended/required enforcement per environment, missing SBOM blocks/warns, valid CycloneDX (1.4-1.7) and SPDX (2.2/2.3/3.0.1) formats, invalid format rejection, minimum component count threshold, schema validation, signature requirement (missing/invalid/valid), primary component requirement, format normalization (case/alias handling), metadata fallback, optional metadata inclusion (document_uri, created_at).",
"[2026-02-13T16:35:00Z] done: Moved to checked/"
]
},
"score-attestation-and-proof-ledger": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T16:35:00Z",
"featureFile": "docs/features/checked/policy/score-attestation-and-proof-ledger.md",
"notes": [
"[2026-02-13T16:32:00Z] checking: Tier 2d passed - 1278 Engine.Tests. VerdictAttestationIntegrationTests (5: DSSE-signed attestation end-to-end, deterministic JSON, attestor 503 returns null, timeout returns null, valid predicate JSON). LedgerExportServiceTests (1: ordered NDJSON with schema policy-ledger-export-v1, manifest + records). ScoringDeterminismVerifierTests (20+: valid proof verification, high/low/boundary scores reproducible, null/missing proof handling, 4-combo input parameterized tests, custom weights, factory, ScoreMismatch/MissingProof/Skipped result types).",
"[2026-02-13T16:35:00Z] done: Moved to checked/"
]
},
"score-v1-policy-format": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T16:35:00Z",
"featureFile": "docs/features/checked/policy/score-v1-policy-format.md",
"notes": [
"[2026-02-13T16:33:00Z] checking: Tier 2d passed - 1278 Engine.Tests. ScorePolicyServiceCachingTests (13: per-tenant caching, sha256 digest format, deterministic digest, different policies differ, reload clears cache, concurrent thread safety, null/empty tenant throws, null policy throws). ScorePolicyDigestReplayIntegrationTests (7: ReplayManifest.ScorePolicyDigest field, null handling, JSON serialization/omission/roundtrip, separate from PolicyDigest, content-addressed format). ScoreBasedRuleTests (54+: score value comparisons 11 cases, bucket flags 10 cases, dimension access 13 cases, has_flag 7 cases, between 7 cases, compound expressions 6 cases, null score, edge cases 0/100). Schema at score-policy.v1.schema.json.",
"[2026-02-13T16:35:00Z] done: Moved to checked/"
]
},
"security-state-delta": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T16:35:00Z",
"featureFile": "docs/features/checked/policy/security-state-delta.md",
"notes": [
"[2026-02-13T16:34:00Z] checking: Tier 2d passed - 2059 tests (781 Policy.Tests + 1278 Engine.Tests). SecurityStateDeltaTests (5: delta model with content-addressed DeltaId delta:sha256:, SbomDelta package changes, ReachabilityDelta per-CVE tracking, DeltaDriver severity classification, DeltaSummary risk direction with score). ConsoleSimulationDiffServiceTests (1: deterministic delta via JSON equality, schema console-policy-23-001, before/after summary, rule impact, budget enforcement). DriftGateEvaluator: SBOM drift between baseline/target. WhatIfSimulationService: baseline vs target deltas with decision changes.",
"[2026-02-13T16:35:00Z] done: Moved to checked/"
]
},
"signature-required-policy-gate": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T17:10:00Z",
"featureFile": "docs/features/checked/policy/signature-required-policy-gate.md",
"notes": [
"[2026-02-13T17:10:00Z] checking: Tier 2d passed - 2059 tests (781 Policy.Tests + 1278 Engine.Tests). SignatureRequiredGateTests (15+): disabled returns pass, missing signature blocks, valid signatures pass, invalid signature fails with details, non-required types pass without signature, issuer allowlist with exact match and wildcard patterns (*@company.com), algorithm validation (ES256/RS256/EdDSA/reject unknown), key ID validation, keyless signature valid with transparency log, keyless fails without log, keyless disabled rejects, environment overrides skip types and add issuers, invalid certificate chain fails. PolicyGateEvaluator evidence completeness gate verifies graphHash/pathLength for not_affected. DSSE-attested evidence referenced in gate decisions.",
"[2026-02-13T17:10:00Z] done: Moved to checked/"
]
},
"signed-vex-override-enforcement-in-policy-engine": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T17:12:00Z",
"featureFile": "docs/features/checked/policy/signed-vex-override-enforcement-in-policy-engine.md",
"notes": [
"[2026-02-13T17:12:00Z] checking: Tier 2d passed - 2059 tests (781 Policy.Tests + 1278 Engine.Tests). VexTrustGateTests (16+): disabled returns Allow, skips non-applicable statuses, evaluates case-insensitively, MissingTrustBehavior Allow/Warn/Block, production high trust 0.85 allows, production low trust 0.65 blocks (threshold 0.80), production unverified signature blocks, production stale freshness blocks, staging medium trust 0.65 allows (threshold 0.60), staging low trust 0.45 warns, development low trust 0.45 allows (threshold 0.40), trust tier VeryHigh/High/Medium/Low/VeryLow, all checks populated (composite_score, issuer_verified, freshness, accuracy_rate), default thresholds for unknown envs. ClaimScoreMerger conflict penalty 0.25. TrustLatticeEngine: CycloneDX/OpenVEX/CSAF normalizers -> claims -> K4 lattice -> disposition.",
"[2026-02-13T17:12:00Z] done: Moved to checked/"
]
},
"smart-diff-semantic-risk-delta": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T17:14:00Z",
"featureFile": "docs/features/checked/policy/smart-diff-semantic-risk-delta.md",
"notes": [
"[2026-02-13T17:14:00Z] checking: Tier 2d passed - 2059 tests (781 Policy.Tests + 1278 Engine.Tests). WhatIfSimulationService: SBOM diff ops (add/remove/upgrade/downgrade), decision changes (status_changed/severity_changed/new/removed), impact summary (increased/decreased/unchanged), recommendations. ConsoleSimulationDiffService: deterministic schema console-policy-23-001, severity breakdowns, rule impact. CounterfactualEngine: 5 fix paths (VEX/Exception/Reachability/VersionUpgrade/CompensatingControl) with effort scaling (Critical=5, High=4, Medium=3, Low=2, CompensatingControl=4). RiskSimulationBreakdownService: signal analysis, score distribution, CompareProfilesWithBreakdown. DriftGateEvaluator: SBOM drift as semantic risk. PolicyEngineDeterminism: canonical JSON, verdict hash.",
"[2026-02-13T17:14:00Z] done: Moved to checked/"
]
},
"time-travel-replay-engine": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T17:16:00Z",
"featureFile": "docs/features/checked/policy/time-travel-replay-engine.md",
"notes": [
"[2026-02-13T17:16:00Z] checking: Tier 2d passed - 781 Policy.Tests. ReplayEngineTests (7): valid snapshot replay with correct SnapshotId and non-null ReplayedVerdict, non-existent snapshot returns ReplayFailed, missing original verdict returns NoComparison, 10-iteration determinism verification, different artifacts produce different results, duration tracking (TimeSpan > 0), original verdict comparison. VerdictComparerTests (8): identical verdicts ExactMatch with DeterminismConfidence=1.0, different decisions Mismatch (Critical), score within tolerance MatchWithinTolerance, score beyond tolerance Mismatch, finding deltas detect Added/Removed, order-independent matching, confidence calculation with Critical/Minor/Finding penalties. ReplayReportTests (8): report ID, determinism flags, confidence levels. SnapshotBuilderTests + SnapshotIdGeneratorTests (21): content-addressed ksm:sha256: IDs. Frozen inputs (AllowNetworkFetch=false) prevent time-dependent drift.",
"[2026-02-13T17:16:00Z] done: Moved to checked/"
]
},
"vex-format-normalization": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:42:00Z",
"featureFile": "docs/features/checked/policy/vex-format-normalization.md",
"notes": [
"[2026-02-13T07:38:00Z] checking: Tier 2d passed - 781 Policy.Tests. VexNormalizerTests (25 tests): CycloneDX (Affected->Present+Applies true, NotAffected->Applies false, Fixed->Fixed true, FixAvailable->Fixed false, InTriage->empty, CodeNotPresent->Present false, CodeNotReachable->Reachable false, ProtectedByMitigatingControl->Mitigated true, detail in justification), OpenVEX (Affected->Present+Applies true, NotAffected->Applies false, Fixed->Fixed true, UnderInvestigation->empty, VulnerableCodeNotInExecutePath->Reachable false, ComponentNotPresent->Present false, action+impact in justification), CSAF (KnownAffected->Present+Applies true, KnownNotAffected->Applies false, Fixed->Fixed true, UnderInvestigation->empty, VulnerableCodeNotInExecutePath->Reachable false, ComponentNotPresent->Present false), format property tests. All 3 normalizers registered in TrustLatticeEngine.",
"[2026-02-13T07:42:00Z] done: Moved to checked/"
]
},
"vex-status-promotion-gate": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:42:00Z",
"featureFile": "docs/features/checked/policy/vex-status-promotion-gate.md",
"notes": [
"[2026-02-13T07:38:00Z] checking: Tier 2d passed - 1278 Engine.Tests. VexTrustGateTests (20+ tests): production high trust 0.85 allows, production low trust 0.65 blocks (threshold 0.80), staging medium trust 0.65 allows (threshold 0.60), staging low trust 0.45 warns (FailureAction=Warn), development low trust 0.45 allows (threshold 0.40), production stale freshness blocks, production unverified signature blocks, MissingTrustBehavior Allow/Warn/Block all 3 variants, status not in ApplyToStatuses skipped, trust tier computation VeryHigh/High/Medium/Low/VeryLow, checks populated (composite_score, issuer_verified, freshness, accuracy_rate), unknown environment uses default thresholds, gate ID format.",
"[2026-02-13T07:42:00Z] done: Moved to checked/"
]
},
"vex-trust-lattice-with-provenance-coverage-replayability-scoring": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:42:00Z",
"featureFile": "docs/features/checked/policy/vex-trust-lattice-with-provenance-coverage-replayability-scoring.md",
"notes": [
"[2026-02-13T07:38:00Z] checking: Tier 2d passed - 781 Policy.Tests. K4LatticeTests (30+ tests): Join(True,False)=Conflict, Meet(True,False)=Unknown, commutativity (4x4 all pairs), associativity (4x4x4 all triples), LessOrEqual reflexive/transitive/T-F-incomparable, Negate involutive, FromSupport (4 combos), HasTrueSupport/HasFalseSupport/IsDefinite/IsIndeterminate (16 parameterized). ClaimScoreMergerTests (3 tests): highest score selection, conflict penalty 0.25 (source-b adjusted 0.7*0.75=0.525), 1000-iteration deterministic merge. TrustLatticeEngineIntegrationTests: vendor vs scanner conflict detection, multi-source aggregation, proof bundle generation. TrustLabel.ComputeScore() weighted (Assurance*100+Evidence*10+Freshness). P/C/R model integrated via ClaimScoreResult (BaseTrust, StrengthMultiplier, FreshnessMultiplier).",
"[2026-02-13T07:42:00Z] done: Moved to checked/"
]
},
"vextrustgate-policy-integration": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:42:00Z",
"featureFile": "docs/features/checked/policy/vextrustgate-policy-integration.md",
"notes": [
"[2026-02-13T07:38:00Z] checking: Tier 2d passed - 1278 Engine.Tests. VexTrustGate implements IVexTrustGate, GateOrder=250 (3rd in 5-gate pipeline after EvidenceCompleteness and LatticeState). VexTrustGateTests (20+ tests): gate disabled returns Allow 'gate_disabled', status not in ApplyToStatuses returns Allow, MissingTrustBehavior Allow/Warn/Block, production 0.85 allows, production 0.65 blocks, staging 0.65 allows, staging 0.45 warns, development 0.45 allows, unverified signature blocks, stale freshness blocks, accuracy rate check included when threshold set, trust tier VeryHigh/High/Medium/Low/VeryLow, gate ID format vex-trust:status:timestamp. VexTrustGateMetrics: 4 OTel instruments (evaluations.total, decisions.total, trust_score histogram, evaluation_duration_ms). VexTrustGateOptions: SectionKey 'Policy:Gates:VexTrust', Enabled, ApplyToStatuses, per-env Thresholds, MissingTrustBehavior, EmitMetrics, TenantOverrides. PolicyGateEvaluator integration: VexTrust gate at position 2.5 (after Lattice, before UncertaintyTier).",
"[2026-02-13T07:42:00Z] done: Moved to checked/"
]
},
"unknowns-ranking-algorithm": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:42:00Z",
"featureFile": "docs/features/checked/policy/unknowns-ranking-algorithm.md",
"notes": [
"[2026-02-13T07:42:00Z] checking: Tier 2d passed - 59 Unknowns.Tests. UnknownRankerTests: two-factor formula Score=(Uncertainty*50)+(ExploitPressure*50). Uncertainty factors: MissingVEX +0.40, MissingReachability +0.30, ConflictingSources +0.20, StaleAdvisory +0.10 (capped 1.0). Exploit pressure: KEV +0.50, EPSS>=0.90 +0.30, EPSS>=0.50 +0.15, CVSS>=9.0 +0.05 (mutually exclusive EPSS, capped 1.0). Time decay buckets: 7d=100%, 30d=90%, 90d=75%, 180d=60%, 365d=40%, >365d=20%. Containment reduction: Isolated=15%, NotNetFacing=5%, NonRoot=5%, Seccomp=10%, FsRO=10%, NetworkIsolated=5% (capped 40%). Band assignment: Hot>=75, Warm>=50, Cold>=25, Resolved<25. Reason codes: AnalyzerLimit, Reachability, Identity, Provenance, VexConflict, FeedGap, ConfigUnknown. 100-iteration determinism verified.",
"[2026-02-13T07:42:00Z] done: Moved to checked/"
]
},
"verdict-explainability-rationale-renderer": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:42:00Z",
"featureFile": "docs/features/checked/policy/verdict-explainability-rationale-renderer.md",
"notes": [
"[2026-02-13T07:42:00Z] checking: Tier 2d passed - 35 Explainability.Tests. VerdictRationaleRendererTests: sealed class implements IVerdictRationaleRenderer. Render produces structured 4-line rationale (Evidence, PolicyClause, Attestations, Decision). Content-addressed RationaleId rat:sha256:{hash} from SHA256 of canonical JSON (RFC 8785 via CanonJson). RenderPlainText 4-line output. RenderMarkdown with ## and ### headers. RenderJson canonical JSON. Evidence: CVE, component PURL/name/version, reachability (vulnerable function, entry point, path summary). Attestations: path witness, VEX statements, provenance; fallback 'No attestations available.' Decision: verdict, score, recommendation, mitigation. Same input deterministically produces same RationaleId.",
"[2026-02-13T07:42:00Z] done: Moved to checked/"
]
},
"versioned-weight-manifests": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:42:00Z",
"featureFile": "docs/features/checked/policy/versioned-weight-manifests.md",
"notes": [
"[2026-02-13T07:42:00Z] checking: Tier 2d passed - 438 Determinization.Tests. WeightManifestLoaderTests (22 tests): manifest discovery in directory sorted by effectiveFrom descending, single/multiple manifest loading, invalid JSON skipped, nonexistent directory returns empty. LoadAsync: valid file returns LoadResult with version/schemaVersion/computedHash, auto placeholder detection, strict hash verification mode rejects mismatches. SelectEffectiveAsync: most recent effective at reference date, null if none effective, exact date matches. Validate: valid manifests no issues, unsupported schema reported, unnormalized legacy weights reported, auto placeholder flagged. Diff: identical manifests no differences, version/weight changes detected, added fields shown. WeightManifestHashComputerTests: sha256:auto replacement. SignalWeights record, ScoringRulesSnapshot content-addressed, ScorePolicyLoader YAML validation.",
"[2026-02-13T07:42:00Z] done: Moved to checked/"
]
},
"vex-decisioning-engine": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:42:00Z",
"featureFile": "docs/features/checked/policy/vex-decisioning-engine.md",
"notes": [
"[2026-02-13T07:42:00Z] checking: Tier 2d passed - 2059 tests (781 Policy.Tests + 1278 Engine.Tests). TrustLatticeEngine: full VEX decisioning pipeline with VEX normalization, claim ingestion, K4 evaluation, disposition selection, proof bundle generation. K4LatticeTests: Belnap 4-valued logic (Unknown/True/False/Conflict), Join(T,F)=Conflict, Meet(T,F)=Unknown, commutativity, FromSupport. ClaimScoreMergerTests: highest score selection, conflict penalty 0.25, 1000-iteration determinism. TrustLatticeEngineIntegrationTests: vendor vs scanner conflict detection (APPLIES conflict -> InTriage), all sources agree -> Exploitable, Fixed overrides exploitability -> ResolvedWithPedigree, Misattributed -> FalsePositive, NotReachable -> NotAffected, Mitigated -> NotAffected, InsufficientData -> InTriage. Multi-subject evaluation (3 subjects, 3 different dispositions). Proof bundle content-addressable. Fluent ClaimBuilder API. VexTrustGate per-environment thresholds. PolicyGateEvaluator 5-gate pipeline.",
"[2026-02-13T07:42:00Z] done: Moved to checked/"
]
},
"unknown-budget-policy-enforcement": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:44:00Z",
"featureFile": "docs/features/checked/policy/unknown-budget-policy-enforcement.md",
"notes": [
"[2026-02-13T07:41:00Z] checking: Tier 2d passed - 1337 tests (59 Unknowns.Tests + 1278 Engine.Tests). UnknownsBudgetEnforcer: Critical/High/Medium/Low severity thresholds, Block/Warn/Log actions, environment-aware overrides. UnknownBudgetService: per-reason-code limits (Reachability/Identity/Provenance/VexConflict/FeedGap/ConfigUnknown/AnalyzerLimit), CheckBudgetWithEscalation (exception coverage), GetBudgetStatus (PercentageUsed, ByReasonCode). UnknownRanker: two-factor formula Score=(Uncertainty*50)+(ExploitPressure*50), Hot>=75/Warm>=50/Cold>=25/Resolved<25. PolicyGateEvaluator: UncertaintyTier gate (4th in pipeline) T1 blocks not_affected, T4 passes. BudgetEndpoints: 5-route API at /api/v1/policy/budgets. RiskBudgetEndpoints: 6-route API at /api/v1/policy/budget.",
"[2026-02-13T07:44:00Z] done: Moved to checked/"
]
},
"unknowns-budget-dashboard": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:44:00Z",
"featureFile": "docs/features/checked/policy/unknowns-budget-dashboard.md",
"notes": [
"[2026-02-13T07:42:00Z] checking: Tier 2d passed - 1337 tests (59 Unknowns.Tests + 1278 Engine.Tests). Budget dashboard API at /api/v1/policy/budgets: ListBudgets, GetBudget, GetBudgetStatus, CheckBudget, GetDefaultBudgets. BudgetStatusResponse: Environment, TotalUnknowns, TotalLimit, PercentageUsed, IsExceeded, ViolationCount, ByReasonCode. UnknownRanker: HOT/WARM/COLD/Resolved priority bands with 7 reason codes. SLA monitoring via consumption percentage. Budget CRUD + escalation with exceptions. BlastRadius (Dependents, NetFacing, Privilege) and ContainmentSignals (Seccomp, FileSystem, NetworkPolicy) models. DefaultBudgets per environment.",
"[2026-02-13T07:44:00Z] done: Moved to checked/"
]
},
"unknowns-decay-and-triage-queue": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:44:00Z",
"featureFile": "docs/features/checked/policy/unknowns-decay-and-triage-queue.md",
"notes": [
"[2026-02-13T07:43:00Z] checking: Tier 2d passed - 497 tests (438 Determinization.Tests + 59 Unknowns.Tests). DecayedConfidenceCalculator: exp(-ln(2)*age/halfLife) with histogram metric stellaops_determinization_decay_multiplier. ObservationDecay: HalfLifeDays=14, Floor=0.35, StalenessThreshold=0.50, CalculateDecay(now), CheckIsStale(now), Create/Fresh/WithSettings factories. TriageQueueEvaluator: priority classification (Critical/High/Medium/Low/None), deterministic sorting, DaysUntilStale formula, recommended actions with signal gaps. UnknownTriageQueueService: cycle-based re-analysis triggering via ITriageReanalysisSink, only Medium/High/Critical enqueued. InMemoryTriageReanalysisSink for testing. DecayPropertyTests: 10 FsCheck properties. Note: triage queue UI, containment data source integration, decay notification, and historical decay ledger are documented future enhancements.",
"[2026-02-13T07:44:00Z] done: Moved to checked/"
]
},
"unknowns-grey-queue-with-conflict-detection-and-reanalysis-fingerprints": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-002",
"lastUpdatedUtc": "2026-02-13T07:44:00Z",
"featureFile": "docs/features/checked/policy/unknowns-grey-queue-with-conflict-detection-and-reanalysis-fingerprints.md",
"notes": [
"[2026-02-13T07:44:00Z] checking: Tier 2d passed - 1278 tests (781 Policy.Tests + 438 Determinization.Tests + 59 Unknowns.Tests). K4Lattice: K4Value.Conflict=3 when True join False, full 4-valued algebra. ClaimScoreMerger: deterministic merge ordering, ConflictPenalizer 0.25 penalty, RequiresReplayProof=true on conflicts. ConflictDetector: signal conflict detection. ReanalysisFingerprintBuilder: content-addressed sha256: fingerprint from canonical JSON, sorted evidence digests + tool versions + triggers, deduped. ReanalysisTrigger: versioned signal events with EventType/EventVersion/Source/CorrelationId. UnknownRanker: +0.20 uncertainty for VexConflict, +0.10 for stale evidence. ObservationDecay.CheckIsStale: triggers reanalysis when decay below 0.50. 8 ReanalysisFingerprintTests verify determinism + content-addressing.",
"[2026-02-13T07:44:00Z] done: Moved to checked/"
]
}
}
}