# SBOM Presence Policy Gate (SbomPresenceGate)

## Module

Policy

## Status

IMPLEMENTED

## Description

Policy gate that blocks releases lacking a valid SBOM document, with configurable format requirements (CycloneDX/SPDX), minimum component count thresholds, and freshness checks.

## Implementation Details

- **PolicyGateEvaluator Evidence Completeness gate**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - Evidence Completeness gate (first in the 5-gate pipeline) checks for SBOM presence
  - Missing SBOM triggers Block or Warn based on gate configuration
  - Evaluates SBOM format, component count, and freshness as part of evidence checks
- **DriftGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs`
  - Evaluates SBOM drift between baseline and target
  - SBOM format validation (CycloneDX/SPDX) as part of drift analysis
- **DriftGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs` -- configurable SBOM requirements
- **EvidenceTtlEnforcer**: `src/Policy/__Libraries/StellaOps.Policy/Freshness/EvidenceTtlEnforcer.cs`
  - SBOM/Provenance freshness: checks BuildTime against TTL
  - Freshness statuses: Fresh, Warning, Stale
- **WhatIfSimulationService**: `src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs`
  - SBOM diff operations verify SBOM presence before simulation

## E2E Test Plan

- [ ] Evaluate artifact without SBOM; verify Evidence Completeness gate blocks
- [ ] Evaluate artifact with valid CycloneDX SBOM; verify gate passes
- [ ] Evaluate artifact with valid SPDX SBOM; verify gate passes
- [ ] Configure minimum component count threshold=10; provide SBOM with 5 components; verify gate warns/blocks
- [ ] Configure minimum component count threshold=10; provide SBOM with 15 components; verify gate passes
- [ ] Evaluate artifact with stale SBOM (BuildTime exceeds TTL); verify freshness check warns
- [ ] Evaluate artifact with fresh SBOM (BuildTime within TTL); verify freshness check passes
- [ ] Verify gate result message indicates SBOM format and component count when present
- [ ] Verify DriftGateEvaluator detects missing SBOM in drift analysis
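The following is an added, self-contained illustration of the checks the Evidence Completeness gate and EvidenceTtlEnforcer are described as performing (presence, CycloneDX/SPDX format detection, component count against a threshold, BuildTime against a TTL), walked through the scenarios in the test plan. It is not StellaOps code and does not use the project's types: `SbomGateOptions`, `SbomPresenceCheck`, `GateVerdict`, the choice that a stale SBOM warns while a missing one blocks, the 80%-of-TTL boundary between Fresh and Warning, and the treatment of a missing BuildTime as Stale are all assumptions made for the example. The sample SBOM documents are constructed inline.

```csharp
// Added illustrative example, not StellaOps code. Models the SBOM presence,
// format, component-count and freshness checks described on this page.
// Type/option names and the 80%-of-TTL warning band are assumptions.
using System;
using System.Linq;
using System.Text.Json;

public enum GateVerdict { Pass, Warn, Block }
public enum Freshness { Fresh, Warning, Stale }

// Assumed option shape; the real gate configuration may differ.
public sealed record SbomGateOptions(
    int MinComponents = 1,
    TimeSpan? Ttl = null,              // null disables the freshness check
    bool BlockOnMissing = true,        // Block vs Warn when no SBOM is attached
    bool BlockOnBelowThreshold = false);

public sealed record SbomGateResult(GateVerdict Verdict, string Message);

public static class SbomPresenceCheck
{
    public static SbomGateResult Evaluate(
        string? sbomJson, DateTimeOffset? buildTime, DateTimeOffset now, SbomGateOptions opts)
    {
        if (string.IsNullOrWhiteSpace(sbomJson))
            return new SbomGateResult(
                opts.BlockOnMissing ? GateVerdict.Block : GateVerdict.Warn, "SBOM missing");

        string format;
        int components;
        try
        {
            using var doc = JsonDocument.Parse(sbomJson);
            var root = doc.RootElement;
            // CycloneDX JSON carries "bomFormat": "CycloneDX" and lists "components";
            // SPDX JSON carries "spdxVersion" and lists "packages".
            if (root.TryGetProperty("bomFormat", out var bf) && bf.GetString() == "CycloneDX")
            {
                format = "CycloneDX";
                components = CountArray(root, "components");
            }
            else if (root.TryGetProperty("spdxVersion", out _))
            {
                format = "SPDX";
                components = CountArray(root, "packages");
            }
            else
            {
                return new SbomGateResult(GateVerdict.Block,
                    "SBOM present but not recognised as CycloneDX or SPDX JSON");
            }
        }
        catch (JsonException ex)
        {
            return new SbomGateResult(GateVerdict.Block, $"SBOM is not valid JSON: {ex.Message}");
        }

        var verdict = GateVerdict.Pass;
        var message = $"format={format} components={components}";

        if (components < opts.MinComponents)
        {
            verdict = opts.BlockOnBelowThreshold ? GateVerdict.Block : GateVerdict.Warn;
            message += $" (below minimum {opts.MinComponents})";
        }

        if (opts.Ttl is TimeSpan ttl)
        {
            var freshness = ClassifyFreshness(buildTime, now, ttl);
            message += $" freshness={freshness}";
            // Freshness problems only warn here; a missing or invalid SBOM is what blocks.
            if (freshness != Freshness.Fresh && verdict == GateVerdict.Pass)
                verdict = GateVerdict.Warn;
        }
        return new SbomGateResult(verdict, message);
    }

    // Fresh while age < 80% of TTL, Warning up to the TTL, Stale beyond it (assumed bands).
    // An SBOM with no BuildTime cannot be shown to be fresh, so it is treated as Stale.
    public static Freshness ClassifyFreshness(DateTimeOffset? buildTime, DateTimeOffset now, TimeSpan ttl)
    {
        if (buildTime is null) return Freshness.Stale;
        var age = now - buildTime.Value;
        if (age < TimeSpan.FromTicks((long)(ttl.Ticks * 0.8))) return Freshness.Fresh;
        return age <= ttl ? Freshness.Warning : Freshness.Stale;
    }

    private static int CountArray(JsonElement root, string name) =>
        root.TryGetProperty(name, out var arr) && arr.ValueKind == JsonValueKind.Array
            ? arr.GetArrayLength() : 0;

    // Walks the E2E test plan scenarios with constructed (minimal, not real) SBOMs.
    public static void Main()
    {
        var now = new DateTimeOffset(2024, 6, 1, 0, 0, 0, TimeSpan.Zero);
        var opts = new SbomGateOptions(MinComponents: 10, Ttl: TimeSpan.FromDays(30));

        static string Cdx(int n) =>
            "{\"bomFormat\":\"CycloneDX\",\"specVersion\":\"1.5\",\"components\":[" +
            string.Join(",", Enumerable.Repeat("{\"type\":\"library\"}", n)) + "]}";
        static string Spdx(int n) =>
            "{\"spdxVersion\":\"SPDX-2.3\",\"packages\":[" +
            string.Join(",", Enumerable.Repeat("{}", n)) + "]}";

        var cases = new (string Label, string? Sbom, DateTimeOffset? Built)[]
        {
            ("no SBOM",                 null,            now.AddDays(-1)),
            ("CycloneDX, 5 components", Cdx(5),          now.AddDays(-1)),
            ("SPDX, 15 components",     Spdx(15),        now.AddDays(-1)),
            ("SPDX, 15, near TTL",      Spdx(15),        now.AddDays(-26)),
            ("SPDX, 15, stale build",   Spdx(15),        now.AddDays(-45)),
            ("not an SBOM",             "{\"hello\":1}", now),
        };
        foreach (var (label, sbom, built) in cases)
        {
            var r = Evaluate(sbom, built, now, opts);
            Console.WriteLine($"{label,-26} -> {r.Verdict,-5} {r.Message}");
        }
    }
}
```

The result message always carries the detected format and component count when an SBOM is present, which is what the "gate result message" test item asks for; the threshold and TTL outcomes are folded into the same message so a single line explains why a Warn or Block was raised. Detecting the format by the top-level `bomFormat` / `spdxVersion` keys is deliberately strict: a document that parses as JSON but matches neither is treated as "no valid SBOM" rather than silently counted as zero components.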