# Audit - StellaOps.Policy.Gateway

## Project

- Path: `src/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj`
- Module: `Policy`
- Kind: `WebService`
- SDK: `Microsoft.NET.Sdk.Web`
- TargetFramework: `net10.0`
- Audit date (UTC): 2026-01-30

## Coding Standards Findings

- Status: FAIL
- Nullable: enable
- TreatWarningsAsErrors: explicit true
- Deterministic: inherited true
- 100-line rule violations: 24
- Service locator usage (BuildServiceProvider/GetService): 3
- Analyzer enforcement: missing repo-wide (see summary).

### Details

- 100-line files:
  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/GatesEndpoints.cs` (1002 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/GovernanceEndpoints.cs` (931 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/ExceptionApprovalEndpoints.cs` (874 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Program.cs` (664 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Services/ExceptionService.cs` (605 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/ExceptionEndpoints.cs` (559 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/ScoreGateEndpoints.cs` (550 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Contracts/ExceptionContracts.cs` (466 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Contracts/ScoreGateContracts.cs` (445 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/RegistryWebhookEndpoints.cs` (406 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/GateEndpoints.cs` (400 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/DeltasEndpoints.cs` (373 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Options/PolicyGatewayOptions.cs` (323 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Contracts/DeltaContracts.cs` (293 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Services/ApprovalWorkflowService.cs` (275 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Clients/PolicyEngineClient.cs` (256 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Contracts/GateContracts.cs` (243 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Services/PolicyGatewayDpopProofGenerator.cs` (239 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Services/ExceptionExpiryWorker.cs` (235 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Services/IExceptionService.cs` (234 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Services/ExceptionQueryService.cs` (227 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Endpoints/ToolLatticeEndpoints.cs` (209 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Services/InMemoryGateEvaluationQueue.cs` (184 lines)
  - `src/Policy/StellaOps.Policy.Gateway/Services/PolicyEngineTokenProvider.cs` (123 lines)
- Service locator matches:
  - `src/Policy/StellaOps.Policy.Gateway/Services/InMemoryGateEvaluationQueue.cs`:147 `var evaluator = scope.ServiceProvider.GetRequiredService();`
  - `src/Policy/StellaOps.Policy.Gateway/Program.cs`:246 `var egressPolicy = serviceProvider.GetService();`
  - `src/Policy/StellaOps.Policy.Gateway/Program.cs`:598 `var loggerFactory = provider.GetService();`

### Fix Guidance

- Split files over 100 lines into smaller types or partials.
- Replace service locator usage with constructor injection.

## Testing Fullness Findings

- Status: FAIL
- Expected layers: Unit, Integration, Security, Offline
- Detected test projects: `src/Policy/__Tests/StellaOps.Policy.Gateway.Tests/StellaOps.Policy.Gateway.Tests.csproj` [Unit]
- Missing layers: Integration, Security, Offline

### Manual checks required

- Observability contract tests for WebService/Worker.
- Intent tagging required for regulatory modules.
- Offline execution (tests must run without network access).

### Fix Guidance

- Add integration tests for cross-component flows.
- Add security tests for authn/authz or input validation.
- Add offline/airgap coverage with fixtures only.