# StellaOps Policy Engine Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance. ## Responsibilities - Compile `stella-dsl@1` packs into executable graphs. - Join advisories, VEX evidence, and SBOM inventories to derive effective findings. - Expose simulation and diff APIs for UI/CLI workflows. - Emit change-stream driven events for Notify/Scheduler integrations. ## Key components - `StellaOps.Policy.Engine` service host. - Shared libraries under `StellaOps.Policy.*` for evaluation, storage, DSL tooling. ## Integrations & dependencies - PostgreSQL (schema `policy`) for findings, RustFS explain bundles. - Scheduler for incremental re-evaluation triggers. - CLI/UI for policy authoring and runs. ## Operational notes - DSL grammar and lifecycle docs in ../../policy/. - Observability guidance in ../../observability/policy.md. - Governance and scope mapping in ../../security/policy-governance.md. - Readiness briefs: ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md. - Readiness briefs: ../scanner/design/macos-analyzer.md, ../scanner/design/windows-analyzer.md, ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md. - Ruby capability predicates design: ./design/ruby-capability-predicates.md. ## Backlog references - DOCS-POLICY-20-001 … DOCS-POLICY-20-012 (completed baseline). - DOCS-POLICY-23-007 (upcoming command updates). ## Implementation Status ### Phase 1 – Deterministic evaluation core (Complete) - DSL compiler with caching, static analysis, runtime guardrails - Batch evaluator with deterministic ordering, change-stream inputs - Append-only effective findings ledger - Explain trace generation with evidence linking ### Phase 2 – Orchestration & incremental runs (In Progress) - Run scheduler with job leasing, fair-share per tenant/policy - Determinism hash verification and replay validation - Incremental delta processing with change-stream integration - Time-travel snapshots and resume cursors ### Phase 3 – Policy Studio workflows (Planned) - Policy registry with draft/review/approved lifecycle - Signed promotion pipeline with multi-step approvals - Console integration: editor, simulation, approvals, explain viewer - CLI parity for policy management operations ### Phase 4 – Simulation & approvals (Planned) - Diff/simulation APIs with rationale breakdown - Approval queues with change management workflows - Integration with CLI/Console for policy previews ### Phase 5 – Exports & offline parity (Planned) - Policy bundles with deterministic manifests - Explain archives for audit and review - Offline Kit assets with signed packages - Export Center integration ### Phase 6 – Observability & hardening (Planned) - Metrics: run duration, evaluation verdict counts, simulation latency - Guard violation detection and alerting - Incident response runbooks and compliance attestations ### Key Acceptance Criteria - Evaluation deterministic across runs; effective findings materialised only by Policy Engine - Incremental runs handle deltas within ≤5 min SLA; replay verification succeeds - Policy Studio supports full lifecycle with signed promotions and explain traces - Exports reproducible with signed manifests; Offline Kit delivers same tooling - Guardrails prevent forbidden IO; static analysis integrated into CI ### Technical Decisions & Risks - Non-determinism prevented via strict static analysis, runtime guards, replay tests - Policy drift managed through simulation previews, approval workflow, audit trail - Scaling handled via sharded workers, incremental deltas, caching, queue fairness - Guard bypass prevented by analyzers in CI and runtime rejection of forbidden operations ## Epic alignment - **Epic 2 – Policy Engine & Editor:** deliver deterministic evaluation, DSL infrastructure, explain traces, and incremental runs. - **Epic 4 – Policy Studio:** integrate registry workflows, simulation at scale, approvals, and promotion semantics.