git.stella-ops.org/docs/features/checked/policy/evidence-hooks-for-exception-approval.md
2026-02-13 02:04:55 +02:00

Evidence Hooks for Exception Approval

Module: Policy

Status: IMPLEMENTED

Description

Requires specific attestations before an exception can be approved. Seven evidence types are supported (feature flag disabled, backport merged, compensating control, security review, runtime mitigation, WAF rule deployed, custom attestation). For each hook the validator checks evidence freshness (age against MaxAge), trust score against a configured threshold, DSSE signature verification, and schema compliance. Mandatory hooks block approval until they are satisfied; optional hooks are reported in the result but do not block approval.

Implementation Details

  • EvidenceHook Model: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/EvidenceHook.cs
    • Sprint: SPRINT_3900_0003_0002_recheck_policy_evidence_hooks
    • Evidence types: feature_flag_disabled, backport_merged, compensating_control, security_review, runtime_mitigation, waf_rule_deployed, custom_attestation
    • Mandatory flag: blocks exception approval until hook is satisfied
    • MaxAge: maximum evidence age for freshness validation
    • Trust score threshold: minimum trust score for evidence acceptance
    • DSSE signature verification: requires valid signature on evidence attestation
    • Schema compliance: validates evidence against expected schema
  • EvidenceRequirementValidator: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs
    • Validates all required evidence is present and valid
    • Checks freshness (evidence age vs MaxAge)
    • Checks trust score against threshold
    • Checks DSSE signature verification status
    • Returns validation result with per-hook pass/fail status
  • ExceptionObject: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/ExceptionObject.cs -- contains evidence hook configuration
  • ExceptionEvaluator: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs -- evaluates exception with hooks
  • RecheckPolicy: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Models/RecheckPolicy.cs -- recheck policy including evidence hook revalidation

E2E Test Plan

  • Configure exception with mandatory evidence hook (security_review); attempt approval without evidence; verify blocked
  • Provide security_review attestation; verify exception approval succeeds
  • Provide evidence with age exceeding MaxAge; verify freshness validation fails
  • Provide evidence with trust score below threshold; verify trust validation fails
  • Provide evidence without DSSE signature when signature required; verify signature validation fails
  • Configure 3 hooks (2 mandatory, 1 optional); satisfy mandatory hooks only; verify approval succeeds
  • Configure custom_attestation hook with schema; provide non-compliant evidence; verify schema validation fails
  • Verify all 7 evidence types are accepted by the validator
  • Recheck exception after evidence expires (MaxAge exceeded); verify recheck fails
  • Verify EvidenceRequirementValidator returns per-hook pass/fail status in result
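The following is an added, self-contained Python model of the checks listed under Implementation Details and of the scenarios in the E2E Test Plan; it is illustrative code, not the project's C# implementation. Names such as EvidenceHook, check_evidence and validate_exception are this example's own. Assumptions not taken from the page: DSSE envelopes are signed with HMAC-SHA256 over the DSSE pre-authentication encoding (a real deployment resolves an asymmetric key by keyid), the trust score is a float carried in the signed statement, a hook schema is a dict of required field name to type, and the clock is injected so freshness checks are deterministic. The demo key and timestamps are constructed fixtures.

```python
"""Runnable model of evidence-hook validation for exception approval.
Added example, not StellaOps code. Assumed: HMAC-SHA256 DSSE signatures over
the PAE, a trustScore in the statement, schema = {field: type}, injected clock.
"""
import base64, hashlib, hmac, json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

EVIDENCE_TYPES = frozenset({
    "feature_flag_disabled", "backport_merged", "compensating_control",
    "security_review", "runtime_mitigation", "waf_rule_deployed", "custom_attestation"})
# Fields every statement needs before freshness and trust can be judged at all.
BASE_SCHEMA = {"evidenceType": str, "issuedAt": str, "trustScore": (int, float)}

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a signature covers."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])

def sign_envelope(statement: dict, key: bytes, payload_type="application/vnd.in-toto+json"):
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {"payloadType": payload_type, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-hmac", "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(env: dict, key: bytes) -> bool:
    """True if any signature verifies over the PAE of the envelope's own payload."""
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).digest()
    return any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in env.get("signatures", []))

@dataclass
class EvidenceHook:
    evidence_type: str
    mandatory: bool = True
    max_age: timedelta = timedelta(days=30)
    min_trust_score: float = 0.0
    require_signature: bool = True
    schema: dict = field(default_factory=dict)  # extra required fields: name -> type

    def __post_init__(self):
        if self.evidence_type not in EVIDENCE_TYPES:
            raise ValueError(f"unknown evidence type: {self.evidence_type}")

@dataclass
class HookResult:
    evidence_type: str
    mandatory: bool
    passed: bool
    reasons: list

def check_evidence(hook: EvidenceHook, env: dict, key: bytes, now: datetime) -> list:
    """Failure reasons for one envelope against one hook; empty list = hook satisfied."""
    if hook.require_signature and not verify_envelope(env, key):
        return ["dsse: signature missing or invalid"]  # never reason about unverified content
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("evidenceType") != hook.evidence_type:
        return [f"type: expected {hook.evidence_type}"]
    missing = [k for k, t in {**BASE_SCHEMA, **hook.schema}.items()
               if not isinstance(stmt.get(k), t)]
    reasons = [f"schema: missing or mistyped field '{k}'" for k in missing]
    if {"issuedAt", "trustScore"} & set(missing):
        return reasons  # cannot judge freshness or trust without those fields
    age = now - datetime.fromisoformat(stmt["issuedAt"])
    if age > hook.max_age:
        reasons.append(f"freshness: age {age} exceeds MaxAge {hook.max_age}")
    if stmt["trustScore"] < hook.min_trust_score:
        reasons.append(f"trust: {stmt['trustScore']} below threshold {hook.min_trust_score}")
    return reasons

def validate_exception(hooks: list, envelopes: list, key: bytes, now: datetime):
    """Return (approved, per-hook results); approval needs every mandatory hook to pass."""
    results = []
    for hook in hooks:
        failures, passed = [], False
        for i, env in enumerate(envelopes):
            reasons = check_evidence(hook, env, key, now)
            if not reasons:
                passed = True
                break
            failures.append(f"evidence[{i}]: " + "; ".join(reasons))
        results.append(HookResult(hook.evidence_type, hook.mandatory, passed,
                                  [] if passed else (failures or ["no evidence provided"])))
    return all(r.passed for r in results if r.mandatory), results

# Constructed fixtures (demo key, fixed clock, later recheck clock) for the E2E scenarios.
DEMO_KEY = b"constructed-demo-key"
NOW = datetime(2026, 2, 13, tzinfo=timezone.utc)
RECHECK_AT = NOW + timedelta(days=45)  # past the default 30-day MaxAge

def make_evidence(evidence_type, *, age_days=1, trust=0.9, signed=True, key=DEMO_KEY, **extra):
    stmt = {"evidenceType": evidence_type, "trustScore": trust,
            "issuedAt": (NOW - timedelta(days=age_days)).isoformat(), **extra}
    env = sign_envelope(stmt, key)
    if not signed:
        env["signatures"] = []
    return env
```

Two design points worth keeping when porting this: the signature is verified before any field of the statement is read, so an unsigned or tampered payload can never influence the trust or schema outcome, and the optional hook in the three-hook scenario still appears in the per-hook result as failed even though approval succeeds, which is what an auditor needs to see.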