git.stella-ops.org/docs/features/checked/policy/policy-engine-with-proofs.md
2026-02-13 02:04:55 +02:00

Policy Engine with Proofs (Moat Score 3)

Module: Policy

Status: IMPLEMENTED

Description: Policy engine with gate levels, delta verdict statements, gateway endpoints, and exception approval rules.

Implementation Details

  • PolicyGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
    • 5 sequential gates: Evidence Completeness, Lattice State, VEX Trust, Uncertainty Tier, Confidence Threshold
    • Gate results: Pass, PassWithNote, Warn, Block, Skip
    • Short-circuits on first Block; accumulates warnings
    • Lattice states: U (Unknown), SR (Safe-Reachable), SU (Safe-Unknown), RO (Reachable-Open), RU (Reachable-Unknown), CR (Conflicting-Reachable), CU (Conflicting-Unknown), X (Exploitable)
    • Uncertainty tiers: T1 (High), T2 (Medium), T3 (Low), T4 (Negligible)
    • Override support with justification requirements
  • VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs -- per-environment VEX trust thresholds with TrustBreakdown
  • DeterminizationGate: src/Policy/StellaOps.Policy.Engine/Gates/Determinization/DeterminizationGate.cs -- confidence decay verification
  • StabilityDampingGate: src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs -- oscillation prevention
  • DriftGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs -- SBOM drift evaluation
  • WhatIfSimulationService: src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs -- delta verdict computation
  • ConsoleSimulationDiffService: src/Policy/StellaOps.Policy.Engine/Console/ConsoleSimulationDiffService.cs -- deterministic delta statements
  • ExceptionEvaluator: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs -- exception approval and application
  • ExceptionEffectRegistry: src/Policy/StellaOps.Policy.Engine/Adapters/ExceptionEffectRegistry.cs -- 40 type+reason to effect mappings
  • ExceptionRecheckGate: src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs -- CI/CD recheck gate
  • VerdictAttestationService: src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs -- DSSE-signed verdict proofs
  • KnowledgeSnapshotManifest: src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs -- content-addressed evaluation input manifests
  • Gateway endpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/ -- 45+ endpoint files for policy evaluation, simulation, scoring, risk budgets, exceptions, staleness
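As an added illustration, not the StellaOps PolicyGateEvaluator's own code, the following C# model shows the sequential 5-gate pipeline described above: gate order, Warn accumulation, short-circuit on the first Block, and an override with justification that turns a Block into PassWithNote. The Finding and Verdict record shapes, the thresholds, and which lattice states block or warn are assumptions made for the example.

```csharp
// Added illustration of the 5-gate pipeline (not the StellaOps PolicyGateEvaluator); record shapes, thresholds and state rules are assumptions.
using System;
using System.Collections.Generic;

enum GateResult { Pass, PassWithNote, Warn, Block, Skip }
enum LatticeState { U, SR, SU, RO, RU, CR, CU, X }
enum UncertaintyTier { T1, T2, T3, T4 }
record Finding(LatticeState State, UncertaintyTier Tier, double VexTrust, double Confidence, bool EvidenceComplete);
record Verdict(GateResult Final, IReadOnlyList<string> Notes, string? BlockedBy);

static class GatePipeline
{
    // Gates run in the order the page lists them; each returns a result plus a note.
    static readonly (string Name, Func<Finding, (GateResult, string)> Eval)[] Gates =
    {
        ("EvidenceCompleteness", f => f.EvidenceComplete ? (GateResult.Pass, "") : (GateResult.Warn, "evidence incomplete")),
        ("LatticeState", f => f.State switch
        {
            LatticeState.X or LatticeState.RO => (GateResult.Block, $"state {f.State} is reachable"),
            LatticeState.RU or LatticeState.CR or LatticeState.CU => (GateResult.Warn, $"state {f.State} needs review"),
            _ => (GateResult.Pass, "")
        }),
        ("VexTrust", f => f.VexTrust >= 0.7 ? (GateResult.Pass, "") : (GateResult.Block, $"VEX trust {f.VexTrust:0.00} below 0.70")),
        ("UncertaintyTier", f => f.Tier == UncertaintyTier.T1 ? (GateResult.Warn, "high uncertainty") : (GateResult.Pass, "")),
        ("ConfidenceThreshold", f => f.Confidence >= 0.6 ? (GateResult.Pass, "") : (GateResult.Block, $"confidence {f.Confidence:0.00} below 0.60")),
    };

    // Warnings accumulate; the first Block stops evaluation unless an override
    // justification is supplied, in which case that Block becomes PassWithNote.
    public static Verdict Evaluate(Finding f, string? overrideJustification = null)
    {
        var notes = new List<string>();
        bool overridden = false;
        foreach (var (name, eval) in Gates)
        {
            var (result, note) = eval(f);
            if (result == GateResult.Warn) notes.Add($"{name}: {note}");
            if (result != GateResult.Block) continue;
            if (string.IsNullOrWhiteSpace(overrideJustification))
                return new Verdict(GateResult.Block, notes, name);   // short-circuit on first Block
            notes.Add($"{name}: {note}; overridden: {overrideJustification}");
            overridden = true;
        }
        var final = overridden ? GateResult.PassWithNote : notes.Count > 0 ? GateResult.Warn : GateResult.Pass;
        return new Verdict(final, notes, null);
    }

    public static void Main()
    {
        var ro = new Finding(LatticeState.RO, UncertaintyTier.T2, 0.9, 0.8, false);  // constructed sample finding
        Console.WriteLine(Evaluate(ro));                                           // Final = Block, BlockedBy = LatticeState
        Console.WriteLine(Evaluate(ro, "compensating network control in place"));  // Final = PassWithNote, both notes kept
    }
}
```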

E2E Test Plan

  • Evaluate an artifact through the full 5-gate pipeline; verify each gate produces a Pass/Warn/Block result
  • Evaluate artifact with reachable vulnerability (RO state); verify Lattice State gate applies correct action
  • Evaluate artifact with conflicting VEX claims (CR state); verify gate handles conflict appropriately
  • Compute delta verdict via WhatIfSimulation; verify before/after decision changes are tracked
  • Apply exception to finding; verify ExceptionEffectRegistry maps to correct effect (Suppress/Defer/Downgrade/RequireControl)
  • Evaluate ExceptionRecheckGate with EPSSAbove condition triggered; verify gate blocks
  • Generate DSSE-signed verdict attestation; verify signature and payload integrity
  • Build KnowledgeSnapshotManifest; verify content-addressed SnapshotId is deterministic
  • Override blocked gate with justification; verify PassWithNote result
  • Verify StabilityDampingGate prevents oscillation between Pass and Block decisions