stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/modules/policy/README.md
master b1e78fe412
Some checks are pending
Docs CI / lint-and-preview (push) Waiting to run
Details
feat: Implement vulnerability token signing and verification utilities 
- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.
2025-11-03 10:04:10 +02:00

1.6 KiB
Raw Permalink Blame History

StellaOps Policy Engine

Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance.

Responsibilities

  • Compile stella-dsl@1 packs into executable graphs.
  • Join advisories, VEX evidence, and SBOM inventories to derive effective findings.
  • Expose simulation and diff APIs for UI/CLI workflows.
  • Emit change-stream driven events for Notify/Scheduler integrations.

Key components

  • StellaOps.Policy.Engine service host.
  • Shared libraries under StellaOps.Policy.* for evaluation, storage, DSL tooling.

Integrations & dependencies

  • MongoDB findings collections, RustFS explain bundles.
  • Scheduler for incremental re-evaluation triggers.
  • CLI/UI for policy authoring and runs.

Operational notes

  • DSL grammar and lifecycle docs in ../../policy/.
  • Observability guidance in ../../observability/policy.md.
  • Governance and scope mapping in ../../security/policy-governance.md.
  • Readiness briefs: ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.
  • Readiness briefs: ../scanner/design/macos-analyzer.md, ../scanner/design/windows-analyzer.md, ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.

Backlog references

  • DOCS-POLICY-20-001 … DOCS-POLICY-20-012 (completed baseline).
  • DOCS-POLICY-23-007 (upcoming command updates).

Epic alignment

  • Epic 2 Policy Engine & Editor: deliver deterministic evaluation, DSL infrastructure, explain traces, and incremental runs.
  • Epic 4 Policy Studio: integrate registry workflows, simulation at scale, approvals, and promotion semantics.