stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
108d1c64b323808d6085fca05818fc581c6b003a
git.stella-ops.org/docs/modules/policy/prep/2025-11-20-policy-engine-30-001-prep.md
master d519782a8f
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
prep docs and service updates
2025-11-21 06:56:36 +00:00

1.6 KiB
Raw Blame History

Policy Engine · Overlay Projection Prep (POLICY-ENGINE-30-001)

  • Date: 2025-11-20
  • Depends on: Path/Scope schema (29-002) and observability contract (29-004)
  • Working directory: src/Policy/StellaOps.Policy.Engine

Projection contract

  • Input: PathScope documents (see 29-002) + PolicyRule definitions.
  • Output: OverlayProjection objects stored/snapshotted for replay:
    • tenant (string)
    • ruleId (string)
    • subject (purl/cpe, optional packagePath)
    • scope (copied from input)
    • decision (allow|deny|warn|defer)
    • reasons[] (machine-readable codes; e.g., path-match, severity-threshold, capability-needed)
    • artifacts (hash list) — evidenceHash, treeDigest?, dsseEnvelopeHash? used in evaluation
    • effectiveAt (ISO-8601 UTC) — time projection became active
    • expiresAt? (ISO-8601 UTC) — optional
    • version (int) — monotonic per ruleId

Ordering & determinism

  • Projection list sorted by (ruleId, subject.purl|cpe, scope.pathMatch, scope.pattern, effectiveAt).
  • Hash for artifacts.evidenceHash reused from input to keep replay stable.

Storage hints

  • Persist overlays as NDJSON under overlay/{tenant}/{ruleId}/{version}.ndjson for air-gapped export.
  • Snapshots include header line with schema version overlay-projection-v1 followed by sorted projections.

Acceptance for prep completion

  • Projection shape, ordering, and filenames are frozen for implementation tasks 30-001..30-003.
  • Downstream simulation/change-event work (30-002/30-003) must emit/consume this structure without mutation.