stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
1bf6bbf3955ecbd8d20f5eeb767da5c7f8324b57
git.stella-ops.org/docs/features/unchecked/attestor/vex-decisioning-as-first-class-policy-objects.md

3.0 KiB
Raw Blame History

VEX Decisioning as First-Class Policy Objects

Module

Attestor

Status

IMPLEMENTED

Description

VEX decisions are modeled as first-class policy objects with dedicated UI modal, decision service, history tracking, merge explanations, and backend attestable VEX override predicates with builder/parser infrastructure.

Implementation Details

  • VEX Override Predicate: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs -- first-class predicate model for VEX override decisions.
  • VEX Override Decision: VexOverride/VexOverrideDecision.cs -- decision model (not_affected, affected, fixed) with justification, approver, and timestamp.
  • VEX Override Predicate Builder: VexOverride/VexOverridePredicateBuilder.cs (with .Build, .Serialize, .WithMethods) -- fluent builder for constructing VEX override predicates with evidence references and tool info.
  • VEX Override Predicate Parser: VexOverride/VexOverridePredicateParser.cs (with .DecisionValidation, .ExtractMetadata, .FieldValidation, .Helpers, .ParsePredicate, .Validation) -- parser for reading and validating VEX override predicates.
  • Evidence Reference: VexOverride/EvidenceReference.cs -- reference to supporting evidence (proof bundle, scan result, analysis report).
  • Tool Info: VexOverride/ToolInfo.cs -- information about the tool that generated the VEX decision.
  • Policy Decision Predicate: __Libraries/StellaOps.Attestor.ProofChain/Predicates/PolicyDecision.cs -- policy decision record for attestation binding.
  • VEX Merge Trace: Predicates/VexMergeTrace.cs -- trace of VEX merge operations explaining how multiple VEX sources were combined.
  • VEX Verdict Summary: Predicates/VexVerdictSummary.cs -- summary of final VEX verdicts after merge and override application.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/VexOverride/

E2E Test Plan

  • Build a VEX override predicate via VexOverridePredicateBuilder with status=not_affected, justification, and evidence references; verify it serializes correctly
  • Parse a serialized VEX override predicate via VexOverridePredicateParser and verify all fields round-trip (status, justification, evidence, tool info)
  • Validate a VEX override decision via .DecisionValidation and verify it requires a justification for not_affected status
  • Create a VEX override with invalid status and verify field validation rejects it with specific error messages
  • Build a VEX override with multiple evidence references and verify each is correctly serialized and parsed
  • Verify merge trace: create two conflicting VEX decisions and verify VexMergeTrace explains the resolution
  • Create a policy decision referencing a VEX override and verify PolicyDecision links to the override predicate
  • Verify the builder's .WithMethods fluent API: chain .WithStatus(), .WithJustification(), .WithEvidence() and verify the predicate is complete