git.stella-ops.org/docs/features/unchecked/policy/deterministic-sbom-to-vex-pipeline-with-signed-state-transitions.md

Deterministic SBOM-to-VEX Pipeline with Signed State Transitions

Module: Policy

Status: IMPLEMENTED

Description

Infrastructure for verifying that identical inputs produce byte-identical outputs: end-to-end determinism tests for the verdict pipeline, SBOM determinism validation, the determinism gate, a baseline store, and a manifest writer.

Implementation Details

  • Determinization Gate: src/Policy/StellaOps.Policy.Engine/Gates/Determinization/DeterminizationGate.cs -- gate that evaluates against a captured signal snapshot rather than live signals
    • ISignalSnapshotBuilder -- interface for building signal snapshots
    • SignalSnapshotBuilder.cs -- builds signal snapshots for deterministic evaluation
    • DeterminizationGateMetrics.cs -- metrics tracking for determinization gates
  • Determinism Guard Service: src/Policy/StellaOps.Policy.Engine/DeterminismGuard/DeterminismGuardService.cs
    • Static analysis via ProhibitedPatternAnalyzer detects non-deterministic patterns
    • Runtime monitoring via RuntimeDeterminismMonitor
    • GuardedPolicyEvaluator wraps evaluation with pre/post determinism checks
  • Determinization Library: src/Policy/__Libraries/StellaOps.Policy.Determinization/
    • DeterminizationOptions.cs -- configuration for determinization behavior
    • IDeterminizationConfigStore.cs -- persisted configuration for reanalysis rules
    • Evidence/ -- evidence models for determinization decisions
    • Models/ -- determinization data models
    • Scoring/ -- scoring models for determinization
  • Knowledge Snapshot Pipeline: src/Policy/__Libraries/StellaOps.Policy/Snapshots/
    • KnowledgeSnapshotManifest.cs -- pins all inputs (SBOM, feeds, policy) via digests
    • SnapshotAwarePolicyEvaluator.cs -- evaluates against frozen snapshot state
    • SnapshotIdGenerator.cs -- content-addressed snapshot IDs
  • VEX State Transitions: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
    • Validates VEX status transitions (not_affected, affected, under_investigation, fixed)
    • Requires DSSE-attested graphHash and path analysis for not_affected transitions
  • Attestation Services: src/Policy/StellaOps.Policy.Engine/Attestation/
    • VerdictAttestationService.cs -- signs verdict decisions with DSSE
    • PolicyDecisionAttestationService.cs -- signs policy decisions
    • ScoringDeterminismVerifier.cs -- verifies scoring determinism
  • Determinism Verification Endpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/VerifyDeterminismEndpoints.cs
  • Determinization Config Endpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/DeterminizationConfigEndpoints.cs
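
The evidence gate on transitions into not_affected (PolicyGateEvaluator above, which requires a DSSE-attested graphHash plus path analysis), shown as an added Python example rather than the project's C#. This is not StellaOps code: the statement schema, the evidence keys other than graphHash and pathAnalysis, the "reachable" flag, and the use of HMAC-SHA256 as a stand-in for the asymmetric signature a real DSSE envelope carries are all assumptions. The DSSE envelope layout and Pre-Authentication Encoding follow the DSSE specification.

```python
"""Evidence-gated VEX status transitions checked against a DSSE envelope.
Added example, not StellaOps code. Assumed (not from the page): the statement
schema, the evidence keys other than graphHash/pathAnalysis, and HMAC-SHA256
as a stand-in for the asymmetric signature a real DSSE envelope carries."""
import base64
import hashlib
import hmac
import json

VEX_STATUSES = {"not_affected", "affected", "under_investigation", "fixed"}
STATEMENT_TYPE = "application/vnd.example.graph-statement+json"  # assumed payloadType


def canonical(obj) -> bytes:
    """Sorted keys and fixed separators, so equal content gives equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes that get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload


def sign_dsse(payload_type, payload, key, keyid):
    """Stand-in signer: HMAC over the PAE (real DSSE uses an asymmetric key)."""
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {"payloadType": payload_type, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_dsse(envelope, trusted_keys):
    """Return the payload if some signature verifies under a trusted keyid, else None."""
    payload = base64.b64decode(envelope["payload"])
    msg = pae(envelope["payloadType"], payload)
    for s in envelope.get("signatures", []):
        key = trusted_keys.get(s.get("keyid"))
        if key is None:
            continue  # unknown signer: never fall back to "any key"
        if hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), base64.b64decode(s["sig"])):
            return payload
    return None


def validate_transition(current, proposed, evidence, trusted_keys):
    """Return (ok, reason). Only moves into not_affected are evidence-gated."""
    if current not in VEX_STATUSES or proposed not in VEX_STATUSES:
        return False, "unknown VEX status"
    if current == proposed:
        return False, "no-op transition"
    if proposed != "not_affected":
        return True, "no evidence gate for this target status"
    env = evidence.get("graphHashAttestation")
    if env is None:
        return False, "missing DSSE attestation for graphHash"
    payload = verify_dsse(env, trusted_keys)
    if payload is None:
        return False, "graphHash attestation not signed by a trusted key"
    attested = json.loads(payload).get("graphHash")
    if attested != evidence.get("graphHash"):
        return False, "attested graphHash differs from the claimed graphHash"
    pa = evidence.get("pathAnalysis")
    if not pa or pa.get("graphHash") != attested:
        return False, "pathAnalysis missing or not bound to the attested graph"
    if pa.get("reachable") is not False:
        return False, "pathAnalysis does not show the vulnerable path is unreachable"
    return True, "attested graphHash and unreachable path confirmed"


# --- constructed demo data: a trusted key, a call graph, and its signed statement ---
TRUSTED = {"policy-signer-1": b"constructed-demo-key"}
CALL_GRAPH = {"nodes": ["app.Main", "lib.Parse"], "edges": [["app.Main", "lib.Parse"]]}
GRAPH_HASH = "sha256:" + hashlib.sha256(canonical(CALL_GRAPH)).hexdigest()
ATTESTATION = sign_dsse(STATEMENT_TYPE, canonical({"graphHash": GRAPH_HASH}),
                        TRUSTED["policy-signer-1"], "policy-signer-1")
GOOD_EVIDENCE = {"graphHash": GRAPH_HASH, "graphHashAttestation": ATTESTATION,
                 "pathAnalysis": {"graphHash": GRAPH_HASH, "reachable": False}}


def demo():
    """Good evidence passes; missing, mismatched or tampered evidence is refused."""
    out = {"good": validate_transition("under_investigation", "not_affected", GOOD_EVIDENCE, TRUSTED)}
    out["no_attestation"] = validate_transition("under_investigation", "not_affected",
                                                 {"graphHash": GRAPH_HASH}, TRUSTED)
    swapped = dict(GOOD_EVIDENCE, graphHash="sha256:" + "0" * 64)  # claims a graph nobody attested
    out["hash_mismatch"] = validate_transition("affected", "not_affected", swapped, TRUSTED)
    tampered = dict(ATTESTATION, payload=base64.b64encode(canonical({"graphHash": swapped["graphHash"]})).decode())
    out["tampered_payload"] = validate_transition("affected", "not_affected",
                                                   dict(swapped, graphHashAttestation=tampered), TRUSTED)
    out["ungated"] = validate_transition("under_investigation", "affected", {}, TRUSTED)
    return out


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:17} {'PASS' if ok else 'REJECT'}: {reason}")
```

Two details matter in the gate: the claimed graphHash is compared against the value inside the verified payload, not the one the caller supplies next to the envelope, and the path analysis must name the same graph, otherwise an attacker could pair a valid attestation for one graph with an unreachability result for another. An unknown keyid is skipped rather than treated as acceptable.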

E2E Test Plan

  • Run the verdict pipeline twice with identical SBOM and advisory inputs; verify the outputs are byte-identical (equal output digests)
  • Build signal snapshot using SignalSnapshotBuilder; verify snapshot captures all evaluation signals
  • Run determinism guard analysis on evaluation code; verify no prohibited patterns detected
  • Modify SBOM input and re-run pipeline; verify output digest changes
  • Verify VEX state transition from under_investigation to not_affected requires graphHash and pathAnalysis evidence
  • Sign verdict with VerdictAttestationService; verify DSSE envelope is valid
  • Verify ScoringDeterminismVerifier detects scoring drift when weights change
  • POST to determinization config endpoint; verify configuration is persisted and retrievable
  • Run determinization gate with signal snapshot; verify gate uses snapshot signals not live data
  • Verify knowledge snapshot manifest contains content-addressed IDs for all input sources
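
The determinism checks in the plan above (run twice and compare digests, change one SBOM field and expect the digest to move, pin every input in a content-addressed snapshot manifest, and refuse evaluator code containing prohibited patterns), as one added Python example rather than the project's C#. This is not StellaOps code: the toy evaluator, the manifest field names, the regex list for the static pre-check, and the sample SBOM, feed and policy data (with placeholder advisory IDs) are constructed assumptions; only the idea of pinning inputs by digest, guarding evaluation with pre/post checks, and comparing output digests comes from the page.

```python
"""Determinism harness: knowledge snapshot manifest with content-addressed ID,
prohibited-pattern pre-check, and a run-twice byte-identity post-check.
Added example, not StellaOps code. The toy evaluator, manifest field names,
regex list and sample inputs are constructed assumptions."""
import hashlib
import json
import re


def canonical(obj) -> bytes:
    """Stable bytes for equal content: sorted keys, fixed separators, no locale."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def knowledge_snapshot_manifest(sbom, feeds, policy):
    """Pin SBOM, every advisory feed and the policy by digest; the snapshot ID
    is the digest of the pinned manifest, so any input change changes the ID."""
    manifest = {"sbom": digest(canonical(sbom)),
                "feeds": {name: digest(canonical(feed)) for name, feed in feeds.items()},
                "policy": digest(canonical(policy))}
    manifest["snapshot_id"] = digest(canonical(manifest))
    return manifest


def evaluate(sbom, feeds, policy):
    """Toy verdict pipeline over the frozen inputs. It reads no clock, no
    randomness and no environment, and sorts everything it enumerates."""
    verdicts = []
    for comp in sorted(sbom["components"], key=lambda c: (c["name"], c["version"])):
        hits = sorted(adv_id for feed in feeds.values() for adv_id, adv in feed.items()
                      if adv["package"] == comp["name"] and comp["version"] in adv["affected"])
        blocked = bool(hits) and policy.get("block_on_affected", False)
        verdicts.append({"component": f"{comp['name']}@{comp['version']}",
                         "status": "affected" if hits else "not_affected",
                         "advisories": hits, "blocked": blocked})
    return verdicts


# Heuristic patterns a static pre-check flags in C# evaluator source (assumed list).
PROHIBITED = {
    "wall clock": re.compile(r"DateTime(?:Offset)?\.(?:Now|UtcNow)"),
    "randomness": re.compile(r"\bnew Random\(|RandomNumberGenerator|Guid\.NewGuid\("),
    "un-pinned environment input": re.compile(r"Environment\.(?:TickCount|MachineName|GetEnvironmentVariable)"),
}


def scan_prohibited(source: str):
    """Return (line_no, category, line) for every prohibited pattern hit."""
    return [(n, cat, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            for cat, rx in PROHIBITED.items() if rx.search(line)]


def guarded_run(sbom, feeds, policy, evaluator_source):
    """Pre-check the evaluator source, then run twice on the same frozen snapshot
    and require byte-identical output before reporting a digest."""
    findings = scan_prohibited(evaluator_source)
    if findings:
        return {"ok": False, "stage": "pre", "findings": findings}
    manifest = knowledge_snapshot_manifest(sbom, feeds, policy)
    outputs = [canonical({"snapshot_id": manifest["snapshot_id"],
                          "verdicts": evaluate(sbom, feeds, policy)}) for _ in range(2)]
    if outputs[0] != outputs[1]:
        return {"ok": False, "stage": "post", "digests": [digest(o) for o in outputs]}
    return {"ok": True, "snapshot_id": manifest["snapshot_id"], "output_digest": digest(outputs[0])}


# --- constructed inputs (placeholder advisory IDs, not real vulnerabilities) ---
SBOM = {"components": [{"name": "libfoo", "version": "1.4.2"}, {"name": "libbar", "version": "0.9.0"}]}
FEEDS = {"vendor": {"EXAMPLE-ADV-0001": {"package": "libfoo", "affected": ["1.4.2"]}}}
POLICY = {"version": 1, "block_on_affected": True}
CLEAN_SOURCE = "public Verdict Evaluate(Snapshot s) { return Score(s); }"
LEAKY_SOURCE = """\
public Verdict Evaluate(Snapshot s) {
    var evaluatedAt = DateTime.UtcNow;                                // wall clock in output
    var runId = Guid.NewGuid();                                        // differs per run
    var feedUrl = Environment.GetEnvironmentVariable("FEED_URL");     // input not in manifest
    return Score(s, evaluatedAt, runId, feedUrl);
}"""


def demo():
    base = guarded_run(SBOM, FEEDS, POLICY, CLEAN_SOURCE)
    # Same content, different key insertion order: same snapshot ID and output digest.
    reordered = {"components": [{"version": c["version"], "name": c["name"]} for c in SBOM["components"]]}
    same = guarded_run(reordered, FEEDS, POLICY, CLEAN_SOURCE)
    # A one-character SBOM change must move both the snapshot ID and the output digest.
    bumped = {"components": [dict(c, version="1.4.3") if c["name"] == "libfoo" else c
                             for c in SBOM["components"]]}
    changed = guarded_run(bumped, FEEDS, POLICY, CLEAN_SOURCE)
    leaky = guarded_run(SBOM, FEEDS, POLICY, LEAKY_SOURCE)
    return {"base": base, "same": same, "changed": changed, "leaky": leaky}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The snapshot ID is the digest of the manifest, not of the raw inputs, so it changes whenever any pinned input changes while staying stable across serialization noise such as JSON key order. The run-twice post-check is deliberately cheap and catches what the regex pre-check cannot see: ordering that depends on hash seeds or on enumeration of unordered collections shows up as differing output bytes.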