Explore Help

Register Sign In

stella-ops.org/git.stella-ops.org

1

0

You've already forked git.stella-ops.org

Code Issues Pull Requests Actions 2 Releases Wiki Activity

Files

1bf6bbf3955ecbd8d20f5eeb767da5c7f8324b57

git.stella-ops.org/docs/features/unchecked/policy/risk-verdict-attestation-contract.md

master 1bf6bbf395 semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00

2.8 KiB

Raw Blame History

Risk Verdict Attestation (RVA) Contract

Module

Policy

Status

IMPLEMENTED

Description

Structured Risk Verdict Attestation with PASS/FAIL/PASS_WITH_EXCEPTIONS/INDETERMINATE verdicts, policy references, knowledge snapshot bindings, evidence references, and reason codes as a first-class product artifact.

Implementation Details

VerdictAttestationService: src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs
- Generates DSSE-signed attestations for policy verdicts
- Verdict types: PASS, FAIL, PASS_WITH_EXCEPTIONS, INDETERMINATE
- Policy reference binding: PolicyBundleDigest links attestation to specific policy version
- Knowledge snapshot binding: SnapshotId links to frozen evaluation inputs
- Evidence references: content-addressed digests for all evidence used
- Reason codes for verdict justification
PolicyDecisionAttestationService: src/Policy/StellaOps.Policy.Engine/Attestation/PolicyDecisionAttestationService.cs
- Creates attestations for individual policy decisions within a verdict
RvaService: src/Policy/StellaOps.Policy.Engine/Attestation/RvaService.cs -- Risk Verdict Attestation service
ScoringDeterminismVerifier: src/Policy/StellaOps.Policy.Engine/Attestation/ScoringDeterminismVerifier.cs -- verifies scoring determinism before attestation
ReplayedVerdict model: src/Policy/__Libraries/StellaOps.Policy/Replay/ReplayResult.cs
- ReplayDecision enum: Unknown, Pass, Fail, PassWithExceptions, Indeterminate
- Verdict includes Score, FindingIds, KnowledgeSnapshotId
KnowledgeSnapshotManifest: src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs
- Content-addressed snapshot binding: SnapshotId (ksm:sha256:{hash})
Attestation directory: src/Policy/StellaOps.Policy.Engine/Attestation/ -- 28 files for attestation generation, verification, and management

E2E Test Plan

Generate RVA for artifact with all gates passing; verify verdict=PASS with reason codes
Generate RVA for artifact with blocked gate; verify verdict=FAIL with blocking gate in reason
Generate RVA for artifact with exception applied; verify verdict=PASS_WITH_EXCEPTIONS
Generate RVA with indeterminate state (missing evidence); verify verdict=INDETERMINATE
Verify RVA includes PolicyBundleDigest matching the policy used for evaluation
Verify RVA includes SnapshotId matching the KnowledgeSnapshotManifest
Verify RVA includes evidence references (content-addressed digests)
Verify DSSE signature on RVA is valid and covers all verdict fields
Verify ScoringDeterminismVerifier passes before attestation generation
Parse RVA JSON; verify all required fields are present (verdict, policy_ref, snapshot_id, evidence_refs, reason_codes, generated_at)

Powered by Gitea Version: 1.24.5 Page: 24ms Template: 1ms

English

Bahasa Indonesia Deutsch English Español Français Gaeilge Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語简体中文繁體中文（台灣）繁體中文（香港） 한국어

Licenses API