git.stella-ops.org/src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs
StellaOps Bot 5146204f1b feat: add security sink detection patterns for JavaScript/TypeScript
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00


// -----------------------------------------------------------------------------
// DriftGateOptions.cs
// Sprint: SPRINT_3600_0005_0001_policy_ci_gate_integration
// Description: Configuration options for drift gate evaluation.
// -----------------------------------------------------------------------------
using System.Collections.Immutable;
using System.ComponentModel.DataAnnotations;
namespace StellaOps.Policy.Engine.Gates;
/// <summary>
/// Configuration options for drift gate evaluation.
/// </summary>
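public sealed class DriftGateOptions
{
    /// <summary>
    /// Name of the configuration section this type is bound from.
    /// </summary>
    public const string SectionName = "SmartDiff:Gates";

    /// <summary>
    /// Whether drift gates are enabled.
    /// </summary>
    public bool Enabled { get; set; } = true;

    /// <summary>
    /// Custom gate definitions supplied by policy configuration.
    /// </summary>
    public List<DriftGateDefinition> Gates { get; set; } = [];

    /// <summary>
    /// Default action when no gate matches.
    /// </summary>
    public DriftGateAction DefaultAction { get; set; } = DriftGateAction.Warn;

    /// <summary>
    /// Whether to block on KEV reachable by default.
    /// </summary>
    public bool BlockOnKev { get; set; } = true;

    /// <summary>
    /// Whether to block when affected vulnerabilities become reachable.
    /// </summary>
    public bool BlockOnAffectedReachable { get; set; } = true;

    /// <summary>
    /// Whether to auto-emit VEX candidates for unreachable sinks.
    /// </summary>
    public bool AutoEmitVexForUnreachable { get; set; } = true;

    /// <summary>
    /// Minimum CVSS score that triggers a block action. A <c>null</c> value
    /// means no CVSS threshold is configured.
    /// </summary>
    /// <remarks>
    /// CVSS base scores are defined on 0.0–10.0; the range attribute rejects
    /// values outside that span (and therefore a threshold that could never
    /// trigger) when data-annotation validation runs on the bound options.
    /// </remarks>
    [Range(0.0, 10.0)]
    public double? CvssBlockThreshold { get; set; } = 9.0;

    /// <summary>
    /// Minimum EPSS score that triggers a block action. A <c>null</c> value
    /// means no EPSS threshold is configured.
    /// </summary>
    /// <remarks>
    /// EPSS is a probability on 0.0–1.0; the range attribute rejects values
    /// outside that span when data-annotation validation runs on the bound
    /// options.
    /// </remarks>
    [Range(0.0, 1.0)]
    public double? EpssBlockThreshold { get; set; } = 0.5;
}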
/// <summary>
/// A custom gate definition from policy configuration.
/// </summary>
public sealed class DriftGateDefinition
{
    /// <summary>Gate identifier; required and must be non-empty.</summary>
    [Required] public string Id { get; set; } = "";

    /// <summary>
    /// Condition expression, e.g. <c>"delta_reachable > 0 AND is_kev = true"</c>.
    /// The expression grammar and its evaluation are defined by the gate
    /// evaluator, not by this type; required and must be non-empty.
    /// </summary>
    [Required] public string Condition { get; set; } = "";

    /// <summary>Severity level assigned to the gate.</summary>
    public DriftGateSeverity Severity { get; set; } = DriftGateSeverity.Medium;

    /// <summary>Action to take when the condition matches.</summary>
    public DriftGateAction Action { get; set; } = DriftGateAction.Warn;

    /// <summary>Message to display when the gate triggers.</summary>
    public string Message { get; set; } = "";

    /// <summary>Whether to auto-mitigate (emit VEX) when the condition matches.</summary>
    public bool AutoMitigate { get; set; }
}
/// <summary>
/// Actions that can be taken by drift gates.
/// </summary>
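/// <summary>
/// Actions that can be taken by drift gates.
/// </summary>
/// <remarks>
/// Underlying values are explicit so that adding or reordering members
/// cannot silently renumber values already persisted or serialized from
/// configuration; ordering is Allow &lt; Warn &lt; Block.
/// </remarks>
public enum DriftGateAction
{
    /// <summary>
    /// Allow the drift to proceed.
    /// </summary>
    Allow = 0,

    /// <summary>
    /// Allow with a warning.
    /// </summary>
    Warn = 1,

    /// <summary>
    /// Block the drift.
    /// </summary>
    Block = 2,
}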
/// <summary>
/// Severity levels for drift gates.
/// </summary>
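/// <summary>
/// Severity levels for drift gates.
/// </summary>
/// <remarks>
/// Underlying values are explicit so that adding or reordering members
/// cannot silently renumber values already persisted or serialized from
/// configuration; ordering is Info &lt; Low &lt; Medium &lt; High &lt; Critical.
/// </remarks>
public enum DriftGateSeverity
{
    /// <summary>
    /// Informational.
    /// </summary>
    Info = 0,

    /// <summary>
    /// Low severity.
    /// </summary>
    Low = 1,

    /// <summary>
    /// Medium severity.
    /// </summary>
    Medium = 2,

    /// <summary>
    /// High severity.
    /// </summary>
    High = 3,

    /// <summary>
    /// Critical severity.
    /// </summary>
    Critical = 4,
}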