git.stella-ops.org/src/Policy
master 462565fdab feat(policy,signer): postgres stores + verdict rekor wiring
Sprint SPRINT_20260415_006_DOCS_policy_findings_signer_real_backend_cutover
(findings portion landed in commit e60d5e0fc).

- Policy.Engine: Postgres stores for airgap state, attestation reports,
  verification policy, console export, policy pack repo, risk scoring job,
  violation events; messaging-backed evaluation + reachability facts cache;
  governance / violation / simulation endpoints; UnsupportedVerdictRekorClient.
- Policy.Persistence: migrations 010 (policy pack runtime state),
  011 (violation fusion results), 012 (runtime canonical state).
- Policy.Gateway: governance + simulation endpoints + rekor/token-cache
  runtime wiring tests.
- Policy.Registry: in-memory store scaffolding + testing harness.
- Signer: Postgres ceremony repo + audit sink, structured logging sink,
  stateless quota service, configured POE introspector, runtime proof /
  wiring / key rotation / observability / negative / contract tests.
- Signer.KeyManagement: migrations 002 ceremony runtime state,
  003 trust anchor runtime state, 004 key audit log shape fix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 14:37:43 +03:00

Policy

Container(s): stellaops-policy-engine | Slot: 14 | Port: 8080 | Consumer Group: policy-engine | Resource Tier: medium

Purpose

The Policy Engine evaluates security policies against scan results, computes risk scores (CVSS v4, EPSS, EWS), manages exceptions with approval workflows, and produces go/no-go gate decisions for release promotions. It includes merged Policy Gateway functionality (delta computation, drift gates, unknowns gates, score-based gates, tool lattice access control).

API Surface

  • policy-engine (via Router) — policy compilation, evaluation, simulation, batch context, risk profiles, CVSS receipts, exception management, delta/snapshot endpoints, gate evaluation (drift, unknowns, score-based), overlay projection, trust weighting, advisory AI knobs, sealed-mode, air-gap bundle import/export, governance, tool lattice, verification policies, attestation reports, registry webhooks

Storage

PostgreSQL schema policy (via Postgres:Policy); Valkey for cache

Background Workers

  • ExceptionLifecycleWorker — exception state machine transitions
  • ExceptionExpiryWorker — auto-expire stale exceptions
  • IncidentModeExpirationWorker — incident mode TTL enforcement
  • PolicyEngineBootstrapWorker — startup initialization
  • GateEvaluationWorker — async gate evaluation queue processing