git.stella-ops.org/docs/features/checked/policy/diff-aware-release-gates.md

Diff-Aware Release Gates (Semantic Delta Computation)

Module

Policy

Status

IMPLEMENTED

Description

Full delta computation engine that computes semantic diffs across SBOMs, vulnerabilities, and risk scores. Includes component deltas, vulnerability status deltas, and risk score deltas.

Implementation Details

• WhatIfSimulationService: src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs -- computes delta between baseline and hypothetical states
  • SBOM diff operations: add, remove, upgrade, downgrade
  • Decision changes: status_changed, severity_changed, new, removed
  • Risk delta computation: increased/decreased/unchanged with blocked/warning deltas
  • VEX and reachability override handling in simulated decisions
• DriftGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs -- drift-based gate for cross-release delta
  • DriftGateContext.cs -- drift evaluation context with base/target references
  • DriftGateOptions.cs -- configurable drift thresholds
  • Evaluates whether drift between releases exceeds acceptable thresholds
• ConsoleSimulationDiffService: src/Policy/StellaOps.Policy.Engine/Console/ConsoleSimulationDiffService.cs -- deterministic delta diff
  • Before/After severity breakdown, delta (added/removed/regressed), rule impact analysis
• SimulationAnalyticsService: src/Policy/StellaOps.Policy.Engine/Simulation/SimulationAnalyticsService.cs -- delta summary computation with severity escalation tracking
• RiskSimulationService: src/Policy/StellaOps.Policy.Engine/Simulation/RiskSimulationService.cs -- CompareProfilesWithBreakdown for profile-level delta
  • Compares baseline and comparison risk profiles with trend analysis
  • Top movers analysis: identifies findings with greatest score change
• Effective Decision Map: src/Policy/StellaOps.Policy.Engine/EffectiveDecisionMap/ -- materialized baseline decisions for delta comparison
• Overlay Simulation: src/Policy/StellaOps.Policy.Engine/Endpoints/OverlaySimulationEndpoint.cs -- overlay-based simulation
• Merge Preview: src/Policy/StellaOps.Policy.Engine/Endpoints/MergePreviewEndpoints.cs -- merge preview for policy changes

E2E Test Plan

• Run what-if simulation with SBOM upgrade; verify component delta shows version change and advisory resolution
• Run what-if simulation with SBOM downgrade; verify new advisories detected and severity escalated
• Evaluate drift gate with base and target digests; verify gate passes when drift is within threshold
• Evaluate drift gate with excessive drift; verify gate blocks with explanation
• Run console simulation diff; verify severity breakdown before and after policy change
• Compare two risk profiles; verify trend analysis shows score deltas and top movers
• Run overlay simulation; verify hypothetical overlay applied without persisting
• Verify delta summary correctly counts: added, removed, regressed (escalated severity)
• Run merge preview; verify predicted impact of policy merge
• Verify what-if summary recommendation: "risk profile increases" when more blocks, "improves" when fewer