git.stella-ops.org/docs/advisory-ai/guardrails-and-evidence.md

# Advisory AI Guardrails & Evidence Intake

_Updated: 2025-11-24 · Owner: Advisory AI Docs Guild · Status: Published (Sprint 0111)_

This note captures the guardrail behaviors and evidence intake boundaries required by Sprint 0111 tasks (`AIAI-DOCS-31-001`, `AIAI-RAG-31-003`). It binds Advisory AI guardrails to upstream evidence sources and clarifies how Link-Not-Merge (LNM) documents flow into Retrieval-Augmented Generation (RAG) payloads.

## 1) Evidence sources and contracts

**Upstream readiness gates (now satisfied)**

- CLI guardrail artefacts landed on 2025-11-19: `out/console/guardrails/cli-vuln-29-001/` (`sample-vuln-output.ndjson`, `sample-sbom-context.json`) and `out/console/guardrails/cli-vex-30-001/` (`sample-vex-output.ndjson`). Hashes are recorded in `docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md` and must be copied into Offline Kits.
- Policy hash must be pinned (`policyVersion`, see `docs/policy/assistant-parameters.md`) before enabling non-default profiles.
- LNM linksets stay the single source of truth; Advisory AI refuses ad-hoc advisory payloads even if upstream artefacts drift.

- **Advisory observations (LNM)** — Consume immutable `advisory_observations` and `advisory_linksets` produced per `docs/modules/concelier/link-not-merge-schema.md` (frozen v1, 2025-11-17).
- **VEX statements** — Excititor + VEX Lens linksets with trust weights; treated as structured chunks with `source_id` and `confidence`.
- **SBOM context** — `SBOM-AIAI-31-001` contract: timelines and dependency paths retrieved via `ISbomContextRetriever` (`AddSbomContextHttpClient`), default clamps 500 timeline entries / 200 paths.
- **Policy explain traces** — Policy Engine digests referenced by `policyVersion`; cache keys include policy hash to keep outputs replayable.
- **Runtime posture (optional)** — Zastava signals (`exposure`, `admissionStatus`) when provided by Link-Not-Merge-enabled tenants; optional chunks tagged `runtime`.

All evidence items must carry `content_hash` + `source_id`; Advisory AI never mutates or merges upstream facts (Aggregation-Only Contract).

## 2) Guardrail stages

1. **Pre-flight sanitization**
   - Redact secrets (AWS-style keys, PEM blobs, generic tokens).
   - Strip prompt-injection phrases; enforce max input payload 16 kB (configurable, default).
   - Reject requests missing `advisoryKey` or linkset-backed evidence (LNM guard).
2. **Prompt assembly**
   - Deterministic section order: advisory excerpts → VEX statements → SBOM deltas → policy traces → runtime hints.
   - Vector previews capped at 600 chars + ellipsis; section budgets fixed per profile (`default`, `fips-local`, `gost-local`, `cloud-openai`); budgets live in `profiles.catalog.json` and are hashed into DSSE provenance.
3. **LLM invocation (local/remote)**
   - Profiles selected via `profile` field; remote profiles require Authority tenant consent and `advisory-ai:operate` + `aoc:verify`.
4. **Validation & citation enforcement**
   - Every emitted fact must map to an input chunk (`source_id` + `content_hash`); citations serialized as `[n]` in Markdown.
   - Block outputs lacking citations, exceeding section budgets, or including unredacted PII.
5. **Output sealing**
   - Store `outputHash`, `inputDigest`, `provenanceHash`; wrap in DSSE when configured.
   - Cache TTL defaults to 24h; regenerate only when inputs change or `forceRefresh=true`.

Metrics: `advisory_ai_guardrail_blocks_total`, `advisory_ai_outputs_stored_total`, `advisory_ai_citation_coverage_ratio`. Logs carry `output_hash`, `profile`, and block reason; no secrets or raw prompt bodies are logged.

## 3) RAG payload mapping to LNM (summary)

| LNM field | RAG chunk field | Notes |
| --- | --- | --- |
| `observation._id` | `source_id` | Used for citations and conflict surfacing. |
| `observation.advisoryId` | `advisory_key` | Keyed alongside task type in cache. |
| `observation.affected[].purl` | `purl` | Included for remediation + SBOM joins. |
| `observation.severities[]` | `severity` | Passed through unmerged; multiple severities allowed. |
| `linkset.conflicts[]` | `conflicts` | Rendered verbatim for conflict tasks; no inference merges. |
| `provenance.sourceArtifactSha` | `content_hash` | Drives determinism and replay. |

See `docs/advisory-ai/evidence-payloads.md` for full JSON examples and alignment rules.

## 4) Compliance with upstream artefacts

- References: `CONSOLE-VULN-29-001`, `CONSOLE-VEX-30-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `EXCITITOR-CONSOLE-23-001`, `DEVOPS-AIAI-31-001`.
- Guardrails must remain compatible with `docs/policy/assistant-parameters.md`; configuration knobs documented there are authoritative for env vars and defaults.
- Packaging tasks (AIAI-PACKAGING-31-002) must include this guardrail summary in DSSE metadata to keep Offline Kit parity.

## 5) Operator checklist

- [ ] LNM feed enabled and Concelier schemas at v1 (2025-11-17).
- [ ] SBOM retriever configured or `NullSbomContextClient` left as safe default.
- [ ] Policy hash pinned via `policyVersion` when reproducibility is required.
- [ ] CLI guardrail artefact hashes verified against `docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md` and mirrored into Offline Kits.
- [ ] Remote profiles only after Authority consent and profile allowlist are set.
- [ ] Cache directories shared between web + worker hosts for DSSE sealing.