git.stella-ops.org/docs/modules/policy/README.md

StellaOps Policy Engine

Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance.

Responsibilities

• Compile stella-dsl@1 packs into executable graphs.
• Join advisories, VEX evidence, and SBOM inventories to derive effective findings.
• Expose simulation and diff APIs for UI/CLI workflows.
• Emit change-stream driven events for Notify/Scheduler integrations.

Key components

• StellaOps.Policy.Engine service host.
• Shared libraries under StellaOps.Policy.* for evaluation, storage, DSL tooling.

Integrations & dependencies

• PostgreSQL (schema policy) for findings, RustFS explain bundles.
• Scheduler for incremental re-evaluation triggers.
• CLI/UI for policy authoring and runs.

Operational notes

• DSL grammar and lifecycle docs in ../../policy/.
• Observability guidance in ../../observability/policy.md.
• Governance and scope mapping in ../../security/policy-governance.md.
• Readiness briefs: ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.
• Readiness briefs: ../scanner/design/macos-analyzer.md, ../scanner/design/windows-analyzer.md, ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.
• Ruby capability predicates design: ./design/ruby-capability-predicates.md.

Backlog references

• DOCS-POLICY-20-001 … DOCS-POLICY-20-012 (completed baseline).
• DOCS-POLICY-23-007 (upcoming command updates).

Implementation Status

Phase 1 – Deterministic evaluation core (Complete)

• DSL compiler with caching, static analysis, runtime guardrails
• Batch evaluator with deterministic ordering, change-stream inputs
• Append-only effective findings ledger
• Explain trace generation with evidence linking

Phase 2 – Orchestration & incremental runs (In Progress)

• Run scheduler with job leasing, fair-share per tenant/policy
• Determinism hash verification and replay validation
• Incremental delta processing with change-stream integration
• Time-travel snapshots and resume cursors

Phase 3 – Policy Studio workflows (Planned)

• Policy registry with draft/review/approved lifecycle
• Signed promotion pipeline with multi-step approvals
• Console integration: editor, simulation, approvals, explain viewer
• CLI parity for policy management operations

Phase 4 – Simulation & approvals (Planned)

• Diff/simulation APIs with rationale breakdown
• Approval queues with change management workflows
• Integration with CLI/Console for policy previews

Phase 5 – Exports & offline parity (Planned)

• Policy bundles with deterministic manifests
• Explain archives for audit and review
• Offline Kit assets with signed packages
• Export Center integration

Phase 6 – Observability & hardening (Planned)

• Metrics: run duration, evaluation verdict counts, simulation latency
• Guard violation detection and alerting
• Incident response runbooks and compliance attestations

Key Acceptance Criteria

• Evaluation deterministic across runs; effective findings materialised only by Policy Engine
• Incremental runs handle deltas within ≤5 min SLA; replay verification succeeds
• Policy Studio supports full lifecycle with signed promotions and explain traces
• Exports reproducible with signed manifests; Offline Kit delivers same tooling
• Guardrails prevent forbidden IO; static analysis integrated into CI

Technical Decisions & Risks

• Non-determinism prevented via strict static analysis, runtime guards, replay tests
• Policy drift managed through simulation previews, approval workflow, audit trail
• Scaling handled via sharded workers, incremental deltas, caching, queue fairness
• Guard bypass prevented by analyzers in CI and runtime rejection of forbidden operations

Epic alignment

• Epic 2 – Policy Engine & Editor: deliver deterministic evaluation, DSL infrastructure, explain traces, and incremental runs.
• Epic 4 – Policy Studio: integrate registry workflows, simulation at scale, approvals, and promotion semantics.