git.stella-ops.org/docs/modules/cli/guides/commands/policy.md
StellaOps Bot, commit 6bee1fdcf5, 2025-11-25 08:01:23 +02:00

stella policy — Command Guide

Commands

  • stella policy eval --input <bundle> --subject <sbom|vex|vuln> [--offline] [--output json|ndjson|table]
  • stella policy simulate --from <bundleA> --to <bundleB> [--budget <ms>] [--offline]
  • stella policy publish --input <bundle> --sign --attest

Flags (common)

  • --offline / STELLA_OFFLINE=1: forbid network calls; use cached bundles only.
  • --tenant <id>: scope evaluation to tenant; RLS enforcement required on the server.
  • --rationale: include rationale IDs in responses.
  • --output: json (default), ndjson, or table.

Inputs/outputs

  • Inputs: policy bundles (signed), subject artifacts (SBOM/VEX/Vuln snapshots).
  • Outputs: deterministic JSON/NDJSON or tables; includes correlationId, policyVersion, rationaleIds when requested.
  • Exit codes follow output-and-exit-codes.md.

Determinism rules

  • Sort evaluation results by subject key; emit all timestamps as UTC ISO-8601.
  • Report only the verdicts returned by the Policy Engine; the CLI never infers a verdict of its own.
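The determinism rules and the three --output formats, as an added example (not StellaOps code): results are sorted by subject key, timestamps are rewritten to UTC ISO-8601, rationale IDs appear only when requested, and a missing verdict is an error rather than something to guess. The field names (subject, verdict, evaluatedAt, rationaleIds) and the sample rows are assumptions constructed for this example.

```python
"""Deterministic rendering of policy evaluation results (added example, not StellaOps code)."""
import json
from datetime import datetime, timezone

# Constructed sample results: deliberately unsorted, with mixed UTC offsets.
SAMPLE_RESULTS = [
    {"subject": "pkg:npm/lodash@4.17.20", "verdict": "blocked",
     "evaluatedAt": "2025-11-25T08:01:23+02:00", "rationaleIds": ["R-12", "R-03"]},
    {"subject": "pkg:npm/axios@1.6.0", "verdict": "allowed",
     "evaluatedAt": "2025-11-25T06:01:24Z", "rationaleIds": []},
]


def to_utc_iso8601(ts: str) -> str:
    """Normalize an ISO-8601 timestamp (offset or trailing Z) to UTC at second precision."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"naive timestamp not allowed: {ts}")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(results, *, include_rationale=False):
    """Apply the determinism rules: stable order, UTC timestamps, no inferred verdicts."""
    out = []
    for r in sorted(results, key=lambda r: r["subject"]):
        if "verdict" not in r:
            # The CLI must not fill in a verdict the Policy Engine did not return.
            raise ValueError(f"missing verdict for {r.get('subject')}; refusing to infer one")
        row = {"subject": r["subject"], "verdict": r["verdict"],
               "evaluatedAt": to_utc_iso8601(r["evaluatedAt"])}
        if include_rationale:  # only when --rationale was given
            row["rationaleIds"] = sorted(r.get("rationaleIds", []))
        out.append(row)
    return out


def _cell(v):
    return ",".join(v) if isinstance(v, list) else str(v)


def render(results, fmt="json", **kw):
    """Render normalized results as json (default), ndjson or table."""
    rows = normalize(results, **kw)
    dumps = lambda obj: json.dumps(obj, sort_keys=True, separators=(",", ":"))
    if fmt == "json":
        return dumps(rows)
    if fmt == "ndjson":
        return "".join(dumps(r) + "\n" for r in rows)
    if fmt == "table":
        cols = ["subject", "verdict", "evaluatedAt"] + (["rationaleIds"] if kw.get("include_rationale") else [])
        widths = {c: max([len(c)] + [len(_cell(r[c])) for r in rows]) for c in cols}
        lines = ["  ".join(c.ljust(widths[c]) for c in cols)]
        lines += ["  ".join(_cell(r[c]).ljust(widths[c]) for c in cols) for r in rows]
        return "\n".join(lines)
    raise ValueError(f"unknown output format: {fmt}")


if __name__ == "__main__":
    print(render(SAMPLE_RESULTS, "table", include_rationale=True))
```

Because the same input always yields byte-identical json/ndjson output regardless of the order the engine returned rows in, two runs against the same bundle can be diffed directly, which is what makes the exit code and attestation story reproducible.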

Offline/air-gap notes

  • With --offline (or STELLA_OFFLINE=1), evaluation must use locally cached bundles and subject artifacts; if a network call would be needed, fail with exit code 5.
  • Trust roots are loaded from STELLA_TRUST_ROOTS when verifying signed bundles.
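The offline gate and trust-root loading as an added example (not StellaOps code): offline mode comes from either the flag or STELLA_OFFLINE=1, a bundle that is not in the local cache fails with exit code 5 instead of being fetched, and a cached bundle is only accepted when it was signed by a key listed in STELLA_TRUST_ROOTS and its digest matches. The cache layout, the os.pathsep-separated format of STELLA_TRUST_ROOTS, the keyId/sha256 fields standing in for real signature verification, and the EXIT_TRUST_FAILURE value are all assumptions of this example.

```python
"""Offline/air-gap gating for policy bundles (added example, not StellaOps code)."""
import hashlib
import os

EXIT_NETWORK_REQUIRED = 5   # from the guide: network would be needed under --offline
EXIT_TRUST_FAILURE = 1      # assumption; the real value lives in output-and-exit-codes.md


class OfflineViolation(Exception):
    """Raised when satisfying the request would require a network call in offline mode."""


class TrustError(Exception):
    """Raised when a bundle is not verifiable against the configured trust roots."""


def offline_mode(cli_flag: bool, env=None) -> bool:
    """--offline or STELLA_OFFLINE=1 both enable offline mode."""
    env = os.environ if env is None else env
    return bool(cli_flag) or env.get("STELLA_OFFLINE") == "1"


def load_trust_roots(env=None):
    """Assumed format: trusted signer key IDs separated by os.pathsep."""
    env = os.environ if env is None else env
    roots = {p for p in env.get("STELLA_TRUST_ROOTS", "").split(os.pathsep) if p}
    if not roots:
        raise TrustError("STELLA_TRUST_ROOTS is empty; signed bundles cannot be verified")
    return roots


def resolve_bundle(ref, cache, offline, fetch=None):
    """Return the bundle for `ref`; in offline mode only `cache` may be consulted."""
    if ref in cache:
        return cache[ref]
    if offline or fetch is None:
        raise OfflineViolation(f"bundle {ref} is not cached and fetching it needs the network")
    return fetch(ref)


def verify_bundle(bundle, trusted_key_ids):
    """Stand-in for signature verification: trusted signer and intact payload."""
    if bundle["keyId"] not in trusted_key_ids:
        raise TrustError(f"bundle signed by untrusted key {bundle['keyId']}")
    if hashlib.sha256(bundle["payload"]).hexdigest() != bundle["sha256"]:
        raise TrustError("bundle digest does not match payload")
    return True


def run(ref, cache, cli_offline, env=None, fetch=None) -> int:
    """CLI-style entry point returning the process exit code."""
    try:
        roots = load_trust_roots(env)
        bundle = resolve_bundle(ref, cache, offline_mode(cli_offline, env), fetch)
        verify_bundle(bundle, roots)
    except OfflineViolation:
        return EXIT_NETWORK_REQUIRED
    except TrustError:
        return EXIT_TRUST_FAILURE
    return 0


# Constructed sample cache: one bundle signed by the (assumed) key ID "stella-root-1".
PAYLOAD = b'{"policyVersion":"2025.11","rules":[]}'
CACHE = {
    "policy-default@2025.11": {
        "keyId": "stella-root-1",
        "payload": PAYLOAD,
        "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
    }
}

if __name__ == "__main__":
    env = {"STELLA_OFFLINE": "1", "STELLA_TRUST_ROOTS": "stella-root-1"}
    print("cached bundle:", run("policy-default@2025.11", CACHE, False, env))
    print("uncached bundle:", run("policy-other@1.0", CACHE, False, env))
```

The check order matters: trust roots are loaded before anything is resolved, so a misconfigured air-gapped host fails fast without touching the cache, and the network decision is made before any verification so exit code 5 is never masked by a later trust error.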