git.stella-ops.org/docs/api/exceptions.md
StellaOps Bot 7503c19b8f Add determinism tests for verdict artifact generation and update SHA256 sums script
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
2025-12-24 02:17:34 +02:00

Exceptions API

Exceptions are time-bound, tenant-scoped, auditable objects that change policy outcomes without mutating upstream evidence. They are used for waivers, compensating controls, and scoped suppressions in a way that is replayable offline.

This document is the entry point for exception contracts. Concrete shapes live in the gateway and Console schemas listed below.

Core Concepts

  • Exception object: { exceptionId, tenantId, scope, vuln, effect, justification, owner, expiration, evidenceRefs, policyBinding, status }
  • Append-only history: changes are recorded as transitions; revoke/expire supersedes instead of delete.
  • Two-phase activation (recommended): draft → staged → active to support simulation and controlled rollout.
  • Effects: examples include suppress, defer, downgrade, requireControl (exact effect catalog is policy-driven).
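
The lifecycle rules listed above, as an added Python example (not StellaOps code or its API): status is derived by replaying an append-only transition list, and an exception counts only when it is active, unexpired and for the requesting tenant. The transition graph, the `revoked`/`expired` status names, the `to` key and the ISO 8601 `expiration` format are assumptions; the sample data is constructed.

```python
from datetime import datetime, timezone

# Assumed lifecycle: the page names draft -> staged -> active and says
# revoke/expire supersede instead of delete; the exact graph is illustrative.
ALLOWED = {
    None: {"draft"},
    "draft": {"staged", "revoked"},
    "staged": {"active", "revoked"},
    "active": {"revoked", "expired"},
}  # revoked/expired have no entry, so they are terminal

def replay(history):
    """Derive the current status from an append-only list of transitions."""
    status = None
    for transition in history:
        target = transition["to"]
        if target not in ALLOWED.get(status, set()):
            raise ValueError(f"illegal transition {status} -> {target}")
        status = target
    return status

def is_effective(exc, history, tenant_id, now):
    """True only if the exception is for this tenant, active and unexpired."""
    if exc["tenantId"] != tenant_id:      # tenant-scoped: never cross tenants
        return False
    if replay(history) != "active":       # draft/staged must not change outcomes
        return False
    # Time-bound: compare timezone-aware UTC values only.
    return now < datetime.fromisoformat(exc["expiration"])

# Constructed sample data (not taken from the StellaOps schemas).
EXC = {"exceptionId": "exc-001", "tenantId": "tenant-a", "effect": "suppress",
       "expiration": "2026-01-31T00:00:00+00:00"}
HISTORY = [{"to": "draft"}, {"to": "staged"}, {"to": "active"}]

if __name__ == "__main__":
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    print(is_effective(EXC, HISTORY, "tenant-a", now))
    print(is_effective(EXC, HISTORY + [{"to": "revoked"}], "tenant-a", now))
```
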

API Surfaces

  • Console CRUD/workflow (gateway-proxied): see docs/api/console/exception-schema.md
  • Policy + Exceptions gateway contract: docs/api/gateway/policy-exceptions.md
  • Exception workflow events (SSE stream): docs/api/gateway/exception-events.md

Security & Headers

Common requirements across endpoints:

  • Authorization: Bearer <token> (or DPoP where configured)
  • X-StellaOps-Tenant: <tenantId> (required)

Scopes vary by deployment, but typically follow:

  • Read: exception:read
  • Create/edit: exception:write
  • Approve/reject/revoke: exception:approve
  • Simulation endpoints: policy:simulate (plus exception:read when simulating with overrides)

Offline / Air-Gap

  • Imports/exports are file-based (NDJSON or JSON) with deterministic ordering and UTC timestamps.
  • Signed exports (DSSE) are supported when Attestor is enabled; when disabled, exports remain hash-addressed and reproducible.
  • Exception Governance migration guide: docs/migration/exception-governance.md
  • CLI usage guide: docs/modules/cli/guides/exceptions.md