git.stella-ops.org/docs/features/checked/policy/deterministic-sbom-to-vex-pipeline-with-signed-state-transitions.md
2026-02-13 02:04:55 +02:00

Deterministic SBOM-to-VEX Pipeline with Signed State Transitions

Module

Policy

Status

VERIFIED

Verification Summary

Full verdict pipeline determinism verified across 2 test projects (1716 tests total, 0 failures):

  • DeterminizationGate: signal snapshot-based evaluation with uncertainty/trust/decay/guardrail metadata
  • DeterminismGuardService: static analysis (ProhibitedPatternAnalyzer) and runtime monitoring
  • VerdictAttestationService: DSSE-signed verdict decisions with deterministic predicate JSON
  • ScoringDeterminismVerifier: scoring drift detection on weight changes
  • KnowledgeSnapshotManifest: content-addressed snapshot pinning all inputs
  • PolicyGateEvaluator: VEX state transition validation with DSSE-attested graphHash and path analysis
  • Error handling: attestor unavailable and timeout return null (soft failure when FailOnError=false)
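The properties listed above for verdict attestation (deterministic predicate JSON, DSSE signing, and a null result on attestor failure when FailOnError=false) can be illustrated with the following added example, which is not the project's own code. The payload type, predicate fields, key id and function names are constructed for illustration, and HMAC-SHA256 stands in for whatever signing backend the attestor actually uses.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.example.verdict+json"  # constructed media type

def canonical_json(obj) -> bytes:
    # Sorted keys, no insignificant whitespace, UTF-8: equal content gives equal bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def pae(payload_type: str, payload: bytes) -> bytes:
    # DSSE v1 pre-authentication encoding: the bytes that are actually signed.
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def hmac_signer(key: bytes):
    # Stand-in signer (assumption); a real attestor would use an asymmetric key.
    return lambda msg: hmac.new(key, msg, hashlib.sha256).digest()

def unavailable_signer(msg: bytes) -> bytes:
    # Simulates an attestor that cannot be reached in time.
    raise TimeoutError("attestor timed out")

def attest_verdict(predicate: dict, signer, fail_on_error: bool = False):
    payload = canonical_json(predicate)
    try:
        sig = signer(pae(PAYLOAD_TYPE, payload))
    except (ConnectionError, TimeoutError):
        if fail_on_error:
            raise
        return None  # soft failure: the caller gets no envelope
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": "demo-key",
                        "sig": base64.b64encode(sig).decode("ascii")}],
    }

def verify(envelope: dict, key: bytes) -> bool:
    # Recompute the PAE over the transported payload bytes, never over re-parsed JSON.
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload),
                        hashlib.sha256).digest()
    return any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"])
```

A caller that treats a `None` envelope as "no attestation" should record that outcome explicitly, so an unsigned verdict is never mistaken for a signed one.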

Evidence

  • docs/qa/feature-checks/runs/policy/deterministic-sbom-to-vex-pipeline-with-signed-state-transitions/run-002/