git.stella-ops.org/docs/features/checked/policy/vex-status-promotion-gate.md
2026-02-14 09:11:48 +02:00


# VEX Status Promotion Gate
## Module
Policy
## Status
IMPLEMENTED
## Description
Promotion gate that blocks environment promotions based on VEX status thresholds, ensuring only properly triaged artifacts can advance.
## Implementation Details
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs` (implements `IVexTrustGate`)
  - `EvaluateAsync(VexTrustGateRequest)` evaluates VEX trust for status transitions
  - `VexTrustGateRequest`: RequestedStatus, Environment, VexTrustStatus, TenantId
  - `VexTrustStatus`: TrustScore (0.0-1.0), PolicyTrustThreshold, MeetsPolicyThreshold, TrustBreakdown
  - Per-environment evaluation: production requires the highest trust, development is the most permissive
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
  - ApplyToStatuses: `["not_affected", "fixed"]` -- the statuses that require trust verification
  - Per-environment thresholds:
    - Production: MinCompositeScore=0.80, RequireIssuerVerified=true, MinAccuracyRate=0.85, AcceptableFreshness=["fresh"], FailureAction=Block
    - Staging: MinCompositeScore=0.60, RequireIssuerVerified=true, AcceptableFreshness=["fresh","stale"], FailureAction=Warn
    - Development: MinCompositeScore=0.40, RequireIssuerVerified=false, AcceptableFreshness=["fresh","stale","superseded"], FailureAction=Warn
  - MissingTrustBehavior: Allow, Warn, Block
  - TenantOverrides for tenant-specific thresholds
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - VEX trust gate (3rd in the pipeline) blocks promotion when trust is insufficient
  - VEX trust evaluation is integrated with the lattice-state and uncertainty-tier gates
## E2E Test Plan
- [ ] Request promotion to production with trust score 0.85; verify gate passes
- [ ] Request promotion to production with trust score 0.70; verify gate blocks (threshold 0.80)
- [ ] Request promotion to staging with trust score 0.65; verify gate passes (threshold 0.60)
- [ ] Request promotion with stale VEX in production; verify gate blocks (only "fresh" acceptable)
- [ ] Request promotion with stale VEX in staging; verify gate passes (stale acceptable)
- [ ] Request promotion with unverified issuer in production; verify gate blocks
- [ ] Request promotion with unverified issuer in development; verify gate passes
- [ ] Request promotion with MissingTrustBehavior=Block and no VEX data; verify gate blocks
- [ ] Verify tenant-specific overrides apply when TenantId matches
- [ ] Verify gate returns descriptive message identifying which threshold was not met
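## Worked Example

The following is an added illustration, not code from the StellaOps repository: a simplified, self-contained model of the per-environment decision described under Implementation Details, exercised against the E2E scenarios above. `SimplifiedVexTrustGate`, `TrustInput`, `EnvironmentThreshold` and `GateResult` are hypothetical stand-ins for `VexTrustGate`, `VexTrustGateRequest`/`VexTrustStatus`, `VexTrustGateOptions` and the real return type; the threshold values are the ones listed on this page. Two things the page leaves unspecified are treated as assumptions: staging and development have no MinAccuracyRate (so it is not enforced there), and MissingTrustBehavior defaults to Block. Tenant overrides are omitted.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

enum FailureAction { Warn, Block }
enum MissingTrustBehavior { Allow, Warn, Block }
enum GateOutcome { Pass, Warn, Block }

// Per-environment thresholds as listed in Implementation Details.
// MinAccuracyRate is only given for production, so it is optional here (assumption).
sealed record EnvironmentThreshold(double MinCompositeScore, bool RequireIssuerVerified,
    double? MinAccuracyRate, string[] AcceptableFreshness, FailureAction FailureAction);

// Hypothetical flattened stand-in for VexTrustGateRequest + VexTrustStatus.
// TrustScore is null when no VEX data exists for the artifact.
sealed record TrustInput(string RequestedStatus, string Environment, double? TrustScore,
    bool IssuerVerified, double AccuracyRate, string Freshness);

sealed record GateResult(GateOutcome Outcome, string Message);

static class SimplifiedVexTrustGate
{
    static readonly HashSet<string> ApplyToStatuses =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "not_affected", "fixed" };

    static readonly Dictionary<string, EnvironmentThreshold> Thresholds =
        new Dictionary<string, EnvironmentThreshold>(StringComparer.OrdinalIgnoreCase)
        {
            ["production"]  = new EnvironmentThreshold(0.80, true,  0.85, new[] { "fresh" }, FailureAction.Block),
            ["staging"]     = new EnvironmentThreshold(0.60, true,  null, new[] { "fresh", "stale" }, FailureAction.Warn),
            ["development"] = new EnvironmentThreshold(0.40, false, null, new[] { "fresh", "stale", "superseded" }, FailureAction.Warn),
        };

    // Default MissingTrustBehavior of Block is an assumption, not documented on the page.
    public static GateResult Evaluate(TrustInput input, MissingTrustBehavior missing = MissingTrustBehavior.Block)
    {
        // Only statuses that assert the artifact is safe need trust verification.
        if (!ApplyToStatuses.Contains(input.RequestedStatus))
            return new GateResult(GateOutcome.Pass, $"status '{input.RequestedStatus}' is not subject to trust verification");

        if (!Thresholds.TryGetValue(input.Environment, out var t))
            return new GateResult(GateOutcome.Block, $"unknown environment '{input.Environment}'");

        // No VEX data at all: the configured MissingTrustBehavior decides.
        if (input.TrustScore is null)
        {
            if (missing == MissingTrustBehavior.Allow) return new GateResult(GateOutcome.Pass, "no VEX trust data; allowed by policy");
            if (missing == MissingTrustBehavior.Warn)  return new GateResult(GateOutcome.Warn, "no VEX trust data");
            return new GateResult(GateOutcome.Block, "no VEX trust data; blocked by policy");
        }

        // Collect every unmet threshold so the message names all of them (last E2E item).
        var failures = new List<string>();
        if (input.TrustScore < t.MinCompositeScore)
            failures.Add($"composite score {input.TrustScore:0.00} < {t.MinCompositeScore:0.00}");
        if (t.RequireIssuerVerified && !input.IssuerVerified)
            failures.Add("issuer not verified");
        if (t.MinAccuracyRate is double minAcc && input.AccuracyRate < minAcc)
            failures.Add($"accuracy rate {input.AccuracyRate:0.00} < {minAcc:0.00}");
        if (!t.AcceptableFreshness.Contains(input.Freshness, StringComparer.OrdinalIgnoreCase))
            failures.Add($"freshness '{input.Freshness}' not in [{string.Join(", ", t.AcceptableFreshness)}]");

        if (failures.Count == 0)
            return new GateResult(GateOutcome.Pass, $"{input.Environment}: all VEX trust thresholds met");

        // FailureAction decides whether an unmet threshold blocks or only warns.
        var outcome = t.FailureAction == FailureAction.Block ? GateOutcome.Block : GateOutcome.Warn;
        return new GateResult(outcome, $"{input.Environment}: " + string.Join("; ", failures));
    }
}

static class Program
{
    static void Expect(GateOutcome expected, GateResult r)
    {
        if (r.Outcome != expected) throw new Exception($"expected {expected}, got {r.Outcome}: {r.Message}");
        Console.WriteLine($"{r.Outcome,-5} {r.Message}");
    }

    static void Main()
    {
        // Constructed baseline: fully trusted not_affected statement headed for production.
        var ok = new TrustInput("not_affected", "production", 0.85, true, 0.90, "fresh");
        Expect(GateOutcome.Pass,  SimplifiedVexTrustGate.Evaluate(ok));
        Expect(GateOutcome.Block, SimplifiedVexTrustGate.Evaluate(ok with { TrustScore = 0.70 }));
        Expect(GateOutcome.Pass,  SimplifiedVexTrustGate.Evaluate(ok with { Environment = "staging", TrustScore = 0.65 }));
        Expect(GateOutcome.Block, SimplifiedVexTrustGate.Evaluate(ok with { Freshness = "stale" }));
        Expect(GateOutcome.Pass,  SimplifiedVexTrustGate.Evaluate(ok with { Environment = "staging", Freshness = "stale" }));
        Expect(GateOutcome.Block, SimplifiedVexTrustGate.Evaluate(ok with { IssuerVerified = false }));
        Expect(GateOutcome.Pass,  SimplifiedVexTrustGate.Evaluate(ok with { Environment = "development", IssuerVerified = false }));
        Expect(GateOutcome.Block, SimplifiedVexTrustGate.Evaluate(ok with { TrustScore = null }, MissingTrustBehavior.Block));
        // Development's FailureAction is Warn, so an unmet score does not block there.
        Expect(GateOutcome.Warn,  SimplifiedVexTrustGate.Evaluate(ok with { Environment = "development", TrustScore = 0.30 }));
        // A status outside ApplyToStatuses is never gated on trust.
        Expect(GateOutcome.Pass,  SimplifiedVexTrustGate.Evaluate(ok with { RequestedStatus = "affected", TrustScore = 0.10 }));
    }
}
```

Each `Expect` line corresponds to one checkbox in the E2E plan (plus two extra cases for the Warn action and for a non-gated status); `Main` throws on the first mismatch, so the program doubles as a quick check that the threshold table still encodes the documented policy. The message lists every failed threshold rather than the first one, which is what the last E2E item asks of the real gate.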