stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
82a49f6743202b4828f46f369474f26ec0a0edf9
git.stella-ops.org/docs/modules/policy/README.md
StellaOps Bot 82a49f6743 docs consolidation work
2025-12-25 18:50:33 +02:00

84 lines
4.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# StellaOps Policy Engine
Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance.
## Responsibilities
- Compile `stella-dsl@1` packs into executable graphs.
- Join advisories, VEX evidence, and SBOM inventories to derive effective findings.
- Expose simulation and diff APIs for UI/CLI workflows.
- Emit change-stream driven events for Notify/Scheduler integrations.
## Key components
- `StellaOps.Policy.Engine` service host.
- Shared libraries under `StellaOps.Policy.*` for evaluation, storage, DSL tooling.
## Integrations & dependencies
- PostgreSQL (schema `policy`) for findings, RustFS explain bundles.
- Scheduler for incremental re-evaluation triggers.
- CLI/UI for policy authoring and runs.
## Operational notes
- DSL grammar and lifecycle docs in ../../policy/.
- Observability guidance in ../../observability/policy.md.
- Governance and scope mapping in ../../security/policy-governance.md.
- Readiness briefs: ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.
- Readiness briefs: ../scanner/design/macos-analyzer.md, ../scanner/design/windows-analyzer.md, ../policy/secret-leak-detection-readiness.md, ../policy/windows-package-readiness.md.
- Ruby capability predicates design: ./design/ruby-capability-predicates.md.
## Backlog references
- DOCS-POLICY-20-001 … DOCS-POLICY-20-012 (completed baseline).
- DOCS-POLICY-23-007 (upcoming command updates).
## Implementation Status
### Phase 1 Deterministic evaluation core (Complete)
- DSL compiler with caching, static analysis, runtime guardrails
- Batch evaluator with deterministic ordering, change-stream inputs
- Append-only effective findings ledger
- Explain trace generation with evidence linking
### Phase 2 Orchestration & incremental runs (In Progress)
- Run scheduler with job leasing, fair-share per tenant/policy
- Determinism hash verification and replay validation
- Incremental delta processing with change-stream integration
- Time-travel snapshots and resume cursors
### Phase 3 Policy Studio workflows (Planned)
- Policy registry with draft/review/approved lifecycle
- Signed promotion pipeline with multi-step approvals
- Console integration: editor, simulation, approvals, explain viewer
- CLI parity for policy management operations
### Phase 4 Simulation & approvals (Planned)
- Diff/simulation APIs with rationale breakdown
- Approval queues with change management workflows
- Integration with CLI/Console for policy previews
### Phase 5 Exports & offline parity (Planned)
- Policy bundles with deterministic manifests
- Explain archives for audit and review
- Offline Kit assets with signed packages
- Export Center integration
### Phase 6 Observability & hardening (Planned)
- Metrics: run duration, evaluation verdict counts, simulation latency
- Guard violation detection and alerting
- Incident response runbooks and compliance attestations
### Key Acceptance Criteria
- Evaluation deterministic across runs; effective findings materialised only by Policy Engine
- Incremental runs handle deltas within ≤5 min SLA; replay verification succeeds
- Policy Studio supports full lifecycle with signed promotions and explain traces
- Exports reproducible with signed manifests; Offline Kit delivers same tooling
- Guardrails prevent forbidden IO; static analysis integrated into CI
### Technical Decisions & Risks
- Non-determinism prevented via strict static analysis, runtime guards, replay tests
- Policy drift managed through simulation previews, approval workflow, audit trail
- Scaling handled via sharded workers, incremental deltas, caching, queue fairness
- Guard bypass prevented by analyzers in CI and runtime rejection of forbidden operations
## Epic alignment
- **Epic 2 Policy Engine & Editor:** deliver deterministic evaluation, DSL infrastructure, explain traces, and incremental runs.
- **Epic 4 Policy Studio:** integrate registry workflows, simulation at scale, approvals, and promotion semantics.
Reference in New Issue View Git Blame Copy Permalink