stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
9ca2de05dff9c7db11eb49df6d4e47bbfe7a99f6
git.stella-ops.org/docs/features/checked/policy/jurisdiction-specific-vex-trust-rules.md
master 9ca2de05df more features checks. setup improvements
2026-02-13 02:04:55 +02:00

45 lines
3.1 KiB
Markdown
Raw Blame History

# Jurisdiction-Specific VEX Trust Rules (US/EU/RU/CN)
## Module
Policy
## Status
IMPLEMENTED
## Description
Configurable jurisdiction-specific trust rules for VEX statements, enabling different trust levels and source preferences for US, EU, Russia, and China regulatory contexts.
## Implementation Details
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs` (implements `IVexTrustGate`)
- `EvaluateAsync(VexTrustGateRequest)` evaluates trust score against per-environment thresholds
- VexTrustStatus with TrustScore (0.0-1.0), PolicyTrustThreshold, MeetsPolicyThreshold, TrustBreakdown
- Checks: composite score >= threshold, issuer verification, accuracy rate, freshness
- **VexTrustGateOptions**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs`
- Per-environment thresholds: production (MinCompositeScore=0.80, RequireIssuerVerified=true, MinAccuracyRate=0.85, FailureAction=Block), staging (0.60, verified, Warn), development (0.40, unverified OK, Warn), default (0.70, verified, Warn)
- `ApplyToStatuses`: ["not_affected", "fixed"]
- `MissingTrustBehavior`: Allow, Warn, or Block when VEX trust data is absent
- `TenantOverrides`: tenant-specific threshold overrides per environment
- Acceptable freshness states per environment (prod: fresh only; dev: fresh, stale, superseded)
- MaxAge per environment (optional time-based freshness)
- FailureAction enum: Warn, Block
- **TrustLatticeEngine**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
- Three VEX normalizers for different formats: CycloneDX, OpenVEX, CSAF
- Jurisdiction-aware VEX source trust via normalizer selection and claim scoring
- ClaimScoreMerger with conflict penalization for multi-source VEX
- **PolicyGateEvaluator VEX Trust gate**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
- VEX Trust gate evaluates per-environment thresholds with MissingTrustBehavior fallback
- Integrated into 5-gate sequential pipeline
- **VexTrustGateMetrics**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateMetrics.cs` -- OpenTelemetry metrics for gate decisions
## E2E Test Plan
- [ ] Configure production threshold MinCompositeScore=0.80; evaluate VEX with score 0.75; verify gate blocks
- [ ] Configure staging threshold MinCompositeScore=0.60; evaluate VEX with score 0.65; verify gate passes
- [ ] Configure production RequireIssuerVerified=true; evaluate unsigned VEX; verify gate blocks
- [ ] Configure development RequireIssuerVerified=false; evaluate unsigned VEX; verify gate passes
- [ ] Configure production MinAccuracyRate=0.85; evaluate issuer with 0.80 accuracy; verify gate warns/blocks
- [ ] Configure production AcceptableFreshness=["fresh"]; evaluate stale VEX; verify gate blocks
- [ ] Configure MissingTrustBehavior=Block; evaluate without VEX trust data; verify gate blocks
- [ ] Configure MissingTrustBehavior=Allow; evaluate without VEX trust data; verify gate passes
- [ ] Configure TenantOverrides with custom thresholds for tenant-A; verify tenant-A uses custom thresholds
- [ ] Verify VexTrustGateMetrics records gate decisions with trust_score, environment, and decision tags
Reference in New Issue View Git Blame Copy Permalink