git.stella-ops.org/docs/features/checked/policy/policy-bundles-with-proof-objects.md
2026-02-13 02:04:55 +02:00

# Policy Bundles with Proof Objects

## Module

Policy

## Status

IMPLEMENTED

## Description

Policy bundles with proof objects, security atoms, claims, and subjects forming the trust lattice algebra substrate.

## Implementation Details

- TrustLatticeEngine: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
  - Pipeline: VEX normalization -> claim ingestion -> K4 evaluation -> disposition selection -> proof bundle generation
  - `Evaluate()` returns a `TrustLatticeResult` whose proof bundle contains all claims, evidence, and K4 lattice evaluations
  - Proof bundle includes: claims with scores, VEX sources, reachability signals, K4 lattice values per subject
  - Claims are built via the fluent `ClaimBuilder`: Assert, Present, Applies, Reachable, Mitigated, Fixed, Misattributed
- K4Lattice: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/K4Lattice.cs`
  - Four-valued logic in the style of Belnap's (Unknown=0, True=1, False=2, Conflict=3)
  - Algebraic operations over the knowledge order, in which Unknown is the bottom and Conflict the top: Join (T join F = Conflict), Meet (T meet F = Unknown), Negate, LessOrEqual
  - `FromSupport()` converts evidence support to a K4 value
- ClaimScoreMerger: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ClaimScoreMerger.cs`
  - Deterministic merge with conflict penalization (0.25 penalty)
  - Total ordering: adjusted score -> specificity -> original score -> source ID -> index, so identical inputs always yield the same winner
  - Returns a `MergeResult` with the winning claim, the detected conflicts, and a `RequiresReplayProof` flag
- KnowledgeSnapshotManifest: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs`
  - Content-addressed bundle capturing all policy evaluation inputs
  - `PolicyBundleRef` (PolicyId, Digest, Uri) for bundle identification
  - `ScoringRulesRef`, `TrustBundleRef` for scoring and trust configuration
- PolicyGateEvaluator: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - Uses trust lattice results in the Lattice State gate
  - Uses proof bundles for evidence completeness verification
- VerdictAttestationService: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs` -- DSSE-signed attestations referencing proof bundles
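The K4 operations and the merge ordering listed above, carried through on a constructed set of claims. This is an added illustration written for this page, not code from the StellaOps repository. It assumes a two-bit encoding of the K4 values (which happens to match the page's numbering), a `FromSupport()` taking separate support and contradiction flags, a `Claim` with `SourceId`, `Subject`, `Affected`, `Score` and `Specificity` fields, that the less specific side of a conflicting pair pays the 0.25 penalty, and that any recorded conflict sets `RequiresReplayProof`; none of those details are stated on the page.

```csharp
// Added illustration, not StellaOps code: a minimal K4 lattice plus a
// deterministic claim merge in the shape the page describes. The bitmask
// encoding, the FromSupport signature, the Claim fields, which side of a
// conflict is penalised, and the RequiresReplayProof rule are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;

// Page numbering: Unknown=0, True=1, False=2, Conflict=3. Read as two bits
// (bit0 = evidence for, bit1 = evidence against) the knowledge-order
// operations become plain bit operations; that reading is this example's choice.
public enum K4 { Unknown = 0, True = 1, False = 2, Conflict = 3 }

public static class K4Lattice
{
    // Least upper bound in the knowledge order: True join False = Conflict.
    public static K4 Join(K4 a, K4 b) => (K4)((int)a | (int)b);

    // Greatest lower bound in the knowledge order: True meet False = Unknown.
    public static K4 Meet(K4 a, K4 b) => (K4)((int)a & (int)b);

    // Swap "for" and "against"; Unknown and Conflict are fixed points.
    public static K4 Negate(K4 a) => (K4)((((int)a & 1) << 1) | ((int)a >> 1));

    // a <= b iff everything a knows, b also knows.
    public static bool LessOrEqual(K4 a, K4 b) => ((int)a & (int)b) == (int)a;

    // Assumed shape of FromSupport: independent support/contradiction flags.
    public static K4 FromSupport(bool supports, bool contradicts) =>
        (K4)((supports ? 1 : 0) | (contradicts ? 2 : 0));
}

// One VEX-derived claim about a subject (CVE + component). Specificity is an
// assumed integer rank: higher means the claim names a narrower target.
public sealed record Claim(string SourceId, string Subject, bool Affected, double Score, int Specificity);

public sealed record MergeResult(
    Claim Winner, IReadOnlyList<(Claim Left, Claim Right)> Conflicts,
    bool RequiresReplayProof, K4 LatticeValue);

public static class ClaimScoreMerger
{
    public const double ConflictPenalty = 0.25;

    public static MergeResult Merge(IReadOnlyList<Claim> claims)
    {
        var adjusted = claims.Select(c => c.Score).ToArray();
        var conflicts = new List<(Claim Left, Claim Right)>();

        for (int i = 0; i < claims.Count; i++)
        for (int j = i + 1; j < claims.Count; j++)
        {
            bool sameSubject = claims[i].Subject == claims[j].Subject;
            if (!sameSubject || claims[i].Affected == claims[j].Affected) continue;
            conflicts.Add((claims[i], claims[j]));
            // Assumption: the less specific side of a conflicting pair pays the
            // penalty (both sides when equally specific). Under this rule a more
            // specific claim can beat a higher raw score, as the test plan expects.
            if (claims[i].Specificity <= claims[j].Specificity) adjusted[i] -= ConflictPenalty;
            if (claims[j].Specificity <= claims[i].Specificity) adjusted[j] -= ConflictPenalty;
        }

        // Total order from the page: adjusted score, specificity, original
        // score, source ID, then input index, so equal inputs give one winner.
        var ranked = claims.Select((c, idx) => (c, idx))
            .OrderByDescending(t => adjusted[t.idx])
            .ThenByDescending(t => t.c.Specificity)
            .ThenByDescending(t => t.c.Score)
            .ThenBy(t => t.c.SourceId, StringComparer.Ordinal)
            .ThenBy(t => t.idx)
            .ToList();

        // Lattice value for the subject: join of every claim's support.
        var lattice = claims.Aggregate(K4.Unknown,
            (acc, c) => K4Lattice.Join(acc, K4Lattice.FromSupport(c.Affected, !c.Affected)));

        // Assumption: any recorded conflict flags the bundle for replay proof.
        return new MergeResult(ranked[0].c, conflicts, conflicts.Count > 0, lattice);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: three claims for one subject, two of them
        // disagreeing with the vendor statement. Identifiers are placeholders.
        const string subject = "CVE-EXAMPLE-0001 @ pkg:npm/example-lib@1.0.0";
        var claims = new List<Claim>
        {
            new("vendor-A",  subject, Affected: true,  Score: 0.90, Specificity: 0),
            new("distro-B",  subject, Affected: false, Score: 0.80, Specificity: 2),
            new("scanner-C", subject, Affected: false, Score: 0.60, Specificity: 1),
        };

        var result = ClaimScoreMerger.Merge(claims);
        Console.WriteLine($"winner={result.Winner.SourceId} conflicts={result.Conflicts.Count} " +
                          $"replay={result.RequiresReplayProof} k4={result.LatticeValue}");

        // Algebra checks straight from the page's definitions.
        Console.WriteLine(K4Lattice.Join(K4.True, K4.False) == K4.Conflict);
        Console.WriteLine(K4Lattice.Meet(K4.True, K4.False) == K4.Unknown);
        Console.WriteLine(K4Lattice.Negate(K4.Conflict) == K4.Conflict);
        Console.WriteLine(K4Lattice.LessOrEqual(K4.True, K4.Conflict));
        Console.WriteLine(K4Lattice.LessOrEqual(K4.True, K4.False));
    }
}
```

With the sample above, vendor-A conflicts with both other claims and, being the least specific, is penalised twice (0.90 down to 0.40), so distro-B wins on adjusted score despite the lower raw score, two conflicts are recorded, `RequiresReplayProof` is set, and the subject's lattice value is Conflict. The ordinal string comparison on source ID and the final index tie-break are what make the result independent of dictionary iteration order or culture settings; a merge that used a culture-sensitive comparer would not be replayable across hosts.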

## E2E Test Plan

- Evaluate trust lattice with 3 VEX claims; verify proof bundle contains all 3 claims with scores
- Evaluate trust lattice with conflicting claims; verify proof bundle includes conflict markers and K4 Conflict value
- Build policy bundle with PolicyBundleRef; verify Digest is content-addressed
- Verify proof bundle includes K4 lattice values for each subject (CVE + component)
- Verify ClaimScoreMerger produces deterministic merge result for identical inputs
- Verify claim with higher specificity wins over claim with higher raw score when conflict exists
- Evaluate with RequiresReplayProof=true; verify proof bundle is flagged for replay verification
- Reference proof bundle from VerdictAttestationService; verify attestation includes bundle digest
- Evaluate PolicyGateEvaluator Evidence gate; verify it checks proof bundle completeness
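What the "verify Digest is content-addressed" item above amounts to in practice, as an added illustration that is not StellaOps code: the digest must be a function of the bundle's inputs alone, so it has to be computed over a canonical serialization, and a verifier must be able to recompute it from the same inputs. The canonical form (ordinally sorted keys, compact JSON), the `sha256:` prefix and the URI shape are assumptions made here; the page does not specify them.

```csharp
// Added illustration, not StellaOps code: what "content-addressed" means for a
// PolicyBundleRef digest. The canonical form (ordinally sorted keys, compact
// JSON), the "sha256:" prefix and the URI shape are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed record PolicyBundleRef(string PolicyId, string Digest, string Uri);

public static class ContentAddressing
{
    // Canonical JSON: keys sorted ordinally and no whitespace, so the same
    // inputs serialise byte-for-byte identically however they were collected.
    public static string Canonicalize(IDictionary<string, string> inputs) =>
        JsonSerializer.Serialize(new SortedDictionary<string, string>(inputs, StringComparer.Ordinal));

    public static string Sha256Digest(string canonical) =>
        "sha256:" + Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(canonical))).ToLowerInvariant();

    public static PolicyBundleRef Build(string policyId, IDictionary<string, string> inputs)
    {
        var digest = Sha256Digest(Canonicalize(inputs));
        // Carrying the digest in the URI makes the reference self-verifying:
        // fetch, re-hash, compare.
        return new PolicyBundleRef(policyId, digest, $"oci://registry.example/policies/{policyId}@{digest}");
    }

    // Verification side: recompute from the inputs and compare to the reference.
    public static bool Verify(PolicyBundleRef reference, IDictionary<string, string> inputs) =>
        string.Equals(reference.Digest, Sha256Digest(Canonicalize(inputs)), StringComparison.Ordinal);

    public static void Main()
    {
        // Constructed inputs standing in for the policy, ScoringRulesRef and
        // TrustBundleRef digests a real manifest would carry.
        var inputs = new Dictionary<string, string>
        {
            ["policy"] = "sha256:0000000000000000000000000000000000000000000000000000000000000001",
            ["scoringRules"] = "sha256:0000000000000000000000000000000000000000000000000000000000000002",
            ["trustBundle"] = "sha256:0000000000000000000000000000000000000000000000000000000000000003",
        };
        // Same content, different insertion order.
        var reordered = new Dictionary<string, string>
        {
            ["trustBundle"] = inputs["trustBundle"],
            ["policy"] = inputs["policy"],
            ["scoringRules"] = inputs["scoringRules"],
        };
        // One input swapped out.
        var tampered = new Dictionary<string, string>(inputs)
        {
            ["trustBundle"] = "sha256:0000000000000000000000000000000000000000000000000000000000000004",
        };

        var bundleRef = Build("default", inputs);
        Console.WriteLine(bundleRef.Uri);
        Console.WriteLine(Verify(bundleRef, reordered));   // same content must verify
        Console.WriteLine(Verify(bundleRef, tampered));    // changed content must not
    }
}
```

The check a test should make is the pair of properties exercised in `Main`: reordering the inputs leaves the digest unchanged, and changing any one input changes it. A digest taken over whatever serialization a runtime happened to emit (property order, whitespace, number formatting) fails the first property across versions and hosts, which is why the canonical form is the part worth pinning down in the manifest's specification.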