# Policy gate with evidence-linked approval

## Module

Policy

## Status

IMPLEMENTED

## Description

Policy gates (CVE, EPSS, budget, reachability, signature-required) evaluate artifacts against configurable rules and produce evidence-linked attestations: every gate decision carries references to the evidence it relied on.

## Implementation Details

- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - 5 sequential gates: Evidence Completeness, Lattice State, VEX Trust, Uncertainty Tier, Confidence Threshold
  - Each gate produces evidence-linked results with attestation references
  - Gate results: Pass, PassWithNote, Warn, Block, Skip
  - Override support with justification text and evidence requirements
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs`
  - Evaluates the VEX trust score against per-environment thresholds
  - Links VEX attestation references to gate decisions
  - VexTrustStatus with TrustScore, PolicyTrustThreshold, TrustBreakdown
- **ExceptionEvaluator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs`
  - Exception-based approvals with evidence references (sha256 digests, attestation URIs)
  - EvidenceRefs from all matching exceptions are aggregated in the result
- **EvidenceRequirementValidator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs`
  - Validates required evidence before approval: attestation IDs, VEX notes, reachability proofs
  - Checks evidence freshness (MaxAge), trust score threshold, and DSSE signature verification
- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs`
  - DSSE-signed attestations linking verdicts to evidence bundles
  - Each gate decision produces an attestation with proof references
- **KnowledgeSnapshotManifest**: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs`
  - Content-addressed bundle linking all evaluation inputs to gate decisions
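
The gate pipeline described above, as an added Python illustration; it is not StellaOps code (the engine itself is C#) and uses none of its APIs. The result set, the rule that every decision carries the evidence refs it relied on, and override-with-justification come from the list above. Three of the five gates are modelled with assumed rules and thresholds (the other two would follow the same shape), a Block short-circuits later gates to Skip (an assumption), and an override may downgrade a Block to PassWithNote only when it carries justification text and its own evidence refs. The sample artifact, evidence refs and override are constructed.

```python
"""Sequential policy gates with evidence-linked, overridable decisions.

Added illustration, not code from StellaOps. Gate rules, thresholds,
short-circuit on Block and all sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class GateResult(str, Enum):
    PASS = "Pass"
    PASS_WITH_NOTE = "PassWithNote"
    WARN = "Warn"
    BLOCK = "Block"
    SKIP = "Skip"


# Worst-first; the artifact verdict is the worst result any gate produced.
SEVERITY = [GateResult.BLOCK, GateResult.WARN, GateResult.PASS_WITH_NOTE,
            GateResult.PASS, GateResult.SKIP]


@dataclass(frozen=True)
class GateDecision:
    gate: str
    result: GateResult
    evidence_refs: tuple      # attestation URIs / sha256 digests the decision relied on
    note: str = ""


@dataclass(frozen=True)
class Override:
    gate: str
    justification: str
    evidence_refs: tuple      # an override must itself point at evidence


@dataclass(frozen=True)
class Artifact:
    digest: str
    environment: str
    evidence: dict            # evidence kind -> tuple of refs
    confidence: float
    vex_trust_score: Optional[float] = None
    vex_attestation: Optional[str] = None


VEX_TRUST_THRESHOLD = {"prod": 0.8, "staging": 0.6, "dev": 0.3}   # assumed per-environment values
CONFIDENCE_THRESHOLD = 0.7                                         # assumed

Rule = Callable[[Artifact], tuple]   # returns (GateResult, evidence_refs, note)


def evidence_completeness(a: Artifact) -> tuple:
    required = ("sbom", "provenance")
    refs = tuple(r for k in required for r in a.evidence.get(k, ()))
    missing = [k for k in required if not a.evidence.get(k)]
    if missing:
        return GateResult.BLOCK, refs, "missing " + ", ".join(missing)
    return GateResult.PASS, refs, ""


def vex_trust(a: Artifact) -> tuple:
    if a.vex_attestation is None or a.vex_trust_score is None:
        return GateResult.SKIP, (), "no VEX statement for this artifact"
    threshold = VEX_TRUST_THRESHOLD[a.environment]
    note = f"trust {a.vex_trust_score:.2f} vs {a.environment} threshold {threshold:.2f}"
    result = GateResult.PASS if a.vex_trust_score >= threshold else GateResult.BLOCK
    return result, (a.vex_attestation,), note   # decision is linked to the VEX attestation


def confidence_threshold(a: Artifact) -> tuple:
    if a.confidence >= CONFIDENCE_THRESHOLD:
        return GateResult.PASS, (), ""
    if a.confidence >= CONFIDENCE_THRESHOLD - 0.1:
        return GateResult.WARN, (), f"confidence {a.confidence:.2f} just under threshold"
    return GateResult.BLOCK, (), f"confidence {a.confidence:.2f} under threshold"


GATES: list = [("EvidenceCompleteness", evidence_completeness),
               ("VexTrust", vex_trust), ("ConfidenceThreshold", confidence_threshold)]


def apply_override(d: GateDecision, ov: Optional[Override]) -> GateDecision:
    """A Block may be downgraded to PassWithNote only with justification and evidence."""
    if ov is None or d.result is not GateResult.BLOCK:
        return d
    if not ov.justification.strip() or not ov.evidence_refs:
        raise ValueError(f"override for {d.gate} needs justification and evidence refs")
    return GateDecision(d.gate, GateResult.PASS_WITH_NOTE, d.evidence_refs + ov.evidence_refs,
                        f"{d.note}; overridden: {ov.justification}")


def evaluate(a: Artifact, overrides: tuple = (), gates: list = GATES) -> dict:
    by_gate = {o.gate: o for o in overrides}
    decisions, blocked = [], False
    for name, rule in gates:
        if blocked:          # assumed: gates after a Block are recorded as Skip, not run
            decisions.append(GateDecision(name, GateResult.SKIP, (), "not evaluated after Block"))
            continue
        result, refs, note = rule(a)
        d = apply_override(GateDecision(name, result, tuple(refs), note), by_gate.get(name))
        decisions.append(d)
        blocked = d.result is GateResult.BLOCK
    verdict = min((d.result for d in decisions), key=SEVERITY.index)
    all_refs = tuple(dict.fromkeys(r for d in decisions for r in d.evidence_refs))
    return {"artifact": a.digest, "verdict": verdict.value, "evidence_refs": list(all_refs),
            "gates": [{"gate": d.gate, "result": d.result.value, "note": d.note,
                       "evidence_refs": list(d.evidence_refs)} for d in decisions]}


# --- constructed sample data ---
EVIDENCE = {"sbom": ("sha256:" + "11" * 32,), "provenance": ("https://attest.example/prov/1",)}
SAMPLE_OK = Artifact("sha256:" + "ab" * 32, "prod", EVIDENCE, 0.9, 0.85, "https://attest.example/vex/42")
SAMPLE_LOW_TRUST = Artifact("sha256:" + "ab" * 32, "prod", EVIDENCE, 0.9, 0.5, "https://attest.example/vex/42")
SAMPLE_OVERRIDE = Override("VexTrust", "vendor confirmed not affected", ("https://attest.example/vendor/7",))

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(SAMPLE_LOW_TRUST, (SAMPLE_OVERRIDE,)), indent=1))
```

The point to take from the override path is that the override's own evidence refs are appended to the gate's refs rather than replacing them, so the resulting PassWithNote still records the VEX attestation that failed the threshold alongside the justification; an override with no evidence is rejected outright.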
## E2E Test Plan

- [ ] Evaluate artifact through all gates; verify each gate result includes attestation references
- [ ] Evaluate with VexTrustGate; verify VEX attestation IDs are linked in gate result
- [ ] Approve exception with evidence refs; verify EvidenceRefs appear in ExceptionEvaluationResult.AllEvidenceRefs
- [ ] Require attestation ID evidence for approval; provide valid attestation; verify validation passes
- [ ] Require evidence with MaxAge; provide expired evidence; verify validation fails
- [ ] Generate verdict attestation; verify DSSE signature covers gate decisions and evidence refs
- [ ] Override gate with justification; verify PassWithNote result includes justification attestation
- [ ] Verify KnowledgeSnapshotManifest links policy bundle digest and source digests to gate inputs
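
The evidence-side checks in this plan (MaxAge, trust threshold, signature verification, the DSSE-signed verdict that covers gate decisions and evidence refs, and the content-addressed snapshot manifest), as one added Python illustration that is not StellaOps code and does not use its APIs. The envelope layout and pre-authentication encoding (PAE) follow the DSSE spec; HMAC-SHA256 stands in for the asymmetric signer so the block runs on the standard library alone, which also means a shared key cannot make the verdict attestable to a third party. Requirement fields, the predicateType URL, the sample evidence, the verdict shape and the clock are assumptions.

```python
"""Evidence requirements, DSSE-signed verdicts and a content-addressed snapshot.

Added illustration, not StellaOps code. DSSE envelope and PAE per the spec;
HMAC-SHA256 is a stand-in for a real (asymmetric) signer. Sample data constructed.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SIGNING_KEY = b"demo-hmac-key-not-for-production"   # constructed stand-in for a signing key
KEY_ID = "demo-hmac-key"


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def pae(payload_type: str, payload: bytes) -> bytes:
    # DSSE v1 PAE: "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
    t = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t, str(len(payload)).encode(), payload])


def sign(statement: dict, key: bytes = SIGNING_KEY,
         payload_type: str = "application/vnd.in-toto+json") -> dict:
    payload = canonical(statement)
    sig = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    return {"payloadType": payload_type, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": KEY_ID, "sig": base64.b64encode(sig).decode()}]}


def verify(envelope: dict, key: bytes = SIGNING_KEY) -> dict:
    """Return the decoded statement, or raise if no signature checks out over the PAE."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for s in envelope["signatures"]:
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return json.loads(payload)
    raise ValueError("DSSE signature verification failed")


def validate_evidence(requirements: list, evidence: list, now: datetime,
                      key: bytes = SIGNING_KEY) -> tuple:
    """Each requirement needs one evidence item of its kind that is fresh (max_age),
    trusted (min_trust) and, when require_signature is set, carries a verifiable envelope."""
    failures = []
    for req in requirements:
        reasons = []
        for ev in (e for e in evidence if e["kind"] == req["kind"]):
            age = now - ev["issued_at"]
            if "max_age" in req and age > req["max_age"]:
                reasons.append(f"{ev['ref']}: {age.days}d old, max {req['max_age'].days}d")
                continue
            if ev.get("trust_score", 0.0) < req.get("min_trust", 0.0):
                reasons.append(f"{ev['ref']}: trust {ev.get('trust_score', 0.0)} below {req['min_trust']}")
                continue
            if req.get("require_signature"):
                try:
                    verify(ev["envelope"], key)
                except (KeyError, ValueError) as exc:
                    reasons.append(f"{ev['ref']}: unverifiable ({exc})")
                    continue
            break                                   # requirement satisfied by this item
        else:
            failures.append(f"{req['kind']}: " + ("; ".join(reasons) or "no evidence of this kind"))
    return (not failures, failures)


def knowledge_snapshot_manifest(policy_bundle: bytes, sources: dict) -> dict:
    """Content-addressed: inputs are named by digest, the manifest by the digest of its canonical form."""
    body = {"policyBundleDigest": digest(policy_bundle),
            "sourceDigests": {name: digest(data) for name, data in sorted(sources.items())}}
    return {**body, "digest": digest(canonical(body))}


def attest_verdict(verdict: dict, manifest: dict, key: bytes = SIGNING_KEY) -> dict:
    """Sign a statement binding gate decisions, evidence refs and the snapshot digest together."""
    statement = {"subject": verdict["artifact"],
                 "predicateType": "https://example.invalid/policy-verdict/v1",   # assumed
                 "predicate": {"verdict": verdict["verdict"], "gates": verdict["gates"],
                               "evidenceRefs": verdict["evidence_refs"],
                               "knowledgeSnapshot": manifest["digest"]}}
    return sign(statement, key)


# --- constructed sample data ---
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
REQUIREMENTS = [{"kind": "vex", "max_age": timedelta(days=30), "min_trust": 0.8, "require_signature": True}]
FRESH_VEX = {"kind": "vex", "ref": "https://attest.example/vex/42", "trust_score": 0.9,
             "issued_at": NOW - timedelta(days=3), "envelope": sign({"status": "not_affected"})}
STALE_VEX = dict(FRESH_VEX, ref="https://attest.example/vex/41", issued_at=NOW - timedelta(days=45))
SAMPLE_VERDICT = {"artifact": "sha256:" + "ab" * 32, "verdict": "PassWithNote",
                  "gates": [{"gate": "VexTrust", "result": "PassWithNote", "evidence_refs": [FRESH_VEX["ref"]]}],
                  "evidence_refs": [FRESH_VEX["ref"]]}

if __name__ == "__main__":
    print(validate_evidence(REQUIREMENTS, [STALE_VEX], NOW))
    manifest = knowledge_snapshot_manifest(b"policy-bundle-v1", {"nvd": b"feed-a", "osv": b"feed-b"})
    print(json.dumps(verify(attest_verdict(SAMPLE_VERDICT, manifest)), indent=1))
```

Two properties worth checking in a real harness are visible here: the signature is computed over the PAE, so changing the payloadType alone breaks verification even though the payload bytes are untouched, and the manifest digest changes when any single source digest changes, which is what makes a verdict reproducible only against the exact inputs it was computed from.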