Policy Engine with Proofs (Moat Score 3)
Module: Policy
Status: IMPLEMENTED
Description: Policy engine with gate levels, delta verdict statements, gateway endpoints, and exception approval rules.
Implementation Details
- PolicyGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
  - 5 sequential gates: Evidence Completeness, Lattice State, VEX Trust, Uncertainty Tier, Confidence Threshold
  - Gate results: Pass, PassWithNote, Warn, Block, Skip
  - Short-circuits on the first Block; accumulates warnings from the gates that ran
  - Lattice states: U (Unknown), SR (Safe-Reachable), SU (Safe-Unknown), RO (Reachable-Open), RU (Reachable-Unknown), CR (Conflicting-Reachable), CU (Conflicting-Unknown), X (Exploitable)
  - Uncertainty tiers: T1 (High), T2 (Medium), T3 (Low), T4 (Negligible)
  - Override support with justification requirements
- VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs -- per-environment VEX trust thresholds with TrustBreakdown
- DeterminizationGate: src/Policy/StellaOps.Policy.Engine/Gates/Determinization/DeterminizationGate.cs -- confidence decay verification
- StabilityDampingGate: src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs -- oscillation prevention
- DriftGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs -- SBOM drift evaluation
- WhatIfSimulationService: src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs -- delta verdict computation
- ConsoleSimulationDiffService: src/Policy/StellaOps.Policy.Engine/Console/ConsoleSimulationDiffService.cs -- deterministic delta statements
- ExceptionEvaluator: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs -- exception approval and application
- ExceptionEffectRegistry: src/Policy/StellaOps.Policy.Engine/Adapters/ExceptionEffectRegistry.cs -- 40 type+reason to effect mappings
- ExceptionRecheckGate: src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs -- CI/CD recheck gate
- VerdictAttestationService: src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs -- DSSE-signed verdict proofs
- KnowledgeSnapshotManifest: src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs -- content-addressed evaluation input manifests
- Gateway endpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/ -- 45+ endpoint files for policy evaluation, simulation, scoring, risk budgets, exceptions, staleness
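The five-gate flow listed above, as an added C# example that is not the project's PolicyGateEvaluator: gates run in a fixed order, a Block short-circuits and marks the remaining gates Skip, Warn and PassWithNote results accumulate in the trail, and a Block can be overridden only with a non-empty justification, which turns it into PassWithNote. The gate-to-outcome mappings, the thresholds, the sample finding and every type and member name are assumptions made for illustration.

```csharp
// Added illustrative example, not StellaOps code. Sketches the behaviour the page
// describes for PolicyGateEvaluator: five gates in fixed order, short-circuit on the
// first Block, accumulated warnings, and Block overrides that need a justification.
// All type names, mappings and thresholds below are assumptions for this sketch.
using System;
using System.Collections.Generic;
using System.Linq;

public enum GateOutcome { Pass, PassWithNote, Warn, Block, Skip }

public sealed record GateResult(string Gate, GateOutcome Outcome, string? Note);

// LatticeState uses the page's codes (U, SR, SU, RO, RU, CR, CU, X), UncertaintyTier is
// T1..T4, VexTrust and Confidence are 0..1.
public sealed record Finding(string Id, bool EvidenceComplete, string LatticeState,
                             double VexTrust, string UncertaintyTier, double Confidence);

public sealed record Gate(string Name, Func<Finding, (GateOutcome Outcome, string? Note)> Eval);

public sealed record Verdict(GateOutcome Outcome, IReadOnlyList<GateResult> Trail);

public static class GatePipeline
{
    static (GateOutcome Outcome, string? Note) R(GateOutcome o, string? note = null) => (o, note);

    // vexTrustMin is the per-environment VEX trust threshold (assumed stricter for prod);
    // confidenceMin is the floor below which no verdict is accepted.
    public static IReadOnlyList<Gate> Build(double vexTrustMin, double confidenceMin) => new[]
    {
        new Gate("EvidenceCompleteness", f => f.EvidenceComplete
            ? R(GateOutcome.Pass) : R(GateOutcome.Block, "evidence bundle incomplete")),
        new Gate("LatticeState", f => f.LatticeState switch
        {
            "SR"                => R(GateOutcome.Pass),
            "U" or "SU" or "RU" => R(GateOutcome.PassWithNote, $"state {f.LatticeState} still unresolved"),
            "CR" or "CU"        => R(GateOutcome.Warn, $"state {f.LatticeState}: conflicting VEX claims"),
            "RO" or "X"         => R(GateOutcome.Block, $"state {f.LatticeState}: reachable or exploitable"),
            _                   => R(GateOutcome.Block, $"unknown lattice state '{f.LatticeState}'"),
        }),
        new Gate("VexTrust", f => f.VexTrust >= vexTrustMin
            ? R(GateOutcome.Pass) : R(GateOutcome.Block, $"VEX trust {f.VexTrust:F2} < {vexTrustMin:F2}")),
        new Gate("UncertaintyTier", f => f.UncertaintyTier switch
        {
            "T1" => R(GateOutcome.Warn, "high uncertainty"),
            "T2" => R(GateOutcome.PassWithNote, "medium uncertainty"),
            _    => R(GateOutcome.Pass),
        }),
        new Gate("ConfidenceThreshold", f => f.Confidence >= confidenceMin
            ? R(GateOutcome.Pass) : R(GateOutcome.Block, $"confidence {f.Confidence:F2} < {confidenceMin:F2}")),
    };

    // overrides maps a gate name to the reviewer's justification for overriding its Block.
    public static Verdict Evaluate(IReadOnlyList<Gate> gates, Finding f,
                                   IReadOnlyDictionary<string, string>? overrides = null)
    {
        var trail = new List<GateResult>();
        for (var i = 0; i < gates.Count; i++)
        {
            var (outcome, note) = gates[i].Eval(f);
            if (outcome == GateOutcome.Block && overrides is not null
                && overrides.TryGetValue(gates[i].Name, out var why))
            {
                // A blank justification is a policy violation: refuse it loudly rather than
                // silently keeping the Block or silently waving the finding through.
                if (string.IsNullOrWhiteSpace(why))
                    throw new ArgumentException($"override of {gates[i].Name} needs a justification");
                outcome = GateOutcome.PassWithNote;
                note = $"Block overridden: {why} (was: {note})";
            }
            trail.Add(new GateResult(gates[i].Name, outcome, note));
            if (outcome != GateOutcome.Block) continue;

            // Short-circuit: later gates are recorded as Skip so the trail shows they never ran.
            for (var j = i + 1; j < gates.Count; j++)
                trail.Add(new GateResult(gates[j].Name, GateOutcome.Skip, "not evaluated after Block"));
            break;
        }
        return new Verdict(Aggregate(trail), trail);
    }

    // Worst outcome wins; Skip never contributes to the final verdict.
    static GateOutcome Aggregate(IEnumerable<GateResult> trail)
    {
        var seen = trail.Select(r => r.Outcome).ToHashSet();
        if (seen.Contains(GateOutcome.Block)) return GateOutcome.Block;
        if (seen.Contains(GateOutcome.Warn)) return GateOutcome.Warn;
        return seen.Contains(GateOutcome.PassWithNote) ? GateOutcome.PassWithNote : GateOutcome.Pass;
    }
}

public static class Demo
{
    public static void Main()
    {
        var prod = GatePipeline.Build(vexTrustMin: 0.8, confidenceMin: 0.7);
        // Constructed sample finding: reachable and still open (RO), otherwise well-evidenced.
        var f = new Finding("finding-001", true, "RO", 0.9, "T3", 0.85);
        Show(GatePipeline.Evaluate(prod, f));                                // no overrides
        Show(GatePipeline.Evaluate(prod, f, new Dictionary<string, string>   // justified override
            { ["LatticeState"] = "compensating control recorded in the change ticket" }));
    }

    static void Show(Verdict v) => Console.WriteLine($"{v.Outcome}: " +
        string.Join(" | ", v.Trail.Select(r => $"{r.Gate}={r.Outcome}")));
}
```

Recording skipped gates in the trail instead of omitting them keeps the verdict auditable: a consumer can distinguish a gate that passed from one that never ran because an earlier gate blocked.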
E2E Test Plan
- Evaluate artifact through full 5-gate pipeline; verify each gate produces Pass/Warn/Block result
- Evaluate artifact with reachable vulnerability (RO state); verify Lattice State gate applies correct action
- Evaluate artifact with conflicting VEX claims (CR state); verify gate handles conflict appropriately
- Compute delta verdict via WhatIfSimulation; verify before/after decision changes are tracked
- Apply exception to finding; verify ExceptionEffectRegistry maps to correct effect (Suppress/Defer/Downgrade/RequireControl)
- Evaluate ExceptionRecheckGate with EPSSAbove condition triggered; verify gate blocks
- Generate DSSE-signed verdict attestation; verify signature and payload integrity
- Build KnowledgeSnapshotManifest; verify content-addressed SnapshotId is deterministic
- Override blocked gate with justification; verify PassWithNote result
- Verify StabilityDampingGate prevents oscillation between Pass and Block decisions
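An added C# example, not the project's KnowledgeSnapshotManifest or VerdictAttestationService, covering the two proof-related items in the plan above: a content-addressed SnapshotId that is the same for the same inputs regardless of the order they arrive in, and a DSSE envelope whose signature covers the Pre-Authentication Encoding of payload type and payload, verified by recomputing that encoding from the envelope and checked against a tampered payload. The PAE layout is the one from the DSSE specification; the type names, the payload type string, the canonical line format and the constructed inputs are assumptions.

```csharp
// Added illustrative example, not StellaOps code: a content-addressed snapshot id over the
// evaluation inputs, and a DSSE envelope over the resulting verdict with the verify path.
// Type names, the payload type and the canonical line format are assumptions; the PAE
// layout follows the DSSE specification.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// One evaluation input (SBOM, VEX feed, policy bundle, ...) identified by its own digest.
public sealed record SnapshotInput(string Kind, string Name, string Sha256Hex);

public static class KnowledgeSnapshot
{
    // Canonical form: inputs sorted by (Kind, Name) with ordinal comparison, one per line,
    // lower-cased digests, and nothing time- or host-dependent. Same inputs, same bytes.
    public static string Canonicalize(IEnumerable<SnapshotInput> inputs) => string.Join("\n",
        inputs.OrderBy(i => i.Kind, StringComparer.Ordinal)
              .ThenBy(i => i.Name, StringComparer.Ordinal)
              .Select(i => $"{i.Kind}\t{i.Name}\tsha256:{i.Sha256Hex.ToLowerInvariant()}"));

    public static string SnapshotId(IEnumerable<SnapshotInput> inputs) => "sha256:" +
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(Canonicalize(inputs)))).ToLowerInvariant();
}

public sealed record DsseSignature(string keyid, string sig);
public sealed record DsseEnvelope(string payloadType, string payload, DsseSignature[] signatures);

public static class Dsse
{
    // Pre-Authentication Encoding from the DSSE spec:
    //   "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload   (lengths are decimal byte counts)
    // Signing the PAE rather than the raw payload binds the payloadType to the signature.
    public static byte[] Pae(string payloadType, byte[] payload)
    {
        var typeLen = Encoding.UTF8.GetByteCount(payloadType);
        var header = Encoding.UTF8.GetBytes($"DSSEv1 {typeLen} {payloadType} {payload.Length} ");
        return header.Concat(payload).ToArray();
    }

    public static DsseEnvelope Sign(ECDsa key, string keyId, string payloadType, byte[] payload) =>
        new(payloadType, Convert.ToBase64String(payload), new[]
        {
            new DsseSignature(keyId, Convert.ToBase64String(
                key.SignData(Pae(payloadType, payload), HashAlgorithmName.SHA256)))
        });

    // Recompute the PAE from the envelope's own fields. A verifier that checked only the
    // payload bytes and trusted an unsigned payloadType could be fed a verdict under the wrong type.
    public static bool Verify(ECDsa publicKey, DsseEnvelope env, string keyId)
    {
        var pae = Pae(env.payloadType, Convert.FromBase64String(env.payload));
        return env.signatures.Any(s => s.keyid == keyId &&
            publicKey.VerifyData(pae, Convert.FromBase64String(s.sig), HashAlgorithmName.SHA256));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs; the digests are placeholders, not real artifact hashes.
        var inputs = new[]
        {
            new SnapshotInput("sbom",   "app-image",   new string('a', 64)),
            new SnapshotInput("vex",    "vendor-feed", new string('b', 64)),
            new SnapshotInput("policy", "prod-gates",  new string('c', 64)),
        };
        var id = KnowledgeSnapshot.SnapshotId(inputs);
        // Reordering the same inputs must not change the id; that is what content addressing buys.
        var orderIndependent = KnowledgeSnapshot.SnapshotId(Enumerable.Reverse(inputs)) == id;
        Console.WriteLine($"snapshotId {id} (order-independent: {orderIndependent})");

        var verdict = JsonSerializer.SerializeToUtf8Bytes(new
            { snapshotId = id, subject = "app-image", verdict = "Block", gate = "LatticeState" });
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using var pub = ECDsa.Create(key.ExportParameters(false));
        var env = Dsse.Sign(key, "policy-signer-1", "application/vnd.example.verdict+json", verdict);
        Console.WriteLine($"verify intact:   {Dsse.Verify(pub, env, "policy-signer-1")}");

        // Flip the verdict inside the payload; the signature over the PAE must stop verifying.
        var tampered = env with { payload = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(Encoding.UTF8.GetString(verdict).Replace("Block", "Pass"))) };
        Console.WriteLine($"verify tampered: {Dsse.Verify(pub, tampered, "policy-signer-1")}");
    }
}
```

The verdict payload carries the SnapshotId, so anyone holding the attestation can tell exactly which set of inputs the verdict was computed over and re-run the evaluation against them; the DSSE signature then binds that verdict and its payload type together, so neither can be swapped without invalidating the proof.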