git.stella-ops.org/docs/features/checked/policy/vex-decisioning-engine.md
2026-02-14 09:11:48 +02:00


VEX Decisioning Engine (Not Just Ingestion) (Moat Score 4)

Module: Policy

Status: IMPLEMENTED

Description: Full VEX decisioning with a consensus engine, trust scoring, OpenVEX and CSAF normalization, and trust-lattice conflict resolution.

Implementation Details

  • TrustLatticeEngine: src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs
    • Full VEX decisioning pipeline: VEX normalization -> claim ingestion -> K4 evaluation -> disposition selection -> proof bundle
    • Three VEX format normalizers: CycloneDX, OpenVEX, CSAF
    • Fluent ClaimBuilder: Assert, Present, Applies, Reachable, Mitigated, Fixed, Misattributed
    • Evaluate() with optional SubjectFilter and proof bundle generation
    • Disposition selection from K4 lattice values: True -> not_affected, False -> affected, Conflict -> disputed, Unknown -> under_investigation
  • K4Lattice: src/Policy/__Libraries/StellaOps.Policy/TrustLattice/K4Lattice.cs
    • Belnap four-valued logic: Unknown=0, True=1, False=2, Conflict=3
    • Join (consensus): T join F = Conflict; commutative, idempotent
    • Meet (agreement): T meet F = Unknown
    • FromSupport(): maps evidence support to K4 value
  • ClaimScoreMerger: src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ClaimScoreMerger.cs
    • Deterministic claim merging with conflict penalization (0.25 penalty)
    • Merge ordering: adjusted score -> specificity -> original score -> source ID -> index
    • MergePolicy: ConflictPenalty, PreferSpecificity, RequireReplayProofOnConflict
    • Returns MergeResult: winning claim, conflicts, RequiresReplayProof flag
  • VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs
    • Gates policy decisions based on VEX trust scores
    • Per-environment thresholds with FailureAction (Warn/Block)
  • PolicyGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
    • VEX Trust gate (3rd in 5-gate pipeline) evaluates trust lattice results
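The lattice and disposition bullets above, as an added example that is not part of the StellaOps code base. It keeps the page's value encoding (Unknown=0, True=1, False=2, Conflict=3) and its status-to-disposition mapping; the bitwise implementation of join and meet, the FromStatus name and the status strings (taken from the E2E plan) are assumptions of this example, not the project's API.

```csharp
// Added example (not StellaOps code): a minimal Belnap K4 lattice using the
// page's value encoding, plus VEX status normalization and disposition selection.
using System;
using System.Collections.Generic;
using System.Linq;

public enum K4 { Unknown = 0, True = 1, False = 2, Conflict = 3 }

public static class K4LatticeDemo
{
    // Assumption of this example: bit 0 records "evidence for True" and bit 1
    // "evidence for False". Under that encoding the information-order join is
    // bitwise OR and the meet is bitwise AND, which reproduces the page's
    // T join F = Conflict and T meet F = Unknown, and is commutative and
    // idempotent by construction.
    public static K4 Join(K4 a, K4 b) => (K4)((int)a | (int)b);
    public static K4 Meet(K4 a, K4 b) => (K4)((int)a & (int)b);

    // Normalization of a VEX status string to a K4 value. The status names are
    // those used in the E2E plan; the mapping of fixed -> True follows that plan.
    public static K4 FromStatus(string status) => status switch
    {
        "not_affected" => K4.True,
        "fixed" => K4.True,
        "affected" => K4.False,
        _ => K4.Unknown, // under_investigation or anything unrecognized
    };

    // Consensus over a set of claims is the join of all their values, starting
    // from the lattice bottom (Unknown), so a single claim is returned unchanged.
    public static K4 Consensus(IEnumerable<K4> claims) =>
        claims.Aggregate(K4.Unknown, Join);

    // Disposition selection exactly as listed on the page.
    public static string Disposition(K4 value) => value switch
    {
        K4.True => "not_affected",
        K4.False => "affected",
        K4.Conflict => "disputed",
        _ => "under_investigation",
    };

    public static void Main()
    {
        // Constructed input mirroring the E2E conflict case:
        // CycloneDX says not_affected, OpenVEX says affected.
        var claims = new[] { FromStatus("not_affected"), FromStatus("affected") };
        var consensus = Consensus(claims);
        Console.WriteLine($"consensus={consensus} disposition={Disposition(consensus)}");

        // Agreement (meet) of the same two claims collapses to Unknown.
        Console.WriteLine($"meet={Meet(claims[0], claims[1])}");
    }
}
```

Because join is bitwise OR, adding an Unknown claim never changes a consensus, and once a True and a False claim are both present the result is Conflict regardless of how many further claims agree with one side; that is the property the disposition=disputed path relies on.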
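The ClaimScoreMerger bullets above, as an added example that is not the project's own code. It applies the page's merge ordering (adjusted score, then specificity, then original score, then source ID, then index), the 0.25 conflict penalty and the MergePolicy flags. The claim shape (VexClaim), the definition of "conflicting claims" as a set that asserts both True and False, and the reading of PreferSpecificity as enabling the specificity tie-break are assumptions of this example; the page does not state how the engine applies that flag in the signed-versus-unsigned E2E case.

```csharp
// Added example (not StellaOps code): deterministic claim merging with
// conflict penalization and the page's tie-break ordering.
using System;
using System.Collections.Generic;
using System.Linq;

public enum K4 { Unknown = 0, True = 1, False = 2, Conflict = 3 }

// Assumed claim shape: source identifier, normalized K4 value, trust score,
// and a specificity rank (higher = more specific, e.g. component-level over product-level).
public sealed record VexClaim(string SourceId, K4 Value, double Score, int Specificity);

public sealed record MergePolicy(
    double ConflictPenalty = 0.25,
    bool PreferSpecificity = true,
    bool RequireReplayProofOnConflict = true);

public sealed record MergeResult(
    VexClaim Winner,
    double WinnerAdjustedScore,
    IReadOnlyList<VexClaim> Conflicts,
    bool RequiresReplayProof);

public static class ClaimScoreMergerDemo
{
    public static MergeResult Merge(IReadOnlyList<VexClaim> claims, MergePolicy policy)
    {
        if (claims.Count == 0) throw new ArgumentException("no claims to merge", nameof(claims));

        // Assumption: the set is "in conflict" when it asserts both True and False.
        bool hasTrue = claims.Any(c => c.Value == K4.True);
        bool hasFalse = claims.Any(c => c.Value == K4.False);
        bool conflict = hasTrue && hasFalse;

        // Adjusted score: every claim that takes part in the conflict pays the penalty.
        double Adjusted(VexClaim c) =>
            conflict && (c.Value == K4.True || c.Value == K4.False)
                ? c.Score - policy.ConflictPenalty
                : c.Score;

        // Page ordering: adjusted score -> specificity -> original score -> source ID -> index.
        // The index tie-break makes the result deterministic for identical claims.
        var ranked = claims
            .Select((c, i) => (Claim: c, Index: i, Adjusted: Adjusted(c)))
            .OrderByDescending(x => x.Adjusted)
            .ThenByDescending(x => policy.PreferSpecificity ? x.Claim.Specificity : 0)
            .ThenByDescending(x => x.Claim.Score)
            .ThenBy(x => x.Claim.SourceId, StringComparer.Ordinal)
            .ThenBy(x => x.Index)
            .ToList();

        var winner = ranked[0];
        var conflicts = claims
            .Where(c => !ReferenceEquals(c, winner.Claim)
                        && c.Value != K4.Unknown
                        && c.Value != winner.Claim.Value)
            .ToList();

        bool requiresReplay = conflict && policy.RequireReplayProofOnConflict;
        return new MergeResult(winner.Claim, winner.Adjusted, conflicts, requiresReplay);
    }

    public static void Main()
    {
        // Constructed claims: two sources disagree, a third is undecided.
        var claims = new List<VexClaim>
        {
            new("vendor-csaf", K4.True, 0.90, Specificity: 2),
            new("scanner-openvex", K4.False, 0.95, Specificity: 1),
            new("triage-note", K4.Unknown, 0.40, Specificity: 0),
        };

        var result = Merge(claims, new MergePolicy());
        Console.WriteLine($"winner={result.Winner.SourceId} adjusted={result.WinnerAdjustedScore:F2}");
        Console.WriteLine($"conflicts={string.Join(",", result.Conflicts.Select(c => c.SourceId))}");
        Console.WriteLine($"requiresReplayProof={result.RequiresReplayProof}");
    }
}
```

With the constructed input both decided claims lose 0.25, so the scanner claim (0.70) still outranks the vendor claim (0.65) on adjusted score; specificity only breaks ties at equal adjusted score under this example's reading of PreferSpecificity. The RequiresReplayProof flag is what a downstream consumer should check before acting on a disputed result, since the merger has resolved the conflict by score rather than by evidence.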

E2E Test Plan

  • Ingest CycloneDX VEX with not_affected status; verify K4 value=True after normalization
  • Ingest OpenVEX with affected status; verify K4 value=False after normalization
  • Ingest CSAF VEX with fixed status; verify K4 value=True after normalization
  • Ingest conflicting claims (CycloneDX not_affected + OpenVEX affected); verify K4 Conflict, disposition=disputed
  • Verify ClaimScoreMerger: signed claim (score 0.9) wins over unsigned claim (score 0.95) when PreferSpecificity enabled
  • Verify conflict penalization: conflicting claims receive 0.25 penalty
  • Evaluate with VexTrustGate in production (threshold 0.80); provide trust score 0.85; verify gate passes
  • Evaluate with VexTrustGate; provide trust score 0.60 in production; verify gate blocks
  • Build claim via fluent API: Assert("CVE-2024-1234").Present("pkg:npm/lodash@4.17.21").Mitigated(); verify claim correctly formed
  • Verify proof bundle includes all claims, scores, and K4 evaluations for audit
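The VexTrustGate bullets in the implementation details and the two gate items in the E2E plan above, as an added example that is not the project's own code. The production threshold of 0.80 and the Warn/Block FailureAction come from the page; the other environment thresholds, the GateOutcome enum and the fail-closed handling of an unconfigured environment are assumptions of this example.

```csharp
// Added example (not StellaOps code): a per-environment VEX trust gate with
// Warn/Block failure actions.
using System;
using System.Collections.Generic;

public enum FailureAction { Warn, Block }

public enum GateOutcome { Pass, Warn, Block }

public sealed record GateThreshold(double MinTrustScore, FailureAction OnFailure);

public static class VexTrustGateDemo
{
    // Constructed per-environment thresholds. Only the production value (0.80)
    // is taken from the page; dev and staging are assumptions of this example.
    public static readonly IReadOnlyDictionary<string, GateThreshold> Thresholds =
        new Dictionary<string, GateThreshold>(StringComparer.OrdinalIgnoreCase)
        {
            ["dev"] = new(0.50, FailureAction.Warn),
            ["staging"] = new(0.70, FailureAction.Warn),
            ["production"] = new(0.80, FailureAction.Block),
        };

    public static GateOutcome Evaluate(string environment, double trustScore)
    {
        if (trustScore is < 0.0 or > 1.0)
            throw new ArgumentOutOfRangeException(nameof(trustScore), "trust score must be in [0, 1]");

        // Assumption: an environment with no configured threshold fails closed,
        // so a misconfigured deployment cannot silently skip the gate.
        if (!Thresholds.TryGetValue(environment, out var threshold))
            return GateOutcome.Block;

        if (trustScore >= threshold.MinTrustScore)
            return GateOutcome.Pass;

        return threshold.OnFailure == FailureAction.Block ? GateOutcome.Block : GateOutcome.Warn;
    }

    public static void Main()
    {
        // The two E2E cases: 0.85 passes in production, 0.60 is blocked.
        Console.WriteLine($"production 0.85 -> {Evaluate("production", 0.85)}");
        Console.WriteLine($"production 0.60 -> {Evaluate("production", 0.60)}");
        // The same low score in staging only warns under these constructed thresholds.
        Console.WriteLine($"staging 0.60 -> {Evaluate("staging", 0.60)}");
        // An unknown environment is blocked rather than ignored.
        Console.WriteLine($"qa 0.99 -> {Evaluate("qa", 0.99)}");
    }
}
```

Keeping the threshold and the failure action together per environment is the point of the design: a score below threshold in a non-production environment can surface as a warning without stopping a pipeline, while production stays strict, and the fail-closed default for unknown environments prevents a typo in the environment name from turning the gate off.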