# Policy gate configuration sample for trust lattice evaluation.
#
# NOTE(review): the copy this was taken from had lost its indentation, so the
# nesting below is reconstructed from key names and grouping. Two placements
# are inferred rather than visible — `conflictPenalty` as a direct child of
# `trustLattice`, and `vexTrust` as one more entry under `gates` — confirm
# both against the consuming schema before relying on this file.

version: "1.0"

trustLattice:
  # Relative weight of each evidence dimension; the three values sum to 1.0.
  weights:
    provenance: 0.45
    coverage: 0.35
    replayability: 0.20
  # Age-based decay of evidence. Presumably halfLifeDays controls the decay
  # rate and floor is the lowest weight an aged item keeps — TODO confirm
  # against the evaluator.
  freshness:
    halfLifeDays: 90
    floor: 0.35
  # Deduction applied when sources disagree — exact formula is not visible here.
  conflictPenalty: 0.25

gates:
  # Rejects evaluations whose confidence is below the per-environment threshold.
  # Higher values are stricter; production is the tightest.
  minimumConfidence:
    enabled: true
    thresholds:
      production: 0.75
      staging: 0.60
      development: 0.40
    # Presumably gated because these statuses are the ones that downgrade or
    # clear a finding; verify against the evaluator.
    applyToStatuses:
      - not_affected
      - fixed

  # Caps how much unresolved uncertainty an evaluation may carry before it
  # fails; escalateOnFail routes a failure for human review rather than
  # dropping it silently.
  unknownsBudget:
    enabled: true
    maxUnknownCount: 5
    maxCumulativeUncertainty: 2.0
    escalateOnFail: true

  # Limits how much a single source can sway the outcome. maxInfluencePercent
  # presumably caps one source's share of the decision and corroborationDelta
  # is the minimum agreement required from a second source — TODO confirm.
  sourceQuota:
    enabled: true
    maxInfluencePercent: 60
    corroborationDelta: 0.10
    requireCorroborationFor:
      - not_affected
      - fixed

  # Requires reachability evidence before a not_affected claim is accepted for
  # findings at or above severityThreshold. bypassReasons presumably lists the
  # justifications that may skip the requirement — confirm against the schema.
  reachabilityRequirement:
    enabled: true
    severityThreshold: CRITICAL
    requiredForStatuses:
      - not_affected
    bypassReasons:
      - component_not_present
      - vulnerable_configuration_unused

  # VEX Trust Gate - Enforces minimum VEX signature verification trust thresholds
  # Order: 250 (after LatticeState/200, before UncertaintyTier/300)
  vexTrust:
    enabled: true  # Feature flag - set false during initial rollout

    # Per-environment trust thresholds.
    # Only production uses failureAction: Block; every other environment,
    # including the fallback, is Warn-only and therefore fails open.
    thresholds:
      production:
        minCompositeScore: 0.80  # Composite trust score minimum
        requireIssuerVerified: true  # Signature verification mandatory
        minAccuracyRate: 0.85  # Issuer's historical accuracy threshold
        acceptableFreshness:
          - fresh  # Only fresh VEX in production
        failureAction: Block  # Block if thresholds not met

      staging:
        minCompositeScore: 0.60
        requireIssuerVerified: true
        minAccuracyRate: null  # Don't check accuracy in staging
        acceptableFreshness:
          - fresh
          - stale
        failureAction: Warn  # Warn only in staging

      development:
        minCompositeScore: 0.40
        requireIssuerVerified: false  # Allow unsigned in dev
        minAccuracyRate: null
        acceptableFreshness:
          - fresh
          - stale
          - superseded
        failureAction: Warn

      # NOTE(review): an environment name that matches none of the keys above
      # lands here, and this profile only warns. A mislabelled production
      # deployment would therefore never be blocked by this gate — confirm
      # that is intended, or set failureAction: Block for the fallback.
      default:  # Fallback for unknown environments
        minCompositeScore: 0.70
        requireIssuerVerified: true
        minAccuracyRate: null
        acceptableFreshness:
          - fresh
          - stale
        failureAction: Warn

    # VEX statuses to which this gate applies
    applyToStatuses:
      - not_affected
      - fixed

    # Behavior when VEX trust data is missing
    # Options: Allow, Warn, Block
    # With Warn, a statement that carries no trust data at all is not blocked
    # in any environment, production included.
    missingTrustBehavior: Warn

    # Enable OpenTelemetry metrics
    emitMetrics: true

    # Tenant-specific overrides (optional)
    # tenantOverrides:
    #   tenant-a:
    #     production:
    #       minCompositeScore: 0.90
    #       requireIssuerVerified: true