stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/excititor/vex-policy-controlled-trust-and-evidence-requirements.md

2.3 KiB
Raw Blame History

VEX Policy-Controlled Trust and Evidence Requirements

Module

Excititor

Status

IMPLEMENTED

Description

Policy-driven trust weights and evidence requirements for VEX claims, with guardrails ensuring safe statuses require evidence satisfaction.

Implementation Details

  • Modules: src/Excititor/__Libraries/StellaOps.Excititor.Core/, src/Excititor/StellaOps.Excititor.WebService/
  • Key Classes:
    • BaselineVexConsensusPolicy (src/Excititor/__Libraries/StellaOps.Excititor.Core/BaselineVexConsensusPolicy.cs) - baseline policy with evidence requirements for safe statuses
    • VexConsensusPolicyOptions (src/Excititor/__Libraries/StellaOps.Excititor.Core/VexConsensusPolicyOptions.cs) - configurable policy options for trust and evidence
    • TrustWeightRegistry (src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/TrustWeightRegistry.cs) - per-source trust weight configuration
    • PolicyLatticeAdapter (src/Excititor/__Libraries/StellaOps.Excititor.Core/Lattice/PolicyLatticeAdapter.cs) - adapts policy engine rules for VEX trust evaluation
    • VexEvidenceLinkOptions (src/Excititor/__Libraries/StellaOps.Excititor.Core/Evidence/VexEvidenceLinkOptions.cs) - evidence linking requirements configuration
    • PolicyEndpoints (src/Excititor/StellaOps.Excititor.WebService/Endpoints/PolicyEndpoints.cs) - REST endpoints for VEX policy queries
    • PolicyContracts (src/Excititor/StellaOps.Excititor.WebService/Contracts/PolicyContracts.cs) - API contracts for policy data
  • Interfaces: IVexConsensusPolicy, IVexLatticeProvider
  • Source: Feature matrix scan

E2E Test Plan

  • Configure a policy requiring binary-diff evidence for not_affected status and verify claims without evidence are rejected
  • Verify TrustWeightRegistry applies configurable trust weights: increase vendor weight and verify vendor claims rank higher
  • Verify BaselineVexConsensusPolicy enforces minimum evidence requirements for safe statuses (not_affected, fixed)
  • Verify PolicyLatticeAdapter applies K4 lattice rules from the policy engine to VEX trust evaluation
  • Verify VexEvidenceLinkOptions requires specific evidence types (reachability, binary-diff) for specific statuses
  • Verify PolicyEndpoints returns the active VEX policy configuration