Delta Verdict Engine
Module
Policy
Status
IMPLEMENTED
Description
Full delta verdict computation comparing two evaluation states, with signed delta JSON, API endpoints for delta generation, and verdict ID generation.
Implementation Details
- WhatIfSimulationService: src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs -- WhatIfSimulationService (internal sealed class)
  - SimulateAsync(WhatIfSimulationRequest) computes delta between baseline and simulated evaluation states
  - Supports SBOM diffs: add, remove, upgrade, downgrade operations
  - Computes WhatIfDecisionChange: status_changed, severity_changed, new, removed
  - Decision simulation: new components checked against advisory count, VEX override, reachability downgrade
  - Upgrade simulation: fixed-all -> allow, remaining advisories -> warn
  - Downgrade simulation: with advisories -> deny (higher priority 150)
  - WhatIfSummary: TotalEvaluated, TotalChanged, NewlyAffected, NoLongerAffected, StatusChanges, SeverityChanges, Impact
  - WhatIfImpact: risk delta (increased/decreased/unchanged), blocked/warning deltas, recommendation text
  - Simulation ID generation: whatif-{SHA256(seed)[..16]}
- WhatIfSimulationModels: src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationModels.cs -- request/response DTOs
  - WhatIfSimulationRequest: TenantId, BaseSnapshotId, SbomDiffs, DraftPolicy, TargetPurls, IncludeExplanations, Limit, CorrelationId
  - WhatIfSbomDiff: Purl, Operation, OriginalVersion, NewVersion, AdvisoryIds, VexStatus, Reachability
  - WhatIfDecision: Status, Severity, RuleName, Priority, HasException
  - WhatIfExplanation: MatchedRules, Factors, VexEvidence, Reachability
- ConsoleSimulationDiffService: src/Policy/StellaOps.Policy.Engine/Console/ConsoleSimulationDiffService.cs -- deterministic delta diff for console surface
  - Before/After severity breakdowns, delta (added/removed/regressed), rule impact, explain samples
- SimulationAnalyticsService: src/Policy/StellaOps.Policy.Engine/Simulation/SimulationAnalyticsService.cs -- delta summary computation with severity change tracking
- Effective Decision Map: src/Policy/StellaOps.Policy.Engine/EffectiveDecisionMap/ -- materialized baseline decisions for delta comparison
- Simulation Endpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/
  - ConsoleSimulationEndpoint.cs -- console surface simulation diff
  - OverlaySimulationEndpoint.cs -- overlay-based simulation
  - RiskSimulationEndpoints.cs -- risk simulation with breakdowns
- Attestation: src/Policy/StellaOps.Policy.Engine/Attestation/ -- verdict attestation for signed delta output
E2E Test Plan
- POST what-if simulation with add component (3 advisories); verify deny decision with severity=high
- POST what-if simulation with remove component; verify decision=allow and change_type=removed
- POST what-if simulation with upgrade component fixing all CVEs; verify decision=allow
- POST what-if simulation with downgrade component with advisories; verify decision=deny with priority 150
- POST what-if simulation with VEX not_affected override; verify deny overridden to allow
- POST what-if simulation with unreachable finding; verify deny downgraded to warn
- Verify delta summary: TotalChanged matches actual number of decision changes
- Verify impact: risk delta is "increased" when blocked count goes up, "decreased" when it goes down
- POST with IncludeExplanations=true; verify explanations contain matched rules, SBOM factors, VEX evidence, and reachability
- POST console simulation diff with two policy versions; verify deterministic before/after severity breakdowns and delta counts
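
An added sketch, not StellaOps code, of the delta comparison described above: it classifies per-component changes between a baseline and a simulated decision map, derives the risk delta from the blocked count, and builds an ID in the whatif-{SHA256(seed)[..16]} shape. The Decision and Change records, the DeltaSketch class, the sample purls, the UTF-8 seed and the lowercase hex rendering are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical types for this example; not the engine's WhatIf* DTOs.
public record Decision(string Status, string Severity);
public record Change(string Purl, string ChangeType);

public static class DeltaSketch
{
    // Assumption: the seed is UTF-8 text and the digest is rendered as lowercase hex.
    public static string SimulationId(string seed) =>
        "whatif-" + Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(seed)))[..16].ToLowerInvariant();

    public static List<Change> Diff(IReadOnlyDictionary<string, Decision> before, IReadOnlyDictionary<string, Decision> after)
    {
        var changes = new List<Change>();
        // Ordinal ordering keeps the delta deterministic regardless of dictionary order.
        foreach (var purl in before.Keys.Union(after.Keys).OrderBy(p => p, StringComparer.Ordinal))
        {
            before.TryGetValue(purl, out var b);
            after.TryGetValue(purl, out var a);
            if (b is null) changes.Add(new Change(purl, "new"));
            else if (a is null) changes.Add(new Change(purl, "removed"));
            else if (b.Status != a.Status) changes.Add(new Change(purl, "status_changed"));
            else if (b.Severity != a.Severity) changes.Add(new Change(purl, "severity_changed"));
        }
        return changes;
    }

    // Risk delta follows the blocked (deny) count, as the test plan states.
    public static string RiskDelta(IReadOnlyDictionary<string, Decision> before, IReadOnlyDictionary<string, Decision> after)
    {
        int Blocked(IReadOnlyDictionary<string, Decision> m) => m.Values.Count(d => d.Status == "deny");
        return Blocked(after).CompareTo(Blocked(before)) switch { > 0 => "increased", < 0 => "decreased", _ => "unchanged" };
    }

    public static void Main()
    {
        // Constructed sample states; purls and decisions are illustrative only.
        var before = new Dictionary<string, Decision> { ["pkg:npm/a@1.0.0"] = new("deny", "high"),
            ["pkg:npm/b@2.0.0"] = new("allow", "none"), ["pkg:npm/c@3.0.0"] = new("warn", "medium") };
        var after = new Dictionary<string, Decision> { ["pkg:npm/a@1.0.0"] = new("warn", "high"),
            ["pkg:npm/c@3.0.0"] = new("warn", "low"), ["pkg:npm/d@1.0.0"] = new("deny", "high"),
            ["pkg:npm/e@1.0.0"] = new("deny", "high") };
        foreach (var c in Diff(before, after)) Console.WriteLine($"{c.Purl}: {c.ChangeType}");
        Console.WriteLine($"{SimulationId("tenant-a|snapshot-1")} risk={RiskDelta(before, after)}");
    }
}
```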