Explore Help

Register Sign In

stella-ops.org/git.stella-ops.org

1

0

You've already forked git.stella-ops.org

Code Issues Pull Requests Actions 2 Releases Wiki Activity

Files

cf5b72974f923126944f4dcd47e85864ebb31a3b

git.stella-ops.org/docs/features/unchecked/policy/jurisdiction-specific-vex-trust-rules.md

master 1bf6bbf395 semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00

3.1 KiB

Raw Blame History

Jurisdiction-Specific VEX Trust Rules (US/EU/RU/CN)

Module

Policy

Status

IMPLEMENTED

Description

Configurable jurisdiction-specific trust rules for VEX statements, enabling different trust levels and source preferences for US, EU, Russia, and China regulatory contexts.

Implementation Details

VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs (implements IVexTrustGate)
- EvaluateAsync(VexTrustGateRequest) evaluates trust score against per-environment thresholds
- VexTrustStatus with TrustScore (0.0-1.0), PolicyTrustThreshold, MeetsPolicyThreshold, TrustBreakdown
- Checks: composite score >= threshold, issuer verification, accuracy rate, freshness
VexTrustGateOptions: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs
- Per-environment thresholds: production (MinCompositeScore=0.80, RequireIssuerVerified=true, MinAccuracyRate=0.85, FailureAction=Block), staging (0.60, verified, Warn), development (0.40, unverified OK, Warn), default (0.70, verified, Warn)
- ApplyToStatuses: ["not_affected", "fixed"]
- MissingTrustBehavior: Allow, Warn, or Block when VEX trust data is absent
- TenantOverrides: tenant-specific threshold overrides per environment
- Acceptable freshness states per environment (prod: fresh only; dev: fresh, stale, superseded)
- MaxAge per environment (optional time-based freshness)
- FailureAction enum: Warn, Block
TrustLatticeEngine: src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs
- Three VEX normalizers for different formats: CycloneDX, OpenVEX, CSAF
- Jurisdiction-aware VEX source trust via normalizer selection and claim scoring
- ClaimScoreMerger with conflict penalization for multi-source VEX
PolicyGateEvaluator VEX Trust gate: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
- VEX Trust gate evaluates per-environment thresholds with MissingTrustBehavior fallback
- Integrated into 5-gate sequential pipeline
VexTrustGateMetrics: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateMetrics.cs -- OpenTelemetry metrics for gate decisions

E2E Test Plan

Configure production threshold MinCompositeScore=0.80; evaluate VEX with score 0.75; verify gate blocks
Configure staging threshold MinCompositeScore=0.60; evaluate VEX with score 0.65; verify gate passes
Configure production RequireIssuerVerified=true; evaluate unsigned VEX; verify gate blocks
Configure development RequireIssuerVerified=false; evaluate unsigned VEX; verify gate passes
Configure production MinAccuracyRate=0.85; evaluate issuer with 0.80 accuracy; verify gate warns/blocks
Configure production AcceptableFreshness=["fresh"]; evaluate stale VEX; verify gate blocks
Configure MissingTrustBehavior=Block; evaluate without VEX trust data; verify gate blocks
Configure MissingTrustBehavior=Allow; evaluate without VEX trust data; verify gate passes
Configure TenantOverrides with custom thresholds for tenant-A; verify tenant-A uses custom thresholds
Verify VexTrustGateMetrics records gate decisions with trust_score, environment, and decision tags

Powered by Gitea Version: 1.24.5 Page: 1732ms Template: 31ms

English

Bahasa Indonesia Deutsch English Español Français Gaeilge Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語简体中文繁體中文（台灣）繁體中文（香港） 한국어

Licenses API