git.stella-ops.org/docs/features/unchecked/policy/policy-engine-with-proofs.md

# Policy Engine with Proofs (Moat Score 3)
## Module
Policy
## Status
IMPLEMENTED
## Description
Policy engine with ordered gate levels, delta verdict statements, gateway endpoints, and exception approval rules; verdicts can be emitted as DSSE-signed proofs, and the evaluation inputs behind each verdict are captured in content-addressed snapshot manifests.
## Implementation Details
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - 5 sequential gates, evaluated in this order: Evidence Completeness, Lattice State, VEX Trust, Uncertainty Tier, Confidence Threshold
  - Gate results: Pass, PassWithNote, Warn, Block, Skip
  - Short-circuits on the first Block (later gates are not evaluated); Warn results do not stop evaluation and are accumulated into the verdict
  - Lattice states: U (Unknown), SR (Safe-Reachable), SU (Safe-Unknown), RO (Reachable-Open), RU (Reachable-Unknown), CR (Conflicting-Reachable), CU (Conflicting-Unknown), X (Exploitable)
  - Uncertainty tiers: T1 (High), T2 (Medium), T3 (Low), T4 (Negligible)
  - Overrides: a blocked gate can be overridden only with a justification; the overridden gate reports PassWithNote rather than Pass, so the override stays visible in the verdict
- **VexTrustGate**: `src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs` -- per-environment VEX trust thresholds with TrustBreakdown
- **DeterminizationGate**: `src/Policy/StellaOps.Policy.Engine/Gates/Determinization/DeterminizationGate.cs` -- confidence decay verification
- **StabilityDampingGate**: `src/Policy/StellaOps.Policy.Engine/Gates/StabilityDampingGate.cs` -- oscillation prevention
- **DriftGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs` -- SBOM drift evaluation
- **WhatIfSimulationService**: `src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs` -- delta verdict computation
- **ConsoleSimulationDiffService**: `src/Policy/StellaOps.Policy.Engine/Console/ConsoleSimulationDiffService.cs` -- deterministic delta statements
- **ExceptionEvaluator**: `src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs` -- exception approval and application
- **ExceptionEffectRegistry**: `src/Policy/StellaOps.Policy.Engine/Adapters/ExceptionEffectRegistry.cs` -- 40 mappings from (exception type, reason) pairs to effects (Suppress, Defer, Downgrade, RequireControl)
- **ExceptionRecheckGate**: `src/Policy/StellaOps.Policy.Engine/BuildGate/ExceptionRecheckGate.cs` -- CI/CD recheck gate
- **VerdictAttestationService**: `src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs` -- DSSE-signed verdict proofs
- **KnowledgeSnapshotManifest**: `src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs` -- content-addressed evaluation input manifests
- **Gateway endpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/` -- 45+ endpoint files for policy evaluation, simulation, scoring, risk budgets, exceptions, staleness
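
The gate semantics listed above (ordered gates, Pass/PassWithNote/Warn/Block/Skip results, short-circuit on the first Block, accumulated warnings, justified overrides) in a small added C# example. This is illustration code, not code from the StellaOps repository: the per-gate rules, thresholds, the split of lattice states into blocking and unresolved, all type and member names, and the sample inputs are assumptions.

```csharp
// Added example, not StellaOps code. Gate rules, thresholds, type names and the
// sample inputs below are assumptions chosen to illustrate the pipeline semantics.
using System;
using System.Collections.Generic;
using System.Linq;

enum GateResult { Pass, PassWithNote, Warn, Block, Skip }

sealed record GateOutcome(string Gate, GateResult Result, string? Note = null);

// The evidence the toy gates look at (assumed shape, not the engine's input model).
sealed record EvaluationContext(
    bool SbomPresent,
    bool VexPresent,
    string LatticeState,   // U, SR, SU, RO, RU, CR, CU or X
    double VexTrust,       // 0..1, aggregated trust in the applicable VEX statements
    int UncertaintyTier,   // 1 = High ... 4 = Negligible
    double Confidence);    // 0..1

sealed record GateOverride(string Gate, string Justification);

static class GatePipeline
{
    const double VexTrustThreshold = 0.6;
    const double ConfidenceThreshold = 0.7;
    // Assumed: reachable/exploitable states block outright; unresolved states only warn.
    static readonly HashSet<string> BlockingStates = new() { "RO", "CR", "X" };
    static readonly HashSet<string> UnresolvedStates = new() { "U", "SU", "RU", "CU" };

    static GateOutcome Outcome(string gate, GateResult r, string? note = null) => new(gate, r, note);

    static GateOutcome EvidenceCompleteness(EvaluationContext c) =>
        !c.SbomPresent ? Outcome("EvidenceCompleteness", GateResult.Block, "no SBOM")
        : !c.VexPresent ? Outcome("EvidenceCompleteness", GateResult.Warn, "no VEX evidence")
        : Outcome("EvidenceCompleteness", GateResult.Pass);

    static GateOutcome LatticeState(EvaluationContext c) =>
        BlockingStates.Contains(c.LatticeState) ? Outcome("LatticeState", GateResult.Block, $"state {c.LatticeState}")
        : UnresolvedStates.Contains(c.LatticeState) ? Outcome("LatticeState", GateResult.Warn, $"unresolved state {c.LatticeState}")
        : Outcome("LatticeState", GateResult.Pass);

    static GateOutcome VexTrust(EvaluationContext c) =>
        !c.VexPresent ? Outcome("VexTrust", GateResult.Skip, "no VEX to assess")
        : c.VexTrust < VexTrustThreshold ? Outcome("VexTrust", GateResult.Block, $"trust {c.VexTrust:F2} < {VexTrustThreshold}")
        : Outcome("VexTrust", GateResult.Pass);

    static GateOutcome UncertaintyTier(EvaluationContext c) =>
        c.UncertaintyTier == 1 ? Outcome("UncertaintyTier", GateResult.Block, "T1 (High) uncertainty")
        : c.UncertaintyTier == 2 ? Outcome("UncertaintyTier", GateResult.Warn, "T2 (Medium) uncertainty")
        : Outcome("UncertaintyTier", GateResult.Pass);

    static GateOutcome ConfidenceGate(EvaluationContext c) =>
        c.Confidence < ConfidenceThreshold
            ? Outcome("ConfidenceThreshold", GateResult.Block, $"confidence {c.Confidence:F2} < {ConfidenceThreshold}")
            : Outcome("ConfidenceThreshold", GateResult.Pass);

    static readonly Func<EvaluationContext, GateOutcome>[] Gates =
        { EvidenceCompleteness, LatticeState, VexTrust, UncertaintyTier, ConfidenceGate };

    // Runs the gates in order. The first Block ends evaluation unless an override with a
    // non-empty justification names that gate, in which case the gate yields PassWithNote.
    // Warn results never stop the pipeline; they are collected and surface in the verdict.
    public static (GateResult Final, List<GateOutcome> Outcomes, List<string> Warnings) Evaluate(
        EvaluationContext ctx, IReadOnlyList<GateOverride>? overrides = null)
    {
        var outcomes = new List<GateOutcome>();
        var warnings = new List<string>();
        foreach (var gate in Gates)
        {
            var o = gate(ctx);
            if (o.Result == GateResult.Block)
            {
                var ov = overrides?.FirstOrDefault(x => x.Gate == o.Gate && !string.IsNullOrWhiteSpace(x.Justification));
                if (ov is null)
                {
                    outcomes.Add(o);
                    return (GateResult.Block, outcomes, warnings);   // short-circuit: later gates never run
                }
                o = o with { Result = GateResult.PassWithNote, Note = $"overridden: {ov.Justification}" };
            }
            if (o.Result == GateResult.Warn) warnings.Add($"{o.Gate}: {o.Note}");
            outcomes.Add(o);
        }
        var final = outcomes.Any(x => x.Result == GateResult.PassWithNote) ? GateResult.PassWithNote
                  : warnings.Count > 0 ? GateResult.Warn
                  : GateResult.Pass;
        return (final, outcomes, warnings);
    }

    static void Main()
    {
        // Constructed input: a reachable-open (RO) finding with otherwise strong evidence.
        var reachable = new EvaluationContext(true, true, "RO", 0.9, 3, 0.95);
        var (r1, o1, _) = Evaluate(reachable);
        Console.WriteLine($"{r1} after {o1.Count} gate(s)");

        // Same finding, with a justified override on the Lattice State gate.
        var ov = new[] { new GateOverride("LatticeState", "compensating network control in place") };
        var (r2, o2, w2) = Evaluate(reachable, ov);
        Console.WriteLine($"{r2} after {o2.Count} gate(s), {w2.Count} warning(s)");

        // Constructed input without VEX evidence and with T2 uncertainty.
        var noVex = new EvaluationContext(true, false, "SR", 0.0, 2, 0.8);
        var (r3, _, w3) = Evaluate(noVex);
        Console.WriteLine($"{r3} with {w3.Count} warning(s): {string.Join("; ", w3)}");
    }
}
```

The first evaluation stops at the Lattice State gate with Block, so gates 3 to 5 are never reached and the outcome list holds two entries. With the justified override the same input runs all five gates and the verdict is PassWithNote, which keeps the override visible rather than laundering it into a plain Pass. The third evaluation shows the non-blocking paths: Evidence Completeness and Uncertainty Tier each produce a Warn that is accumulated, the VEX Trust gate reports Skip because there is nothing to assess, and the final verdict is Warn.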
## E2E Test Plan
- [ ] Evaluate artifact through full 5-gate pipeline; verify each gate produces a Pass, PassWithNote, Warn, Block or Skip result in gate order
- [ ] Evaluate artifact with reachable vulnerability (RO state); verify Lattice State gate applies correct action
- [ ] Evaluate artifact with conflicting VEX claims (CR state); verify gate handles conflict appropriately
- [ ] Compute delta verdict via WhatIfSimulation; verify before/after decision changes are tracked
- [ ] Apply exception to finding; verify ExceptionEffectRegistry maps to correct effect (Suppress/Defer/Downgrade/RequireControl)
- [ ] Evaluate ExceptionRecheckGate with EPSSAbove condition triggered; verify gate blocks
- [ ] Generate DSSE-signed verdict attestation; verify signature and payload integrity
- [ ] Build KnowledgeSnapshotManifest; verify content-addressed SnapshotId is deterministic
- [ ] Override blocked gate with justification; verify PassWithNote result
- [ ] Verify StabilityDampingGate prevents oscillation between Pass and Block decisions
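
Two of the properties the test plan checks, a deterministic content-addressed SnapshotId and signature/payload integrity of a DSSE-signed verdict, in an added C# example that is not the project's code. The canonical form of the manifest, the verdict field names, the DSSE payload type string, the key id and the sample digests are all assumptions; the DSSE pre-authentication encoding itself is the published DSSE format.

```csharp
// Added example, not StellaOps code. Manifest canonicalisation, field names, the payload
// type, the key id and the digests are assumptions; the PAE layout is the DSSE spec's.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class SnapshotManifest
{
    // Canonical form: inputs sorted by name (ordinal), one "name=digest" line each, LF-terminated.
    // Reordering the inputs cannot change the id; changing any name or digest must.
    public static string SnapshotId(IEnumerable<KeyValuePair<string, string>> inputs)
    {
        var canonical = string.Concat(
            inputs.OrderBy(kv => kv.Key, StringComparer.Ordinal)
                  .Select(kv => $"{kv.Key}={kv.Value}\n"));
        var digest = SHA256.HashData(Encoding.UTF8.GetBytes(canonical));
        return "sha256:" + Convert.ToHexString(digest).ToLowerInvariant();
    }
}

// One-signature envelope; a full DSSE envelope carries a "signatures" array of {keyid, sig}.
sealed record DsseEnvelope(string PayloadType, string Payload, string Sig, string KeyId);

static class Dsse
{
    // DSSE pre-authentication encoding: "DSSEv1 <len(type)> <type> <len(payload)> <payload>",
    // lengths in bytes. Signing the PAE rather than the bare payload binds the payload type.
    static byte[] Pae(string payloadType, byte[] payload)
    {
        var type = Encoding.UTF8.GetBytes(payloadType);
        return Encoding.UTF8.GetBytes($"DSSEv1 {type.Length} ")
            .Concat(type)
            .Concat(Encoding.UTF8.GetBytes($" {payload.Length} "))
            .Concat(payload)
            .ToArray();
    }

    public static DsseEnvelope Sign(ECDsa key, string keyId, string payloadType, byte[] payload)
    {
        var sig = key.SignData(Pae(payloadType, payload), HashAlgorithmName.SHA256);
        return new DsseEnvelope(payloadType, Convert.ToBase64String(payload), Convert.ToBase64String(sig), keyId);
    }

    public static bool Verify(ECDsa key, DsseEnvelope env)
    {
        var payload = Convert.FromBase64String(env.Payload);
        return key.VerifyData(Pae(env.PayloadType, payload), Convert.FromBase64String(env.Sig), HashAlgorithmName.SHA256);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed, abbreviated input digests (not real artifacts).
        var inputs = new Dictionary<string, string>
        {
            ["sbom"] = "sha256:1111", ["vex"] = "sha256:2222", ["advisories"] = "sha256:3333", ["policy"] = "sha256:4444",
        };
        var id = SnapshotManifest.SnapshotId(inputs);
        var reordered = SnapshotManifest.SnapshotId(inputs.Reverse());
        var vexChanged = SnapshotManifest.SnapshotId(
            inputs.Select(kv => kv.Key == "vex" ? new KeyValuePair<string, string>(kv.Key, "sha256:5555") : kv));
        Console.WriteLine($"order-independent: {id == reordered}, input-sensitive: {id != vexChanged}");

        // Verdict statement bound to the snapshot it was computed from (assumed field names).
        var verdict = JsonSerializer.Serialize(new { snapshotId = id, artifact = "sha256:6666", decision = "Block" });
        var payloadType = "application/vnd.example.verdict+json";   // assumed, not the engine's type
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var env = Dsse.Sign(key, "example-key-1", payloadType, Encoding.UTF8.GetBytes(verdict));
        Console.WriteLine($"verifies: {Dsse.Verify(key, env)}");

        // Flipping the decision inside the payload must invalidate the signature.
        var tampered = env with { Payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(verdict.Replace("Block", "Pass"))) };
        Console.WriteLine($"tampered payload verifies: {Dsse.Verify(key, tampered)}");

        // The same payload presented under a different payload type must also fail: PAE binds the type.
        var retyped = env with { PayloadType = "application/json" };
        Console.WriteLine($"retyped envelope verifies: {Dsse.Verify(key, retyped)}");
    }
}
```

The manifest half shows why "content-addressed" needs a canonicalisation step: hashing the inputs in collection order would make the id depend on crawl order, while sorting by name before hashing makes it depend only on the set of inputs and their digests. The DSSE half shows the two checks a verifier of a verdict proof has to make: the signature must be computed over the PAE, not the raw payload, and any change to either the payload bytes or the payload type fails verification.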