stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/policy/policy-gate-with-evidence-linked-approval.md

2.7 KiB
Raw Blame History

Policy gate with evidence-linked approval

Module

Policy

Status

IMPLEMENTED

Description

Policy gates (CVE, EPSS, budget, reachability, signature-required) evaluate artifacts against configurable rules and produce evidence-linked attestations.

Implementation Details

  • PolicyGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
    • 5 sequential gates: Evidence Completeness, Lattice State, VEX Trust, Uncertainty Tier, Confidence Threshold
    • Each gate produces evidence-linked results with attestation references
    • Gate results: Pass, PassWithNote, Warn, Block, Skip
    • Override support with justification text and evidence requirements
  • VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs
    • Evaluates VEX trust score against per-environment thresholds
    • Links VEX attestation references to gate decisions
    • VexTrustStatus with TrustScore, PolicyTrustThreshold, TrustBreakdown
  • ExceptionEvaluator: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/ExceptionEvaluator.cs
    • Exception-based approvals with evidence references (sha256 digests, attestation URIs)
    • EvidenceRefs from all matching exceptions aggregated in result
  • EvidenceRequirementValidator: src/Policy/__Libraries/StellaOps.Policy.Exceptions/Services/EvidenceRequirementValidator.cs
    • Validates required evidence before approval: attestation IDs, VEX notes, reachability proofs
    • Evidence freshness (MaxAge), trust score threshold, DSSE signature verification
  • VerdictAttestationService: src/Policy/StellaOps.Policy.Engine/Attestation/VerdictAttestationService.cs
    • DSSE-signed attestations linking verdicts to evidence bundles
    • Each gate decision produces an attestation with proof references
  • KnowledgeSnapshotManifest: src/Policy/__Libraries/StellaOps.Policy/Snapshots/KnowledgeSnapshotManifest.cs
    • Content-addressed bundle linking all evaluation inputs to gate decisions

E2E Test Plan

  • Evaluate artifact through all gates; verify each gate result includes attestation references
  • Evaluate with VexTrustGate; verify VEX attestation IDs are linked in gate result
  • Approve exception with evidence refs; verify EvidenceRefs appear in ExceptionEvaluationResult.AllEvidenceRefs
  • Require attestation ID evidence for approval; provide valid attestation; verify validation passes
  • Require evidence with MaxAge; provide expired evidence; verify validation fails
  • Generate verdict attestation; verify DSSE signature covers gate decisions and evidence refs
  • Override gate with justification; verify PassWithNote result includes justification attestation
  • Verify KnowledgeSnapshotManifest links policy bundle digest and source digests to gate inputs