stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/policy/vex-status-promotion-gate.md

2.5 KiB
Raw Blame History

VEX Status Promotion Gate

Module

Policy

Status

IMPLEMENTED

Description

Promotion gate that blocks environment promotions based on VEX status thresholds, ensuring only properly triaged artifacts can advance.

Implementation Details

  • VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs (implements IVexTrustGate)
    • EvaluateAsync(VexTrustGateRequest) evaluates VEX trust for status transitions
    • VexTrustGateRequest: RequestedStatus, Environment, VexTrustStatus, TenantId
    • VexTrustStatus: TrustScore (0.0-1.0), PolicyTrustThreshold, MeetsPolicyThreshold, TrustBreakdown
    • Per-environment evaluation: production requires highest trust, development most permissive
  • VexTrustGateOptions: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs
    • ApplyToStatuses: ["not_affected", "fixed"] -- statuses requiring trust verification
    • Per-environment thresholds:
      • Production: MinCompositeScore=0.80, RequireIssuerVerified=true, MinAccuracyRate=0.85, AcceptableFreshness=["fresh"], FailureAction=Block
      • Staging: MinCompositeScore=0.60, RequireIssuerVerified=true, AcceptableFreshness=["fresh","stale"], FailureAction=Warn
      • Development: MinCompositeScore=0.40, RequireIssuerVerified=false, AcceptableFreshness=["fresh","stale","superseded"], FailureAction=Warn
    • MissingTrustBehavior: Allow, Warn, Block
    • TenantOverrides for tenant-specific thresholds
  • PolicyGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
    • VEX Trust gate (3rd in pipeline) blocks promotion when trust insufficient
    • VEX trust evaluation integrated with lattice state and uncertainty tier gates

E2E Test Plan

  • Request promotion to production with trust score 0.85; verify gate passes
  • Request promotion to production with trust score 0.70; verify gate blocks (threshold 0.80)
  • Request promotion to staging with trust score 0.65; verify gate passes (threshold 0.60)
  • Request promotion with stale VEX in production; verify gate blocks (only "fresh" acceptable)
  • Request promotion with stale VEX in staging; verify gate passes (stale acceptable)
  • Request promotion with unverified issuer in production; verify gate blocks
  • Request promotion with unverified issuer in development; verify gate passes
  • Request promotion with MissingTrustBehavior=Block and no VEX data; verify gate blocks
  • Verify tenant-specific overrides apply when TenantId matches
  • Verify gate returns descriptive message identifying which threshold was not met