git.stella-ops.org/docs/features/unchecked/policy/vextrustgate-policy-integration.md

VexTrustGate Policy Integration

Module: Policy

Status: IMPLEMENTED

Description

Integrates VEX trust evaluation as a named policy gate in the policy evaluation chain. VexTrustGate validates the trust level of a VEX statement against configurable thresholds before a VEX-based risk reduction is accepted. It is registered in the GateSelector alongside the existing gates. It is distinct from the existing "VEX Trust Scoring" feature (which computes the scores): this gate makes policy decisions based on those scores.

Implementation Details

  • VexTrustGate: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGate.cs (implements IVexTrustGate)
    • EvaluateAsync(VexTrustGateRequest) evaluates trust score against thresholds
    • Returns VexTrustGateResult with decision (Pass/Warn/Block), details, and recommendations
    • Checks: composite score >= threshold, issuer verified, accuracy rate, freshness
  • VexTrustGateOptions: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateOptions.cs
    • Section key: "Policy:Gates:VexTrust"
    • Enabled flag (default true)
    • ApplyToStatuses: ["not_affected", "fixed"]
    • Per-environment thresholds (production/staging/development/default)
    • MissingTrustBehavior: Allow, Warn, Block
    • EmitMetrics: true (OpenTelemetry)
    • TenantOverrides for multi-tenant deployments
  • PolicyGateEvaluator integration: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
    • VEX Trust gate is 3rd in the 5-gate sequential pipeline
    • Evaluates after Evidence Completeness and Lattice State gates
    • Per-environment thresholds with MissingTrustBehavior fallback
  • VexTrustGateMetrics: src/Policy/StellaOps.Policy.Engine/Gates/VexTrustGateMetrics.cs
    • OpenTelemetry metrics: gate decisions, trust scores, evaluation duration
    • Tags: environment, decision, trust_score_bucket

E2E Test Plan

  • Evaluate VEX trust in production with score 0.85 (above 0.80 threshold); verify gate passes
  • Evaluate VEX trust in production with score 0.75 (below 0.80 threshold); verify gate blocks
  • Evaluate VEX trust in staging with score 0.55 (below 0.60 threshold); verify gate warns (FailureAction=Warn)
  • Evaluate VEX trust in development with score 0.35 (below 0.40 threshold); verify gate warns
  • Evaluate without VEX trust data, MissingTrustBehavior=Warn; verify gate warns with descriptive message
  • Evaluate without VEX trust data, MissingTrustBehavior=Block; verify gate blocks
  • Evaluate without VEX trust data, MissingTrustBehavior=Allow; verify gate passes
  • Configure TenantOverrides for tenant-A with custom staging threshold 0.70; evaluate in staging for tenant-A; verify custom threshold used
  • Verify VexTrustGateMetrics emits gate decision metric with environment and decision tags
  • Disable VexTrustGate (Enabled=false); evaluate; verify gate is skipped in pipeline
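As an added illustration, not the project's own C# implementation, the following Python model reproduces the decision rules described in the implementation details and exercised by the test plan above. The per-environment thresholds and failure actions (production blocks, staging and development warn) are constructed from the test plan, and the "Skip" outcome for a disabled gate or a non-gated status and the issuer_verified parameter are assumptions about how the gate reports those cases.

```python
from dataclasses import dataclass, field

# Constructed per-environment settings mirroring the test plan: production
# fails closed (Block), staging and development fail open with a warning.
DEFAULT_ENVIRONMENTS = {
    "production":  {"threshold": 0.80, "failure_action": "Block"},
    "staging":     {"threshold": 0.60, "failure_action": "Warn"},
    "development": {"threshold": 0.40, "failure_action": "Warn"},
    "default":     {"threshold": 0.60, "failure_action": "Warn"},
}

@dataclass
class VexTrustGateOptions:
    """Model of the Policy:Gates:VexTrust section (names follow the doc above)."""
    enabled: bool = True
    apply_to_statuses: tuple = ("not_affected", "fixed")
    environments: dict = field(default_factory=lambda: dict(DEFAULT_ENVIRONMENTS))
    missing_trust_behavior: str = "Warn"                   # Allow | Warn | Block
    tenant_overrides: dict = field(default_factory=dict)  # tenant -> {env: settings}

def evaluate_vex_trust_gate(opts, status, environment, trust_score=None,
                            tenant=None, issuer_verified=True):
    """Return (decision, detail). Decision is Pass/Warn/Block, or Skip (assumed
    name) when the gate does not apply (disabled, or status not gated)."""
    if not opts.enabled:
        return "Skip", "VexTrustGate disabled"
    if status not in opts.apply_to_statuses:
        return "Skip", f"status '{status}' is not subject to VEX trust gating"
    # A tenant override for this environment wins over the global setting;
    # an unknown environment falls back to the 'default' entry.
    settings = (opts.tenant_overrides.get(tenant, {}).get(environment)
                or opts.environments.get(environment)
                or opts.environments["default"])
    if trust_score is None:
        behavior = opts.missing_trust_behavior
        detail = f"no VEX trust score available; MissingTrustBehavior={behavior}"
        return ("Pass" if behavior == "Allow" else behavior), detail
    threshold = settings["threshold"]
    if trust_score >= threshold and issuer_verified:
        return "Pass", f"score {trust_score:.2f} >= {threshold:.2f} in {environment}"
    reason = (f"score {trust_score:.2f} < {threshold:.2f}" if trust_score < threshold
              else "issuer not verified")
    # Below threshold (or unverified issuer): apply the environment's failure action.
    return settings["failure_action"], f"{reason} in {environment}"
```

The accuracy-rate and freshness checks listed for the real gate are not modelled here; they would join the issuer check as further conditions on the Pass branch.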