git.stella-ops.org/docs/implplan/SPRINT_7100_SUMMARY.md

SPRINT_7100 Summary — VEX Trust Lattice

Epic: VEX Trust Lattice for Explainable, Replayable Decisioning Total Duration: 12 weeks (6 sprints) Status: COMPLETE (6/6 sprints done) Last Updated: 2025-12-23 Source Advisory: docs/product-advisories/archived/22-Dec-2026 - Building a Trust Lattice for VEX Sources.md

---

Executive Summary

Implement a sophisticated 3-component trust vector model (Provenance, Coverage, Replayability) for VEX sources, enabling explainable and deterministically replayable vulnerability decisioning. This replaces the current single-weight trust model with a mathematically rigorous lattice-based approach that produces signed, auditable verdict manifests.

Key Features

1. Trust Vector (P/C/R): 3-component scoring per VEX source
2. Claim Scoring: ClaimScore = BaseTrust(S) * M * F with strength and freshness multipliers
3. Policy Gates: Minimum confidence, unknowns budget, source quotas, reachability requirements
4. Verdict Manifest: DSSE-signed, indexed, replayable verdicts
5. Trust Algebra UI: Visual explanation panel for trust decisions
6. Calibration: Rolling trust weight adjustment based on post-mortem truth

---

Sprint Overview

Sprint ID	Topic	Duration	Status	Key Deliverables
7100.0001.0001	Trust Vector Foundation	2 weeks	DONE ✓	TrustVector, ClaimStrength, FreshnessCalculator, ClaimScoreCalculator
7100.0001.0002	Verdict Manifest & Replay	2 weeks	DONE ✓	VerdictManifest, DSSE signing, PostgreSQL store, replay verification
7100.0002.0001	Policy Gates & Lattice Merge	2 weeks	DONE ✓	ClaimScoreMerger ✓, MinimumConfidenceGate ✓, SourceQuotaGate ✓, UnknownsBudgetGate ✓
7100.0002.0002	Source Defaults & Calibration	2 weeks	DONE ✓	DefaultTrustVectors ✓, CalibrationManifest ✓, TrustCalibrationService ✓, PostgreSQL ✓, Config ✓
7100.0003.0001	UI Trust Algebra Panel	2 weeks	DONE ✓	TrustAlgebraComponent ✓, ConfidenceMeter ✓, TrustVectorBars ✓, ClaimTable ✓, PolicyChips ✓, ReplayButton ✓, Service ✓, Accessibility ✓, E2E Tests ✓
7100.0003.0002	Integration & Documentation	2 weeks	DONE ✓	trust-lattice.md ✓, verdict-manifest.md ✓, JSON schemas ✓, Config files ✓, Architecture docs ✓, API reference ✓, Training docs ✓, E2E tests ✓

---

Gap Analysis (Advisory vs. Current Implementation)

Advisory Feature	Current State	Gap Severity	Sprint
3-Component Trust Vector (P/C/R)	Single weight per provider	MAJOR	7100.0001.0001
Claim Strength Multiplier (M)	Status-based adjustments only	MEDIUM	7100.0001.0001
Freshness Decay (F)	Fixed staleness penalties (-5%/-10%)	MEDIUM	7100.0001.0001
ClaimScore = BaseTrustMF	Not implemented	MAJOR	7100.0001.0001
Conflict Mode + Replay Proof	K4 conflict detection, no down-weight	MINOR	7100.0002.0001
Verdict Manifest (DSSE-signed)	Not implemented	MAJOR	7100.0001.0002
Policy Gates (min confidence, quotas)	Partial (jurisdiction rules)	MEDIUM	7100.0002.0001
Deterministic Replay Pinning	Determinism prioritized, no manifest	MEDIUM	7100.0001.0002
UI Trust Algebra Panel	Not implemented	MEDIUM	7100.0003.0001
Calibration Manifest	Not implemented	MINOR	7100.0002.0002

---

Batch A: Core Models (Sprints 7100.0001.0001–0002)

Sprint 7100.0001.0001: Trust Vector Foundation

Owner: Excititor Team + Policy Team Working Directory: src/Excititor/__Libraries/StellaOps.Excititor.Core/ Deliverables:

• TrustVector record with P/C/R components and configurable weights
• ClaimStrength enum with evidence-based multipliers (0.40–1.00)
• FreshnessCalculator with configurable half-life decay (default 90 days)
• ClaimScoreCalculator implementing BaseTrust(S) * M * F
• Extended VexProvider with TrustVector configuration
• Unit tests for scoring calculations (determinism validation)

Tests: ≥90% coverage, determinism assertions

---

Sprint 7100.0001.0002: Verdict Manifest & Replay

Owner: Authority Team + Excititor Team Working Directory: src/Authority/__Libraries/StellaOps.Authority.Core/ Deliverables:

• VerdictManifest model with inputs pinning
• VerdictManifestBuilder for deterministic assembly
• DSSE signing for verdict manifests via Signer module
• IVerdictManifestStore interface and PostgreSQL implementation
• Indexing by (asset_digest, CVE, policy_hash, lattice_version)
• Replay verification endpoint
• Integration tests with determinism assertions

Tests: DSSE signing tests, replay verification tests

---

Batch B: Policy Integration (Sprints 7100.0002.0001–0002)

Sprint 7100.0002.0001: Policy Gates & Lattice Merge

Owner: Policy Team Working Directory: src/Policy/__Libraries/StellaOps.Policy/ Deliverables:

• Extend TrustLatticeEngine with ClaimScore-based merge
• Implement conflict penalty (delta=0.25) on contradictory claims
• MinimumConfidenceGate policy hook (prod requires ≥0.75)
• UnknownsBudgetGate policy hook (fail if unknowns > N)
• SourceQuotaGate (cap influence at 60% unless corroborated)
• ReachabilityRequirementGate for criticals
• Policy configuration schema (YAML/JSON)
• Unit tests for all gates with edge cases

Tests: Gate edge cases, conflict scenarios

---

Sprint 7100.0002.0002: Source Defaults & Calibration

Owner: Excititor Team Working Directory: src/Excititor/__Libraries/StellaOps.Excititor.Core/ Deliverables:

• Default trust vectors for Vendor/Distro/Internal source classes
• SourceClassification service for auto-classification
• CalibrationManifest model for tuning history
• Calibration comparison (claim vs. post-mortem truth)
• Learning rate adjustment (±0.02/epoch)
• Configuration for calibration policy

Tests: Default vector tests, calibration accuracy tests

---

Batch C: UI & Integration (Sprints 7100.0003.0001–0002)

Sprint 7100.0003.0001: UI Trust Algebra Panel

Owner: UI Team Working Directory: src/Web/StellaOps.Web/ Deliverables:

• TrustAlgebraComponent Angular component
• Confidence meter visualization (0–1 scale)
• P/C/R stacked bar chart for winning claim
• Claim comparison table with conflict toggle
• Policy chips display with YAML viewer (read-only in replay)
• "Reproduce verdict" replay button
• E2E tests for trust algebra panel

Tests: Component tests, accessibility tests

---

Sprint 7100.0003.0002: Integration & Documentation

Owner: Docs Guild + All Teams Working Directory: docs/ and cross-module integration Deliverables:

• Update docs/modules/excititor/architecture.md with trust lattice
• Create docs/modules/excititor/trust-lattice.md specification
• Update docs/modules/policy/architecture.md with gates
• Create docs/modules/authority/verdict-manifest.md specification
• Add JSON Schema for VerdictManifest to docs/attestor/
• Update API reference with verdict manifest endpoints
• Integration tests: end-to-end trust lattice flow
• Update etc/*.yaml.sample configuration files

Tests: Documentation review, E2E integration tests

---

Dependencies

graph TD
    A[7100.0001.0001 Trust Vector] --> B[7100.0001.0002 Verdict Manifest]
    A --> C[7100.0002.0001 Policy Gates]
    B --> D[7100.0002.0002 Calibration]
    C --> D
    B --> E[7100.0003.0001 UI Panel]
    C --> E
    D --> F[7100.0003.0002 Integration]
    E --> F

---

Technical Design

Trust Vector Formula

BaseTrust(S) = wP*P + wC*C + wR*R

Where:
- P = Provenance score [0..1]
- C = Coverage score [0..1]
- R = Replayability score [0..1]
- wP = 0.45 (default)
- wC = 0.35 (default)
- wR = 0.20 (default)

Claim Score Formula

ClaimScore = BaseTrust(S) * M * F

Where:
- M = Claim strength multiplier [0.40..1.00]
- F = Freshness decay = max(exp(-ln(2) * age_days / half_life), floor)
- half_life = 90 days (default)
- floor = 0.35 (minimum freshness)

Default Trust Vectors by Source Class

Source Class	P	C	R
Vendor	0.90	0.70	0.60
Distro	0.80	0.85	0.60
Internal	0.85	0.95	0.90

Claim Strength Values

Evidence Type	Strength (M)
Exploitability analysis + reachability proof	1.00
Config/feature-flag reason with evidence	0.80
Vendor blanket statement	0.60
Under investigation	0.40

---

Success Metrics

Technical Metrics

• Determinism: 100% bit-identical verdict manifests for same inputs
• Performance: Verdict computation <100ms for 1k claims (p95)
• Accuracy: Calibration drift <5% per epoch
• Scalability: 100k verdicts/day without degradation

Business Metrics

• Explainability: 100% of verdicts include full audit trail
• Compliance: DSSE-signed verdicts meet audit requirements
• Customer adoption: ≥30% enable trust algebra UI (12 months)

---

Architectural Decisions

Decision	Rationale
Extend, don't replace	Build trust vectors alongside existing append-only linksets
Backward compatibility	Existing VexProvider.Trust.Weight maps to legacy mode
Scoring at evaluation time	No ingestion-time decisioning per AOC-19
Air-gap support	Trust vectors work offline with local signature verification
Calibration as separate manifest	Allows auditable tuning history

---

Quick Links

Sprint Files (All Archived):

• SPRINT_7100_0001_0001 - Trust Vector Foundation ✓ DONE
• SPRINT_7100_0001_0002 - Verdict Manifest & Replay ✓ DONE
• SPRINT_7100_0002_0001 - Policy Gates & Merge ✓ DONE
• SPRINT_7100_0002_0002 - Source Defaults & Calibration ✓ DONE
• SPRINT_7100_0003_0001 - UI Trust Algebra Panel ✓ DONE
• SPRINT_7100_0003_0002 - Integration & Documentation ✓ DONE

Documentation:

• Trust Lattice Specification
• Verdict Manifest Specification
• Excititor Architecture

Source Advisory:

• 22-Dec-2026 - Building a Trust Lattice for VEX Sources

---

---

Implementation Progress Report (2025-12-22)

Completed Work

• SPRINT_7100_0001_0001: All 9 tasks completed and tested (78/79 tests passing)
  • Fixed compilation errors in VexConsensusResolver, TrustCalibrationService
  • Fixed namespace conflicts in test projects
  • All trust vector scoring components functional
• SPRINT_7100_0002_0001: All 9 tasks completed
  • ClaimScoreMerger with conflict detection and penalty application
  • All policy gates: MinimumConfidence, UnknownsBudget, SourceQuota, ReachabilityRequirement
  • PolicyGateRegistry for gate orchestration
  • Configuration file: policy-gates.yaml.sample
  • Unit tests with determinism assertions
• SPRINT_7100_0002_0002: All 9 tasks completed
  • DefaultTrustVectors with Vendor/Distro/Internal/Hub/Attestation presets
  • SourceClassificationService with domain-based auto-classification
  • CalibrationManifest and CalibrationComparisonEngine
  • TrustVectorCalibrator with learning rate and momentum
  • TrustCalibrationService for epoch orchestration
  • PostgreSQL schema (002_calibration_schema.sql)
  • Configuration files: trust-lattice.yaml.sample, excititor-calibration.yaml.sample
  • Comprehensive unit tests

All Work Complete

• Documentation (Sprint 7100.0003.0002): All 9/9 tasks complete. Deliverables: trust-lattice.md, verdict-manifest.md, JSON schemas, config files, architecture docs, API reference, training docs, E2E integration tests.
• UI/Web Module (Sprint 7100.0003.0001): All 9/9 tasks complete. Components: TrustAlgebraComponent, ConfidenceMeter, TrustVectorBars, ClaimTable, PolicyChips, ReplayButton, TrustAlgebraService, accessibility improvements, and E2E tests.
• Authority Module (Sprint 7100.0001.0002): VerdictManifest, VerdictManifestBuilder, IVerdictManifestSigner, IVerdictManifestStore, VerdictReplayVerifier, PostgreSQL schema, unit tests (17 tests passing)
• All prior sprints (7100.0001.0001, 7100.0002.0001, 7100.0002.0002): Complete with all deliverables and tests.

Post-Completion Tasks

1. Archive completed sprint files to docs/implplan/archived/
2. Update advisory status to fully implemented
3. Schedule GA release review

---

Last Updated: 2025-12-23 Next Review: Weekly during sprint execution