git.stella-ops.org/docs/features/unchecked/libraries/stellaverdict-unified-artifact-with-json-ld-context.md

StellaVerdict Unified Artifact with JSON-LD Context

Module

__Libraries

Status

IMPLEMENTED

Description

Consolidates multiple verdict-related artifacts (score, evidence, attestation, policy trace) into a single unified StellaVerdict schema with JSON-LD context. Includes VerdictAssemblyService for composing verdicts from PolicyVerdict + ProofBundle + KnowledgeInputs, content-addressable verdictId (urn:stella:verdict:sha256:...), and comprehensive sub-models for subjects, claims, inputs, evidence graphs, policy paths, results, provenance, and signatures.

Implementation Details

  • StellaVerdict: src/__Libraries/StellaOps.Verdict/Schema/StellaVerdict.cs -- sealed record with JSON-LD @context ("https://stella-ops.org/schema/verdict/v1") and @type ("StellaVerdict"); VerdictId (urn:stella:verdict:sha256:...), SchemaVersion ("1.0"), VerdictVersion (int). Nested records:
      • VerdictSubject (NodeId, Purl, ImageRef, Digest, Environment)
      • VerdictClaim (VerdictStatus enum: Pass/Fail/Warn/Error/Unknown, Confidence 0-1, Summary, Details)
      • VerdictInputs (Advisories, VexStatements, CvssScores, EpssScores, KevEntries, ReachabilityResults, PolicyRules, SbomComponents)
      • VerdictEvidenceGraph (RootId, Nodes list, Edges list)
      • VerdictPolicyStep (RuleId, RuleName, Input, Output, Decision enum: Allow/Block/Warn/Skip)
      • VerdictResult (Verdict, PolicyPath list, Timestamp, Expiry, Deterministic bool)
      • VerdictProvenance (GeneratorId, GeneratorVersion, BuildId, SourceCommit, Environment, GeneratedAt)
      • VerdictSignature (Algorithm, KeyId, Value, Certificate, Timestamp)
  • VerdictAssemblyService: src/__Libraries/StellaOps.Verdict/Services/VerdictAssemblyService.cs -- implements IVerdictAssemblyService; AssembleVerdict(context) orchestrates composition via: BuildSubject(context), BuildClaim(context), BuildInputs(context), BuildEvidenceGraph(context), BuildPolicyPath(context), BuildResult(context), BuildProvenance(context); takes VerdictAssemblyContext with PolicyVerdict, ProofBundle, KnowledgeInputs (VerdictKnowledgeInputs record with advisory/VEX/CVSS/EPSS/KEV/reachability/policy/SBOM data); generates content-addressed VerdictId via SHA-256 of canonical JSON
  • IVerdictAssemblyService: src/__Libraries/StellaOps.Verdict/Services/VerdictAssemblyService.cs -- interface: AssembleVerdict(VerdictAssemblyContext) returns StellaVerdict
  • VerdictAssemblyContext: src/__Libraries/StellaOps.Verdict/Services/VerdictAssemblyService.cs -- record with PolicyVerdict, ProofBundle, KnowledgeInputs (VerdictKnowledgeInputs)
  • Source: SPRINT_1227_0014_0001_BE_stellaverdict_consolidation.md
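The content-addressing scheme described above (SHA-256 over canonical JSON, exposed as urn:stella:verdict:sha256:...), as an added Python example that is not part of the StellaOps.Verdict code base. It assumes a canonical form of sorted keys with no insignificant whitespace, camelCase JSON property names, and that verdictId and signature are excluded from the hashed content; the sample verdict values are constructed.

```python
import hashlib
import json

CONTEXT = "https://stella-ops.org/schema/verdict/v1"
ID_PREFIX = "urn:stella:verdict:sha256:"


def canonical_json(obj) -> bytes:
    # Assumed canonicalization: sorted keys, compact separators, UTF-8.
    # Any two equivalent documents must serialize to identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def compute_verdict_id(verdict: dict) -> str:
    # Assumption: the id commits to everything except itself and the
    # detached signature, so signing does not change the id.
    body = {k: v for k, v in verdict.items() if k not in ("verdictId", "signature")}
    return ID_PREFIX + hashlib.sha256(canonical_json(body)).hexdigest()


def assemble_verdict(subject, claim, inputs, result, provenance) -> dict:
    """Compose the unified artifact and stamp its content-addressed id."""
    verdict = {
        "@context": CONTEXT,
        "@type": "StellaVerdict",
        "schemaVersion": "1.0",
        "verdictVersion": 1,
        "subject": subject, "claim": claim, "inputs": inputs,
        "result": result, "provenance": provenance,
    }
    verdict["verdictId"] = compute_verdict_id(verdict)
    return verdict


def verify_verdict_id(verdict: dict) -> bool:
    """Consumer-side check: a verdict whose body was altered after
    assembly no longer matches the id it claims."""
    return verdict.get("verdictId") == compute_verdict_id(verdict)


# Constructed sample inputs (not real scan data).
SAMPLE = dict(
    subject={"nodeId": "n1", "purl": "pkg:npm/example@1.0.0", "digest": "sha256:<placeholder>"},
    claim={"verdictStatus": "Pass", "confidence": 0.9, "summary": "no reachable findings"},
    inputs={"advisories": [], "vexStatements": [], "kevEntries": []},
    result={"verdict": "Pass", "deterministic": True,
            "policyPath": [{"ruleId": "r1", "ruleName": "no-kev", "decision": "Allow"}]},
    provenance={"generatorId": "example", "generatorVersion": "0.0.0",
                "sourceCommit": "<placeholder>"},
)
```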

E2E Test Plan

  • Verify StellaVerdict includes JSON-LD @context and @type fields
  • Test VerdictId is content-addressed (same inputs produce same urn:stella:verdict:sha256:...)
  • Verify VerdictAssemblyService composes verdict from PolicyVerdict + ProofBundle + KnowledgeInputs
  • Test VerdictClaim.VerdictStatus enum covers Pass/Fail/Warn/Error/Unknown
  • Verify VerdictInputs captures all knowledge sources (advisories, VEX, CVSS, EPSS, KEV, reachability)
  • Test VerdictEvidenceGraph contains linked nodes and edges
  • Verify VerdictPolicyStep records policy evaluation path with decisions
  • Test VerdictProvenance captures generator, build, and source commit information