git.stella-ops.org/docs/advisory-ai/guardrails-and-evidence.md

Advisory AI Guardrails & Evidence Intake

Updated: 2025-11-24 · Owner: Advisory AI Docs Guild · Status: Published (Sprint 0111)

This note captures the guardrail behaviors and evidence intake boundaries required by Sprint 0111 tasks (AIAI-DOCS-31-001, AIAI-RAG-31-003). It binds Advisory AI guardrails to upstream evidence sources and clarifies how Link-Not-Merge (LNM) documents flow into Retrieval-Augmented Generation (RAG) payloads.

1) Evidence sources and contracts

Upstream readiness gates (now satisfied)

• CLI guardrail artefacts landed on 2025-11-19: out/console/guardrails/cli-vuln-29-001/ (sample-vuln-output.ndjson, sample-sbom-context.json) and out/console/guardrails/cli-vex-30-001/ (sample-vex-output.ndjson). Hashes are recorded in docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md and must be copied into Offline Kits.

• Policy hash must be pinned (policyVersion, see docs/policy/assistant-parameters.md) before enabling non-default profiles.

• LNM linksets stay the single source of truth; Advisory AI refuses ad-hoc advisory payloads even if upstream artefacts drift.

• Advisory observations (LNM) — Consume immutable advisory_observations and advisory_linksets produced per docs/modules/concelier/link-not-merge-schema.md (frozen v1, 2025-11-17).

• VEX statements — Excititor + VEX Lens linksets with trust weights; treated as structured chunks with source_id and confidence.

• SBOM context — SBOM-AIAI-31-001 contract: timelines and dependency paths retrieved via ISbomContextRetriever (AddSbomContextHttpClient), default clamps 500 timeline entries / 200 paths.

• Policy explain traces — Policy Engine digests referenced by policyVersion; cache keys include policy hash to keep outputs replayable.

• Runtime posture (optional) — Zastava signals (exposure, admissionStatus) when provided by Link-Not-Merge-enabled tenants; optional chunks tagged runtime.

All evidence items must carry content_hash + source_id; Advisory AI never mutates or merges upstream facts (Aggregation-Only Contract).

2) Guardrail stages

1. Pre-flight sanitization
   • Redact secrets (AWS-style keys, PEM blobs, generic tokens).
   • Strip prompt-injection phrases; enforce max input payload 16 kB (configurable, default).
   • Reject requests missing advisoryKey or linkset-backed evidence (LNM guard).
2. Prompt assembly
   • Deterministic section order: advisory excerpts → VEX statements → SBOM deltas → policy traces → runtime hints.
   • Vector previews capped at 600 chars + ellipsis; section budgets fixed per profile (default, fips-local, gost-local, cloud-openai); budgets live in profiles.catalog.json and are hashed into DSSE provenance.
3. LLM invocation (local/remote)
   • Profiles selected via profile field; remote profiles require Authority tenant consent and advisory-ai:operate + aoc:verify.
4. Validation & citation enforcement
   • Every emitted fact must map to an input chunk (source_id + content_hash); citations serialized as [n] in Markdown.
   • Block outputs lacking citations, exceeding section budgets, or including unredacted PII.
5. Output sealing
   • Store outputHash, inputDigest, provenanceHash; wrap in DSSE when configured.
   • Cache TTL defaults to 24h; regenerate only when inputs change or forceRefresh=true.

Metrics: advisory_ai_guardrail_blocks_total, advisory_ai_outputs_stored_total, advisory_ai_citation_coverage_ratio. Logs carry output_hash, profile, and block reason; no secrets or raw prompt bodies are logged.

3) RAG payload mapping to LNM (summary)

LNM field	RAG chunk field	Notes
observation._id	source_id	Used for citations and conflict surfacing.
observation.advisoryId	advisory_key	Keyed alongside task type in cache.
observation.affected[].purl	purl	Included for remediation + SBOM joins.
observation.severities[]	severity	Passed through unmerged; multiple severities allowed.
linkset.conflicts[]	conflicts	Rendered verbatim for conflict tasks; no inference merges.
provenance.sourceArtifactSha	content_hash	Drives determinism and replay.

See docs/advisory-ai/evidence-payloads.md for full JSON examples and alignment rules.

4) Compliance with upstream artefacts

• References: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, CLI-VULN-29-001, CLI-VEX-30-001, EXCITITOR-CONSOLE-23-001, DEVOPS-AIAI-31-001.
• Guardrails must remain compatible with docs/policy/assistant-parameters.md; configuration knobs documented there are authoritative for env vars and defaults.
• Packaging tasks (AIAI-PACKAGING-31-002) must include this guardrail summary in DSSE metadata to keep Offline Kit parity.

5) Operator checklist

• LNM feed enabled and Concelier schemas at v1 (2025-11-17).
• SBOM retriever configured or NullSbomContextClient left as safe default.
• Policy hash pinned via policyVersion when reproducibility is required.
• CLI guardrail artefact hashes verified against docs/modules/cli/artefacts/guardrails-artefacts-2025-11-19.md and mirrored into Offline Kits.
• Remote profiles only after Authority consent and profile allowlist are set.
• Cache directories shared between web + worker hosts for DSSE sealing.