Explore Help

Register Sign In

stella-ops.org/git.stella-ops.org

1

0

You've already forked git.stella-ops.org

Code Issues Pull Requests Actions 2 Releases Wiki Activity

Files

f4eb64fefcd7d2353b42aed44cb732780e861ea4

git.stella-ops.org/docs/features/checked/policy/verdict-explainability-rationale-renderer.md

master e9aeadc040 save checkpoint

2026-02-14 09:11:48 +02:00

2.9 KiB

Raw Blame History

Verdict Explainability / Rationale Renderer

Module

Policy

Status

IMPLEMENTED

Description

Verdict rationale renderer and rationale model in Policy Explainability library. Testing infrastructure includes explainability assertions, IExplainableDecision interface, and explainability models.

Implementation Details

VerdictRationaleRenderer: src/Policy/__Libraries/StellaOps.Policy.Explainability/VerdictRationaleRenderer.cs (sealed class implements IVerdictRationaleRenderer)
- Render(VerdictRationaleInput) produces structured 4-line rationale
- RenderPlainText(rationale) produces 4-line plain text output
- RenderMarkdown(rationale) produces Markdown with ## headers (Evidence, Policy Clause, Attestations, Decision)
- RenderJson(rationale) produces canonical JSON (RFC 8785) via CanonJson.Serialize
- Content-addressed RationaleId: rat:sha256:{hash} computed from SHA256 of canonical JSON
- Evidence rendering: CVE ID, component PURL/name/version, reachability (vulnerable function, entry point, path summary)
- Policy clause rendering: ClauseId, RuleDescription, Conditions
- Attestation rendering: path witness, VEX statements, provenance references
- Decision rendering: verdict, score, recommendation, mitigation (action, details)
VerdictRationale model: src/Policy/__Libraries/StellaOps.Policy.Explainability/VerdictRationale.cs
- SchemaVersion: "1.0"
- 4-line template: RationaleEvidence, RationalePolicyClause, RationaleAttestations, RationaleDecision
- RationaleInputDigests: VerdictDigest, PolicyDigest, EvidenceDigest for reproducibility
- Supporting records: ComponentIdentity, ReachabilityDetail, AttestationReference, MitigationGuidance
IVerdictRationaleRenderer: src/Policy/__Libraries/StellaOps.Policy.Explainability/IVerdictRationaleRenderer.cs
- Interface with Render, RenderPlainText, RenderMarkdown, RenderJson methods
- VerdictRationaleInput record with full input specification

E2E Test Plan

Render rationale for CVE-2024-1234 in lodash@4.17.21 with reachability; verify Evidence.FormattedText contains CVE, component, vulnerable function
Render rationale with policy clause "require-vex-for-critical"; verify PolicyClause.FormattedText includes clause ID and conditions
Render rationale with 2 VEX attestation references; verify Attestations.FormattedText includes both
Render rationale without attestations; verify FormattedText says "No attestations available."
Render same input twice; verify RationaleId is identical (content-addressed determinism)
Render with score=0.85 and mitigation; verify Decision.FormattedText includes "score 0.85" and mitigation action
RenderPlainText produces 4-line output (evidence, clause, attestations, decision)
RenderMarkdown produces valid Markdown with ## headers
RenderJson produces valid JSON parseable by standard parser
Verify RationaleId matches format rat:sha256:{64 hex chars}

Powered by Gitea Version: 1.24.5 Page: 48ms Template: 1ms

English

Bahasa Indonesia Deutsch English Español Français Gaeilge Italiano Latviešu Magyar nyelv Nederlands Polski Português de Portugal Português do Brasil Suomi Svenska Türkçe Čeština Ελληνικά Български Русский Українська فارسی മലയാളം 日本語简体中文繁體中文（台灣）繁體中文（香港） 한국어

Licenses API