feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
docs/risk/factors.md (new file, 44 lines)
@@ -0,0 +1,44 @@
# Risk Factors (draft outline)
> Draft scaffold; fill once 66-002/66-003 inputs (engine contract + sample payloads) arrive. Keep fixtures deterministic and offline-friendly.
## Purpose
- Catalog supported factors (exploit likelihood, VEX state, reachability, runtime facts, fix availability, asset criticality, provenance trust, tenant overrides) and how they normalize into risk math.
## Scope & Audience
- Audience: risk engineers, policy authors, platform SREs.
- In scope: factor definitions, required/optional fields, normalization rules, TTLs, provenance expectations.
- Out of scope: full formula math (see `formulas.md`), API wiring (see `api.md`).
## Factor Catalog (to fill with schema-backed tables)
- Exploit likelihood — fields: source, score, last_seen, confidence
- VEX status — fields: status, justification, impact_statement
- Reachability — fields: entrypoint, callgraph evidence, runtime observation
- Runtime facts — fields: host, container, signal type, timestamp (UTC), provenance attestation
- Fix availability — fields: advisory id, patch released at, mitigation guidance
- Asset criticality — fields: business tier, data class, tenancy scope
- Provenance trust — fields: signature status, key id, chain of custody
- Custom/tenant overrides — fields: override reason, reviewer, expiry/TTL
## Normalization Rules (outline)
- Input validation + schema versioning
- Unit ranges (0–1) and clamping
- Time decay / TTL handling
- Precedence rules when multiple sources disagree
Interim notes: follow legacy profile guidance — preserve provenance, never mutate source evidence, and keep ordering stable so explainability hashes are repeatable across UI/CLI/exports.
## Determinism & Ordering
- Sort factors by type then source; stable hashing rules for fixtures.
- Record SHA256 for sample payloads once provided.
## Open Items
- Engine contract and sample payloads for each factor
- TTL/decay parameters from Risk Engine Guild
- Provenance attestation examples
## References
- `docs/risk/overview.md`
- `docs/risk/profiles.md`
- `docs/risk/formulas.md`
- `docs/risk/api.md`
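Review bot: the "Normalization Rules (outline)" section says inputs are clamped to a 0–1 range but the "Input validation + schema versioning" bullet does not say whether an out-of-range, missing or TTL-expired value is rejected or silently clamped; for risk scoring, silently clamping a malformed exploit-likelihood score or a stale runtime fact can hide bad upstream data, so spell out the policy per factor (e.g. "reject on schema failure or expired TTL; clamp only floating-point noise, and record that clamping happened in the explanation") and state whether the repeatable explainability hash mentioned in the interim notes covers the raw or the normalized values. Separately, this file is not mentioned anywhere in the commit message, which only lists PolicyPackSelectorComponent, test and script work; add a bullet for the risk factors draft outline or move it to its own commit.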