feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
docs/risk/formulas.md (new file, 50 lines)
@@ -0,0 +1,50 @@
# Risk Formulas (draft outline)

> Draft scaffold; fill once 66-003/66-004 inputs (engine rollout notes + factor contract) are available. Keep math examples deterministic with fixed fixtures.

## Purpose
- Describe how normalized factors combine into a 0–100 risk score with severity bands.
- Capture gating, weighting, normalization, and override rules.

## Scope & Audience
- Audience: risk engineers, policy authors, auditors.
- In scope: weighting strategies, aggregation functions, severity thresholds, gating rules, tie-breakers.
- Out of scope: full API payloads (see `api.md`), factor definitions (see `factors.md`).

## Formula Building Blocks (to fill)
- Weighted sum / capped contribution
- Max/min guards per factor family
- Threshold gates (e.g., block if exploitability + reachability high)
- Decay/time weighting
- Tenant/asset overrides and imposed rules

## Severity Mapping (outline)
- Proposed bands (example placeholder):
- Critical: 90–100
- High: 70–89
- Medium: 40–69
- Low: 1–39
- Info: 0
- Final bands pending governance approval; update once PLLG0104 confirms.

## Determinism
- Stable ordering of factors before aggregation.
- Use fixed precision (e.g., 4 decimals) before severity mapping.
- Hash fixtures and record SHA256 for every example payload.

Interim notes: mirror legacy rule — simulation and production must share the exact evaluation codepath; no per-environment divergences. Severity buckets must be deterministic and governed by Authority scopes.

## Examples (placeholders)
- TBD sample JSON: input factors + output score + contributions table.
- TBD CLI/Console screenshots once telemetry assets provided.

## Open Items
- Engine rollout notes for gating/weighting defaults
- Severity band approval
- Sample payloads and UI traces

## References
- `docs/risk/overview.md`
- `docs/risk/profiles.md`
- `docs/risk/factors.md`
- `docs/risk/api.md`
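Review bot: the proposed bands in the Severity Mapping section leave gaps once the Determinism section's rule of fixed 4-decimal precision is applied: a score of 0.5000 falls between `Info: 0` and `Low: 1–39`, and 89.5000 falls between `High: 70–89` and `Critical: 90–100`. Either state that the score is rounded to an integer before mapping, or define the bands as half-open intervals on the rounded score (e.g. High: 70 <= s < 90) so every value in 0–100 maps to exactly one band and the mapping stays deterministic as the section requires. Same hunk, Determinism section: the bullet `Hash fixtures and record SHA256 for every example payload` should also name the canonical serialization (key order, whitespace, number formatting) applied before hashing; without it two equivalent JSON payloads yield different digests and the recorded SHA256 cannot be reproduced by a reviewer or auditor.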