feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
docs/risk/overview.md (normal file, 49 lines added)
@@ -0,0 +1,49 @@
# Risk Overview (draft outline)

> Draft scaffold only. Populate content after PLLG0104 risk profile schema approval and risk engine/API samples land. Keep all fixtures deterministic (UTC timestamps, stable ordering, sealed sample payloads) and avoid external assets.

## Purpose
- Explain the risk model at a glance: factors, formulas, scoring semantics (0–100), and severity bands.
- Show how risk flows through StellaOps services (ingest → evaluate → explain → export) and how provenance is preserved.

## Scope & Audience
- Audience: policy authors, risk engineers, auditors, and SREs consuming risk outputs.
- In scope: concepts, glossary, lifecycle, artifacts, cross-module data flow diagrams (add after schema approval).
- Out of scope: detailed factor math (goes to `formulas.md`), API specifics (goes to `api.md`).

## Core Concepts (to fill)
- Risk factor vs. evidence vs. signal
- Profile vs. formula vs. severity mapping
- Provenance and attestations
- Explainability payloads and UI/CLI displays
- Determinism expectations (ordering, timestamps, hashing)

Interim notes (from legacy doc and sprint context): profiles take normalized factors (exploit likelihood, VEX status, reachability, runtime evidence, fix availability, asset criticality, provenance trust) and output 0–100 scores with severity buckets; same code path for simulation and production to ensure determinism.

## Lifecycle (outline)
1. Evidence ingestion (signals, VEX, reachability, runtime)
2. Factor normalization
3. Profile evaluation
4. Severity assignment + gating
5. Explainability + observability
6. Export/archival paths

## Artifacts & Schemas (pending)
- Risk profile schema: `<pending PLLG0104>`
- Risk factor catalog: shared shapes reused by `factors.md`
- Explainability envelope: shared with UI/CLI; add JSON examples once provided.

## Determinism & Offline Posture
- Use frozen fixture sets with SHA256 tables.
- Document regeneration steps (no live network calls) once payloads arrive.

## Open Items
- PLLG0104 schema approval
- Risk engine API payload samples
- UI telemetry captures for explainability walkthroughs

## References (to link once available)
- `docs/risk/profiles.md`
- `docs/risk/factors.md`
- `docs/risk/formulas.md`
- `docs/risk/api.md`
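Review bot: the "Determinism & Offline Posture" section says "Use frozen fixture sets with SHA256 tables." but does not say where that hash table lives or what step verifies fixtures against it, while the concrete constraints (UTC timestamps, stable ordering, sealed sample payloads, no external assets) sit only in the draft-scaffold note at the top; consider moving those constraints into this section and naming the fixture manifest path and the verification command, so they survive when the scaffold note is deleted. Related: "4. Severity assignment + gating" in the Lifecycle is the only mention of gating, and "Scope & Audience" routes factor math to `formulas.md` and API details to `api.md` but says nothing about where gating thresholds and their override rules are documented; add a pointer or an Open Item so the gate semantics are not left implicit.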