Refactor code structure for improved readability and maintainability; optimize performance in key functions.

src/Policy/__Libraries/StellaOps.Policy.Unknowns/AGENTS.md

@@ -0,0 +1,40 @@
+# AGENTS.md - Policy Unknowns Library
+
+## Purpose
+- Provide deterministic ranking for unknown findings using uncertainty, exploit pressure, decay, and containment signals.
+- Maintain stable, reproducible scoring and band assignment.
+
+## Required Reading
+- docs/README.md
+- docs/07_HIGH_LEVEL_ARCHITECTURE.md
+- docs/modules/platform/architecture-overview.md
+- docs/modules/policy/architecture.md
+- docs/product-advisories/archived/2025-12-21-moat-gap-closure/14-Dec-2025 - Triage and Unknowns Technical Reference.md
+
+## Working Directory
+- src/Policy/__Libraries/StellaOps.Policy.Unknowns/
+
+## Signal Sources
+
+### BlastRadius
+- Source: Scanner/Signals module call graph analysis.
+- Dependents: count of packages in dependency tree.
+- NetFacing: reachability from network entrypoints (HTTP controllers, gRPC, etc).
+- Privilege: extracted from container config or runtime probes.
+
+### ContainmentSignals
+- Source: runtime probes (eBPF, Seccomp profiles, container inspection).
+- Seccomp: profile enforcement status.
+- FileSystem: mount mode from container spec or /proc/mounts.
+- NetworkPolicy: Kubernetes NetworkPolicy or firewall rules.
+
+### Data Flow
+1. Scanner generates BlastRadius during SBOM or call graph analysis.
+2. Runtime probes collect ContainmentSignals.
+3. Signals are stored in policy.unknowns columns.
+4. UnknownRanker reads signals for scoring and explainability.
+
+## Engineering Rules
+- Target net10.0 with preview features already enabled in repo.
+- Determinism: stable ordering, UTC timestamps, and decimal math for scoring.
+- No network dependencies inside ranking logic.