partly or unimplemented features - now implemented

2026-02-09 08:53:51 +02:00
parent 1bf6bbf395
commit 4bdc298ec1
674 changed files with 90194 additions and 2271 deletions
--- a/docs/features/unchecked/policy/delta-if-present-calculations-for-missing-signals.md
+++ b/docs/features/unchecked/policy/delta-if-present-calculations-for-missing-signals.md
@@ -0,0 +1,27 @@
+# Delta-If-Present Calculations for Missing Signals
+
+## Status
+NOT_FOUND
+
+## Description
+The advisory proposed computing "delta if present" values showing what would change if missing signals arrived (TSF-004). This was marked TODO and has not been implemented.
+
+## Why Not Implemented
+- The specific "delta-if-present" calculation (TSF-004) for showing hypothetical score changes is not implemented as a standalone feature
+- However, related infrastructure exists in the Policy Determinization module:
+  - `src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/SignalGap.cs` -- models for missing/gap signals
+  - `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs` -- calculates uncertainty from missing signals
+  - `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/PriorDistribution.cs` -- prior distributions for gap handling
+  - `src/Policy/__Libraries/StellaOps.Policy.Determinization/DeterminizationOptions.cs` -- configuration for determinization behavior
+  - `src/Policy/StellaOps.Policy.Engine/Simulation/RiskSimulationBreakdown.cs` -- risk simulation with breakdown
+  - Tests: `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Simulation/RiskSimulationBreakdownServiceTests.cs`
+- The Determinization module handles missing signals by computing uncertainty scores but does not project "what would change if signal X arrived" as a delta preview
+- Graph module also tracks missing signals: `src/Graph/__Libraries/StellaOps.Graph.Core/ICveObservationNodeRepository.cs`
+
+## Source
+- Feature matrix scan
+
+## Notes
+- Module: Policy
+- Modules referenced: `src/Policy`
+- Related: `src/Policy/__Libraries/StellaOps.Policy.Determinization/` (uncertainty scoring for gaps)
--- a/docs/features/unchecked/policy/deterministic-trust-score-algebra.md
+++ b/docs/features/unchecked/policy/deterministic-trust-score-algebra.md
@@ -0,0 +1,57 @@
+# Deterministic Trust Score Algebra and Vulnerability Scoring
+
+## Module
+Policy (with Attestor TrustVerdict integration)
+
+## Status
+IMPLEMENTED
+
+## Description
+Comprehensive scoring infrastructure exists across Policy and Attestor modules: EWS engine, Determinization system with 6-dimension normalizers (RCH/RTS/BKP/XPL/SRC/MIT), K4Lattice trust algebra (Belnap four-valued logic), TrustScoreAggregator with uncertainty penalty, DecayedConfidenceCalculator, ClaimScoreMerger with conflict penalization, ScorePolicy model with basis-point weights, TrustVerdictService with composite scoring, and BackportProofGenerator confidence calculations. The unified facade API composing all scoring subsystems and the Score.v1 predicate format are not yet built.
+
+## What's Implemented
+- **TrustScoreAggregator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/TrustScoreAggregator.cs` -- weighted-average aggregation of 6 signal types (VEX, EPSS, Reachability, Runtime, Backport, SBOMLineage) with uncertainty penalty: `adjustedScore = baseScore * (1.0 - entropy)`
+- **UncertaintyScoreCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs` -- entropy formula: `1.0 - (presentWeight / totalPossibleWeight)` with signal gap tracking
+- **SignalWeights**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs` -- configurable 6-dimension weights: VEX=0.25, EPSS=0.15, Reachability=0.25, Runtime=0.15, Backport=0.10, SBOMLineage=0.10
+- **K4Lattice trust algebra**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/K4Lattice.cs` -- Belnap four-valued logic: Unknown=0, True=1, False=2, Conflict=3; Join, Meet, LessOrEqual
+- **ClaimScoreMerger**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/ClaimScoreMerger.cs` -- deterministic merge with conflict penalization (0.25 penalty), PreferSpecificity, RequireReplayProofOnConflict
+- **ScorePolicy model**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyModels.cs` -- 4-factor basis-points scoring: BaseSeverity=1000, Reachability=4500, Evidence=3000, Provenance=1500 (sum=10000)
+- **ConflictDetector**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/ConflictDetector.cs` (306 lines)
+- **DecayedConfidenceCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs` -- exponential decay: `max(floor, baseConfidence * exp(-ln(2) * ageDays / halfLifeDays))`
+- **Trust Verdict Service**: `src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/Services/TrustVerdictService.cs` (with `.Scoring`, `.BuildPredicate`, `.Builders`, `.Generate`) -- trust scoring combining origin, freshness, reputation
+- **Trust Composite**: `TrustVerdict/Predicates/TrustComposite.cs` -- composite trust score model
+- **Backport Proof Confidence**: `Generators/BackportProofGenerator.Confidence.cs` -- deterministic confidence scoring (Tier1: 0.98, Tier2: 0.80-0.95, Tier3: 0.80-0.90, Tier4: 0.55-0.85)
+- **Evidence Summary**: `ProofChain/Generators/EvidenceSummary.cs` -- evidence count and type summary
+- **Reachability Witness Evidence**: `ProofChain/Predicates/MicroWitnessFunctionEvidence.cs` -- reachability evidence inputs for scoring
+
+## What's Missing
+- **Unified facade API**: No single `ComputeTrustScore(artifact)` entry point composing TrustScoreAggregator + K4Lattice + ScorePolicy + TrustVerdictService into one deterministic pipeline (the "B+C+D composition" described in advisories)
+- **Score.v1 predicate format**: No standalone Score.v1 schema combining all scoring dimensions into a single DSSE-signable attestation format
+- **Basis-point fixed-point arithmetic**: Scoring uses floating-point doubles in some paths, not fixed-point basis-point representation for guaranteed bit-exact determinism across all dimensions
+- **ScoreGraph concept**: No graph-based score computation where each node contributes to a composite score with typed edges for score propagation
+- **Score replay verification**: No mechanism to replay a score computation with frozen inputs and verify it matches the original to the last basis point
+- **Score history and trending**: No persistence of score history for trend analysis over time
+- **Algebra verification tests**: No property-based tests proving commutativity, associativity, and idempotency of the trust score algebra
+- **Cross-scanner score normalization**: No normalization layer that maps different scanner confidence outputs to a unified scale
+- **Score attestation pipeline**: No pipeline producing DSSE-signed Score.v1 attestations as standalone evidence artifacts
+
+## Implementation Plan
+- Create `TrustScoreAlgebraFacade` composing TrustScoreAggregator + K4Lattice + ScorePolicy into a single deterministic pipeline
+- Define Score.v1 predicate schema with basis-point fixed-point representation
+- Implement basis-point fixed-point arithmetic with determinism guarantees across all scoring paths
+- Add score replay verification using VerdictReceiptPayload
+- Add property-based tests proving algebraic invariants (commutativity of merge, idempotency of lattice join)
+- Create score attestation pipeline producing DSSE-signed Score.v1 attestations
+- Document the formal algebra specification in `docs/modules/policy/trust-score-algebra.md`
+- Implement score history persistence with PostgreSQL for trend analysis
+
+## Related Documentation
+- Weight manifest: `etc/weights/v2026-01-22.weights.json`
+- Trust lattice engine: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/` (15 files)
+- Determinization library: `src/Policy/__Libraries/StellaOps.Policy.Determinization/`
+- TrustVerdict: `src/Attestor/__Libraries/StellaOps.Attestor.TrustVerdict/`
+
+## Merged From
+- `attestor/deterministic-score-from-reachability-evidence-provenance.md` (deleted)
+- `attestor/deterministic-trust-score-and-vulnerability-scoring.md` (deleted)
+- `attestor/deterministic-vulnerability-scoring.md` (deleted)
--- a/docs/features/unchecked/policy/evidence-weighted-score-model.md
+++ b/docs/features/unchecked/policy/evidence-weighted-score-model.md
@@ -0,0 +1,65 @@
+# Evidence-Weighted Score (EWS) Model (6-Dimension Scoring)
+
+## Module
+Policy
+
+## Status
+IMPLEMENTED
+
+## Description
+Scoring infrastructure with policy-driven weights, profiles, and explanations exists. The advisory proposed a new unified 6-dimension model (RCH/RTS/BKP/XPL/SRC/MIT) to replace 4 independent scoring systems. Core normalizers and guardrails engine appear partially built; full unification is in progress.
+
+## What's Implemented
+- **SignalWeights (6-dimension)**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
+  - 6 signal dimensions: VexWeight=0.25, EpssWeight=0.15, ReachabilityWeight=0.25, RuntimeWeight=0.15, BackportWeight=0.10, SbomLineageWeight=0.10
+  - `TotalWeight` computed property, `IsNormalized(tolerance)` validation
+- **Weight manifest file**: `etc/weights/v2026-01-22.weights.json`
+  - Legacy 6-dimension weights: RCH=0.30, RTS=0.25, BKP=0.15, XPL=0.15, SRC=0.10, MIT=0.10
+  - Advisory 5-dimension weights: CVSS=0.25, EPSS=0.30, Reachability=0.20, ExploitMaturity=0.10, PatchProof=0.15
+  - Guardrails: notAffectedCap (maxScore=15), runtimeFloor (minScore=60), speculativeCap (maxScore=45)
+  - Buckets: actNowMin=90, scheduleNextMin=70, investigateMin=40
+  - Subtractive dimensions: MIT, patchProof
+- **ScoringRulesSnapshot**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`
+  - 6-category ScoringWeights: Vulnerability=0.25, Exploitability=0.20, Reachability=0.20, Compliance=0.15, SupplyChain=0.10, Mitigation=0.10
+  - GradeThresholds (A>=90, B>=80, C>=70, D>=60, F<60)
+  - SeverityMultipliers: Critical=1.5, High=1.2, Medium=1.0, Low=0.8, Informational=0.5
+  - FreshnessDecayConfig: sbomDecayStartHours=168, feedDecayStartHours=24, decayRatePerHour=0.001, minimumFreshness=0.5
+  - CustomScoringRule support (Rego/SPL)
+  - Content-addressed digest via SHA256
+- **ScoringProfile enum**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringProfile.cs`
+  - Simple (4-factor basis-points), Advanced (entropy + CVSS hybrid), Custom (user Rego)
+- **ScorePolicy (4-factor)**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyModels.cs`
+  - WeightsBps: BaseSeverity=1000, Reachability=4500, Evidence=3000, Provenance=1500 (sum=10000)
+  - ReachabilityPolicyConfig with HopBuckets and GateMultipliersBps
+  - EvidencePolicyConfig with FreshnessBuckets (7d=100%, 30d=90%, 90d=70%, 180d=50%, 365d=30%, >1y=10%)
+  - ProvenanceLevels: Unsigned=0, Signed=30, SignedWithSbom=60, SignedWithSbomAndAttestations=80, Reproducible=100
+- **ScorePolicyLoader**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyLoader.cs`
+  - YAML loading with version validation ("score.v1"), weight sum validation (10000 bps)
+- **ScorePolicyValidator**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyValidator.cs`
+  - JSON Schema validation against embedded score.v1 schema
+- **ScoreExplanation**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoreExplanation.cs`
+  - Factor-based explanations: reachability (hops), evidence (points + freshness), provenance (level), baseSeverity (CVSS)
+  - ScoreExplainBuilder with deterministic output (sorted by factor name)
+- **TrustSourceWeightService**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/TrustSourceWeights.cs`
+  - 14 KnownSources with per-source weights (NVD=0.90, CISA-KEV=0.98, OSV=0.75, etc.)
+  - 7 SourceCategory weights (Government=0.95, Vendor=0.85, Distro=0.82, Community=0.70)
+  - Modifiers: signed data boost (1.05x), stale data penalty (>7d: 0.95x, >30d: 0.90x)
+  - Corroboration boost when multiple sources agree (1.1x per corroborating source, max 3)
+  - WeightedMergeResult with weighted CVSS averaging
+
+## What's Missing
+- **Unified 6-dimension RCH/RTS/BKP/XPL/SRC/MIT model**: The weight manifest defines both "legacy" (6D) and "advisory" (5D) weight sets, but there is no single unified normalizer that maps all signal inputs to the canonical 6-dimension space
+- **Dimension normalizers**: Individual signal-to-dimension normalization functions (e.g., raw EPSS probability -> XPL dimension score 0-100) are not formalized as pluggable normalizer interfaces
+- **Guardrails engine enforcement**: Weight manifest defines guardrails (notAffectedCap, runtimeFloor, speculativeCap) but the runtime engine that enforces these caps/floors during scoring is not confirmed as a standalone service
+- **Weight manifest loader integration**: `FileBasedWeightManifestLoader` exists in `src/Signals/StellaOps.Signals/EvidenceWeightedScore/` and `ScoringManifestVersioner` exists in `src/__Libraries/StellaOps.DeltaVerdict/Manifest/`, but neither is wired into the Policy scoring pipeline
+
+## Implementation Plan
+- Create `EwsDimensionNormalizer` interface with implementations for each of the 6 dimensions
+- Build `GuardrailsEngine` that applies caps/floors from the weight manifest after scoring
+- Add `WeightManifestLoader` with version discovery, schema validation, and content-hash verification
+- Unify the two weight systems (legacy 6D + advisory 5D) into a single configurable scoring pipeline
+
+## Related Documentation
+- Weight manifest: `etc/weights/v2026-01-22.weights.json`
+- Scoring rules snapshot: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`
+- Determinization scoring: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/`
--- a/docs/features/unchecked/policy/impact-scoring-for-unknowns.md
+++ b/docs/features/unchecked/policy/impact-scoring-for-unknowns.md
@@ -0,0 +1,45 @@
+# Impact Scoring for Unknowns
+
+## Module
+Policy
+
+## Status
+IMPLEMENTED
+
+## Description
+The advisory proposed weighted impact scoring with factors like environment exposure, data sensitivity, fleet prevalence, SLA tier, and CVSS severity. UncertaintyScoreCalculator and TrustScoreAggregator with configurable SignalWeights exist in the Determinization library, and ReachabilityScoringService exists in Signals. The exact multi-factor impact formula (w_env * EnvExposure + w_data * DataSensitivity + ...) is partially reflected through the existing signal weights system, though the specific per-factor normalization described in the advisory is not confirmed.
+
+## What's Implemented
+- **UncertaintyScoreCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs`
+  - Entropy-based uncertainty: `1.0 - (presentSignalWeight / totalPossibleWeight)`
+  - 6 signal gap categories: VEX, EPSS, Reachability, Runtime, Backport, SBOMLineage
+  - OpenTelemetry histogram: `stellaops_determinization_uncertainty_entropy`
+- **SignalWeights**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
+  - Configurable per-signal weights (VEX=0.25, Reachability=0.25, EPSS=0.15, Runtime=0.15, Backport=0.10, SBOM=0.10)
+- **TrustScoreAggregator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/TrustScoreAggregator.cs`
+  - Weighted average of present signals with uncertainty penalty
+  - No-signal fallback: `0.5 * (1.0 - entropy)`
+- **UnknownRanker** (from unchecked feature): scoring unknowns with two-factor formula `Uncertainty*50 + ExploitPressure*50`
+  - Containment reduction (capped at 40%), band assignment (Hot>=75, Warm>=50, Cold>=25)
+- **DecayedConfidenceCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs`
+  - Exponential decay applied to confidence based on observation age
+- **Weight manifest guardrails**: `etc/weights/v2026-01-22.weights.json`
+  - Determinization thresholds: manualReviewEntropy=0.60, refreshEntropy=0.40
+
+## What's Missing
+- **Multi-factor impact formula**: The advisory-specified formula `w_env * EnvExposure + w_data * DataSensitivity + w_fleet * FleetPrevalence + w_sla * SLATier + w_cvss * CVSSSeverity` is not implemented as a dedicated calculator
+- **Environment exposure scoring**: No service that maps environment type (production/staging/dev) to a normalized exposure score (0.0-1.0)
+- **Data sensitivity classification**: No integration with data sensitivity labels (PII, financial, healthcare) for impact scoring
+- **Fleet prevalence factor**: No calculator that determines what percentage of the fleet is affected by a given unknown
+- **SLA tier weighting**: No mapping from SLA tier (Gold/Silver/Bronze) to impact weight
+- **Per-factor normalization functions**: Individual normalizers for each impact factor are not implemented as pluggable components
+
+## Implementation Plan
+- Create `ImpactScoreCalculator` with pluggable factor providers (EnvironmentExposure, DataSensitivity, FleetPrevalence, SLATier, CVSSSeverity)
+- Integrate with existing `UncertaintyScoreCalculator` to combine entropy-based uncertainty with multi-factor impact
+- Add environment exposure mapping service that reads from deployment metadata
+- Wire into `UnknownRanker` as an additional scoring dimension
+
+## Related Documentation
+- Determinization scoring: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/`
+- Unknowns ranking (unchecked): `docs/features/unchecked/policy/unknowns-ranking-algorithm.md`
--- a/docs/features/unchecked/policy/policy-dsl.md
+++ b/docs/features/unchecked/policy/policy-dsl.md
@@ -0,0 +1,60 @@
+# Policy DSL (stella-dsl@1)
+
+## Module
+Policy
+
+## Status
+IMPLEMENTED
+
+## Description
+Policy loading and evaluation exist but the full `.stella` file DSL format with dedicated parser/compiler/simulator (stella policy lint/compile/simulate) was not found as a standalone tool. Policy evaluation is implemented through structured configuration. However, a full DSL parser/compiler exists in the `StellaOps.PolicyDsl` library.
+
+## What's Implemented
+- **DslTokenizer**: `src/Policy/StellaOps.PolicyDsl/DslTokenizer.cs`
+  - Full lexer with token types: braces, parens, brackets, comma, semicolon, colon, operators
+  - Comment support: single-line (`//`) and multi-line (`/* */`)
+  - Source location tracking (line, column) for diagnostics
+  - `TokenizerResult` with tokens and diagnostics
+- **PolicyParser**: `src/Policy/StellaOps.PolicyDsl/PolicyParser.cs`
+  - Parses token stream into `PolicyDocumentNode` AST
+  - Metadata, settings, profiles, and rules sections
+- **PolicyCompiler**: `src/Policy/StellaOps.PolicyDsl/PolicyCompiler.cs`
+  - `Compile(source)` -> `PolicyCompilationResult` with Success, IR Document, SHA256 Checksum, CanonicalRepresentation, Diagnostics
+  - Pipeline: Parse -> Build IR -> Serialize canonical -> Compute SHA256 digest
+  - Error collection: any `PolicyIssueSeverity.Error` diagnostic fails compilation
+- **PolicyIr / PolicyIrSerializer**: `src/Policy/StellaOps.PolicyDsl/PolicyIr.cs`, `PolicyIrSerializer.cs`
+  - Intermediate representation: PolicyIrDocument, PolicyIrProfile (maps, envs, scalars), PolicyIrRule
+  - Canonical binary serialization for digest computation
+- **PolicySyntaxNodes**: `src/Policy/StellaOps.PolicyDsl/PolicySyntaxNodes.cs`
+  - AST node types for the DSL grammar
+- **DslCompletionProvider**: `src/Policy/StellaOps.PolicyDsl/DslCompletionProvider.cs`
+  - IDE-style completion suggestions for the DSL
+- **SignalContext**: `src/Policy/StellaOps.PolicyDsl/SignalContext.cs`
+  - Runtime signal value provider: HasSignal, GetSignal<T>, SetSignal
+  - Extension methods: `SecretSignalContextExtensions.cs`, `AiCodeGuardSignalContextExtensions.cs`
+- **PolicyEngineFactory**: `src/Policy/StellaOps.PolicyDsl/PolicyEngineFactory.cs`
+  - Factory for creating policy evaluation engines from compiled DSL
+- **DiagnosticCodes**: `src/Policy/StellaOps.PolicyDsl/DiagnosticCodes.cs`
+  - Structured diagnostic codes for parser/compiler errors
+- **SourceLocation**: `src/Policy/StellaOps.PolicyDsl/SourceLocation.cs`
+  - Position tracking (offset, line, column) for error reporting
+- **Tests**: `src/Policy/__Tests/StellaOps.PolicyDsl.Tests/` (7 test files)
+  - PolicyCompilerTests, PolicyEngineTests, SignalContextTests, DslCompletionProviderTests
+
+## What's Missing
+- **CLI commands**: No `stella policy lint`, `stella policy compile`, or `stella policy simulate` CLI commands wrapping the DSL library
+- **`.stella` file format specification**: No formal grammar specification or documentation of the DSL syntax
+- **Policy simulation with DSL**: The `PolicySimulationEngine` in the policy engine does not integrate with DSL-compiled policies
+- **DSL-to-PolicyPack bridge**: No converter from compiled DSL IR to the PolicyPackDocument format used by the interop framework
+- **Language server protocol (LSP)**: DslCompletionProvider exists but no LSP server for editor integration
+
+## Implementation Plan
+- Add CLI commands (`stella policy lint/compile/simulate`) that wrap the PolicyDsl library
+- Create DSL grammar specification document
+- Build bridge from compiled PolicyIrDocument to PolicyPackDocument for interop
+- Integrate DSL compilation into the policy bundle build pipeline
+
+## Related Documentation
+- PolicyDsl library: `src/Policy/StellaOps.PolicyDsl/` (16 source files)
+- PolicyDsl tests: `src/Policy/__Tests/StellaOps.PolicyDsl.Tests/`
+- Policy interop: `src/Policy/__Libraries/StellaOps.Policy.Interop/`
--- a/docs/features/unchecked/policy/policy-interop-framework.md
+++ b/docs/features/unchecked/policy/policy-interop-framework.md
@@ -0,0 +1,68 @@
+# Policy Interop Framework (JSON Export/Import)
+
+## Module
+Policy
+
+## Status
+IMPLEMENTED
+
+## Description
+Policy interoperability framework enabling bidirectional JSON export/import of policy rules. OPA/Rego export was planned but only JSON export confirmed in source. Includes PolicyPack document format for portable policy bundles. Full interop library exists with JSON import/export, Rego code generation, and schema validation.
+
+## What's Implemented
+- **JsonPolicyExporter**: `src/Policy/__Libraries/StellaOps.Policy.Interop/Export/JsonPolicyExporter.cs`
+  - `ExportToJsonAsync(PolicyPackDocument, PolicyExportRequest)`: canonical JSON export with deterministic output
+  - Environment filtering: merges environment-specific config into base config
+  - Remediation stripping option
+  - Content-addressed digest: `sha256:{hex}` via SHA256 of canonical JSON
+  - `ExportToRegoAsync()`: bridges to RegoCodeGenerator
+  - `SerializeCanonical()` / `SerializeToString()` static helpers
+- **JsonPolicyImporter**: `src/Policy/__Libraries/StellaOps.Policy.Interop/Import/JsonPolicyImporter.cs`
+  - `ImportAsync(Stream, PolicyImportOptions)` / `ImportFromStringAsync()`
+  - Format detection via `FormatDetector` (auto-detect JSON vs Rego)
+  - API version validation: `policy.stellaops.io/v2` (with v1 compatibility adapter warning)
+  - Kind validation: `PolicyPack` or `PolicyOverride`
+  - Structural validation: duplicate gate IDs, duplicate rule names
+  - Remediation hint validation (code, actions)
+  - Diagnostic codes: FORMAT_UNKNOWN, REGO_USE_IMPORTER, JSON_PARSE_ERROR, VERSION_UNKNOWN, KIND_INVALID, GATE_ID_DUPLICATE, RULE_NAME_DUPLICATE
+  - `PolicyImportResult` with Success, Document, DetectedFormat, Diagnostics, GateCount, RuleCount
+- **RegoCodeGenerator**: `src/Policy/__Libraries/StellaOps.Policy.Interop/Rego/RegoCodeGenerator.cs`
+  - Generates OPA Rego deny rules from PolicyPackDocument
+  - Gate type mappings: CvssThreshold, SignatureRequired, EvidenceFreshness, SbomPresence, MinimumConfidence, UnknownsBudget, ReachabilityRequirement
+  - Rego v1 syntax support (`import rego.v1`)
+  - Environment-specific config extraction
+  - Remediation hints as structured output rules
+  - Content-addressed digest of generated Rego source
+  - Warning collection for unmapped gate types
+- **RegoPolicyImporter**: `src/Policy/__Libraries/StellaOps.Policy.Interop/Import/RegoPolicyImporter.cs`
+  - Imports Rego source back into PolicyPackDocument
+- **FormatDetector**: `src/Policy/__Libraries/StellaOps.Policy.Interop/Import/FormatDetector.cs`
+  - Auto-detects policy format (JSON, Rego)
+- **PolicyPack v2 schema**: `src/Policy/__Libraries/StellaOps.Policy.Interop/Schemas/policy-pack-v2.schema.json`
+- **Abstractions**: `src/Policy/__Libraries/StellaOps.Policy.Interop/Abstractions/`
+  - `IPolicyExporter`, `IPolicyImporter`, `IRegoCodeGenerator` interfaces
+- **Contracts**: `src/Policy/__Libraries/StellaOps.Policy.Interop/Contracts/`
+  - `PolicyPackDocument`, `PolicyExportRequest`, `PolicyImportOptions`, `RegoGenerationOptions`, `RegoExportResult`, `PolicyDiagnostic`
+- **DI registration**: `src/Policy/__Libraries/StellaOps.Policy.Interop/DependencyInjection/PolicyInteropServiceCollectionExtensions.cs`
+- **Evaluation**: `src/Policy/__Libraries/StellaOps.Policy.Interop/Evaluation/`
+- **Tests**: `src/Policy/__Libraries/__Tests/StellaOps.Policy.Interop.Tests/`
+  - JsonPolicyExporterTests, JsonPolicyImporterTests, RegoPolicyImporterTests, RegoCodeGeneratorTests, FormatDetectorTests, PolicySchemaValidatorTests
+  - Golden file: `Fixtures/golden-policy-pack-v2.json`
+
+## What's Missing
+- **YAML import/export**: Only JSON and Rego formats are supported; no YAML PolicyPack format
+- **Policy diff/merge**: No tool to diff two PolicyPackDocuments and produce a delta or merge two packs
+- **CLI integration**: No `stella policy export --format rego` or `stella policy import` CLI commands wrapping the interop library
+- **Round-trip validation**: No automated tests proving JSON -> Rego -> JSON round-trip produces identical PolicyPackDocument
+- **OPA evaluation bridge**: Rego code is generated but there is no OPA evaluation service that runs the generated Rego against actual inputs
+
+## Implementation Plan
+- Add CLI commands wrapping export/import operations
+- Build round-trip test suite (JSON -> Rego -> JSON identity check)
+- Consider YAML format support using existing ScorePolicyLoader YAML infrastructure
+- Add policy diff/merge utility for comparing policy versions
+
+## Related Documentation
+- Interop library: `src/Policy/__Libraries/StellaOps.Policy.Interop/` (6 subdirectories)
+- Interop tests: `src/Policy/__Libraries/__Tests/StellaOps.Policy.Interop.Tests/`
+- Policy registry: `src/Policy/StellaOps.Policy.Registry/`
--- a/docs/features/unchecked/policy/proof-studio-ux.md
+++ b/docs/features/unchecked/policy/proof-studio-ux.md
@@ -0,0 +1,63 @@
+# Proof Studio UX (Explainable Confidence Scoring)
+
+## Module
+Policy
+
+## Status
+IMPLEMENTED
+
+## Description
+Backend confidence calculation, verdict rationale rendering, and counterfactual engine exist. The advisory identified frontend proof studio UI as a remaining gap.
+
+## What's Implemented
+- **VerdictRationaleRenderer**: `src/Policy/__Libraries/StellaOps.Policy.Explainability/VerdictRationaleRenderer.cs`
+  - 4-line rationale template: Evidence, Policy Clause, Attestations, Decision
+  - Multi-format output: RenderPlainText, RenderMarkdown, RenderJson (RFC 8785 canonical)
+  - Content-addressed RationaleId: `rat:sha256:{hash}`
+- **VerdictRationale model**: `src/Policy/__Libraries/StellaOps.Policy.Explainability/VerdictRationale.cs`
+  - Structured rationale: VerdictReference, RationaleEvidence (ComponentIdentity, ReachabilityDetail), RationalePolicyClause, RationaleAttestations (AttestationReference list), RationaleDecision (MitigationGuidance)
+  - RationaleInputDigests for deterministic replay
+- **IVerdictRationaleRenderer**: `src/Policy/__Libraries/StellaOps.Policy.Explainability/IVerdictRationaleRenderer.cs`
+  - Interface + VerdictRationaleInput record
+- **CounterfactualEngine**: `src/Policy/__Libraries/StellaOps.Policy/Counterfactuals/CounterfactualEngine.cs`
+  - `ComputeAsync(finding, verdict, document, scoringConfig, options)` -> CounterfactualResult
+  - 5 counterfactual path types: VexStatus, Exception, Reachability, VersionUpgrade, CompensatingControl
+  - Each path: type, description, conditions (field/current/required), estimated effort (1-5), actor, action URI
+  - Policy simulation: creates simulated findings with modified VEX/reachability tags and re-evaluates via `PolicyEvaluation.EvaluateFinding()`
+  - Effort estimation: severity-based for exceptions (Critical=5, High=4, Medium=3, Low=2)
+- **CounterfactualResult**: `src/Policy/__Libraries/StellaOps.Policy/Counterfactuals/CounterfactualResult.cs`
+  - AlreadyPassing / Blocked factory methods
+  - RecommendedPath (lowest effort), HasPaths
+  - 7 CounterfactualTypes: VexStatus, Exception, Reachability, VersionUpgrade, PolicyChange, ComponentRemoval, CompensatingControl
+  - CounterfactualCondition: Field, CurrentValue, RequiredValue, IsMet
+- **ScoreExplanation**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoreExplanation.cs`
+  - Per-factor explanation: Factor, Value (0-100), Reason, ContributingDigests
+  - ScoreExplainBuilder: AddReachability, AddEvidence, AddProvenance, AddBaseSeverity
+  - Deterministic output (sorted by factor name + digest)
+- **DecayedConfidenceCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs`
+  - Exponential confidence decay for time-based scoring
+
+## What's Missing
+- **Proof graph visualization**: No visual representation of the full evidence graph (ProofGraphNode/Edge/Path) in the UI -- the proof-studio has confidence breakdown but not the graph
+- **Interactive counterfactual explorer**: CounterfactualEngine exists in backend and `what-if-slider` component exists in proof-studio, but the full interactive "toggle what-if scenarios" UX may not be fully wired to the backend
+- **Score breakdown dashboard**: ScoreExplanation data exists but no dashboard visualizing per-factor contributions with charts
+- **Confidence timeline**: DecayedConfidenceCalculator computes decay but no UI showing confidence over time
+
+## Additional Implementation Found
+- **Proof Studio Container**: `src/Web/StellaOps.Web/src/app/features/proof-studio/components/proof-studio-container/proof-studio-container.component.ts` -- main container component
+- **Confidence Breakdown**: `src/Web/StellaOps.Web/src/app/features/proof-studio/components/confidence-breakdown/confidence-breakdown.component.ts` -- per-factor confidence visualization
+- **Confidence Factor Chip**: `src/Web/StellaOps.Web/src/app/features/proof-studio/components/confidence-factor-chip/confidence-factor-chip.component.ts`
+- **What-If Slider**: `src/Web/StellaOps.Web/src/app/features/proof-studio/components/what-if-slider/what-if-slider.component.ts` -- counterfactual slider control
+- **Proof Studio Service**: `src/Web/StellaOps.Web/src/app/features/proof-studio/services/proof-studio.service.ts` -- API service
+- **Proof Trace Model**: `src/Web/StellaOps.Web/src/app/features/proof-studio/models/proof-trace.model.ts`
+
+## Implementation Plan
+- Wire what-if-slider to CounterfactualEngine backend API
+- Add proof graph visualization using D3.js or similar for evidence graph rendering
+- Add confidence timeline chart using DecayedConfidenceCalculator data
+- Verify proof-studio-container is fully wired to VerdictRationale API endpoint
+
+## Related Documentation
+- Explainability library: `src/Policy/__Libraries/StellaOps.Policy.Explainability/`
+- Counterfactuals: `src/Policy/__Libraries/StellaOps.Policy/Counterfactuals/`
+- Score explanations: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoreExplanation.cs`
--- a/docs/features/unchecked/policy/unknowns-decay-and-triage-queue.md
+++ b/docs/features/unchecked/policy/unknowns-decay-and-triage-queue.md
@@ -0,0 +1,49 @@
+# Unknowns Decay and Triage Queue
+
+## Module
+Policy
+
+## Status
+IMPLEMENTED
+
+## Description
+Unknowns ranking and API endpoints exist. BlastRadius model present with database migration. The full time-based decay algorithm and containment signals ranking were identified as gaps in the archive manifest.
+
+## What's Implemented
+- **DecayedConfidenceCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs`
+  - Exponential decay formula: `max(floor, baseConfidence * exp(-ln(2) * ageDays / halfLifeDays))`
+  - Configurable half-life (default 14 days) and floor
+  - OpenTelemetry histogram: `stellaops_determinization_decay_multiplier`
+- **ObservationDecay**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs`
+  - Per-observation decay state: BaseConfidence, ObservedAt, HalfLifeDays=14, Floor=0.35, StalenessThreshold=0.50
+  - `CalculateDecay(now)`: computes current decayed confidence
+  - `CheckIsStale(now)`: returns true when decayed confidence falls below staleness threshold
+  - Factory methods: `Create()`, `Fresh()`, `WithSettings()`
+- **UnknownRanker** (from unchecked features): two-factor scoring `Uncertainty*50 + ExploitPressure*50`
+  - Containment reduction capped at 40%
+  - Band assignment: Hot>=75, Warm>=50, Cold>=25, Ice<25
+- **UncertaintyScoreCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs`
+  - Entropy-based uncertainty from 6 signal dimensions
+  - Signal gap tracking (which signals are missing)
+- **Risk budget API endpoints** (from unchecked features): budget tracking, ledger, Green/Yellow/Red/Exhausted thresholds
+- **Unknown budget policy enforcement** (from unchecked features): UncertaintyTierGate (gate 4 in pipeline)
+
+## What's Missing
+- **Time-based decay triage queue**: No service that automatically re-queues unknowns for triage when their confidence decays below the staleness threshold
+- **Triage queue UI**: No frontend triage interface showing unknowns sorted by decay urgency
+- **Automated re-analysis triggering**: ObservationDecay tracks staleness but no event-driven mechanism triggers re-analysis when an unknown becomes stale
+- **Containment signal integration**: The advisory describes containment signals (WAF rules, network segmentation, runtime controls) reducing unknown scores -- this is partially in UnknownRanker but not connected to real containment data sources
+- **Decay notification**: No notification system alerting when high-priority unknowns decay below acceptable confidence
+- **Historical decay tracking**: DecayedConfidenceCalculator computes point-in-time decay but no ledger tracks confidence decay history over time
+
+## Implementation Plan
+- Create `UnknownTriageQueueService` that periodically evaluates ObservationDecay.CheckIsStale() and queues stale unknowns for re-analysis
+- Add event-driven triggers (e.g., background job or message queue) when confidence drops below threshold
+- Build triage queue frontend component showing unknowns sorted by urgency (band + decay rate)
+- Integrate containment signal sources (WAF, network, runtime) as inputs to UnknownRanker
+- Add decay history ledger for audit trail
+
+## Related Documentation
+- Decay calculator: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs`
+- Observation decay model: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs`
+- Unknowns ranking (unchecked): `docs/features/unchecked/policy/unknowns-ranking-algorithm.md`
--- a/docs/features/unchecked/policy/versioned-weight-manifests.md
+++ b/docs/features/unchecked/policy/versioned-weight-manifests.md
@@ -0,0 +1,58 @@
+# Versioned Weight Manifests
+
+## Module
+Policy
+
+## Status
+IMPLEMENTED
+
+## Description
+Initial weight manifest file exists, but the weight manifest infrastructure (loading, versioning, hashing, CLI management) is marked TODO in the sprint (TSF-001).
+
+## What's Implemented
+- **Weight manifest file**: `etc/weights/v2026-01-22.weights.json`
+  - Schema: `https://stella-ops.org/schemas/weight-manifest/v1.0.0`
+  - Schema version: 1.0.0, version: v2026-01-22, profile: production
+  - Legacy 6-dimension weights: RCH=0.30, RTS=0.25, BKP=0.15, XPL=0.15, SRC=0.10, MIT=0.10
+  - Advisory 5-dimension weights: CVSS=0.25, EPSS=0.30, Reachability=0.20, ExploitMaturity=0.10, PatchProof=0.15
+  - Dimension names mapping (human-readable)
+  - Subtractive dimensions: MIT, patchProof
+  - Guardrails: notAffectedCap (maxScore=15, requires BKP>=1.0 and RTS<=0.6), runtimeFloor (minScore=60, requires RTS>=0.8), speculativeCap (maxScore=45, requires RCH<=0.0 and RTS<=0.0)
+  - Priority buckets: actNowMin=90, scheduleNextMin=70, investigateMin=40
+  - Determinization thresholds: manualReviewEntropy=0.60, refreshEntropy=0.40
+  - Signal weights for entropy: VEX=0.25, Reachability=0.25, EPSS=0.15, Runtime=0.15, Backport=0.10, SBOMLineage=0.10
+  - Content hash: `sha256:auto` (placeholder for computed hash)
+  - Metadata: changelog, creation date, notes
+- **SignalWeights record**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
+  - Matches the signalWeightsForEntropy values from the manifest
+- **ScoringRulesSnapshot**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`
+  - Content-addressed snapshots with SHA256 digest
+  - Builder pattern with WithWeights, WithThresholds, WithSeverityMultipliers, etc.
+  - `IScoringRulesSnapshotService` interface for CRUD operations
+- **ScorePolicyLoader**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyLoader.cs`
+  - YAML policy loading with version and weight sum validation
+- **ScorePolicyValidator**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyValidator.cs`
+  - JSON Schema validation for score policies
+
+## Additional Implementation Found
+- **FileBasedWeightManifestLoader**: `src/Signals/StellaOps.Signals/EvidenceWeightedScore/FileBasedWeightManifestLoader.cs` -- loads manifests from `etc/weights/*.json` files, implements `IWeightManifestLoader`
+- **ScoringManifestVersioner**: `src/__Libraries/StellaOps.DeltaVerdict/Manifest/ScoringManifestVersioner.cs` (with `.Compare.cs`, `.Compare.Helpers.cs`) -- manifest versioning with compare, bump, and generate-next-version capabilities
+- **ScoringManifestSigningService**: `src/__Libraries/StellaOps.DeltaVerdict/` -- manifest signing with KMS integration and Rekor anchoring
+- **Extensive tests**: `src/__Libraries/__Tests/StellaOps.DeltaVerdict.Tests/Manifest/` -- 7 test files covering versioning, comparison, bumping, signing
+
+## What's Missing
+- **CLI management commands**: No `stella weights list`, `stella weights validate`, `stella weights diff`, or `stella weights activate` CLI commands wrapping the existing loader/versioner
+- **Content hash auto-compute at build**: Manifest has `"contentHash": "sha256:auto"` placeholder -- no build step replaces it with actual computed hash
+- **Unified binding**: FileBasedWeightManifestLoader is in Signals, ScoringManifestVersioner is in DeltaVerdict; no unified service in the Policy module that binds manifest loading, versioning, signing, and runtime configuration together
+
+## Implementation Plan
+- Create `WeightManifestLoader` service that discovers manifests in `etc/weights/`, validates schema, computes/verifies content hash, and selects by `effectiveFrom` date
+- Add build step to compute content hash and replace `sha256:auto` placeholder
+- Create CLI commands for manifest lifecycle management
+- Build manifest-to-runtime binding that configures SignalWeights and ScoringRulesSnapshot from the active manifest
+- Add manifest diff utility for comparing versions
+
+## Related Documentation
+- Weight manifest: `etc/weights/v2026-01-22.weights.json`
+- Signal weights: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
+- Scoring rules snapshot: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`