more audit work

docs/modules/policy/guides/starter-guide.md

@@ -81,7 +81,7 @@ The starter policy implements a sensible security posture:
 ### Rule 3: Allow Unreachable
 
 ```yaml
-- name: ignore-unreachable
+- name: allow-unreachable
   description: "Allow unreachable vulnerabilities but log for awareness"
   match:
     reachability: unreachable
@@ -165,16 +165,14 @@ spec:
   settings:
     defaultAction: warn          # Never block in dev
     unknownsThreshold: 0.20      # Allow more unknowns (20%)
+    requireSignedSbom: false
+    requireSignedVerdict: false
 
   ruleOverrides:
     - name: block-reachable-high-critical
       action: warn               # Downgrade to warn
-
-    - name: require-signed-sbom-prod
-      enabled: false             # Disable signing requirements
-
-    - name: require-signed-verdict-prod
-      enabled: false
+    - name: block-kev
+      action: warn
 ```
 
 ### Staging (`overrides/staging.yaml`)
@@ -189,11 +187,10 @@ metadata:
 
 spec:
   settings:
+    defaultAction: warn
     unknownsThreshold: 0.10      # 10% unknowns budget
-
-  ruleOverrides:
-    - name: require-signed-sbom-prod
-      enabled: false             # No signing in staging
+    requireSignedSbom: false
+    requireSignedVerdict: false
 ```
 
 ### Production (Default)