audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories

etc/facet-quotas.yaml.sample

@@ -0,0 +1,144 @@
+# Facet Quota Configuration
+# Sprint: SPRINT_20260105_002_003_FACET_perfacet_quotas
+# Task: QTA-021
+#
+# This file defines per-facet drift quotas that control how much change
+# is acceptable before triggering a policy action (warn, block, or auto-VEX).
+#
+# Facets represent logical groupings of files in a container image:
+# - binaries: Executable files and shared libraries
+# - lang-deps: Language package dependencies (npm, pip, maven, etc.)
+# - os-packages: OS-level packages (rpm, dpkg, apk)
+# - configs: Configuration files
+# - data: Static data files
+
+# Default quota applied when no facet-specific quota is defined
+defaults:
+  maxChurnPercent: 30       # Maximum percentage of files that can change
+  maxChangedFiles: 100      # Maximum absolute number of changed files
+  maxAddedFiles: 50         # Maximum number of new files
+  maxRemovedFiles: 50       # Maximum number of removed files
+  action: warn              # Action when quota exceeded: warn | block | auto-vex
+  
+# Per-facet quota overrides
+facets:
+  # Binaries facet - tight quota because binary changes are high-risk
+  binaries:
+    maxChurnPercent: 10
+    maxChangedFiles: 20
+    maxAddedFiles: 10
+    maxRemovedFiles: 5
+    action: block
+    # Files matching these patterns are excluded from quota calculation
+    allowlist:
+      - "**/__pycache__/**"
+      - "**/*.pyc"
+      - "**/node_modules/.cache/**"
+    
+  # Language dependencies - moderate quota
+  lang-deps:
+    maxChurnPercent: 25
+    maxChangedFiles: 50
+    maxAddedFiles: 30
+    maxRemovedFiles: 30
+    action: auto-vex
+    
+  # OS packages - strict quota
+  os-packages:
+    maxChurnPercent: 15
+    maxChangedFiles: 30
+    maxAddedFiles: 15
+    maxRemovedFiles: 15
+    action: block
+    
+  # Configuration files - moderate quota
+  configs:
+    maxChurnPercent: 50
+    maxChangedFiles: 100
+    maxAddedFiles: 50
+    maxRemovedFiles: 50
+    action: warn
+    
+  # Data files - permissive quota
+  data:
+    maxChurnPercent: 80
+    maxChangedFiles: 500
+    maxAddedFiles: 250
+    maxRemovedFiles: 250
+    action: warn
+
+# Quota profiles for quick configuration
+# Use: profile: strict | moderate | permissive
+profiles:
+  strict:
+    description: "Minimal change tolerance, blocks on most drift"
+    defaults:
+      maxChurnPercent: 10
+      maxChangedFiles: 20
+      action: block
+    facets:
+      binaries:
+        maxChurnPercent: 5
+        maxChangedFiles: 5
+        action: block
+      lang-deps:
+        maxChurnPercent: 10
+        maxChangedFiles: 20
+        action: block
+      os-packages:
+        maxChurnPercent: 5
+        maxChangedFiles: 10
+        action: block
+        
+  moderate:
+    description: "Balanced quota with auto-VEX for review"
+    defaults:
+      maxChurnPercent: 25
+      maxChangedFiles: 50
+      action: auto-vex
+    facets:
+      binaries:
+        maxChurnPercent: 15
+        maxChangedFiles: 25
+        action: auto-vex
+      lang-deps:
+        maxChurnPercent: 30
+        maxChangedFiles: 60
+        action: auto-vex
+      os-packages:
+        maxChurnPercent: 20
+        maxChangedFiles: 40
+        action: auto-vex
+        
+  permissive:
+    description: "Relaxed quota for development environments"
+    defaults:
+      maxChurnPercent: 50
+      maxChangedFiles: 200
+      action: warn
+    facets:
+      binaries:
+        maxChurnPercent: 30
+        maxChangedFiles: 100
+        action: warn
+      lang-deps:
+        maxChurnPercent: 60
+        maxChangedFiles: 200
+        action: warn
+      os-packages:
+        maxChurnPercent: 40
+        maxChangedFiles: 100
+        action: warn
+
+# Environment-specific overrides
+# These are applied on top of the selected profile
+environments:
+  production:
+    profile: strict
+    overrides:
+      binaries:
+        action: block
+  staging:
+    profile: moderate
+  development:
+    profile: permissive