more features checks. setup improvements

2026-02-13 02:04:55 +02:00
parent 9911b7d73c
commit 9ca2de05df
675 changed files with 37550 additions and 1826 deletions
--- a/docs/features/checked/policy/blast-radius-fleet-view.md
+++ b/docs/features/checked/policy/blast-radius-fleet-view.md
@@ -0,0 +1,42 @@
+# Blast radius / fleet view
+
+## Module
+Policy
+
+## Status
+VERIFIED
+
+## Description
+Blast radius containment schema and unknown ranker service assess impact across environments and services.
+
+## Implementation Details
+- **BlastRadius Model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/BlastRadius.cs` -- `BlastRadius` (sealed record)
+  - `Dependents` (int) -- number of packages that directly or transitively depend on this package; 0 indicates isolation
+  - `NetFacing` (bool) -- whether the package is reachable from network-facing entrypoints
+  - `Privilege` (string?) -- privilege level: root, user, none
+- **ContainmentSignals Model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/ContainmentSignals.cs` -- runtime containment posture
+  - Seccomp enforcement status, filesystem mode (ro/rw), network policy (isolated/connected)
+- **UnknownRanker Integration**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs` -- blast radius is integrated into the `ComputeContainmentReduction` method
+  - Isolated package (Dependents=0): 15% risk reduction
+  - Not network-facing: 5% risk reduction
+  - Non-root privilege (user/none): 5% risk reduction
+  - Seccomp enforced: 10% reduction; read-only filesystem: 10% reduction; network isolated: 5% reduction
+  - Maximum containment reduction capped at 40%
+  - Applied after time-based decay: `finalScore = decayedScore * (1 - containmentReduction)`
+- **UnknownRankerOptions**: Configurable reductions via `IsolatedReduction`, `NotNetFacingReduction`, `NonRootReduction`, `SeccompEnforcedReduction`, `FsReadOnlyReduction`, `NetworkIsolatedReduction`, `MaxContainmentReduction`
+- **Unknown Model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs` -- unknown entity with blast radius reference
+- **Unknowns Budget Enforcer**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/UnknownsBudgetEnforcer.cs` -- enforces blast radius-aware budget thresholds
+- **Unknowns Endpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs` -- REST API for querying unknowns with blast radius data
+
+## E2E Test Plan
+- [x] Rank an unknown with `Dependents=0, NetFacing=false, Privilege="none"` and verify containment reduction is 25% (15+5+5)
+- [x] Rank an unknown with `Dependents=50, NetFacing=true, Privilege="root"` and verify containment reduction is 0%
+- [x] Rank an unknown with full containment signals (seccomp=enforced, fs=ro, network=isolated) and blast radius isolation; verify capped at 40% max reduction
+- [x] Query unknowns API and verify each unknown includes blast radius data (dependents, netFacing, privilege)
+- [x] Verify a high-score unknown (HOT band) drops to WARM band when isolated package containment is applied
+- [x] Verify containment reduction is disabled when `EnableContainmentReduction=false` in options
+
+## Verification
+- **Run ID**: run-002
+- **Date**: 2026-02-12
+- **Result**: PASS - 708/708 tests pass. 9 targeted test methods in UnknownRankerTests verify blast radius fleet view behaviors including containment reduction percentages, 40% cap, band assignment, and disable option.