more features checks. setup improvements

2026-02-13 02:04:55 +02:00
parent 9911b7d73c
commit 9ca2de05df
675 changed files with 37550 additions and 1826 deletions
--- a/docs/qa/feature-checks/runs/policy/blast-radius-fleet-view/run-001/tier0-source-check.json
+++ b/docs/qa/feature-checks/runs/policy/blast-radius-fleet-view/run-001/tier0-source-check.json
@@ -0,0 +1,27 @@
+{
+  "tier": 0,
+  "type": "source_check",
+  "capturedAtUtc": "2026-02-12T22:10:00Z",
+  "feature": "blast-radius-fleet-view",
+  "module": "policy",
+  "result": "pass",
+  "filesExpected": [
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/BlastRadius.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/ContainmentSignals.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/UnknownsBudgetEnforcer.cs",
+    "src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs"
+  ],
+  "filesFound": [
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/BlastRadius.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/ContainmentSignals.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs",
+    "src/Policy/__Libraries/StellaOps.Policy.Unknowns/UnknownsBudgetEnforcer.cs",
+    "src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs"
+  ],
+  "filesMissing": [],
+  "percentFound": 100,
+  "notes": "All 6 source files found. BlastRadius model (27 lines), ContainmentSignals model (24 lines), UnknownRanker service (369 lines) with ComputeContainmentReduction method."
+}
--- a/docs/qa/feature-checks/runs/policy/blast-radius-fleet-view/run-001/tier1-code-review.json
+++ b/docs/qa/feature-checks/runs/policy/blast-radius-fleet-view/run-001/tier1-code-review.json
@@ -0,0 +1,27 @@
+{
+  "tier": 1,
+  "type": "code_review",
+  "capturedAtUtc": "2026-02-12T22:12:00Z",
+  "feature": "blast-radius-fleet-view",
+  "module": "policy",
+  "claimsVerified": true,
+  "missingClaims": [],
+  "presentClaims": [
+    "BlastRadius.cs (27 lines): sealed record with Dependents (int), NetFacing (bool), Privilege (string?) fields",
+    "ContainmentSignals.cs (24 lines): sealed record with Seccomp, FileSystem, NetworkPolicy string fields",
+    "UnknownRanker.cs (369 lines): sealed class implementing IUnknownRanker with Rank(UnknownRankInput) method",
+    "ComputeContainmentReduction integrates BlastRadius: Dependents==0 -> 15%, !NetFacing -> 5%, non-root Privilege -> 5%",
+    "ContainmentSignals integration: Seccomp enforced -> 10%, FileSystem ro -> 10%, NetworkPolicy isolated -> 5%",
+    "MaxContainmentReduction capped at 40% via Math.Min",
+    "UnknownRankerOptions with configurable reduction values: IsolatedReduction=0.15m, NotNetFacingReduction=0.05m, NonRootReduction=0.05m",
+    "UnknownsBudgetEnforcer.cs exists for blast radius-aware budget thresholds",
+    "UnknownsEndpoints.cs exists for REST API querying unknowns with blast radius data",
+    "Tests: 35+ tests in UnknownRankerTests.cs covering containment reduction (6 tests), blast radius isolation, cap at 40%, determinism, disabled option"
+  ],
+  "testFiles": [
+    "src/Policy/__Tests/StellaOps.Policy.Unknowns.Tests/Services/UnknownRankerTests.cs"
+  ],
+  "testCount": "35+ tests in UnknownRankerTests.cs covering blast radius containment reduction specifically",
+  "verdict": "pass",
+  "notes": "Non-trivial implementation verified. BlastRadius model feeds into ComputeContainmentReduction in UnknownRanker. Isolated package (Dependents=0) gets 15% reduction, not network-facing gets 5%, non-root gets 5%. Containment signals add up to 25% more (seccomp 10%, ro fs 10%, isolated network 5%). Total capped at 40%. Tests verify specific reduction values, cap, determinism, and disable option."
+}
--- a/docs/qa/feature-checks/runs/policy/blast-radius-fleet-view/run-001/tier2-integration-check.json
+++ b/docs/qa/feature-checks/runs/policy/blast-radius-fleet-view/run-001/tier2-integration-check.json
@@ -0,0 +1,27 @@
+{
+  "tier": 2,
+  "type": "integration_check",
+  "subtype": "2d",
+  "capturedAtUtc": "2026-02-12T22:15:00Z",
+  "feature": "blast-radius-fleet-view",
+  "module": "policy",
+  "testCommand": "dotnet test src/Policy/StellaOps.Policy.tests.slnf --no-build --verbosity normal",
+  "testResult": "pass",
+  "totalTests": 708,
+  "passedTests": 708,
+  "failedTests": 0,
+  "skippedTests": 0,
+  "relevantTestBehaviors": [
+    "ComputeContainmentReduction_NullInputs_ReturnsZero - null blast radius and containment returns 0 reduction",
+    "ComputeContainmentReduction_IsolatedPackage_Returns15Percent - Dependents=0, NetFacing=true yields 15% reduction",
+    "ComputeContainmentReduction_AllContainmentFactors_CapsAt40Percent - full containment signals + blast radius isolation capped at 40%",
+    "Rank_WithContainment_AppliesReductionToScore - high score 60.00 reduced to 48.00 with 20% containment (Dependents=0 only)",
+    "Rank_ContainmentDisabled_NoReduction - EnableContainmentReduction=false yields 0 reduction and full score",
+    "Rank_ScoreAbove75_AssignsHotBand - maximum uncertainty + KEV pressure yields Hot band",
+    "Rank_ScoreBetween50And75_AssignsWarmBand - medium factors yield Warm band",
+    "Rank_ScoreBetween25And50_AssignsColdBand - lower factors yield Cold band",
+    "Rank_ScoreBelow25_AssignsResolvedBand - minimal factors yield Resolved band"
+  ],
+  "verdict": "pass",
+  "notes": "708/708 tests pass. Blast radius fleet view behaviors verified: BlastRadius model (Dependents/NetFacing/Privilege), ContainmentSignals (Seccomp/FileSystem/NetworkPolicy), reduction percentages (15%/5%/5%/10%/10%/5%), 40% cap, band assignment with containment integration, disable option."
+}