stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
docs/features/checked/policy/risk-budget-model.md Normal file
View File

@@ -0,0 +1,41 @@
# Risk Budget Model (Service Tiers + Risk Points)
## Module
Policy
## Status
IMPLEMENTED
## Description
Complete risk budget system with service tier-based scoring, risk point computation, budget ledger tracking, constraint enforcement, threshold notifications, capacity replenishment, and persistence. Includes API endpoints and property-based tests for monotonicity.
## Implementation Details
- **RiskSimulationService**: `src/Policy/StellaOps.Policy.Engine/Simulation/RiskSimulationService.cs`
- Signal-based risk point computation: Boolean (0/1), Numeric (direct), Categorical (mapped weight)
- Severity mapping: Critical>=90, High>=70, Medium>=40, Low>=10
- Distribution calculation with 10 buckets, 6 percentiles (p25/p50/p75/p90/p95/p99)
- Aggregate metrics: total, mean, median, stddev, severity breakdown
- **UnknownRanker**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs`
- Two-factor risk score: Score = (Uncertainty * 50) + (ExploitPressure * 50)
- Band assignment: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
- Containment reduction capped at 40% (Seccomp 10%, FsRO 10%, Isolated 15%, etc.)
- Decay buckets for time-based scoring adjustments
- **UnknownBudgetService** / **UnknownsBudgetEnforcer**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/`
- Per-service budget constraints with Green/Yellow/Red/Exhausted thresholds
- Budget enforcement blocks releases when Exhausted
- **LedgerExportService**: `src/Policy/StellaOps.Policy.Engine/Ledger/LedgerExportService.cs` -- budget ledger persistence
- **BudgetEndpoints** / **RiskBudgetEndpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/` -- API for budget CRUD and evaluation
- **Scoring engines**: `src/Policy/StellaOps.Policy.Engine/Scoring/Engines/` -- SimpleScoringEngine, AdvancedScoringEngine, ProofAwareScoringEngine
- **ScoringProfileService**: `src/Policy/StellaOps.Policy.Engine/Scoring/ScoringProfileService.cs` -- configurable scoring profiles with weighted signals
## E2E Test Plan
- [ ] Compute risk points for finding with Critical severity (CVSS>=9.0, EPSS>=0.90); verify score >= 90
- [ ] Compute risk points for finding with Low severity (CVSS=3.0); verify score maps to Low range (10-39)
- [ ] Compute risk points with containment reduction (Seccomp + FsRO); verify 20% reduction applied
- [ ] Verify score monotonicity: higher CVSS/EPSS always produces higher or equal score
- [ ] Compute aggregate risk for 10 findings; verify distribution has 10 buckets, valid percentiles
- [ ] Verify severity breakdown: Critical count + High count + Medium count + Low count = total findings
- [ ] Create budget with tier-based limits; consume RP; verify threshold transitions (Green -> Yellow -> Red -> Exhausted)
- [ ] Verify budget capacity replenishment: resolve 5 findings; verify remaining capacity increases
- [ ] Verify ProofAwareScoringEngine includes proof references in scored output
- [ ] Verify scoring profile weights CVSS, EPSS, reachability contributions correctly