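---
# Starter Day-1 Policy Pack
# Sprint: SPRINT_20260104_004_POLICY - Task PSD-010
#
# Comprehensive starter policy for day-1 security controls.
#
# Structure: a PolicyPack with pack-wide `settings` and an ordered list of
# `rules`. Each rule has a `match` block, an optional `unless` exception
# block, a `priority`, and an `action` (block / warn / allow).
# NOTE(review): the rule-priority semantics (whether a higher number is
# evaluated first and whether the first match wins) are not defined in this
# file — confirm against the policy engine before relying on the ordering
# assumptions noted below.
apiVersion: policy.stellaops.io/v1
kind: PolicyPack
metadata:
  name: starter-day1
  # Quoted so that version-formatting tooling does not retype it.
  version: "1.0.0"
  description: |
    Starter policy pack for day-1 security controls.
    Includes essential gates for vulnerabilities, reachability, and metadata quality.
spec:
  settings:
    # Action applied when no rule matches. NOTE(review): the `default-allow`
    # rule below matches everything, so this value appears to be dead unless
    # the engine consults it before the catch-all rule — confirm.
    defaultAction: warn
    # Fraction (0.05 = 5%) of packages allowed to have unknown metadata;
    # referenced by the `fail-on-unknowns` rule.
    unknownsThreshold: 0.05
    requireSignedSbom: true
    requireSignedVerdict: true

  rules:
    # Reachable HIGH/CRITICAL findings are blocked unless a VEX statement
    # says `not_affected` AND carries one of the listed justifications.
    - name: block-reachable-high-critical
      description: "Block deployments with reachable HIGH or CRITICAL vulnerabilities"
      priority: 100
      match:
        severity:
          - CRITICAL
          - HIGH
        reachability: reachable
      unless:
        vexStatus: not_affected
        vexJustification:
          - vulnerable_code_not_present
          - vulnerable_code_cannot_be_controlled_by_adversary
          - inline_mitigations_already_exist
      action: block
      message: "Reachable {severity} vulnerability {cve} must be remediated or have VEX justification"

    # Reachable MEDIUM findings only warn. NOTE(review): unlike the rule above,
    # the exception here accepts `not_affected` with no justification list —
    # confirm that is intended and not an omission.
    - name: warn-reachable-medium
      description: "Warn on reachable MEDIUM severity vulnerabilities"
      priority: 90
      match:
        severity: MEDIUM
        reachability: reachable
      unless:
        vexStatus: not_affected
      action: warn
      message: "Reachable MEDIUM vulnerability {cve} should be reviewed"

    # Unreachable findings are allowed but logged. NOTE(review): this rule
    # sits above `block-kev` (80 vs 60); if higher priority is matched first,
    # an unreachable KEV finding would be allowed rather than blocked — confirm
    # the intended precedence.
    - name: allow-unreachable
      description: "Allow unreachable vulnerabilities but log for awareness"
      priority: 80
      match:
        reachability: unreachable
      action: allow
      log: true
      message: "Vulnerability {cve} is unreachable - allowing"

    # Aggregate rule: blocks when the share of packages with unknown metadata
    # exceeds `settings.unknownsThreshold`. The reference is quoted so the
    # templated value is always read as a string by the YAML parser.
    # NOTE(review): the message prints `{threshold}` with a `%` suffix while
    # the setting is a fraction (0.05) — presumably the engine converts to a
    # percentage when rendering; verify.
    - name: fail-on-unknowns
      description: "Block if too many packages have unknown metadata"
      priority: 70
      type: aggregate
      match:
        unknownsRatio:
          gt: "${settings.unknownsThreshold}"
      action: block
      message: "Unknown packages exceed threshold ({unknownsRatio}% > {threshold}%)"

    # Known Exploited Vulnerabilities are blocked unconditionally — this rule
    # has no `unless` block, so no VEX statement exempts a KEV finding.
    - name: block-kev
      description: "Block images with Known Exploited Vulnerabilities"
      priority: 60
      match:
        kev: true
      action: block
      message: "Known Exploited Vulnerabilities (KEV) must be remediated before deployment"

    # Catch-all: anything not matched above is allowed.
    - name: default-allow
      description: "Allow everything not matched by above rules"
      priority: 0
      match:
        always: true
      action: allow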