# Confidence Decay Controls · Signals Runtime

**Compiled:** 2025-12-01 (UTC)

**Scope:** Close U1–U10 gaps from `docs/product-advisories/31-Nov-2025 FINDINGS.md` for confidence decay of unknowns/signals.

**Status:** Draft for review on 2025-12-03; to be signed (DSSE) after sign-off.

## Decisions (U1–U10)

- **τ governance (U1):** All τ values live in `confidence_decay_config.yaml`, change-controlled via DSSE-signed PRs; allowable τ range 1–90 days. Changes require dual approval (Signals + Policy), recorded in history.
- **Floor / freeze (U2):** `confidence_floor` per severity; `is_confidence_frozen=true` when SLA-bound or manual pin. Floors: Critical 0.60, High 0.45, Medium 0.30, Low 0.20. Freeze auto-expires at `freeze_until`.
- **Weighted signals (U3):** Signal taxonomy with weights: exploit=1.0, customer_incident=0.9, threat_intel=0.7, code_change=0.4, artifact_refresh=0.3, metadata_touch=0.1. `last_signal_weighted_at` uses max(weighted timestamp).
- **Time source / drift (U4):** All timestamps in UTC; decay uses monotonic clock fallback; reject events >5 minutes in the future or >30 days backdated, log corrections.
- **Deterministic recompute (U5):** Nightly job at 03:00 UTC recomputes decay for all items; emits `decay_snapshot_YYYY-MM-DD.ndjson` with SHA256 and checksum record. On-read recompute only if snapshot is older than 24h.
- **SLA coupling (U6):** Items with active SLA clamp to `sla_floor` (0.60 Critical, 0.50 High) until SLA met. SLA flag and floor are emitted in API.
- **Uncertainty linkage (U7):** Confidence is capped by `(1 - uncertainty_score)`; if uncertainty_score ≥0.4, band forced to "under_review" and alerts fire.
- **Backfill & migration (U8):** Initial migration seeds `last_signal_at` from latest activity; default τ from entity profile; dry-run impact report required; backfill script outputs before/after bands.
- **API/UX surfacing (U9):** New fields: `confidence`, `confidence_band` (critical/high/medium/low/under_review), `tau_days`, `is_frozen`, `confidence_floor`, `uncertainty_score`, `last_signal_weighted_at`. Sort default: `priority * confidence`.
- **Observability & alerts (U10):** Counters/gauges: `confidence_recalc_latency`, `items_below_floor`, `signals_weighted_by_type{type}`, `decay_snapshots_age_hours`, `uncertainty_forced_under_review`. Alerts on missing nightly snapshot, decay drift >1 band, or SLA items below floor.

## Reference Config (draft)

```yaml
version: 1
updated_at: 2025-12-01T00:00:00Z
entities:
  vulnerability:
    tau_days: 21
    tau_min: 7
    tau_max: 90
    confidence_floor: {critical: 0.60, high: 0.45, medium: 0.30, low: 0.20}
    sla_floor: {critical: 0.60, high: 0.50}
    freeze_default_days: 30
  incident:
    tau_days: 14
    tau_min: 3
    tau_max: 60
signals_taxonomy:
  exploit: 1.0
  customer_incident: 0.9
  threat_intel: 0.7
  code_change: 0.4
  artifact_refresh: 0.3
  metadata_touch: 0.1
time:
  reject_future_minutes: 5
  reject_backdated_days: 30
recompute:
  schedule_utc: "03:00"
  snapshot_retention_days: 30
observability:
  alerts:
    missing_snapshot_hours: 26
    sla_floor_breach: true
    uncertainty_band_force: 0.4
signing:
  predicate: stella.ops/confidenceDecayConfig@v1
  dsse_required: true
```

## Operational Rules

- Config changes must produce a new DSSE envelope and update the checksum in the nightly snapshot header.
- Nightly job writes `decay_snapshot_YYYY-MM-DD.ndjson` (sorted by `item_id`) plus `SHA256SUMS`; both stored in Evidence Locker.
- Any on-read recompute must emit an audit log with reasons (stale snapshot or forced recalculation).

## Migration Playbook

1) Run dry-run backfill: compute bands with proposed config; write `decay_backfill_diff.ndjson` (before/after bands, delta) and checksum.
2) Get dual approval; sign `confidence_decay_config.yaml` with DSSE predicate above.
3) Apply config, execute full recompute, publish snapshot + checksums, update observability dashboard baselines.

## API Notes

- Add fields to Signals API and CLI responses; ensure canonical serialization (sorted keys, UTC timestamps, fixed decimals 3dp) to avoid hash drift.
- Bands map: `>=0.75 critical`, `>=0.55 high`, `>=0.35 medium`, `>=0.20 low`, else `under_review`.

## Evidence & Storage

- Store config DSSE, snapshots, and backfill reports in Evidence Locker with retention class `signals-decay-config`.
- For offline kits, include latest config DSSE + last 3 snapshots and checksums.

## Open Items for Review (12-03)

- Confirm weights for threat_intel vs exploit; adjust if customer data suggests different ordering.
- Confirm `under_review` threshold (currently uncertainty ≥0.4).
- Align with Policy on SLA floors for High severity (0.50 proposed).
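
The canonical serialization rule in API Notes and the sorted-snapshot rule in Operational Rules, worked through as an added example (not code from the Signals runtime): it shows that input order, float noise and time-zone offsets do not change the snapshot SHA256. The function names, the record's field subset, the `vuln-00x` ids and the choice to emit 3dp decimals as strings are assumptions made for this illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

BANDS = [(0.75, "critical"), (0.55, "high"), (0.35, "medium"), (0.20, "low")]  # API Notes
UNCERTAINTY_FORCE = 0.4  # uncertainty_band_force in the reference config

def band_for(confidence, uncertainty_score):
    """Map confidence to a band; uncertainty >= 0.4 forces under_review (U7)."""
    if uncertainty_score >= UNCERTAINTY_FORCE:
        return "under_review"
    return next((name for floor, name in BANDS if confidence >= floor), "under_review")

def utc_stamp(ts):
    """Render an aware datetime as UTC; naive values are rejected, not guessed."""
    if ts.tzinfo is None:
        raise ValueError("timestamp has no time zone")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def canonical_line(item):
    """One NDJSON record: sorted keys, 3dp decimals, UTC timestamp.

    The band is derived from the quantized values so it always agrees with them.
    """
    # Assumption: decimals are emitted as strings so "0.750" keeps its zeros.
    conf = f"{item['confidence']:.3f}"
    unc = f"{item['uncertainty_score']:.3f}"
    record = {
        "item_id": item["item_id"],
        "confidence": conf,
        "uncertainty_score": unc,
        "confidence_band": band_for(float(conf), float(unc)),
        "last_signal_weighted_at": utc_stamp(item["last_signal_weighted_at"]),
    }
    return json.dumps(record, sort_keys=True, separators=(",", ":"))

def snapshot(items):
    """Return (ndjson_bytes, sha256_hex) with records sorted by item_id."""
    lines = [canonical_line(i) for i in sorted(items, key=lambda i: i["item_id"])]
    body = ("\n".join(lines) + "\n").encode("utf-8")
    return body, hashlib.sha256(body).hexdigest()

# Constructed sample: same two items, different order, float noise, +02:00 offset.
T0 = datetime(2025, 12, 1, 3, 0, tzinfo=timezone.utc)
RUN_A = [
    {"item_id": "vuln-002", "confidence": 0.7499996, "uncertainty_score": 0.1, "last_signal_weighted_at": T0},
    {"item_id": "vuln-001", "confidence": 0.9, "uncertainty_score": 0.45, "last_signal_weighted_at": T0},
]
RUN_B = [
    {**RUN_A[1], "last_signal_weighted_at": T0.astimezone(timezone(timedelta(hours=2)))},
    {**RUN_A[0], "confidence": 0.75},
]
```

`snapshot(RUN_A)` and `snapshot(RUN_B)` return the same digest, which is the property the nightly `SHA256SUMS` check relies on.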