# Risk Factors (draft outline)

> Draft scaffold; fill once 66-002/66-003 inputs (engine contract + sample payloads) arrive. Keep fixtures deterministic and offline-friendly.

## Purpose

- Catalog supported factors (exploit likelihood, VEX state, reachability, runtime facts, fix availability, asset criticality, provenance trust, tenant overrides) and how they normalize into risk math.

## Scope & Audience

- Audience: risk engineers, policy authors, platform SREs.
- In scope: factor definitions, required/optional fields, normalization rules, TTLs, provenance expectations.
- Out of scope: full formula math (see `formulas.md`), API wiring (see `api.md`).

## Factor Catalog (to fill with schema-backed tables)

- Exploit likelihood — fields: source, score, last_seen, confidence
- VEX status — fields: status, justification, impact_statement
- Reachability — fields: entrypoint, callgraph evidence, runtime observation
- Runtime facts — fields: host, container, signal type, timestamp (UTC), provenance attestation
- Fix availability — fields: advisory id, patch released at, mitigation guidance
- Asset criticality — fields: business tier, data class, tenancy scope
- Provenance trust — fields: signature status, key id, chain of custody
- Custom/tenant overrides — fields: override reason, reviewer, expiry/TTL

## Normalization Rules (outline)

- Input validation + schema versioning
- Unit ranges (0–1) and clamping
- Time decay / TTL handling
- Precedence rules when multiple sources disagree

Interim notes: follow legacy profile guidance — preserve provenance, never mutate source evidence, and keep ordering stable so explainability hashes are repeatable across UI/CLI/exports.

## Determinism & Ordering

- Sort factors by type then source; stable hashing rules for fixtures.
- Record SHA256 for sample payloads once provided.

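
An added sketch of the ordering and hashing rules above (not the engine's own code): clamp scores to the 0 to 1 range, sort by type then source, serialize canonically, and take SHA-256. The field names `type`, `source` and `score`, the canonical-JSON encoding, the NaN rejection and the final tie-break are assumptions, since the engine contract is still an open item.

```python
import copy
import hashlib
import json
import math


def clamp_unit(value):
    """Clamp a score into the 0-1 unit range; reject NaN instead of guessing."""
    v = float(value)
    if math.isnan(v):
        raise ValueError("score is NaN")
    return max(0.0, min(1.0, v))


def _canonical(obj):
    # Assumed canonical form: sorted keys, no whitespace, UTF-8.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)


def normalize_factors(factors):
    """Return a new ordered list; the caller's source evidence is not mutated."""
    out = []
    for factor in factors:
        n = copy.deepcopy(factor)
        if "score" in n:
            n["score"] = clamp_unit(n["score"])
        out.append(n)
    # Sort by type then source. The canonical body is an assumed tie-break so
    # two factors sharing type and source cannot make the hash order-dependent.
    return sorted(out, key=lambda f: (f["type"], f["source"], _canonical(f)))


def explain_hash(factors):
    """SHA-256 over the canonical encoding of the normalized, ordered factors."""
    payload = _canonical(normalize_factors(factors)).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


# Constructed sample payload, not a real engine fixture.
SAMPLE = [
    {"type": "vex_status", "source": "vendor-a", "status": "not_affected"},
    {"type": "exploit_likelihood", "source": "feed-b", "score": 1.7},
    {"type": "exploit_likelihood", "source": "feed-a", "score": -0.2},
]

if __name__ == "__main__":
    print(explain_hash(SAMPLE))
```

The digest is only comparable across UI, CLI and exports if every producer uses the same canonical encoding, including how floats are rendered.
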
## Open Items

- Engine contract and sample payloads for each factor
- TTL/decay parameters from Risk Engine Guild
- Provenance attestation examples

## References

- `docs/risk/overview.md`
- `docs/risk/profiles.md`
- `docs/risk/formulas.md`
- `docs/risk/api.md`