# Risk Profiles (draft outline)

> Draft scaffold pending PLLG0104 risk profile schema approval. Do not publish externally until schemas and sample payloads arrive. Mirrors existing `docs/risk/risk-profiles.md`; this file will supersede it once populated.

## Purpose

- Define how profiles group factors, weights, thresholds, and severity bands.
- Describe authoring, simulation, promotion, rollback, and provenance for profiles.

## Scope & Audience

- Audience: policy authors, risk engineers, platform SREs.
- Coverage: profile schema, lifecycle, governance, promotion paths, rollback, and observability hooks.

## Schema (placeholder)

- Profile schema reference: ``
- Required fields: id, versioning, factors list, weights, thresholds, severity mapping, metadata, provenance.
- Optional fields: tenant overrides, imposed rules, time-to-live.

## Lifecycle (outline)

1. Authoring in Policy Studio (draft state)
2. Simulation against fixtures (deterministic inputs)
3. Review/approval workflow
4. Promotion to environments (dev → staging → prod)
5. Rollback hooks and audit trail

## Governance & Determinism

- Profiles are stored with DSSE signatures; record the SHA-256 of each fixture alongside the profile it was simulated against.
- Simulation and production use the same evaluation code path; document the feature flags that path requires so simulation cannot diverge from what production enforces.
- Offline posture: include profiles and fixtures inside mirror bundles.

## Explainability & Observability

- Per-factor contribution outputs (JSON) with stable ordering, so two evaluations of the same profile and evidence produce byte-identical explanations.
- Metrics to log: evaluation latency, cache hit ratio, factor coverage.
- Dashboards/alerts to enumerate once telemetry payloads are supplied.
## Open Items

- PLLG0104 schema approval and sample JSON payloads
- Feature-flag list for registry alignment
- Telemetry field list for dashboards/alerts

## References

- `docs/risk/overview.md`
- `docs/risk/factors.md`
- `docs/risk/formulas.md`
- `docs/risk/explainability.md`
- `docs/risk/api.md`
- Existing context: `docs/risk/risk-profiles.md` (to reconcile once schema lands)

## Interim Notes (carried from legacy `docs/risk/risk-profiles.md`)

- Profiles define how evidence (CVSS/EPSS-like exploit likelihood, KEV flags, VEX status, reachability, runtime evidence, fix availability, asset criticality, provenance trust) is normalized into a 0–100 score with severity buckets.
- Workflow highlights: author in Policy Studio → simulate with fixtures → activate in Policy Engine → explain outputs in CLI/Console → export for auditors via Export Center.
- Governance: draft/review/approval with DSSE/signatures; rollback hooks and promotion gates enforced by Authority scopes; determinism required (same codepath for simulation and production).
- Observability: record scoring latency, factor distribution, and profile usage; offline posture via mirror bundles with fixtures and hash manifests.
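The following is an added example, not the project's evaluator and not the PLLG0104 schema. It sketches what the Explainability section and the first Interim Note ask for: evidence normalized into a 0–100 score, severity bands applied to that score, a VEX-style suppression rule, per-factor contributions emitted in a stable order, factor coverage, and SHA-256 digests of the canonical profile and evidence so simulation and production output can be compared byte for byte. The profile layout, the factor kinds (`linear`, `flag`, `enum`), the `suppress_when` and `severity_bands` fields, and every function name (`normalise`, `evaluate`, `severity_for`, `canonical_json`, `sha256_hex`) are hypothetical stand-ins until the real schema lands; the sample profile and findings are constructed for illustration.

```python
"""Added example: a minimal deterministic risk-profile evaluator.

Illustrative code only. The profile layout below (factor kinds,
'suppress_when', 'severity_bands') is a hypothetical stand-in for the
fields the outline names, pending the PLLG0104 schema.
"""
import hashlib
import json

# Constructed sample profile. Weights sum to 1.0, so the raw score lands on 0-100.
PROFILE = {
    "id": "example-baseline",  # hypothetical identifier
    "version": "0.1.0",
    "factors": [
        {"name": "exploit_likelihood", "weight": 0.30, "kind": "linear", "min": 0.0, "max": 1.0},
        {"name": "kev", "weight": 0.20, "kind": "flag"},
        {"name": "reachability", "weight": 0.20, "kind": "enum",
         "levels": {"unreachable": 0.0, "unknown": 0.5, "reachable": 1.0}},
        {"name": "fix_available", "weight": 0.10, "kind": "flag", "invert": True},
        {"name": "asset_criticality", "weight": 0.20, "kind": "linear", "min": 1, "max": 5},
    ],
    # Threshold-style rule: a VEX 'not_affected' statement zeroes the score.
    "suppress_when": {"vex_status": "not_affected"},
    # Severity bands, lower bound inclusive.
    "severity_bands": [
        {"name": "low", "min": 0},
        {"name": "medium", "min": 40},
        {"name": "high", "min": 70},
        {"name": "critical", "min": 90},
    ],
}


def canonical_json(obj) -> str:
    """Key-sorted, whitespace-free JSON so equal inputs serialize identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def sha256_hex(obj) -> str:
    """Digest of the canonical form; this is what a hash manifest would record."""
    return hashlib.sha256(canonical_json(obj).encode("utf-8")).hexdigest()


def normalise(factor: dict, value):
    """Map raw evidence onto [0, 1]; None means the factor was not covered."""
    if value is None:
        return None
    kind = factor["kind"]
    if kind == "linear":
        lo, hi = factor["min"], factor["max"]
        return min(1.0, max(0.0, (float(value) - lo) / (hi - lo)))
    if kind == "flag":
        v = 1.0 if value else 0.0
        return 1.0 - v if factor.get("invert") else v
    if kind == "enum":
        return factor["levels"].get(value)  # unknown label -> not covered
    raise ValueError(f"unknown normaliser kind {kind!r}")


def severity_for(profile: dict, score: int) -> str:
    """Highest band whose lower bound the score reaches."""
    for band in sorted(profile["severity_bands"], key=lambda b: b["min"], reverse=True):
        if score >= band["min"]:
            return band["name"]
    return "none"


def evaluate(profile: dict, evidence: dict) -> dict:
    """Score one finding. Contributions follow the profile's factor order, so the
    explanation JSON is stably ordered and identical across runs and environments."""
    contributions, total, covered = [], 0.0, 0.0
    for factor in profile["factors"]:
        norm = normalise(factor, evidence.get(factor["name"]))
        contrib = 0.0 if norm is None else round(factor["weight"] * norm * 100, 4)
        if norm is not None:
            covered += factor["weight"]
            total += contrib
        contributions.append({"factor": factor["name"], "weight": factor["weight"],
                              "normalized": norm, "contribution": contrib})
    rule = profile.get("suppress_when") or {}
    suppressed = bool(rule) and all(evidence.get(k) == v for k, v in rule.items())
    score = 0 if suppressed else int(round(min(100.0, max(0.0, total))))
    weight_sum = sum(f["weight"] for f in profile["factors"])
    return {
        "profile_id": profile["id"],
        "profile_version": profile["version"],
        "profile_digest": sha256_hex(profile),
        "evidence_digest": sha256_hex(evidence),
        "score": score,
        "severity": "none" if suppressed else severity_for(profile, score),
        "suppressed": suppressed,
        "factor_coverage": round(covered / weight_sum, 4),  # weight share with evidence present
        "contributions": contributions,
    }


if __name__ == "__main__":
    # Constructed fixture: a reachable, KEV-listed finding on a critical asset.
    finding = {"exploit_likelihood": 0.8, "kev": True, "reachability": "reachable",
               "fix_available": False, "asset_criticality": 5, "vex_status": "affected"}
    print(canonical_json(evaluate(PROFILE, finding)))
```

The determinism check the Governance section calls for reduces to running `evaluate()` with the same profile and fixture on the simulation path and the production path and comparing the `canonical_json` of both results; the `profile_digest` and `evidence_digest` fields are what a mirror bundle's hash manifest would carry. Note that missing evidence lowers `factor_coverage` rather than silently scoring as zero risk, which is the failure mode a coverage metric is meant to surface.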