# EPSS Risk Band Mapping

## Module

RiskEngine

## Status

IMPLEMENTED

## Description

EPSS provider with bundle loading, fetching, and risk band mapping that converts EPSS probabilities into actionable risk categorizations.

## Implementation Details

- **EPSS Provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssProvider.cs` (implements `IRiskScoreProvider`) -- converts EPSS probability scores into risk band categorizations (Critical, High, Medium, Low) using configurable thresholds.
- **EPSS Bundle Loader**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssBundleLoader.cs` -- loads EPSS score bundles from local files or cached downloads for offline operation.
- **EPSS Fetcher**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssFetcher.cs` -- fetches EPSS score data from the FIRST.org EPSS API for periodic updates.
- **EPSS Sources Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/IEpssSources.cs` -- data source contract for EPSS score lookups.
- **In-Memory Result Store**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/Stores/InMemoryRiskScoreResultStore.cs` (implements `IRiskScoreResultStore`) -- in-memory store for computed risk scores with EPSS band mappings.
- **Risk Score Result Store Interface**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Services/IRiskScoreResultStore.cs` -- persistence contract for risk score results.
- **Tests**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/EpssBundleTests.cs`, `RiskEngineApiTests.cs`

## E2E Test Plan

- [ ] Load an EPSS bundle via `EpssBundleLoader` and query the score for a known CVE; verify the returned probability matches the bundle data
- [ ] Map an EPSS probability of 0.95 and verify it is categorized as "Critical" risk band
- [ ] Map an EPSS probability of 0.01 and verify it is categorized as "Low" risk band
- [ ] Verify bundle loading from file: place an EPSS CSV bundle in the expected path and confirm `EpssBundleLoader` loads it without network access
- [ ] Verify the EPSS fetcher downloads fresh data and the bundle loader caches it for subsequent offline lookups
- [ ] Combine EPSS with CVSS: compute a risk score using both EPSS and CVSS providers and verify the combined score reflects both signals
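The following is an added, self-contained C# sketch of the three pieces the Implementation Details and E2E Test Plan above exercise together: parsing an offline EPSS CSV bundle, mapping a probability to a risk band with configurable thresholds, and blending the band input with a CVSS score. It is illustrative code written for this page, not the project's `EpssProvider`, `EpssBundleLoader` or `IRiskScoreProvider` implementation. The threshold values (0.70 / 0.40 / 0.10), the CSV layout (FIRST.org-style `#` metadata lines followed by `cve,epss,percentile` rows), the 50/50 CVSS-EPSS weighting and the sample rows are all assumptions constructed for the example; the real thresholds come from configuration.

```csharp
// Illustrative example, not StellaOps code. Thresholds, CSV layout and the
// combination rule below are assumptions made for this example only.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;

public enum RiskBand { Low, Medium, High, Critical }

public sealed class EpssBandThresholds
{
    // Assumed defaults; a real provider would read these from configuration.
    public double Critical { get; set; } = 0.70;
    public double High { get; set; } = 0.40;
    public double Medium { get; set; } = 0.10;
}

public static class EpssBandMapper
{
    public static RiskBand Map(double probability, EpssBandThresholds t)
    {
        // EPSS is a probability; reject anything outside [0, 1] rather than mis-band it.
        if (double.IsNaN(probability) || probability < 0.0 || probability > 1.0)
            throw new ArgumentOutOfRangeException(nameof(probability), "EPSS must be in [0, 1]");
        if (probability >= t.Critical) return RiskBand.Critical;
        if (probability >= t.High) return RiskBand.High;
        if (probability >= t.Medium) return RiskBand.Medium;
        return RiskBand.Low;
    }
}

public sealed class EpssBundle
{
    private readonly Dictionary<string, double> _epss = new(StringComparer.OrdinalIgnoreCase);
    public string? ScoreDate { get; private set; }
    public int Count => _epss.Count;

    // Parses assumed FIRST.org-style CSV: '#' metadata lines, a header row, then
    // "cve,epss,percentile" rows. Malformed rows are skipped instead of aborting the load.
    public static EpssBundle Parse(TextReader reader)
    {
        var bundle = new EpssBundle();
        string? line;
        while ((line = reader.ReadLine()) is not null)
        {
            if (line.StartsWith('#'))
            {
                const string key = "score_date:";
                int idx = line.IndexOf(key, StringComparison.Ordinal);
                if (idx >= 0) bundle.ScoreDate = line.Substring(idx + key.Length).Split(',')[0].Trim();
                continue;
            }
            string[] parts = line.Split(',');
            if (parts.Length < 3 || !parts[0].StartsWith("CVE-", StringComparison.OrdinalIgnoreCase)) continue;
            if (double.TryParse(parts[1], NumberStyles.Float, CultureInfo.InvariantCulture, out double epss)
                && epss >= 0.0 && epss <= 1.0)
            {
                bundle._epss[parts[0].Trim()] = epss;
            }
        }
        return bundle;
    }

    public bool TryGetEpss(string cveId, out double epss) => _epss.TryGetValue(cveId, out epss);
}

public static class CombinedRisk
{
    // Assumed blend: CVSS base score normalised to [0,1], averaged 50/50 with EPSS,
    // so a high-severity but rarely exploited finding and a low-severity but actively
    // exploited one both land well above a finding that is weak on both signals.
    public static double Score(double cvssBase, double epss) => 0.5 * (cvssBase / 10.0) + 0.5 * epss;
}

public static class Demo
{
    // Constructed sample bundle; the IDs and values are placeholders, not real EPSS data.
    private const string SampleCsv =
        "#model_version:vEXAMPLE,score_date:2024-01-01T00:00:00+0000\n" +
        "cve,epss,percentile\n" +
        "CVE-0000-0001,0.95,0.999\n" +
        "CVE-0000-0002,0.01,0.250\n" +
        "CVE-0000-0003,not-a-number,0.5\n";   // malformed row, must be skipped

    public static void Main()
    {
        var thresholds = new EpssBandThresholds();
        EpssBundle bundle = EpssBundle.Parse(new StringReader(SampleCsv));
        Console.WriteLine($"loaded {bundle.Count} rows, score_date={bundle.ScoreDate}");   // 2 rows

        foreach (var cve in new[] { "CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003" })
        {
            if (!bundle.TryGetEpss(cve, out double epss)) { Console.WriteLine($"{cve}: no EPSS"); continue; }
            RiskBand band = EpssBandMapper.Map(epss, thresholds);      // 0.95 -> Critical, 0.01 -> Low
            double combined = CombinedRisk.Score(cvssBase: 7.5, epss); // same CVSS, different EPSS
            Console.WriteLine($"{cve}: epss={epss:F2} band={band} combined={combined:F3}");
        }
    }
}
```

Two points the block makes that the plan's checkboxes leave implicit: the parser tolerates a malformed row (the third constructed line is dropped, so `Count` is 2) and a missing CVE yields "no EPSS" rather than a silent Low, which is the behaviour an offline bundle loader needs when a cached file is stale or truncated; and the combined score moves with EPSS even when CVSS is held constant, which is the property the last E2E item asks you to verify.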