# Stella Ops Starter Policy - Development Override
# Version: 1.0.0
#
# Development environment is lenient to enable rapid iteration:
# - Never block, only warn
# - Higher unknowns threshold
# - No signing requirements
# - All vulnerabilities logged but allowed
#
# NOTE: Development policy is for local dev only. Pre-commit hooks
# or CI should use staging or production policies.
#
# NOTE(review): nothing in this file enforces the "local dev only" scope.
# Confirm that the policy engine or the pipeline configuration refuses to
# load this override outside a development environment.

apiVersion: policy.stellaops.io/v1
kind: PolicyOverride
metadata:
  name: starter-day1-development
  version: "1.0.0"
  # Base policy whose settings and rules this override relaxes.
  parent: starter-day1
  # NOTE(review): presumably the selector that binds this override to
  # development runs - verify how the engine matches it.
  environment: development
  description: "Lenient settings for development - warn only, never block"

spec:
  # Development settings - maximum leniency
  settings:
    # Findings that no rule acts on are allowed rather than blocked.
    defaultAction: allow
    unknownsThreshold: 0.50  # 50% unknowns allowed in dev
    # Both signature checks are off: unsigned SBOMs and unsigned verdicts
    # pass under this policy, so a passing result here says nothing about
    # artifact provenance.
    requireSignedSbom: false
    requireSignedVerdict: false
    minimumVexTrustScore: 0.0  # Accept any VEX in dev

  ruleOverrides:
    # Downgrade all blocking rules to warnings.
    # With these three overrides a reachable high/critical finding, a KEV
    # match, or an unknowns-threshold breach is reported but does not fail
    # the evaluation; the warnings are the only signal left.
    - name: block-reachable-high-critical
      action: warn  # Warn instead of block

    - name: block-kev
      action: warn  # Warn instead of block

    - name: fail-on-unknowns
      action: warn  # Warn instead of block

    # Disable signing requirements entirely
    # NOTE(review): the "-prod" suffix suggests these rules target
    # production in the parent policy - confirm that disabling them here
    # cannot carry over to another environment.
    - name: require-signed-sbom-prod
      enabled: false

    - name: require-signed-verdict-prod
      enabled: false

    # Enable verbose logging for all findings (helpful for debugging)
    # Allowed findings stay visible in the logs even though nothing blocks.
    - name: default-allow
      log: true
      logLevel: verbose