---
# Trust Lattice Configuration for VEX Source Scoring
#
# Defines the default trust vectors and weights used when evaluating VEX
# sources. Every scalar below is an unquoted YAML number on purpose: the
# consumer reads them as floats/ints, and none of the values resemble
# booleans, octal literals, dates or sexagesimal integers.

# Default trust weights for combining the P/C/R components.
# Used when computing the base trust score:
#   BaseTrust = (wP × P) + (wC × C) + (wR × R)
# The three weights sum to 1.0, so BaseTrust stays within [0, 1] as long
# as each component score is itself within [0, 1].
defaultWeights:
  provenance: 0.45     # wP - crypto & process integrity of the source
  coverage: 0.35       # wC - scope match precision
  replayability: 0.20  # wR - determinism & pinning

# Default trust vectors per source classification.
# Fallback values applied when a source has no explicit configuration.
defaultVectors:
  # Vendor-published VEX statements (e.g., Red Hat, Oracle, Microsoft)
  vendor:
    provenance: 0.90     # High - official vendor channels with signing
    coverage: 0.85       # High - vendor knows their own products
    replayability: 0.70  # Medium-High - usually versioned but may lack pinning

  # Distribution-published VEX (e.g., Ubuntu, Debian, Alpine)
  distro:
    provenance: 0.85     # High - official distro channels
    coverage: 0.90       # Very High - distros track OS packages precisely
    replayability: 0.75  # Medium-High - pinned to distro versions

  # Third-party aggregators/hubs (e.g., SUSE Rancher VEX Hub)
  hub:
    provenance: 0.75     # Medium-High - depends on the hub's verification process
    coverage: 0.70       # Medium - may aggregate from various sources
    replayability: 0.60  # Medium - varies by the hub's data model

  # Platform-specific VEX (e.g., OCI attestations, cloud provider advisories)
  platform:
    provenance: 0.80     # Medium-High - platform signing available
    coverage: 0.75       # Medium-High - platform-aware matching
    replayability: 0.65  # Medium - depends on the platform's commitment

  # User-supplied/internal VEX statements
  internal:
    provenance: 0.70     # Medium - internal PKI or unsigned
    coverage: 0.95       # Very High - organization knows its own environment
    replayability: 0.85  # High - controlled by the organization

# Claim strength multipliers.
# Applied to the base trust score according to the claim's metadata.
claimStrength:
  high: 1.0         # Full trust (e.g., cryptographic proof, reachability analysis)
  medium: 0.9       # Slightly reduced (e.g., heuristic evidence, manual analysis)
  low: 0.75         # Significantly reduced (e.g., speculation, incomplete data)
  unspecified: 0.8  # Conservative default when no strength is provided

# Freshness decay configuration.
# Older VEX claims are trusted less than recent ones.
freshnessDecay:
  enabled: true
  halfLifeDays: 90       # Freshness drops to 50% after this many days
  minimumFreshness: 0.5  # Floor so old claims are never dismissed outright

  # Override: never apply freshness decay to these statuses.
  # They are treated as "timeless" facts.
  # NOTE(review): an exempt status keeps full freshness indefinitely, so a
  # notAffected claim is never down-weighted for age; re-evaluate such claims
  # when the component or the conditions behind the claim change.
  exemptStatuses:
    - fixed        # A fix remains valid
    - notAffected  # Not-affected is structural, doesn't decay

# Environment variable overrides.
# These can be set to override the file-based configuration at runtime.
# Because they change the trust assigned to every source, treat them as
# security-relevant configuration and record where they are set.
#   STELLAOPS_TRUST_LATTICE_DEFAULT_WP=0.45
#   STELLAOPS_TRUST_LATTICE_DEFAULT_WC=0.35
#   STELLAOPS_TRUST_LATTICE_DEFAULT_WR=0.20
#   STELLAOPS_TRUST_LATTICE_FRESHNESS_HALFLIFE_DAYS=90