# Versioned Weight Manifests

## Module

Policy

## Status

IMPLEMENTED

## Description

Initial weight manifest file exists, but the weight manifest infrastructure (loading, versioning, hashing, CLI management) is marked TODO in the sprint (TSF-001).

## What's Implemented

- **Weight manifest file**: `etc/weights/v2026-01-22.weights.json`
  - Schema: `https://stella-ops.org/schemas/weight-manifest/v1.0.0`
  - Schema version: 1.0.0, version: v2026-01-22, profile: production
  - Legacy 6-dimension weights: RCH=0.30, RTS=0.25, BKP=0.15, XPL=0.15, SRC=0.10, MIT=0.10
  - Advisory 5-dimension weights: CVSS=0.25, EPSS=0.30, Reachability=0.20, ExploitMaturity=0.10, PatchProof=0.15
  - Dimension names mapping (human-readable)
  - Subtractive dimensions: MIT, patchProof
  - Guardrails: notAffectedCap (maxScore=15, requires BKP>=1.0 and RTS<=0.6), runtimeFloor (minScore=60, requires RTS>=0.8), speculativeCap (maxScore=45, requires RCH<=0.0 and RTS<=0.0)
  - Priority buckets: actNowMin=90, scheduleNextMin=70, investigateMin=40
  - Determinization thresholds: manualReviewEntropy=0.60, refreshEntropy=0.40
  - Signal weights for entropy: VEX=0.25, Reachability=0.25, EPSS=0.15, Runtime=0.15, Backport=0.10, SBOMLineage=0.10
  - Content hash: `sha256:auto` (placeholder for computed hash)
  - Metadata: changelog, creation date, notes
- **SignalWeights record**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
  - Matches the signalWeightsForEntropy values from the manifest
- **ScoringRulesSnapshot**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`
  - Content-addressed snapshots with SHA256 digest
  - Builder pattern with WithWeights, WithThresholds, WithSeverityMultipliers, etc.
  - `IScoringRulesSnapshotService` interface for CRUD operations
- **ScorePolicyLoader**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyLoader.cs`
  - YAML policy loading with version and weight sum validation
- **ScorePolicyValidator**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyValidator.cs`
  - JSON Schema validation for score policies

## Additional Implementation Found

- **FileBasedWeightManifestLoader**: `src/Signals/StellaOps.Signals/EvidenceWeightedScore/FileBasedWeightManifestLoader.cs` -- loads manifests from `etc/weights/*.json` files, implements `IWeightManifestLoader`
- **ScoringManifestVersioner**: `src/__Libraries/StellaOps.DeltaVerdict/Manifest/ScoringManifestVersioner.cs` (with `.Compare.cs`, `.Compare.Helpers.cs`) -- manifest versioning with compare, bump, and generate-next-version capabilities
- **ScoringManifestSigningService**: `src/__Libraries/StellaOps.DeltaVerdict/` -- manifest signing with KMS integration and Rekor anchoring
- **Extensive tests**: `src/__Libraries/__Tests/StellaOps.DeltaVerdict.Tests/Manifest/` -- 7 test files covering versioning, comparison, bumping, signing

## What's Missing

- **CLI management commands**: No `stella weights list`, `stella weights validate`, `stella weights diff`, or `stella weights activate` CLI commands wrapping the existing loader/versioner
- **Content hash auto-compute at build**: Manifest has `"contentHash": "sha256:auto"` placeholder -- no build step replaces it with actual computed hash
- **Unified binding**: FileBasedWeightManifestLoader is in Signals, ScoringManifestVersioner is in DeltaVerdict; no unified service in the Policy module that binds manifest loading, versioning, signing, and runtime configuration together

## Implementation Plan

- Create `WeightManifestLoader` service that discovers manifests in `etc/weights/`, validates schema, computes/verifies content hash, and selects by `effectiveFrom` date
- Add build step to compute content hash and replace `sha256:auto` placeholder
- Create CLI commands for manifest lifecycle management
- Build manifest-to-runtime binding that configures SignalWeights and ScoringRulesSnapshot from the active manifest
- Add manifest diff utility for comparing versions

## Related Documentation

- Weight manifest: `etc/weights/v2026-01-22.weights.json`
- Signal weights: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
- Scoring rules snapshot: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`
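
The missing content-hash build step and the matching load-time verification, sketched as an added example (not StellaOps code). The canonical form (sorted keys, compact JSON, `contentHash` reset to the placeholder before hashing) and every manifest key name other than `contentHash` and `signalWeightsForEntropy` are assumptions; the sample manifest is constructed.

```python
import copy
import hashlib
import hmac
import json

PLACEHOLDER = "sha256:auto"  # placeholder value the page shows in the manifest

# Constructed sample; key names other than contentHash are assumptions.
SAMPLE = {
    "schemaVersion": "1.0.0",
    "version": "v2026-01-22",
    "profile": "production",
    "contentHash": PLACEHOLDER,
    "signalWeightsForEntropy": {"vex": 0.25, "reachability": 0.25, "epss": 0.15,
                                "runtime": 0.15, "backport": 0.10, "sbomLineage": 0.10},
}

def canonical_bytes(manifest: dict) -> bytes:
    """Assumed canonical form: sorted keys, compact JSON, UTF-8."""
    doc = copy.deepcopy(manifest)
    doc["contentHash"] = PLACEHOLDER  # the digest must not cover itself
    return json.dumps(doc, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def compute_content_hash(manifest: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical_bytes(manifest)).hexdigest()

def stamp(manifest: dict) -> dict:
    """Build step: return a copy with the placeholder replaced by the digest."""
    if manifest.get("contentHash") != PLACEHOLDER:
        raise ValueError("contentHash is not the placeholder; refusing to overwrite")
    stamped = copy.deepcopy(manifest)
    stamped["contentHash"] = compute_content_hash(manifest)
    return stamped

def verify(manifest: dict) -> bool:
    """Load-time check: fail closed on a placeholder, missing, or wrong hash."""
    recorded = manifest.get("contentHash")
    if not isinstance(recorded, str) or recorded == PLACEHOLDER:
        return False
    expected = compute_content_hash(manifest)
    return hmac.compare_digest(recorded.encode("utf-8"), expected.encode("utf-8"))

if __name__ == "__main__":
    built = stamp(SAMPLE)
    print(built["contentHash"], verify(built), verify(SAMPLE))
```

A verifier written in another language has to reproduce the same byte serialization, number formatting included, or valid manifests will fail the check.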