# AGENTS.md - Policy Unknowns Library

## Purpose

- Provide deterministic ranking for unknown findings using uncertainty, exploit pressure, decay, and containment signals.
- Maintain stable, reproducible scoring and band assignment.

## Required Reading

- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/policy/architecture.md
- docs-archived/product/advisories/2025-12-21-moat-gap-closure/14-Dec-2025 - Triage and Unknowns Technical Reference.md

## Working Directory

- src/Policy/__Libraries/StellaOps.Policy.Unknowns/

## Signal Sources

### BlastRadius

- Source: Scanner/Signals module call graph analysis.
- Dependents: count of packages in the dependency tree.
- NetFacing: reachability from network entrypoints (HTTP controllers, gRPC, etc.).
- Privilege: extracted from container config or runtime probes.

### ContainmentSignals

- Source: runtime probes (eBPF, Seccomp profiles, container inspection).
- Seccomp: profile enforcement status.
- FileSystem: mount mode from the container spec or /proc/mounts.
- NetworkPolicy: Kubernetes NetworkPolicy or firewall rules.

### Data Flow

1. Scanner generates BlastRadius during SBOM or call graph analysis.
2. Runtime probes collect ContainmentSignals.
3. Signals are stored in policy.unknowns columns.
4. UnknownRanker reads signals for scoring and explainability.

## Engineering Rules

- Target net10.0 with preview features already enabled in the repo.
- Determinism: stable ordering, UTC timestamps, and decimal math for scoring.
- No network dependencies inside ranking logic.
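The sketch below is an added illustration of how the Signal Sources and Engineering Rules above fit together in a ranker; it is not code from StellaOps.Policy.Unknowns. The record shapes, field names, weights, decay window and band thresholds are all assumptions made for the example; only the signal names (BlastRadius, ContainmentSignals, UnknownRanker) come from this document.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical signal shapes: names mirror the signal sources described above,
// but the fields and weights are assumptions, not the library's real schema.
public sealed record BlastRadius(int Dependents, bool NetFacing, bool Privileged);
public sealed record ContainmentSignals(bool SeccompEnforced, bool ReadOnlyFileSystem, bool NetworkPolicyPresent);
public sealed record UnknownFinding(string Id, BlastRadius Blast, ContainmentSignals Containment,
    decimal Uncertainty, decimal ExploitPressure, DateTimeOffset FirstSeenUtc);

public static class UnknownRanker
{
    // Deterministic score: decimal math only, no clock reads and no I/O inside scoring.
    // 'nowUtc' is passed in by the caller so identical inputs always give identical output.
    public static decimal Score(UnknownFinding f, DateTimeOffset nowUtc)
    {
        // Exposure grows with dependents (capped at 100), network reachability and privilege.
        decimal exposure = Math.Min(f.Blast.Dependents, 100) / 100m
                         + (f.Blast.NetFacing ? 0.5m : 0m)
                         + (f.Blast.Privileged ? 0.5m : 0m);

        // Each enforced containment control removes a fixed share of the pressure.
        decimal containment = 1m
            - (f.Containment.SeccompEnforced ? 0.2m : 0m)
            - (f.Containment.ReadOnlyFileSystem ? 0.2m : 0m)
            - (f.Containment.NetworkPolicyPresent ? 0.2m : 0m);

        // Linear decay over 90 days (assumed window), floored at 0.25 so old unknowns never vanish.
        int ageDays = (int)(nowUtc.ToUniversalTime() - f.FirstSeenUtc.ToUniversalTime()).TotalDays;
        decimal decay = Math.Max(0.25m, 1m - Math.Max(0, ageDays) / 90m);

        decimal raw = (f.Uncertainty + f.ExploitPressure) * exposure * containment * decay;
        return Math.Round(raw, 4, MidpointRounding.ToEven); // fixed rounding keeps results reproducible
    }

    // Band thresholds are assumptions for this example.
    public static string Band(decimal score) =>
        score >= 1.5m ? "critical" : score >= 0.75m ? "high" : score >= 0.25m ? "medium" : "low";

    // Stable ordering: score descending, then Id with an ordinal comparison,
    // so equal scores never reorder between runs, machines or cultures.
    public static IReadOnlyList<(UnknownFinding Finding, decimal Score, string Band)> Rank(
        IEnumerable<UnknownFinding> findings, DateTimeOffset nowUtc) =>
        findings.Select(f => { var s = Score(f, nowUtc); return (Finding: f, Score: s, Band: Band(s)); })
                .OrderByDescending(t => t.Score)
                .ThenBy(t => t.Finding.Id, StringComparer.Ordinal)
                .ToList();
}
```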