# EPSS Threshold Policy Gate

## Module

Policy

## Status

IMPLEMENTED

## Description

Policy gate that evaluates EPSS probability thresholds to block or allow releases based on configurable risk bands and delta thresholds.

## Implementation Details

- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs` -- multi-gate evaluation including EPSS-aware gates
  - EPSS thresholds integrated into evidence and confidence gate evaluation
  - Gate result types: Pass, PassWithNote, Warn, Block, Skip
- **UnknownRanker EPSS Scoring**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs` -- EPSS exploit pressure
  - EPSS >= 0.90: +0.30 (critical exploit likelihood)
  - EPSS >= 0.50: +0.15 (significant exploit likelihood)
  - CVSS >= 9.0: +0.05 (additional severity factor)
  - Combined with KEV status (+0.50) for total exploit pressure
  - Exploit pressure feeds into band assignment: Hot >= 75, Warm >= 50, Cold >= 25
- **Risk Profile Scoring**: `src/Policy/StellaOps.Policy.Engine/Scoring/` -- EPSS as scoring signal
  - `ScoringProfileService.cs` -- profile configuration includes EPSS weights
  - `ScorePolicyService.cs` -- EPSS threshold evaluation per policy
  - `IScoringEngine.cs` interface with EPSS-aware implementations
- **CVSS + EPSS Combined Scoring**: `src/Policy/StellaOps.Policy.Scoring/` -- CVSS and EPSS used together
  - CVSS provides severity; EPSS provides exploit probability
  - Combined score informs gate decisions
- **Risk Budget Integration**: EPSS-driven unknowns affect budget consumption

## E2E Test Plan

- [ ] Configure EPSS threshold gate at 0.80; evaluate finding with EPSS=0.85; verify gate blocks
- [ ] Configure EPSS threshold gate at 0.80; evaluate finding with EPSS=0.50; verify gate allows
- [ ] Verify EPSS + KEV combination: KEV=true with EPSS=0.95 produces exploit pressure 0.80 (0.50+0.30)
- [ ] Verify EPSS + KEV combination: KEV=true with EPSS=0.50 produces exploit pressure 0.65 (0.50+0.15)
- [ ] Verify HOT band assignment for finding with total score >= 75 (high EPSS + high uncertainty)
- [ ] Verify band transition from WARM to HOT when EPSS score increases above 0.90
- [ ] Verify EPSS delta: finding with rising EPSS triggers re-evaluation
- [ ] Verify scoring profile weights EPSS contribution correctly
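The exploit-pressure increments, the threshold gate and the band cut-offs described above, as an added C# example that is not the StellaOps implementation. Class, method and parameter names are assumed; treating a missing EPSS value as `Skip`, and the shape of the delta rule (re-evaluate when EPSS rises by at least a configured amount), are also assumptions rather than behaviour the page states.

```csharp
using System;

// Added example, not StellaOps code. The numeric increments and band cut-offs are the
// ones listed on this page; everything else (names, Skip handling, delta rule) is assumed.
public enum GateResult { Pass, PassWithNote, Warn, Block, Skip }
public enum UnknownBand { Hot, Warm, Cold, None }

public static class EpssPolicyExample
{
    // Exploit pressure: KEV +0.50; EPSS >= 0.90 +0.30, otherwise EPSS >= 0.50 +0.15; CVSS >= 9.0 +0.05.
    // The two EPSS tiers are mutually exclusive so a single finding never earns both increments.
    public static double ExploitPressure(bool isKev, double epss, double cvss)
    {
        double pressure = 0.0;
        if (isKev) pressure += 0.50;
        if (epss >= 0.90) pressure += 0.30;
        else if (epss >= 0.50) pressure += 0.15;
        if (cvss >= 9.0) pressure += 0.05;
        return Math.Round(pressure, 2);
    }

    // Threshold gate: Block when the finding's EPSS meets or exceeds the configured threshold.
    // Assumption: a finding with no EPSS record is skipped rather than silently passed.
    public static GateResult EvaluateEpssGate(double? epss, double blockThreshold)
    {
        if (epss is null) return GateResult.Skip;
        return epss.Value >= blockThreshold ? GateResult.Block : GateResult.Pass;
    }

    // Band assignment from the total unknown score: Hot >= 75, Warm >= 50, Cold >= 25.
    // How exploit pressure is scaled into the total score is not specified on the page,
    // so the caller supplies the total.
    public static UnknownBand AssignBand(double totalScore) =>
        totalScore >= 75 ? UnknownBand.Hot :
        totalScore >= 50 ? UnknownBand.Warm :
        totalScore >= 25 ? UnknownBand.Cold : UnknownBand.None;

    // Delta rule (assumed shape): a rise of at least deltaThreshold triggers re-evaluation.
    public static bool RequiresReevaluation(double previousEpss, double currentEpss, double deltaThreshold) =>
        currentEpss - previousEpss >= deltaThreshold;

    public static void Main()
    {
        Console.WriteLine(EvaluateEpssGate(0.85, 0.80));              // Block
        Console.WriteLine(EvaluateEpssGate(0.50, 0.80));              // Pass
        Console.WriteLine(EvaluateEpssGate(null, 0.80));              // Skip
        Console.WriteLine(ExploitPressure(true, 0.95, 7.5));          // 0.8
        Console.WriteLine(ExploitPressure(true, 0.50, 7.5));          // 0.65
        Console.WriteLine(AssignBand(78));                            // Hot
        Console.WriteLine(RequiresReevaluation(0.40, 0.91, 0.10));    // True
    }
}
```

The `Main` method walks the gate and exploit-pressure cases from the E2E test plan so the expected outcomes can be checked by eye before the real gate is exercised.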