# Risk Budget Model (Service Tiers + Risk Points)

## Module
Policy

## Status
IMPLEMENTED

## Description
Complete risk budget system with service tier-based scoring, risk point computation, budget ledger tracking, constraint enforcement, threshold notifications, capacity replenishment, and persistence. Includes API endpoints and property-based tests for monotonicity.

## Implementation Details
- **RiskSimulationService**: `src/Policy/StellaOps.Policy.Engine/Simulation/RiskSimulationService.cs`
  - Signal-based risk point computation: Boolean (0/1), Numeric (direct), Categorical (mapped weight)
  - Severity mapping: Critical>=90, High>=70, Medium>=40, Low>=10
  - Distribution calculation with 10 buckets, 6 percentiles (p25/p50/p75/p90/p95/p99)
  - Aggregate metrics: total, mean, median, stddev, severity breakdown
- **UnknownRanker**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs`
  - Two-factor risk score: Score = (Uncertainty * 50) + (ExploitPressure * 50)
  - Band assignment: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
  - Containment reduction capped at 40% (Seccomp 10%, FsRO 10%, Isolated 15%, etc.)
  - Decay buckets for time-based scoring adjustments
- **UnknownBudgetService** / **UnknownsBudgetEnforcer**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/`
  - Per-service budget constraints with Green/Yellow/Red/Exhausted thresholds
  - Budget enforcement blocks releases when Exhausted
- **LedgerExportService**: `src/Policy/StellaOps.Policy.Engine/Ledger/LedgerExportService.cs` -- budget ledger persistence
- **BudgetEndpoints** / **RiskBudgetEndpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/` -- API for budget CRUD and evaluation
- **Scoring engines**: `src/Policy/StellaOps.Policy.Engine/Scoring/Engines/` -- SimpleScoringEngine, AdvancedScoringEngine, ProofAwareScoringEngine
- **ScoringProfileService**: `src/Policy/StellaOps.Policy.Engine/Scoring/ScoringProfileService.cs` -- configurable scoring profiles with weighted signals

## E2E Test Plan
- [ ] Compute risk points for finding with Critical severity (CVSS>=9.0, EPSS>=0.90); verify score >= 90
- [ ] Compute risk points for finding with Low severity (CVSS=3.0); verify score maps to Low range (10-39)
- [ ] Compute risk points with containment reduction (Seccomp + FsRO); verify 20% reduction applied
- [ ] Verify score monotonicity: higher CVSS/EPSS always produces higher or equal score
- [ ] Compute aggregate risk for 10 findings; verify distribution has 10 buckets, valid percentiles
- [ ] Verify severity breakdown: Critical count + High count + Medium count + Low count = total findings
- [ ] Create budget with tier-based limits; consume RP; verify threshold transitions (Green -> Yellow -> Red -> Exhausted)
- [ ] Verify budget capacity replenishment: resolve 5 findings; verify remaining capacity increases
- [ ] Verify ProofAwareScoringEngine includes proof references in scored output
- [ ] Verify scoring profile weights CVSS, EPSS, reachability contributions correctly