policy "Baseline Production Policy" syntax "stella-dsl@1" {
  metadata {
    description = "Block critical, escalate high, enforce VEX justifications."
    tags = ["baseline","production"]
  }

  profile severity {
    map vendor_weight {
      source "GHSA" => +0.5
      source "OSV" => +0.0
      source "VendorX" => -0.2
    }
    env exposure_adjustments {
      if env.exposure == "internet" then +0.5
      if env.runtime == "legacy" then +0.3
    }
  }

  rule block_critical priority 5 {
    when severity.normalized >= "Critical"
    then status := "blocked"
    because "Critical severity must be remediated before deploy."
  }

  rule escalate_high_internet {
    when severity.normalized == "High" and env.exposure == "internet"
    then escalate to severity_band("Critical")
    because "High severity on internet-exposed asset escalates to critical."
  }

  rule require_vex_justification {
    when vex.any(status in ["not_affected","fixed"])
      and vex.justification in ["component_not_present","vulnerable_code_not_present"]
    then status := vex.status
      annotate winning_statement := vex.latest().statementId
    because "Respect strong vendor VEX claims."
  }

  rule alert_warn_eol_runtime priority 1 {
    when severity.normalized <= "Medium" and sbom.has_tag("runtime:eol")
    then warn message "Runtime marked as EOL; upgrade recommended."
    because "Deprecated runtime should be upgraded."
  }
}