policy "Internal Only Policy" syntax "stella-dsl@1" {
  metadata {
    description = "Lenient policy for internal / dev tenants."
    tags = ["internal","dev"]
  }

  profile severity {
    env exposure_adjustments {
      if env.exposure == "internal" then -0.4
      if env.stage == "dev" then -0.6
    }
  }

  rule block_kev priority 1 {
    when advisory.has_tag("kev")
    then status := "blocked"
    because "Known exploited vulnerabilities must be remediated."
  }

  rule allow_medium_with_warning {
    when severity.normalized == "Medium"
         and env.exposure == "internal"
    then warn message "Medium severity permitted in internal environments."
    because "Allow Medium findings with warning for internal workloads."
  }

  rule accept_vendor_vex {
    when vex.any(status in ["not_affected","fixed"])
    then status := vex.status
         annotate justification := vex.latest().justification
    because "Trust vendor VEX statements for internal scope."
  }

  rule quiet_low_priority {
    when severity.normalized <= "Low"
    then ignore until "2026-01-01T00:00:00Z"
    because "Quiet low severity until next annual remediation sweep."
  }
}