# Blast radius / fleet view

## Module

Policy

## Status

IMPLEMENTED

## Description

Blast radius containment schema and unknown ranker service assess impact across environments and services.

## Implementation Details

- **BlastRadius Model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/BlastRadius.cs` -- `BlastRadius` (sealed record)
  - `Dependents` (int) -- number of packages that directly or transitively depend on this package; 0 indicates isolation
  - `NetFacing` (bool) -- whether the package is reachable from network-facing entrypoints
  - `Privilege` (string?) -- privilege level: root, user, none
- **ContainmentSignals Model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/ContainmentSignals.cs` -- runtime containment posture
  - Seccomp enforcement status, filesystem mode (ro/rw), network policy (isolated/connected)
- **UnknownRanker Integration**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs` -- blast radius is integrated into the `ComputeContainmentReduction` method
  - Isolated package (Dependents=0): 15% risk reduction
  - Not network-facing: 5% risk reduction
  - Non-root privilege (user/none): 5% risk reduction
  - Seccomp enforced: 10% reduction; read-only filesystem: 10% reduction; network isolated: 5% reduction
  - Maximum containment reduction capped at 40%
  - Applied after time-based decay: `finalScore = decayedScore * (1 - containmentReduction)`
- **UnknownRankerOptions**: Configurable reductions via `IsolatedReduction`, `NotNetFacingReduction`, `NonRootReduction`, `SeccompEnforcedReduction`, `FsReadOnlyReduction`, `NetworkIsolatedReduction`, `MaxContainmentReduction`
- **Unknown Model**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs` -- unknown entity with blast radius reference
- **Unknowns Budget Enforcer**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/UnknownsBudgetEnforcer.cs` -- enforces blast radius-aware budget thresholds
- **Unknowns Endpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs` -- REST API for querying unknowns with blast radius data

## E2E Test Plan

- [ ] Rank an unknown with `Dependents=0, NetFacing=false, Privilege="none"` and verify containment reduction is 25% (15+5+5)
- [ ] Rank an unknown with `Dependents=50, NetFacing=true, Privilege="root"` and verify containment reduction is 0%
- [ ] Rank an unknown with full containment signals (seccomp=enforced, fs=ro, network=isolated) and blast radius isolation; verify capped at 40% max reduction
- [ ] Query unknowns API and verify each unknown includes blast radius data (dependents, netFacing, privilege)
- [ ] Verify a high-score unknown (HOT band) drops to WARM band when isolated package containment is applied
- [ ] Verify containment reduction is disabled when `EnableContainmentReduction=false` in options
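As an added illustration (not the project's `UnknownRanker` code), the stand-alone Python model below reproduces the reduction rules, the 40% cap and the post-decay formula listed above, so the ranking cases in the E2E plan can be checked by hand. The Python dataclass names, and treating an unknown (`None`) privilege or missing runtime signals as earning no reduction, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Stand-alone model of the page's rules; not the StellaOps UnknownRanker code.
@dataclass(frozen=True)
class BlastRadius:
    dependents: int            # packages depending on this one; 0 means isolated
    net_facing: bool           # reachable from network-facing entrypoints
    privilege: Optional[str]   # "root", "user", "none"; None when not known

@dataclass(frozen=True)
class ContainmentSignals:
    seccomp_enforced: bool
    fs_mode: str               # "ro" or "rw"
    network_policy: str        # "isolated" or "connected"

@dataclass(frozen=True)
class UnknownRankerOptions:
    enable_containment_reduction: bool = True
    isolated_reduction: float = 0.15
    not_net_facing_reduction: float = 0.05
    non_root_reduction: float = 0.05
    seccomp_enforced_reduction: float = 0.10
    fs_read_only_reduction: float = 0.10
    network_isolated_reduction: float = 0.05
    max_containment_reduction: float = 0.40

def compute_containment_reduction(blast: BlastRadius, signals: Optional[ContainmentSignals] = None,
                                  opts: UnknownRankerOptions = UnknownRankerOptions()) -> float:
    # Sum the applicable reductions, then cap at the configured maximum.
    if not opts.enable_containment_reduction:
        return 0.0
    reduction = 0.0
    if blast.dependents == 0:
        reduction += opts.isolated_reduction
    if not blast.net_facing:
        reduction += opts.not_net_facing_reduction
    if blast.privilege in ("user", "none"):  # assumption: unknown privilege earns no credit
        reduction += opts.non_root_reduction
    if signals is not None:  # assumption: no runtime signals collected -> no signal credit
        if signals.seccomp_enforced:
            reduction += opts.seccomp_enforced_reduction
        if signals.fs_mode == "ro":
            reduction += opts.fs_read_only_reduction
        if signals.network_policy == "isolated":
            reduction += opts.network_isolated_reduction
    return min(round(reduction, 6), opts.max_containment_reduction)

def final_score(decayed_score: float, reduction: float) -> float:
    return decayed_score * (1 - reduction)  # containment is applied after time-based decay
```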