# Unknowns Decay and Triage Queue ## Module Policy ## Status IMPLEMENTED ## Description Unknowns ranking and API endpoints exist. BlastRadius model present with database migration. The full time-based decay algorithm and containment signals ranking were identified as gaps in the archive manifest. ## What's Implemented - **DecayedConfidenceCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs` - Exponential decay formula: `max(floor, baseConfidence * exp(-ln(2) * ageDays / halfLifeDays))` - Configurable half-life (default 14 days) and floor - OpenTelemetry histogram: `stellaops_determinization_decay_multiplier` - **ObservationDecay**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs` - Per-observation decay state: BaseConfidence, ObservedAt, HalfLifeDays=14, Floor=0.35, StalenessThreshold=0.50 - `CalculateDecay(now)`: computes current decayed confidence - `CheckIsStale(now)`: returns true when decayed confidence falls below staleness threshold - Factory methods: `Create()`, `Fresh()`, `WithSettings()` - **UnknownRanker** (from unchecked features): two-factor scoring `Uncertainty*50 + ExploitPressure*50` - Containment reduction capped at 40% - Band assignment: Hot>=75, Warm>=50, Cold>=25, Ice<25 - **UncertaintyScoreCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs` - Entropy-based uncertainty from 6 signal dimensions - Signal gap tracking (which signals are missing) - **Risk budget API endpoints** (from unchecked features): budget tracking, ledger, Green/Yellow/Red/Exhausted thresholds - **Unknown budget policy enforcement** (from unchecked features): UncertaintyTierGate (gate 4 in pipeline) ## What's Missing - **Time-based decay triage queue**: No service that automatically re-queues unknowns for triage when their confidence decays below the staleness threshold - **Triage queue UI**: No frontend triage interface showing unknowns sorted by decay urgency - **Automated re-analysis triggering**: ObservationDecay tracks staleness but no event-driven mechanism triggers re-analysis when an unknown becomes stale - **Containment signal integration**: The advisory describes containment signals (WAF rules, network segmentation, runtime controls) reducing unknown scores -- this is partially in UnknownRanker but not connected to real containment data sources - **Decay notification**: No notification system alerting when high-priority unknowns decay below acceptable confidence - **Historical decay tracking**: DecayedConfidenceCalculator computes point-in-time decay but no ledger tracks confidence decay history over time ## Implementation Plan - Create `UnknownTriageQueueService` that periodically evaluates ObservationDecay.CheckIsStale() and queues stale unknowns for re-analysis - Add event-driven triggers (e.g., background job or message queue) when confidence drops below threshold - Build triage queue frontend component showing unknowns sorted by urgency (band + decay rate) - Integrate containment signal sources (WAF, network, runtime) as inputs to UnknownRanker - Add decay history ledger for audit trail ## Related Documentation - Decay calculator: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs` - Observation decay model: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs` - Unknowns ranking (unchecked): `docs/features/unchecked/policy/unknowns-ranking-algorithm.md`