# Unknown Budget Policy Enforcement

## Module

Policy

## Status

IMPLEMENTED

## Description

Unknown budget enforcement with environment-aware thresholds, supporting policy evaluation that can fail or warn based on unknown counts by type.

## Implementation Details

- **UnknownsBudgetEnforcer**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownsBudgetEnforcer.cs`
  - Enforces budget constraints based on unknown counts by type
  - Threshold levels: Green (within limits), Yellow (warning), Red (over budget), Exhausted (blocked)
  - Environment-aware: different thresholds for production vs staging vs development
- **UnknownBudgetService**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownBudgetService.cs`
  - Budget management: create, query, consume, replenish
  - Per-type budget tracking (reachability unknowns, identity unknowns, VEX gaps, etc.)
- **UnknownRanker**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs`
  - Ranks unknowns by a two-factor score: (Uncertainty * 50) + (ExploitPressure * 50)
  - Reason codes: AnalyzerLimit, Reachability, Identity, Provenance, VexConflict, FeedGap, ConfigUnknown
  - Band assignment: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
- **PolicyGateEvaluator Uncertainty Tier gate**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs`
  - The Uncertainty Tier gate (4th in the pipeline) evaluates unknown counts against thresholds
  - Tiers: T1 (high uncertainty -> strictest enforcement) through T4 (negligible -> most permissive)
- **BudgetEndpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/BudgetEndpoints.cs` -- API for budget management
- **RiskBudgetEndpoints**: `src/Policy/StellaOps.Policy.Engine/Endpoints/RiskBudgetEndpoints.cs` -- API for budget evaluation

## E2E Test Plan

- [ ] Set budget limit for reachability unknowns=10; report 5 unknowns; verify status Green
- [ ] Set budget limit for reachability unknowns=10; report 8 unknowns; verify status Yellow (warning)
- [ ] Set budget limit for reachability unknowns=10; report 12 unknowns; verify status Red/Exhausted
- [ ] Verify environment-aware thresholds: production has stricter limits than development
- [ ] Evaluate through PolicyGateEvaluator with T1 uncertainty tier; verify Uncertainty gate blocks
- [ ] Evaluate through PolicyGateEvaluator with T4 uncertainty tier; verify Uncertainty gate passes
- [ ] Consume unknowns budget; resolve some unknowns; verify budget capacity restored
- [ ] Query budget status via API; verify response includes per-type counts and thresholds
- [ ] Verify Hot-band unknowns consume more budget than Cold-band unknowns
- [ ] Verify Exhausted budget escalates gate level in PolicyGateEvaluator
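The following is an added, stand-alone illustration of the ranking and budget-threshold logic described under UnknownRanker and UnknownsBudgetEnforcer, and of the environment-aware and band-weighted checks in the test plan. It is not StellaOps code. Only the score formula, the band cut-offs, the reason codes and the Green/Yellow/Red/Exhausted level names come from this page; the type names (`Ranker`, `BudgetEnforcer`, `DeployEnv`), the assumption that both score factors are normalized to [0,1], the per-band budget weights (Hot 3, Warm 2, Cold 1, Negligible 0), the environment multipliers (production 1.0x, staging 1.5x, development 2.0x) and the percentage cut-offs for Yellow, Red and Exhausted are assumptions chosen so that the sample reproduces the Green/Yellow/Red progression the test plan expects.

```csharp
// Added illustration; NOT StellaOps code. Score formula, bands and level names follow
// the page; every numeric cut-off, weight and multiplier below is an assumption.
using System;
using System.Collections.Generic;
using System.Linq;

enum UnknownReason { AnalyzerLimit, Reachability, Identity, Provenance, VexConflict, FeedGap, ConfigUnknown }
enum Band { Hot, Warm, Cold, Negligible }
enum BudgetLevel { Green, Yellow, Red, Exhausted }
enum DeployEnv { Production, Staging, Development }   // hypothetical name

// Uncertainty and ExploitPressure are assumed to be normalized to [0,1].
record Unknown(string Id, UnknownReason Reason, double Uncertainty, double ExploitPressure);

static class Ranker   // hypothetical stand-in for UnknownRanker
{
    // Two-factor score from the page: (Uncertainty * 50) + (ExploitPressure * 50).
    public static double Score(Unknown u)
    {
        static double Clamp(double x) => Math.Clamp(x, 0.0, 1.0);
        return Clamp(u.Uncertainty) * 50 + Clamp(u.ExploitPressure) * 50;
    }

    // Band cut-offs from the page: Hot >= 75, Warm >= 50, Cold >= 25, otherwise Negligible.
    public static Band BandOf(double score) => score switch
    {
        >= 75 => Band.Hot,
        >= 50 => Band.Warm,
        >= 25 => Band.Cold,
        _     => Band.Negligible,
    };

    // ASSUMPTION: hotter bands consume more budget units; the page only says Hot > Cold.
    public static int Weight(Band b) => b switch
    {
        Band.Hot  => 3,
        Band.Warm => 2,
        Band.Cold => 1,
        _         => 0,
    };
}

static class BudgetEnforcer   // hypothetical stand-in for UnknownsBudgetEnforcer
{
    // ASSUMPTION: production keeps the configured limit; lower environments get headroom.
    static double Multiplier(DeployEnv env) => env switch
    {
        DeployEnv.Production => 1.0,
        DeployEnv.Staging    => 1.5,
        _                    => 2.0,
    };

    public static int EffectiveLimit(int baseLimit, DeployEnv env) =>
        (int)Math.Floor(baseLimit * Multiplier(env));

    // ASSUMPTION: Yellow from 70% of the limit, Red once over it, Exhausted at 150% or more.
    public static BudgetLevel Evaluate(int consumed, int limit)
    {
        if (limit <= 0) return BudgetLevel.Exhausted;        // no capacity at all: block
        double ratio = (double)consumed / limit;
        if (ratio >= 1.5) return BudgetLevel.Exhausted;
        if (ratio > 1.0)  return BudgetLevel.Red;
        if (ratio >= 0.7) return BudgetLevel.Yellow;
        return BudgetLevel.Green;
    }

    // Per-type evaluation: group unknowns by reason code, sum their band weights,
    // and compare the total with the environment-adjusted limit for that type.
    public static Dictionary<UnknownReason, (int Consumed, int Limit, BudgetLevel Level)> EvaluateByType(
        IEnumerable<Unknown> unknowns, IReadOnlyDictionary<UnknownReason, int> baseLimits, DeployEnv env)
    {
        var result = new Dictionary<UnknownReason, (int Consumed, int Limit, BudgetLevel Level)>();
        foreach (var (reason, baseLimit) in baseLimits)
        {
            int limit = EffectiveLimit(baseLimit, env);
            int consumed = unknowns.Where(u => u.Reason == reason)
                                   .Sum(u => Ranker.Weight(Ranker.BandOf(Ranker.Score(u))));
            result[reason] = (consumed, limit, Evaluate(consumed, limit));
        }
        return result;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample unknowns (not real findings); comments give score -> band -> weight.
        var unknowns = new List<Unknown>
        {
            new("finding-1", UnknownReason.Reachability, 0.9, 0.8), // 85 -> Hot -> 3
            new("finding-2", UnknownReason.Reachability, 0.9, 0.6), // 75 -> Hot -> 3
            new("finding-3", UnknownReason.Reachability, 0.6, 0.5), // 55 -> Warm -> 2
            new("finding-4", UnknownReason.Reachability, 0.3, 0.2), // 25 -> Cold -> 1
            new("finding-5", UnknownReason.Reachability, 0.2, 0.1), // 15 -> Negligible -> 0
            new("finding-6", UnknownReason.VexConflict,  1.0, 0.6), // 80 -> Hot -> 3
        };
        var baseLimits = new Dictionary<UnknownReason, int>
        {
            [UnknownReason.Reachability] = 10,   // consumed 9: Yellow in prod, Green in dev
            [UnknownReason.VexConflict]  = 2,    // consumed 3: Exhausted in prod, Yellow in dev
        };
        foreach (var env in new[] { DeployEnv.Production, DeployEnv.Development })
            foreach (var (reason, r) in BudgetEnforcer.EvaluateByType(unknowns, baseLimits, env))
                Console.WriteLine($"{env,-11} {reason,-12} consumed={r.Consumed} limit={r.Limit} -> {r.Level}");
    }
}
```

Running the demo shows the same reachability unknowns landing in Yellow against the production limit of 10 and in Green against the doubled development limit, which is the environment-aware behaviour the test plan checks; the single Hot VEX-conflict unknown exhausts a budget of 2 on its own because of its band weight, whereas a Cold unknown of the same type would have consumed only one unit.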