---
# Stella Ops Starter Policy Pack - Base Configuration
# Version: 1.0.0
#
# Core policy rules that apply across all environments.
# Environment-specific overrides live in the overrides/ directory.
#
# Override precedence: base.yaml < overrides/<ENV>.yaml
# (<ENV> stands for the per-environment file; the exact token was not
# readable in the source this was reformatted from)
apiVersion: policy.stellaops.io/v1
kind: PolicyPack

metadata:
  name: starter-day1
  version: "1.0.0"
  description: "Production-ready starter policy - Base configuration"

spec:
  settings:
    # Fallback action. NOTE(review): the `default-allow` rule below matches
    # every finding at priority 0, so whether this value is ever consulted
    # depends on the engine's evaluation order - confirm against engine docs.
    defaultAction: warn
    # Fraction of unknown-status findings above which `fail-on-unknowns`
    # blocks (referenced by that rule via ${settings.unknownsThreshold}).
    unknownsThreshold: 0.05
    requireSignedSbom: true
    requireSignedVerdict: true
    minimumVexTrustScore: 0.5

  # Core rules - see ../starter-day1.yaml for full documentation.
  # Each rule carries a numeric priority; highest-priority-first evaluation
  # is assumed here but not shown in this file - confirm against the engine.
  rules:
    # Reachable HIGH/CRITICAL findings are blocked unless a VEX statement
    # says not_affected and supplies one of the listed justifications
    # (any-of semantics for the list assumed - verify with the engine).
    - name: block-reachable-high-critical
      priority: 100
      match:
        severity:
          - CRITICAL
          - HIGH
        reachability: reachable
      unless:
        vexStatus: not_affected
        vexJustification:
          - vulnerable_code_not_present
          - vulnerable_code_cannot_be_controlled_by_adversary
          - inline_mitigations_already_exist
      action: block

    # Reachable MEDIUM findings only warn; a not_affected VEX statement
    # (no justification required) suppresses the warning.
    - name: warn-reachable-medium
      priority: 90
      match:
        severity: MEDIUM
        reachability: reachable
      unless:
        vexStatus: not_affected
      action: warn

    # Anything the reachability analysis marks unreachable is allowed but
    # logged, so the decision stays auditable.
    - name: allow-unreachable
      priority: 80
      match:
        reachability: unreachable
      action: allow
      log: true

    # Aggregate rule (evaluated over the whole result set, not per finding):
    # block when the share of unknown-status findings exceeds the threshold.
    # The reference is quoted so every YAML parser keeps it as a string.
    - name: fail-on-unknowns
      priority: 200
      type: aggregate
      match:
        unknownsRatio:
          gt: "${settings.unknownsThreshold}"
      action: block

    # Known-exploited (KEV) findings that are reachable are blocked
    # regardless of severity.
    # NOTE(review): unlike block-reachable-high-critical, the exemption here
    # accepts a bare not_affected without any vexJustification, and an
    # unreachable KEV entry falls through to allow-unreachable - confirm
    # both are intended for a KEV-class finding.
    - name: block-kev
      priority: 110
      match:
        kev: true
        reachability: reachable
      unless:
        vexStatus: not_affected
      action: block

    # Catch-all: whatever no higher-priority rule decided is allowed.
    - name: default-allow
      priority: 0
      match:
        always: true
      action: allow