---
# Stella Ops Starter Policy - Production Override
# Version: 1.0.0
#
# Override applied on top of the `starter-day1` parent policy for the
# production environment. Intent, as stated by the policy author:
#   - every blocking rule stays enforced
#   - the tolerated share of unknowns is lowered
#   - signed artifacts are mandatory
#   - a higher VEX trust score is demanded
#
# NOTE(review): the parent policy's own values are not part of this file, so
# "stricter than the base" should be confirmed against `starter-day1`.

apiVersion: policy.stellaops.io/v1
kind: PolicyOverride

metadata:
  name: starter-day1-production
  # Quoted so the version stays a string and is never retyped by a parser.
  version: '1.0.0'
  parent: starter-day1
  environment: production
  description: 'Strict settings for production deployments'

spec:
  # Production-wide settings.
  settings:
    # Anything not otherwise decided is blocked in production.
    defaultAction: block
    # Ratio, not a percentage: 0.03 means at most 3% unknowns.
    unknownsThreshold: 0.03
    # Both the SBOM and the verdict must be signed.
    requireSignedSbom: true
    requireSignedVerdict: true
    # Minimum VEX trust score accepted in production.
    minimumVexTrustScore: 0.7

  # Explicitly empty: this override relaxes none of the parent's rules.
  ruleOverrides: []

  # Rules that exist only in production.
  additionalRules:
    # Applies to findings that carry an exception (`hasException: true`):
    # the exception must be approved and may last at most 30 days.
    # NOTE(review): how `require` and `action: block` combine (presumably
    # "block when the requirement is not met") and where priority 400 sorts
    # relative to the parent's rules are defined by the policy engine -
    # confirm against the PolicyOverride schema.
    - name: require-approval-for-exceptions
      priority: 400
      description: 'Any exception in production requires documented approval'
      match:
        hasException: true
      require:
        exceptionApproval: true
        exceptionExpiry:
          maxDays: 30
      action: block
      message: 'Production exceptions require approval and must expire within 30 days'