git.stella-ops.org/docs/risk/factors.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00


Risk Factors (draft outline)

Draft scaffold; fill once 66-002/66-003 inputs (engine contract + sample payloads) arrive. Keep fixtures deterministic and offline-friendly.

Purpose

  • Catalog supported factors (exploit likelihood, VEX state, reachability, runtime facts, fix availability, asset criticality, provenance trust, tenant overrides) and how they normalize into risk math.

Scope & Audience

  • Audience: risk engineers, policy authors, platform SREs.
  • In scope: factor definitions, required/optional fields, normalization rules, TTLs, provenance expectations.
  • Out of scope: full formula math (see formulas.md), API wiring (see api.md).

Factor Catalog (to fill with schema-backed tables)

  • Exploit likelihood — fields: source, score, last_seen, confidence
  • VEX status — fields: status, justification, impact_statement
  • Reachability — fields: entrypoint, callgraph evidence, runtime observation
  • Runtime facts — fields: host, container, signal type, timestamp (UTC), provenance attestation
  • Fix availability — fields: advisory id, patch released at, mitigation guidance
  • Asset criticality — fields: business tier, data class, tenancy scope
  • Provenance trust — fields: signature status, key id, chain of custody
  • Custom/tenant overrides — fields: override reason, reviewer, expiry/TTL

Normalization Rules (outline)

  • Input validation + schema versioning
  • Unit ranges (0 to 1) and clamping
  • Time decay / TTL handling
  • Precedence rules when multiple sources disagree

Interim notes: follow legacy profile guidance — preserve provenance, never mutate source evidence, and keep ordering stable so explainability hashes are repeatable across UI/CLI/exports.

Determinism & Ordering

  • Sort factors by type then source; stable hashing rules for fixtures.
  • Record SHA256 for sample payloads once provided.
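As an added worked example (not part of this outline and not the Stella Ops risk engine's code), the following Python module models the Normalization Rules and the Determinism & Ordering rules above in one pass: schema check on required fields, clamping into the unit range, linear time decay against a per-type TTL, source precedence when two sources report the same factor type, a stable sort by type then source, and a SHA256 explainability hash over canonical JSON. The field names, the linear decay model, the TTL values and the SOURCE_PRECEDENCE ranking are assumptions made for this demo; the real values wait on the 66-002/66-003 engine contract. The sample payload is constructed, not a 66-003 fixture.

```python
"""Added illustrative model of factor normalization and deterministic ordering.
Not the Stella Ops engine: field names, the linear decay model, TTLs and the
source precedence table are assumptions made for this demo."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed precedence when several sources report the same factor type (higher wins).
SOURCE_PRECEDENCE = {"vendor-vex": 3, "runtime-observation": 2, "feed": 1}

# Assumed TTL per factor type; a factor older than its TTL decays to 0.0 but is kept.
FACTOR_TTL = {
    "exploit_likelihood": timedelta(days=30),
    "reachability": timedelta(days=7),
    "runtime_facts": timedelta(days=1),
}

REQUIRED_FIELDS = ("schema_version", "type", "source", "score", "last_seen")


def clamp01(value):
    """Clamp a numeric score into the unit range [0, 1]; reject non-numeric input."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"score must be numeric, got {value!r}")
    return min(1.0, max(0.0, float(value)))


def decay(score, last_seen, now, ttl):
    """Linear time decay: full weight at last_seen, zero once age reaches ttl."""
    age = now - last_seen
    if age <= timedelta(0):      # clock skew / future timestamp: fresh, never boosted
        return score
    if age >= ttl:
        return 0.0
    return score * (1.0 - age / ttl)


def normalize_factor(raw, now):
    """Validate, clamp and decay one factor. Returns a new dict; raw is never mutated."""
    missing = [f for f in REQUIRED_FIELDS if f not in raw]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    if raw["schema_version"] != 1:
        raise ValueError(f"unsupported schema_version {raw['schema_version']!r}")
    if raw["type"] not in FACTOR_TTL:
        raise ValueError(f"unknown factor type {raw['type']!r}")
    last_seen = datetime.fromisoformat(raw["last_seen"])
    score = decay(clamp01(raw["score"]), last_seen, now, FACTOR_TTL[raw["type"]])
    return {
        "type": raw["type"],
        "source": raw["source"],
        "score": round(score, 6),     # fixed precision keeps the hash stable
        "raw_score": raw["score"],    # source evidence preserved for explainability
        "last_seen": raw["last_seen"],
    }


def resolve_precedence(factors):
    """Keep one factor per type: highest source precedence, then newest, then source name."""
    best = {}
    for f in factors:
        # ISO-8601 strings with the same UTC offset sort chronologically as text.
        rank = (SOURCE_PRECEDENCE.get(f["source"], 0), f["last_seen"], f["source"])
        if f["type"] not in best or rank > best[f["type"]][0]:
            best[f["type"]] = (rank, f)
    return [f for _, f in best.values()]


def order_factors(factors):
    """Stable ordering: by type, then source, independent of input order."""
    return sorted(factors, key=lambda f: (f["type"], f["source"]))


def explainability_hash(ordered):
    """SHA256 over canonical JSON (sorted keys, no whitespace) of the ordered factors."""
    canonical = json.dumps(ordered, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def evaluate(raw_factors, now):
    """Full pass: normalize -> resolve disagreements -> sort -> hash."""
    normalized = [normalize_factor(f, now) for f in raw_factors]
    ordered = order_factors(resolve_precedence(normalized))
    return ordered, explainability_hash(ordered)


# Constructed sample payload (not from the 66-003 fixtures), evaluated at a fixed clock.
NOW = datetime(2025, 12, 5, 21, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"schema_version": 1, "type": "exploit_likelihood", "source": "feed",
     "score": 1.7, "last_seen": "2025-12-05T21:00:00+00:00"},   # out of range -> clamped
    {"schema_version": 1, "type": "exploit_likelihood", "source": "vendor-vex",
     "score": 0.4, "last_seen": "2025-11-20T21:00:00+00:00"},   # 15d old, 30d TTL -> halved
    {"schema_version": 1, "type": "runtime_facts", "source": "runtime-observation",
     "score": 0.9, "last_seen": "2025-12-03T21:00:00+00:00"},   # past 1d TTL -> 0.0, kept
    {"schema_version": 1, "type": "reachability", "source": "feed",
     "score": 0.6, "last_seen": "2025-12-04T21:00:00+00:00"},   # 1d of 7d TTL elapsed
]

if __name__ == "__main__":
    factors, digest = evaluate(SAMPLE, NOW)
    for f in factors:
        print(f"{f['type']:<20} {f['source']:<20} {f['score']}")
    print("explainability hash:", digest)
```

Two points the sample is built to show: the vendor VEX entry wins the exploit-likelihood slot on precedence even though the feed's clamped score is higher, and the expired runtime fact stays in the output at 0.0 with its raw score intact rather than being dropped, so the explainability hash still accounts for it. Feeding the same payload in reverse order produces the same hash, which is the property the fixtures need.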

Open Items

  • Engine contract and sample payloads for each factor
  • TTL/decay parameters from Risk Engine Guild
  • Provenance attestation examples

References

  • docs/risk/overview.md
  • docs/risk/profiles.md
  • docs/risk/formulas.md
  • docs/risk/api.md