stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
18d87c64c5dafb8fa75276ad1ae3c092fbae2de3
git.stella-ops.org/docs/risk/factors.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00

45 lines
2.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Risk Factors (draft outline)
> Draft scaffold; fill once 66-002/66-003 inputs (engine contract + sample payloads) arrive. Keep fixtures deterministic and offline-friendly.
## Purpose
- Catalog supported factors (exploit likelihood, VEX state, reachability, runtime facts, fix availability, asset criticality, provenance trust, tenant overrides) and how they normalize into risk math.
## Scope & Audience
- Audience: risk engineers, policy authors, platform SREs.
- In scope: factor definitions, required/optional fields, normalization rules, TTLs, provenance expectations.
- Out of scope: full formula math (see `formulas.md`), API wiring (see `api.md`).
## Factor Catalog (to fill with schema-backed tables)
- Exploit likelihood — fields: source, score, last_seen, confidence
- VEX status — fields: status, justification, impact_statement
- Reachability — fields: entrypoint, callgraph evidence, runtime observation
- Runtime facts — fields: host, container, signal type, timestamp (UTC), provenance attestation
- Fix availability — fields: advisory id, patch released at, mitigation guidance
- Asset criticality — fields: business tier, data class, tenancy scope
- Provenance trust — fields: signature status, key id, chain of custody
- Custom/tenant overrides — fields: override reason, reviewer, expiry/TTL
## Normalization Rules (outline)
- Input validation + schema versioning
- Unit ranges (01) and clamping
- Time decay / TTL handling
- Precedence rules when multiple sources disagree
Interim notes: follow legacy profile guidance — preserve provenance, never mutate source evidence, and keep ordering stable so explainability hashes are repeatable across UI/CLI/exports.
## Determinism & Ordering
- Sort factors by type then source; stable hashing rules for fixtures.
- Record SHA256 for sample payloads once provided.
## Open Items
- Engine contract and sample payloads for each factor
- TTL/decay parameters from Risk Engine Guild
- Provenance attestation examples
## References
- `docs/risk/overview.md`
- `docs/risk/profiles.md`
- `docs/risk/formulas.md`
- `docs/risk/api.md`
Reference in New Issue View Git Blame Copy Permalink