stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
18d87c64c5dafb8fa75276ad1ae3c092fbae2de3
git.stella-ops.org/docs/risk/formulas.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00

51 lines
1.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Risk Formulas (draft outline)
> Draft scaffold; fill once 66-003/66-004 inputs (engine rollout notes + factor contract) are available. Keep math examples deterministic with fixed fixtures.
## Purpose
- Describe how normalized factors combine into a 0100 risk score with severity bands.
- Capture gating, weighting, normalization, and override rules.
## Scope & Audience
- Audience: risk engineers, policy authors, auditors.
- In scope: weighting strategies, aggregation functions, severity thresholds, gating rules, tie-breakers.
- Out of scope: full API payloads (see `api.md`), factor definitions (see `factors.md`).
## Formula Building Blocks (to fill)
- Weighted sum / capped contribution
- Max/min guards per factor family
- Threshold gates (e.g., block if exploitability + reachability high)
- Decay/time weighting
- Tenant/asset overrides and imposed rules
## Severity Mapping (outline)
- Proposed bands (example placeholder):
- Critical: 90100
- High: 7089
- Medium: 4069
- Low: 139
- Info: 0
- Final bands pending governance approval; update once PLLG0104 confirms.
## Determinism
- Stable ordering of factors before aggregation.
- Use fixed precision (e.g., 4 decimals) before severity mapping.
- Hash fixtures and record SHA256 for every example payload.
Interim notes: mirror legacy rule — simulation and production must share the exact evaluation codepath; no per-environment divergences. Severity buckets must be deterministic and governed by Authority scopes.
## Examples (placeholders)
- TBD sample JSON: input factors + output score + contributions table.
- TBD CLI/Console screenshots once telemetry assets provided.
## Open Items
- Engine rollout notes for gating/weighting defaults
- Severity band approval
- Sample payloads and UI traces
## References
- `docs/risk/overview.md`
- `docs/risk/profiles.md`
- `docs/risk/factors.md`
- `docs/risk/api.md`
Reference in New Issue View Git Blame Copy Permalink