git.stella-ops.org/docs/risk/overview.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00


Risk Overview (draft outline)

Draft scaffold only. Populate content after PLLG0104 risk profile schema approval and risk engine/API samples land. Keep all fixtures deterministic (UTC timestamps, stable ordering, sealed sample payloads) and avoid external assets.

Purpose

  • Explain the risk model at a glance: factors, formulas, scoring semantics (integer scores from 0 to 100), and severity bands.
  • Show how risk flows through StellaOps services (ingest → evaluate → explain → export) and how provenance is preserved.

Scope & Audience

  • Audience: policy authors, risk engineers, auditors, and SREs consuming risk outputs.
  • In scope: concepts, glossary, lifecycle, artifacts, cross-module data flow diagrams (add after schema approval).
  • Out of scope: detailed factor math (goes to formulas.md), API specifics (goes to api.md).

Core Concepts (to fill)

  • Risk factor vs. evidence vs. signal
  • Profile vs. formula vs. severity mapping
  • Provenance and attestations
  • Explainability payloads and UI/CLI displays
  • Determinism expectations (ordering, timestamps, hashing)

Interim notes (from the legacy doc and sprint context): profiles take normalized factors (exploit likelihood, VEX status, reachability, runtime evidence, fix availability, asset criticality, provenance trust) and output scores from 0 to 100 mapped to severity buckets; simulation and production run through the same code path so that a given profile and evidence set always yields the same score.

Lifecycle (outline)

  1. Evidence ingestion (signals, VEX, reachability, runtime)
  2. Factor normalization
  3. Profile evaluation
  4. Severity assignment + gating
  5. Explainability + observability
  6. Export/archival paths
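The interim notes and the lifecycle steps above describe one pipeline: normalize evidence, weight it with a profile, bucket the score, gate, and emit an explainability payload. The following Python is an added illustration of that shape and is not StellaOps code; the factor names, normalizers, weights, the weighted-sum formula, the severity thresholds, the `*_at` UTC-timestamp check and the explainability envelope layout are all assumptions standing in for the pending PLLG0104 schema. It shows the determinism expectations concretely (sorted factor order, canonical-JSON digests, UTC-only timestamps) and that simulation calls the exact same `evaluate()` as production.

```python
"""Illustrative risk-profile evaluation (added example, not StellaOps code).

Factor names, normalizers, weights, the weighted-sum formula, severity
thresholds and the envelope layout are hypothetical stand-ins for the
pending risk profile schema.
"""
import hashlib
import json
from typing import Any

MISSING_DEFAULT = 0.7  # conservative score for absent evidence (assumption)
VEX_RISK = {"affected": 1.0, "under_investigation": 0.7, "not_affected": 0.0, "fixed": 0.0}
REACH_RISK = {"reachable": 1.0, "unknown": 0.5, "unreachable": 0.0}


def _clamp(x: float) -> float:
    return max(0.0, min(1.0, float(x)))


# Factor normalization: every raw value maps to [0, 1], where 1 = most risk.
NORMALIZERS = {
    "asset_criticality": lambda v: _clamp((int(v) - 1) / 4),        # tier 1..5
    "exploit_likelihood": lambda v: _clamp(v),                        # probability
    "fix_availability": lambda v: 0.2 if v else 1.0,                  # no fix = more risk
    "provenance_trust": lambda v: 1.0 - _clamp(v),                    # trust -> risk
    "reachability": lambda v: REACH_RISK.get(v, REACH_RISK["unknown"]),
    "runtime_evidence": lambda v: 1.0 if v else 0.0,                  # loaded at runtime
    "vex_status": lambda v: VEX_RISK.get(v, MISSING_DEFAULT),         # unknown status
}

# Hypothetical profile: weights sum to 1.0; bands are (inclusive floor, label), highest first.
PRODUCTION_PROFILE = {
    "id": "example-profile", "version": "1",
    "weights": {"asset_criticality": 0.10, "exploit_likelihood": 0.25,
                "fix_availability": 0.10, "provenance_trust": 0.05,
                "reachability": 0.20, "runtime_evidence": 0.15, "vex_status": 0.15},
    "severity_bands": [[90, "critical"], [70, "high"], [40, "medium"], [10, "low"], [0, "info"]],
}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def canonical_digest(obj: Any) -> str:
    """sha256 over canonical JSON: sorted keys, no whitespace, ASCII only."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return "sha256:" + hashlib.sha256(data.encode()).hexdigest()


def evaluate(profile: dict, evidence: dict, observed_at: str) -> dict:
    """Normalize, weight, bucket and explain in one deterministic pass.

    This is the only scoring path; simulate() reuses it unchanged.
    """
    if not observed_at.endswith("Z"):
        raise ValueError("observed_at must be a UTC timestamp ending in 'Z'")
    factors, missing, total = [], [], 0.0
    for name in sorted(profile["weights"]):  # stable factor ordering
        weight = profile["weights"][name]
        if name in evidence:
            raw, norm = evidence[name], NORMALIZERS[name](evidence[name])
        else:  # absent evidence is scored conservatively and flagged, never dropped
            raw, norm = None, MISSING_DEFAULT
            missing.append(name)
        total += weight * norm
        factors.append({"factor": name, "raw": raw, "normalized": round(norm, 4),
                        "weight": weight, "contribution": round(weight * norm, 4)})
    score = int(round(100 * total))
    severity = next(label for floor, label in profile["severity_bands"] if score >= floor)
    envelope = {  # explainability payload: inputs, per-factor contributions, provenance
        "profile": {"id": profile["id"], "version": profile["version"],
                    "digest": canonical_digest(profile)},
        "observed_at": observed_at, "factors": factors,
        "missing_factors": missing, "score": score, "severity": severity,
    }
    envelope["digest"] = canonical_digest(envelope)
    return envelope


def gate(envelope: dict, fail_at: str = "high") -> bool:
    """True when the finding must block (severity at or above the gate)."""
    return SEVERITY_RANK[envelope["severity"]] >= SEVERITY_RANK[fail_at]


def simulate(candidate: dict, production: dict, evidence: dict, observed_at: str) -> dict:
    """Policy simulation: same evaluate(), only the profile differs."""
    base = evaluate(production, evidence, observed_at)
    trial = evaluate(candidate, evidence, observed_at)
    return {"score_delta": trial["score"] - base["score"],
            "severity_before": base["severity"], "severity_after": trial["severity"]}


# Constructed sample finding (not real data); provenance_trust is deliberately absent.
SAMPLE_EVIDENCE = {"vex_status": "affected", "exploit_likelihood": 0.64,
                   "reachability": "reachable", "runtime_evidence": True,
                   "fix_availability": True, "asset_criticality": 4}
SAMPLE_TIME = "2025-12-05T19:24:34Z"

if __name__ == "__main__":
    result = evaluate(PRODUCTION_PROFILE, SAMPLE_EVIDENCE, SAMPLE_TIME)
    print(json.dumps(result, indent=2, sort_keys=True))
    print("blocks:", gate(result))
```

Two properties are worth keeping when the real schema lands: the envelope digest is computed over a canonical serialization, so evidence arriving in a different key order produces byte-identical output, and a missing factor is visible in `missing_factors` rather than silently contributing zero, which is what makes a score auditable.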

Artifacts & Schemas (pending)

  • Risk profile schema: <pending PLLG0104>
  • Risk factor catalog: shared shapes reused by factors.md
  • Explainability envelope: shared with UI/CLI; add JSON examples once provided.

Determinism & Offline Posture

  • Use frozen fixture sets with SHA-256 digest tables (one digest per sealed fixture) so that drift in any sample payload is detected.
  • Document regeneration steps (no live network calls) once payloads arrive.
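As an added example of the fixture posture above (not StellaOps tooling; the fixture names, payloads and the convention that timestamp fields end in `_at` are assumptions), the following Python builds a SHA-256 table over canonically serialized fixtures, refuses to seal a fixture whose timestamps are not plain UTC, and verifies a fixture set against the table entirely offline, reporting changed, missing and untracked entries.

```python
"""Frozen fixture manifest build/verify (added example, not StellaOps tooling).

Fixture names, payloads and the '*_at' timestamp convention are assumptions.
"""
import hashlib
import json
import re
from typing import Any

UTC_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")  # second-precision UTC only


def canonical_bytes(payload: Any) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace, ASCII escapes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def timestamp_violations(payload: Any, path: str = "$") -> list[str]:
    """Paths of '*_at' fields that are not plain UTC 'Z' strings (offsets, fractions, ints)."""
    bad: list[str] = []
    if isinstance(payload, dict):
        for key in sorted(payload):
            value = payload[key]
            if key.endswith("_at") and not (isinstance(value, str) and UTC_RE.match(value)):
                bad.append(f"{path}.{key}")
            bad.extend(timestamp_violations(value, f"{path}.{key}"))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            bad.extend(timestamp_violations(value, f"{path}[{i}]"))
    return bad


def build_manifest(fixtures: dict[str, Any]) -> str:
    """SHA-256 table in sha256sum layout ('<hex>  <name>'), one row per fixture, sorted by name."""
    rows = []
    for name in sorted(fixtures):
        bad = timestamp_violations(fixtures[name])
        if bad:  # refuse to seal a fixture that would not replay identically
            raise ValueError(f"{name}: non-UTC timestamps at {', '.join(bad)}")
        rows.append(f"{hashlib.sha256(canonical_bytes(fixtures[name])).hexdigest()}  {name}")
    return "\n".join(rows) + "\n"


def parse_manifest(text: str) -> dict[str, str]:
    return {name: digest
            for digest, name in (line.split("  ", 1) for line in text.splitlines() if line)}


def verify_fixtures(fixtures: dict[str, Any], manifest_text: str) -> dict[str, str]:
    """Offline check: 'ok', 'changed', 'missing' (in table, not present) or 'untracked'."""
    expected = parse_manifest(manifest_text)
    status = {}
    for name in sorted(set(expected) | set(fixtures)):
        if name not in fixtures:
            status[name] = "missing"
        elif name not in expected:
            status[name] = "untracked"
        else:
            actual = hashlib.sha256(canonical_bytes(fixtures[name])).hexdigest()
            status[name] = "ok" if actual == expected[name] else "changed"
    return status


# Constructed sample payloads, not sealed StellaOps fixtures.
FIXTURES = {
    "risk/profile-example.json": {
        "id": "example-profile", "version": "1",
        "weights": {"reachability": 0.2, "vex_status": 0.15},
    },
    "risk/explain-sample.json": {
        "score": 79, "severity": "high", "observed_at": "2025-12-05T19:24:34Z",
        "factors": [{"factor": "reachability", "normalized": 1.0, "weight": 0.2}],
    },
}
MANIFEST = build_manifest(FIXTURES)

if __name__ == "__main__":
    print(MANIFEST, end="")
    print(verify_fixtures(FIXTURES, MANIFEST))
```

Because the table uses the `sha256sum` two-space layout, the same file can be checked with `sha256sum -c` against fixtures written to disk, provided the files are written from `canonical_bytes()` rather than pretty-printed; a regeneration step is then "rewrite canonical bytes, rebuild the table, diff the table", with no network involved.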

Open Items

  • PLLG0104 schema approval
  • Risk engine API payload samples
  • UI telemetry captures for explainability walkthroughs
  • docs/risk/profiles.md
  • docs/risk/factors.md
  • docs/risk/formulas.md
  • docs/risk/api.md