git.stella-ops.org/docs/risk/overview.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00

# Risk Overview (draft outline)
> Draft scaffold only. Populate content after PLLG0104 risk profile schema approval and risk engine/API samples land. Keep all fixtures deterministic (UTC timestamps, stable ordering, sealed sample payloads) and avoid external assets.
## Purpose
- Explain the risk model at a glance: factors, formulas, scoring semantics (0–100), and severity bands.
- Show how risk flows through StellaOps services (ingest → evaluate → explain → export) and how provenance is preserved.
## Scope & Audience
- Audience: policy authors, risk engineers, auditors, and SREs consuming risk outputs.
- In scope: concepts, glossary, lifecycle, artifacts, cross-module data flow diagrams (add after schema approval).
- Out of scope: detailed factor math (goes to `formulas.md`), API specifics (goes to `api.md`).
## Core Concepts (to fill)
- Risk factor vs. evidence vs. signal
- Profile vs. formula vs. severity mapping
- Provenance and attestations
- Explainability payloads and UI/CLI displays
- Determinism expectations (ordering, timestamps, hashing)
Interim notes (from legacy doc and sprint context): profiles take normalized factors (exploit likelihood, VEX status, reachability, runtime evidence, fix availability, asset criticality, provenance trust) and output 0–100 scores with severity buckets; simulation and production share the same code path to ensure determinism.
## Lifecycle (outline)
1. Evidence ingestion (signals, VEX, reachability, runtime)
2. Factor normalization
3. Profile evaluation
4. Severity assignment + gating
5. Explainability + observability
6. Export/archival paths
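As an added illustration of the interim notes and lifecycle steps above (not StellaOps code, and not the pending risk engine): the factor names follow the interim notes, while the profile weights, severity bands, envelope shape and digest scheme are assumptions until the PLLG0104 schema and `formulas.md` land. It shows why the determinism expectations (fixed factor ordering, caller-supplied UTC timestamp, canonical JSON before hashing) matter for fixture replay.

```python
import hashlib
import json

# Fixed factor order: stable ordering is part of the determinism contract.
FACTORS = (
    "exploit_likelihood", "vex_status", "reachability", "runtime_evidence",
    "fix_availability", "asset_criticality", "provenance_trust",
)
# Hypothetical profile weights (sum to 1.0); real values come from formulas.md.
PROFILE = {
    "exploit_likelihood": 0.25, "vex_status": 0.15, "reachability": 0.20,
    "runtime_evidence": 0.10, "fix_availability": 0.05,
    "asset_criticality": 0.15, "provenance_trust": 0.10,
}
# Hypothetical severity bands: lower bound of each bucket on the 0-100 scale.
BANDS = ((0, "low"), (40, "medium"), (70, "high"), (90, "critical"))

def normalize(raw):
    """Clamp every factor into [0, 1]; a missing factor counts as 0 (no evidence)."""
    return {f: min(1.0, max(0.0, float(raw.get(f, 0.0)))) for f in FACTORS}

def score(factors):
    """Weighted sum scaled to 0-100 and rounded so repeated runs compare equal."""
    return round(100 * sum(PROFILE[f] * factors[f] for f in FACTORS))

def severity(s):
    """Map a 0-100 score to its severity bucket."""
    band = "low"
    for lower, name in BANDS:
        if s >= lower:
            band = name
    return band

def evaluate(raw, evaluated_at):
    """One code path for simulation and production. The caller passes the UTC
    timestamp so fixture replays produce a byte-identical envelope and digest."""
    factors = normalize(raw)
    s = score(factors)
    envelope = {
        "evaluated_at": evaluated_at,
        "factors": factors,
        "contributions": {f: round(100 * PROFILE[f] * factors[f], 2) for f in FACTORS},
        "score": s,
        "severity": severity(s),
    }
    # Canonical JSON (sorted keys, fixed separators) gives a stable SHA-256 digest.
    canonical = json.dumps(envelope, sort_keys=True, separators=(",", ":"))
    envelope["digest"] = "sha256:" + hashlib.sha256(canonical.encode()).hexdigest()
    return envelope
```

The `contributions` map is the explainability payload: it shows per factor how much of the final score each one supplied, in the same fixed order every run.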
## Artifacts & Schemas (pending)
- Risk profile schema: `<pending PLLG0104>`
- Risk factor catalog: shared shapes reused by `factors.md`
- Explainability envelope: shared with UI/CLI; add JSON examples once provided.
## Determinism & Offline Posture
- Use frozen fixture sets with SHA-256 tables.
- Document regeneration steps (no live network calls) once payloads arrive.
## Open Items
- PLLG0104 schema approval
- Risk engine API payload samples
- UI telemetry captures for explainability walkthroughs
## References (to link once available)
- `docs/risk/profiles.md`
- `docs/risk/factors.md`
- `docs/risk/formulas.md`
- `docs/risk/api.md`