18d87c64c5
- Implemented PolicyPackSelectorComponent for selecting policy packs. - Added unit tests for component behavior, including API success and error handling. - Introduced monaco-workers type declarations for editor workers. - Created acceptance tests for guardrails with stubs for AT1–AT10. - Established SCA Failure Catalogue Fixtures for regression testing. - Developed plugin determinism harness with stubs for PL1–PL10. - Added scripts for evidence upload and verification processes.
2.7 KiB
2.7 KiB
Risk Profiles (draft outline)
Draft scaffold pending PLLG0104 risk profile schema approval. Do not publish externally until schemas and sample payloads arrive. Mirrors existing
docs/risk/risk-profiles.md; this file will supersede it once populated.
Purpose
- Define how profiles group factors, weights, thresholds, and severity bands.
- Describe authoring, simulation, promotion, rollback, and provenance for profiles.
Scope & Audience
- Audience: policy authors, risk engineers, platform SREs.
- Coverage: profile schema, lifecycle, governance, promotion paths, rollback, and observability hooks.
Schema (placeholder)
- Profile schema reference:
<pending PLLG0104> - Required fields: id, versioning, factors list, weights, thresholds, severity mapping, metadata, provenance.
- Optional fields: tenant overrides, imposed rules, time-to-live.
Lifecycle (outline)
- Authoring in Policy Studio (draft state)
- Simulation against fixtures (deterministic inputs)
- Review/approval workflow
- Promotion to environments (dev → staging → prod)
- Rollback hooks and audit trail
Governance & Determinism
- Profiles stored with DSSE/signatures; record SHA256 for fixtures.
- Same evaluation codepath for simulation and production; note required feature flags.
- Offline posture: include profiles and fixtures inside mirror bundles.
Explainability & Observability
- Per-factor contribution outputs (JSON) with stable ordering.
- Metrics to log: evaluation latency, cache hit ratio, factor coverage.
- Dashboards/alerts to enumerate once telemetry payloads are supplied.
Open Items
- PLLG0104 schema approval and sample JSON payloads
- Feature-flag list for registry alignment
- Telemetry field list for dashboards/alerts
References
docs/risk/overview.mddocs/risk/factors.mddocs/risk/formulas.mddocs/risk/explainability.mddocs/risk/api.md- Existing context:
docs/risk/risk-profiles.md(to reconcile once schema lands)
Interim Notes (carried from legacy docs/risk/risk-profiles.md)
- Profiles define how evidence (CVSS/EPSS-like exploit likelihood, KEV flags, VEX status, reachability, runtime evidence, fix availability, asset criticality, provenance trust) normalizes into a 0–100 score with severity buckets.
- Workflow highlights: author in Policy Studio → simulate with fixtures → activate in Policy Engine → explain outputs in CLI/Console → export for auditors via Export Center.
- Governance: draft/review/approval with DSSE/signatures; rollback hooks and promotion gates enforced by Authority scopes; determinism required (same codepath for simulation and production).
- Observability: record scoring latency, factor distribution, and profile usage; offline posture via mirror bundles with fixtures and hash manifests.