Versioned Weight Manifests
Module
Policy
Status
PARTIALLY_IMPLEMENTED
Description
Initial weight manifest file exists, but the weight manifest infrastructure (loading, versioning, hashing, CLI management) is marked TODO in the sprint (TSF-001).
What's Implemented
- Weight manifest file: `etc/weights/v2026-01-22.weights.json`
  - Schema: https://stella-ops.org/schemas/weight-manifest/v1.0.0
  - Schema version: 1.0.0, version: v2026-01-22, profile: production
  - Legacy 6-dimension weights: RCH=0.30, RTS=0.25, BKP=0.15, XPL=0.15, SRC=0.10, MIT=0.10
  - Advisory 5-dimension weights: CVSS=0.25, EPSS=0.30, Reachability=0.20, ExploitMaturity=0.10, PatchProof=0.15
  - Dimension names mapping (human-readable)
  - Subtractive dimensions: MIT, patchProof
  - Guardrails: notAffectedCap (maxScore=15, requires BKP>=1.0 and RTS<=0.6), runtimeFloor (minScore=60, requires RTS>=0.8), speculativeCap (maxScore=45, requires RCH<=0.0 and RTS<=0.0)
  - Priority buckets: actNowMin=90, scheduleNextMin=70, investigateMin=40
  - Determinization thresholds: manualReviewEntropy=0.60, refreshEntropy=0.40
  - Signal weights for entropy: VEX=0.25, Reachability=0.25, EPSS=0.15, Runtime=0.15, Backport=0.10, SBOMLineage=0.10
  - Content hash: `sha256:auto` (placeholder for computed hash)
  - Metadata: changelog, creation date, notes
- SignalWeights record: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
  - Matches the signalWeightsForEntropy values from the manifest
- ScoringRulesSnapshot: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`
  - Content-addressed snapshots with SHA256 digest
  - Builder pattern with WithWeights, WithThresholds, WithSeverityMultipliers, etc.
  - `IScoringRulesSnapshotService` interface for CRUD operations
- ScorePolicyLoader: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyLoader.cs`
  - YAML policy loading with version and weight sum validation
- ScorePolicyValidator: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyValidator.cs`
  - JSON Schema validation for score policies
Additional Implementation Found
- FileBasedWeightManifestLoader: `src/Signals/StellaOps.Signals/EvidenceWeightedScore/FileBasedWeightManifestLoader.cs` -- loads manifests from `etc/weights/*.json` files, implements `IWeightManifestLoader`
- ScoringManifestVersioner: `src/__Libraries/StellaOps.DeltaVerdict/Manifest/ScoringManifestVersioner.cs` (with `.Compare.cs`, `.Compare.Helpers.cs`) -- manifest versioning with compare, bump, and generate-next-version capabilities
- ScoringManifestSigningService: `src/__Libraries/StellaOps.DeltaVerdict/` -- manifest signing with KMS integration and Rekor anchoring
- Extensive tests: `src/__Libraries/__Tests/StellaOps.DeltaVerdict.Tests/Manifest/` -- 7 test files covering versioning, comparison, bumping, signing
What's Missing
- CLI management commands: No `stella weights list`, `stella weights validate`, `stella weights diff`, or `stella weights activate` CLI commands wrapping the existing loader/versioner
- Content hash auto-compute at build: Manifest has `"contentHash": "sha256:auto"` placeholder -- no build step replaces it with actual computed hash
- Unified binding: FileBasedWeightManifestLoader is in Signals, ScoringManifestVersioner is in DeltaVerdict; no unified service in the Policy module that binds manifest loading, versioning, signing, and runtime configuration together
Implementation Plan
- Create `WeightManifestLoader` service that discovers manifests in `etc/weights/`, validates schema, computes/verifies content hash, and selects by `effectiveFrom` date
- Add build step to compute content hash and replace `sha256:auto` placeholder
- Create CLI commands for manifest lifecycle management
- Build manifest-to-runtime binding that configures SignalWeights and ScoringRulesSnapshot from the active manifest
- Add manifest diff utility for comparing versions
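
One way the planned build-time stamping and load-time verification of the content hash could fit together, as an added Python example that is not StellaOps code. The canonicalization (sorted keys, compact separators, `contentHash` reset to the placeholder before hashing) and every sample key name other than `contentHash` are assumptions.

```python
import hashlib
import json

PLACEHOLDER = "sha256:auto"  # placeholder value the manifest currently carries


def canonical_bytes(manifest: dict) -> bytes:
    """Canonical form (assumed scheme): contentHash is reset to the placeholder
    so the hash never covers itself; keys are sorted and whitespace removed so
    formatting or key order cannot change the digest."""
    body = dict(manifest, contentHash=PLACEHOLDER)
    text = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def compute_content_hash(manifest: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical_bytes(manifest)).hexdigest()


def stamp(manifest: dict) -> dict:
    """Build step: return a copy with the placeholder replaced by the real hash."""
    return dict(manifest, contentHash=compute_content_hash(manifest))


def verify(manifest: dict) -> bool:
    """Load step: fail closed on a missing, unstamped, or mismatching hash."""
    recorded = manifest.get("contentHash")
    if not isinstance(recorded, str) or recorded == PLACEHOLDER:
        return False
    return recorded == compute_content_hash(manifest)


# Constructed sample; only the values and the contentHash key come from the page.
SAMPLE = {
    "schemaVersion": "1.0.0",
    "version": "v2026-01-22",
    "profile": "production",
    "weights": {"legacy": {"RCH": 0.30, "RTS": 0.25, "BKP": 0.15,
                           "XPL": 0.15, "SRC": 0.10, "MIT": 0.10}},
    "contentHash": PLACEHOLDER,
}

if __name__ == "__main__":
    stamped = stamp(SAMPLE)
    print(stamped["contentHash"], verify(stamped), verify(SAMPLE))
```

A loader in another language has to reproduce the same canonical bytes, including number formatting, or verification will fail on an untouched manifest.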
Related Documentation
- Weight manifest: `etc/weights/v2026-01-22.weights.json`
- Signal weights: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
- Scoring rules snapshot: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`