Versioned Weight Manifests
Module
Policy
Status
IMPLEMENTED
Description
Initial weight manifest file exists, but the weight manifest infrastructure (loading, versioning, hashing, CLI management) is marked TODO in the sprint (TSF-001).
What's Implemented
- Weight manifest file: etc/weights/v2026-01-22.weights.json
  - Schema: https://stella-ops.org/schemas/weight-manifest/v1.0.0
  - Schema version: 1.0.0, version: v2026-01-22, profile: production
  - Legacy 6-dimension weights: RCH=0.30, RTS=0.25, BKP=0.15, XPL=0.15, SRC=0.10, MIT=0.10
  - Advisory 5-dimension weights: CVSS=0.25, EPSS=0.30, Reachability=0.20, ExploitMaturity=0.10, PatchProof=0.15
  - Dimension names mapping (human-readable)
  - Subtractive dimensions: MIT, patchProof
  - Guardrails: notAffectedCap (maxScore=15, requires BKP>=1.0 and RTS<=0.6), runtimeFloor (minScore=60, requires RTS>=0.8), speculativeCap (maxScore=45, requires RCH<=0.0 and RTS<=0.0)
  - Priority buckets: actNowMin=90, scheduleNextMin=70, investigateMin=40
  - Determinization thresholds: manualReviewEntropy=0.60, refreshEntropy=0.40
  - Signal weights for entropy: VEX=0.25, Reachability=0.25, EPSS=0.15, Runtime=0.15, Backport=0.10, SBOMLineage=0.10
  - Content hash: sha256:auto (placeholder for computed hash)
  - Metadata: changelog, creation date, notes
- SignalWeights record: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs
  - Matches the signalWeightsForEntropy values from the manifest
- ScoringRulesSnapshot: src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs
  - Content-addressed snapshots with SHA256 digest
  - Builder pattern with WithWeights, WithThresholds, WithSeverityMultipliers, etc.
  - IScoringRulesSnapshotService interface for CRUD operations
- ScorePolicyLoader: src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyLoader.cs
  - YAML policy loading with version and weight sum validation
- ScorePolicyValidator: src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyValidator.cs
  - JSON Schema validation for score policies
Additional Implementation Found
- FileBasedWeightManifestLoader: src/Signals/StellaOps.Signals/EvidenceWeightedScore/FileBasedWeightManifestLoader.cs -- loads manifests from etc/weights/*.json files, implements IWeightManifestLoader
- ScoringManifestVersioner: src/__Libraries/StellaOps.DeltaVerdict/Manifest/ScoringManifestVersioner.cs (with .Compare.cs, .Compare.Helpers.cs) -- manifest versioning with compare, bump, and generate-next-version capabilities
- ScoringManifestSigningService: src/__Libraries/StellaOps.DeltaVerdict/ -- manifest signing with KMS integration and Rekor anchoring
- Extensive tests: src/__Libraries/__Tests/StellaOps.DeltaVerdict.Tests/Manifest/ -- 7 test files covering versioning, comparison, bumping, signing
What's Missing
- CLI management commands: No stella weights list, stella weights validate, stella weights diff, or stella weights activate CLI commands wrapping the existing loader/versioner
- Content hash auto-compute at build: Manifest has "contentHash": "sha256:auto" placeholder -- no build step replaces it with actual computed hash
- Unified binding: FileBasedWeightManifestLoader is in Signals, ScoringManifestVersioner is in DeltaVerdict; no unified service in the Policy module that binds manifest loading, versioning, signing, and runtime configuration together
Implementation Plan
- Create WeightManifestLoader service that discovers manifests in etc/weights/, validates schema, computes/verifies content hash, and selects by effectiveFrom date
- Add build step to compute content hash and replace sha256:auto placeholder
- Create CLI commands for manifest lifecycle management
- Build manifest-to-runtime binding that configures SignalWeights and ScoringRulesSnapshot from the active manifest
- Add manifest diff utility for comparing versions
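The missing content-hash build step and the matching load-time check, sketched as an added Python example (not the project's code, which is C#). The canonical form used for hashing and every key name other than contentHash and signalWeightsForEntropy are assumptions, since the page does not define them.

```python
import copy
import hashlib
import json

PLACEHOLDER = "sha256:auto"  # placeholder value quoted on the page


def canonical_bytes(manifest: dict) -> bytes:
    # Assumed canonical form (the page does not define one): contentHash reset
    # to the placeholder, keys sorted, compact separators, UTF-8.
    body = copy.deepcopy(manifest)
    body["contentHash"] = PLACEHOLDER
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def compute_content_hash(manifest: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical_bytes(manifest)).hexdigest()


def stamp(manifest: dict) -> dict:
    # Build step: return a copy with the placeholder replaced by the real digest.
    stamped = copy.deepcopy(manifest)
    stamped["contentHash"] = compute_content_hash(manifest)
    return stamped


def verify(manifest: dict) -> tuple[bool, str]:
    # Load-time check: fail closed on a missing, unstamped or mismatching hash.
    declared = manifest.get("contentHash")
    if not isinstance(declared, str):
        return False, "missing contentHash"
    if declared == PLACEHOLDER:
        return False, "unstamped placeholder"
    if declared != compute_content_hash(manifest):
        return False, "hash mismatch"
    return True, "ok"


# Constructed sample: values from the page; key names other than contentHash
# and signalWeightsForEntropy are assumed.
SAMPLE = {
    "schemaVersion": "1.0.0",
    "version": "v2026-01-22",
    "profile": "production",
    "signalWeightsForEntropy": {"vex": 0.25, "reachability": 0.25, "epss": 0.15,
                                "runtime": 0.15, "backport": 0.10, "sbomLineage": 0.10},
    "contentHash": PLACEHOLDER,
}

if __name__ == "__main__":
    print(verify(SAMPLE), verify(stamp(SAMPLE)))
```

Because the hash is taken with contentHash reset to the placeholder, stamping is idempotent and the digest does not depend on key order; a loader in another language would need the same canonical form, including number formatting, to reproduce it.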
Related Documentation
- Weight manifest: etc/weights/v2026-01-22.weights.json
- Signal weights: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs
- Scoring rules snapshot: src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs