git.stella-ops.org/docs/features/checked/policy/smart-diff-semantic-risk-delta.md
2026-02-14 09:11:48 +02:00

# Smart-Diff Semantic Risk Delta (Moat Score 4)
## Module
Policy
## Status
IMPLEMENTED
## Description
Detects material risk changes between a baseline and a target scan: computes a delta verdict, analyses the change in security state, and reports the resulting risk delta with its drivers.
## Implementation Details
- **WhatIfSimulationService**: `src/Policy/StellaOps.Policy.Engine/WhatIfSimulation/WhatIfSimulationService.cs`
  - `SimulateAsync()` computes the semantic risk delta between a baseline and a target
  - SBOM diff operations: add, remove, upgrade, downgrade, each carrying advisory/VEX/reachability context
  - Decision change types: status_changed, severity_changed, new, removed
  - Impact summary: risk delta (increased/decreased/unchanged) and material risk indicators
  - Recommendations derived from the delta analysis
- **ConsoleSimulationDiffService**: `src/Policy/StellaOps.Policy.Engine/Console/ConsoleSimulationDiffService.cs`
  - Schema version: console-policy-23-001
  - Deterministic before/after severity breakdowns
  - Rule impact analysis: identifies which policy rules drive the risk delta
  - Explain samples for delta reasoning
- **DriftGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/DriftGateEvaluator.cs`
  - SBOM drift detection as a semantic risk signal
  - Component addition/removal/version change tracking
- **CounterfactualEngine**: `src/Policy/__Libraries/StellaOps.Policy/Counterfactuals/CounterfactualEngine.cs`
  - Computes "what would fix this" paths: VEX, Exception, Reachability, VersionUpgrade, CompensatingControl
  - Effort ratings per path: Critical=5, High=4, Medium=3, Low=2
- **RiskSimulationService**: `src/Policy/StellaOps.Policy.Engine/Simulation/RiskSimulationService.cs`
  - Signal-based risk scoring with distribution and top movers
  - `CompareProfilesWithBreakdown()` for before/after profile delta
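The following is an added, self-contained illustration of the delta semantics listed above (SBOM diff ops, decision change types, increased/decreased/unchanged impact, material indicators, deterministic output). It is not the Stella Ops Policy Engine code: the `Finding` model, the dotted-integer version comparison, the additive severity-rank risk score, the sample components and the placeholder CVE identifiers are all assumptions made for this example.

```python
# Added example of semantic risk delta computation; not the Stella Ops code.
# Data model, scoring rule, version parsing and all names are assumptions.
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One (component, vulnerability) decision. status uses VEX wording:
    only 'affected' contributes to risk; 'not_affected'/'fixed' do not."""
    component: str
    vuln_id: str
    severity: str
    status: str


def _version_key(v: str) -> tuple[int, ...]:
    # Simplified: dotted integers only; a real engine would compare PURL/semver.
    return tuple(int(p) for p in v.split("."))


def sbom_diff(baseline: dict[str, str], target: dict[str, str]) -> list[dict]:
    """Component-level ops (add / remove / upgrade / downgrade), sorted by name."""
    ops = []
    for name in sorted(set(baseline) | set(target)):
        b, t = baseline.get(name), target.get(name)
        if b is None:
            ops.append({"op": "add", "component": name, "to": t})
        elif t is None:
            ops.append({"op": "remove", "component": name, "from": b})
        elif b != t:
            op = "upgrade" if _version_key(t) > _version_key(b) else "downgrade"
            ops.append({"op": op, "component": name, "from": b, "to": t})
    return ops


def decision_changes(baseline: list[Finding], target: list[Finding]) -> list[dict]:
    """Per-finding change types: new, removed, severity_changed, status_changed."""
    b = {(f.component, f.vuln_id): f for f in baseline}
    t = {(f.component, f.vuln_id): f for f in target}
    changes = []
    for comp, vuln in sorted(set(b) | set(t)):
        bf, tf = b.get((comp, vuln)), t.get((comp, vuln))
        base = {"component": comp, "vuln_id": vuln}
        if bf is None:
            changes.append({**base, "type": "new", "severity": tf.severity, "status": tf.status})
        elif tf is None:
            changes.append({**base, "type": "removed", "severity": bf.severity})
        else:  # same finding on both sides: report each attribute that moved
            if bf.severity != tf.severity:
                changes.append({**base, "type": "severity_changed", "from": bf.severity, "to": tf.severity})
            if bf.status != tf.status:
                changes.append({**base, "type": "status_changed", "from": bf.status, "to": tf.status})
    return changes


def _risk_score(findings: list[Finding]) -> int:
    return sum(SEVERITY_RANK[f.severity] for f in findings if f.status == "affected")


def semantic_risk_delta(baseline_sbom, target_sbom, baseline_findings, target_findings) -> dict:
    """Full delta: SBOM ops, decision changes, impact summary and a canonical digest."""
    before, after = _risk_score(baseline_findings), _risk_score(target_findings)
    direction = "increased" if after > before else "decreased" if after < before else "unchanged"
    changes = decision_changes(baseline_findings, target_findings)
    # Material indicators: a change that adds, or escalates a finding to, critical.
    material = sorted(
        f"{c['component']}:{c['vuln_id']}" for c in changes
        if (c["type"] == "new" and c["severity"] == "critical" and c["status"] == "affected")
        or (c["type"] == "severity_changed" and c["to"] == "critical")
    )
    delta = {
        "sbom_ops": sbom_diff(baseline_sbom, target_sbom),
        "decision_changes": changes,
        "impact": {"risk_delta": direction, "score_before": before,
                   "score_after": after, "material_indicators": material},
    }
    # Sorted keys + fixed separators: identical inputs, in any order, give one digest.
    canonical = json.dumps(delta, sort_keys=True, separators=(",", ":"))
    delta["digest"] = hashlib.sha256(canonical.encode()).hexdigest()
    return delta


# Constructed sample (placeholder IDs): libfoo upgrade drops its CVE, libbar's
# CVE is re-rated medium->high, new component libbaz brings a critical finding.
BASELINE_SBOM = {"libfoo": "1.2.0", "libbar": "3.0.1"}
TARGET_SBOM = {"libfoo": "1.3.0", "libbar": "3.0.1", "libbaz": "0.9.0"}
BASELINE_FINDINGS = [
    Finding("libfoo", "CVE-0000-0001", "high", "affected"),
    Finding("libbar", "CVE-0000-0002", "medium", "affected"),
]
TARGET_FINDINGS = [
    Finding("libbar", "CVE-0000-0002", "high", "affected"),
    Finding("libbaz", "CVE-0000-0003", "critical", "affected"),
]

if __name__ == "__main__":
    report = semantic_risk_delta(BASELINE_SBOM, TARGET_SBOM, BASELINE_FINDINGS, TARGET_FINDINGS)
    print(json.dumps(report, indent=2))
```

Two points worth noting in this shape. A VEX `status_changed` from `affected` to `not_affected` lowers the score with no SBOM op at all, which is why the delta keys on findings rather than on components alone. And the digest is taken over the canonical JSON of the delta body before the digest field is added, so two runs over the same baseline and target, however the inputs are ordered, produce the same digest; that is the property the "deterministic output" item in the test plan below is checking.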
## E2E Test Plan
- [ ] Simulate adding component with known critical CVE; verify risk delta shows "increased" with new critical finding
- [ ] Simulate upgrading component that fixes CVE; verify risk delta shows "decreased" with removed finding
- [ ] Simulate no changes; verify risk delta shows "unchanged"
- [ ] Verify severity_changed detection: finding changes from High to Critical
- [ ] Verify new detection: component addition introduces new findings
- [ ] Verify removed detection: component removal clears associated findings
- [ ] Verify CounterfactualEngine computes fix paths for blocked findings in delta
- [ ] Verify console diff output includes rule impact analysis
- [ ] Verify deterministic output: same baseline + target always produces same delta
- [ ] Verify DriftGateEvaluator integrates semantic drift into gate evaluation