git.stella-ops.org/docs/features/checked/policy/versioned-weight-manifests.md
2026-02-14 09:11:48 +02:00


# Versioned Weight Manifests
## Module
Policy
## Status
IMPLEMENTED
## Description
An initial weight manifest file exists; the surrounding manifest infrastructure (loading, versioning, hashing, CLI management) is marked TODO in sprint TSF-001, although loader, versioner and signing components already exist outside the Policy module (see "Additional Implementation Found" below).
## What's Implemented
- **Weight manifest file**: `etc/weights/v2026-01-22.weights.json`
  - Schema: `https://stella-ops.org/schemas/weight-manifest/v1.0.0`
  - Schema version: 1.0.0, version: v2026-01-22, profile: production
  - Legacy 6-dimension weights: RCH=0.30, RTS=0.25, BKP=0.15, XPL=0.15, SRC=0.10, MIT=0.10 (the five additive weights sum to 0.95; MIT is subtractive)
  - Advisory 5-dimension weights: CVSS=0.25, EPSS=0.30, Reachability=0.20, ExploitMaturity=0.10, PatchProof=0.15 (the four additive weights sum to 0.85; PatchProof is subtractive)
  - Dimension names mapping (human-readable)
  - Subtractive dimensions: MIT, patchProof
  - Guardrails:
    - notAffectedCap: maxScore=15, requires BKP>=1.0 and RTS<=0.6
    - runtimeFloor: minScore=60, requires RTS>=0.8
    - speculativeCap: maxScore=45, requires RCH<=0.0 and RTS<=0.0
  - Priority buckets: actNowMin=90, scheduleNextMin=70, investigateMin=40
  - Determinization thresholds: manualReviewEntropy=0.60, refreshEntropy=0.40
  - Signal weights for entropy: VEX=0.25, Reachability=0.25, EPSS=0.15, Runtime=0.15, Backport=0.10, SBOMLineage=0.10 (sum to 1.00)
  - Content hash: `sha256:auto` (placeholder; no build step currently replaces it with a computed digest, see "What's Missing")
  - Metadata: changelog, creation date, notes
- **SignalWeights record**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
  - Matches the signalWeightsForEntropy values from the manifest
- **ScoringRulesSnapshot**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`
  - Content-addressed snapshots with SHA256 digest
  - Builder pattern with WithWeights, WithThresholds, WithSeverityMultipliers, etc.
  - `IScoringRulesSnapshotService` interface for CRUD operations
- **ScorePolicyLoader**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyLoader.cs`
  - YAML policy loading with version and weight-sum validation
- **ScorePolicyValidator**: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyValidator.cs`
  - JSON Schema validation for score policies
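Applying the guardrails and priority buckets above to a raw score, as an added example written for this page (not StellaOps code; the project's own scoring lives in the C# libraries listed above). The numeric thresholds are those documented for v2026-01-22. The rule encoding, the cap/floor semantics (a cap lowers a score to `maxScore` and a floor raises it to `minScore`, each only when every one of its conditions holds, with floors applied before caps), the signal dictionary keys and the name `defer` for scores below `investigateMin` are assumptions.

```python
"""Apply weight-manifest guardrails and priority buckets to a raw score.

Added illustration, not StellaOps code. Threshold values are those documented
for v2026-01-22; the rule encoding, the cap/floor semantics and the signal
dictionary keys are assumptions.
"""
from __future__ import annotations

import operator
from dataclasses import dataclass

# Constructed encoding of the documented guardrails: each condition is (op, threshold).
GUARDRAILS = {
    "notAffectedCap": {"maxScore": 15, "requires": {"BKP": (">=", 1.0), "RTS": ("<=", 0.6)}},
    "runtimeFloor": {"minScore": 60, "requires": {"RTS": (">=", 0.8)}},
    "speculativeCap": {"maxScore": 45, "requires": {"RCH": ("<=", 0.0), "RTS": ("<=", 0.0)}},
}
BUCKETS = {"actNowMin": 90, "scheduleNextMin": 70, "investigateMin": 40}

_OPS = {">=": operator.ge, "<=": operator.le}


def guardrail_matches(rule: dict, signals: dict[str, float]) -> bool:
    """Every condition must hold; an absent signal never satisfies a condition."""
    return all(dim in signals and _OPS[op](signals[dim], threshold)
               for dim, (op, threshold) in rule["requires"].items())


def apply_guardrails(raw: float, signals: dict[str, float],
                     guardrails: dict = GUARDRAILS) -> tuple[float, list[str]]:
    """Return (clamped score, names of matching rules).

    Floors are applied before caps so a cap is never undone by a floor. For the
    documented manifest this ordering is moot: runtimeFloor needs RTS>=0.8 while
    both caps need RTS<=0.6 or RTS<=0.0, so a floor and a cap cannot both match.
    """
    score, matched = float(raw), []
    for name, rule in guardrails.items():
        if "minScore" in rule and guardrail_matches(rule, signals):
            score = max(score, float(rule["minScore"]))
            matched.append(name)
    for name, rule in guardrails.items():
        if "maxScore" in rule and guardrail_matches(rule, signals):
            score = min(score, float(rule["maxScore"]))
            matched.append(name)
    return score, matched


def bucket_for(score: float, buckets: dict = BUCKETS) -> str:
    """Map a final score to its priority bucket ("defer", for the lowest bucket, is an assumed name)."""
    if score >= buckets["actNowMin"]:
        return "actNow"
    if score >= buckets["scheduleNextMin"]:
        return "scheduleNext"
    if score >= buckets["investigateMin"]:
        return "investigate"
    return "defer"


@dataclass(frozen=True)
class GuardedScore:
    raw: float
    final: float
    matched: tuple[str, ...]
    bucket: str


def score_with_guardrails(raw: float, signals: dict[str, float]) -> GuardedScore:
    """Full pipeline: clamp the raw score, then assign the bucket from the clamped value."""
    final, matched = apply_guardrails(raw, signals)
    return GuardedScore(float(raw), final, tuple(matched), bucket_for(final))


if __name__ == "__main__":
    # Constructed signals: backport proof present and little runtime evidence -> notAffectedCap.
    print(score_with_guardrails(82, {"BKP": 1.0, "RTS": 0.3, "RCH": 0.9}))
    # Strong runtime evidence lifts a low raw score to the floor.
    print(score_with_guardrails(35, {"BKP": 0.0, "RTS": 0.9, "RCH": 1.0}))
```

Bucketing is done on the clamped score, not the raw one, so a finding with backport proof lands in the lowest bucket even if the raw weighted sum would have placed it in actNow; that is the point of the cap, and any binding of the manifest to `ScoringRulesSnapshot` should preserve that ordering.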
## Additional Implementation Found
- **FileBasedWeightManifestLoader**: `src/Signals/StellaOps.Signals/EvidenceWeightedScore/FileBasedWeightManifestLoader.cs` -- loads manifests from `etc/weights/*.json` files, implements `IWeightManifestLoader`
- **ScoringManifestVersioner**: `src/__Libraries/StellaOps.DeltaVerdict/Manifest/ScoringManifestVersioner.cs` (with `.Compare.cs`, `.Compare.Helpers.cs`) -- manifest versioning with compare, bump, and generate-next-version capabilities
- **ScoringManifestSigningService**: `src/__Libraries/StellaOps.DeltaVerdict/` -- manifest signing with KMS integration and Rekor anchoring
- **Extensive tests**: `src/__Libraries/__Tests/StellaOps.DeltaVerdict.Tests/Manifest/` -- 7 test files covering versioning, comparison, bumping, signing
## What's Missing
- **CLI management commands**: No `stella weights list`, `stella weights validate`, `stella weights diff`, or `stella weights activate` CLI commands wrapping the existing loader/versioner
- **Content hash auto-compute at build**: Manifest has `"contentHash": "sha256:auto"` placeholder -- no build step replaces it with actual computed hash
- **Unified binding**: FileBasedWeightManifestLoader is in Signals, ScoringManifestVersioner is in DeltaVerdict; no unified service in the Policy module that binds manifest loading, versioning, signing, and runtime configuration together
## Implementation Plan
- Create a `WeightManifestLoader` service that discovers manifests in `etc/weights/`, validates them against the schema, computes and verifies the content hash, and selects the active manifest by `effectiveFrom` date
- Add build step to compute content hash and replace `sha256:auto` placeholder
- Create CLI commands for manifest lifecycle management
- Build manifest-to-runtime binding that configures SignalWeights and ScoringRulesSnapshot from the active manifest
- Add manifest diff utility for comparing versions
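The loader, build step and diff utility planned above, as an added example written for this page in Python (not StellaOps code; the project's own components are C#). It assumes that the content hash is SHA-256 over the manifest serialised as canonical JSON (sorted keys, no whitespace, UTF-8) with `contentHash` pinned to the literal `sha256:auto`, that each manifest carries an ISO-8601 `effectiveFrom` date, and the key names `weights` and `advisoryWeights` for the two weight sets; the sample manifest is constructed from the documented v2026-01-22 values.

```python
"""Discover, seal (hash), verify, select and diff weight manifests.

Added illustration, not StellaOps code. Assumed conventions: contentHash is
SHA-256 over canonical JSON with the hash field pinned to "sha256:auto";
manifests carry an ISO-8601 `effectiveFrom`; weight sets live under
`weights` and `advisoryWeights`.
"""
from __future__ import annotations

import hashlib
import json
from datetime import date
from pathlib import Path

PLACEHOLDER = "sha256:auto"

# Constructed sample built from the documented v2026-01-22 values (field names assumed).
SAMPLE = {
    "$schema": "https://stella-ops.org/schemas/weight-manifest/v1.0.0",
    "schemaVersion": "1.0.0",
    "version": "v2026-01-22",
    "profile": "production",
    "effectiveFrom": "2026-01-22",
    "weights": {"RCH": 0.30, "RTS": 0.25, "BKP": 0.15, "XPL": 0.15, "SRC": 0.10, "MIT": 0.10},
    "advisoryWeights": {"CVSS": 0.25, "EPSS": 0.30, "Reachability": 0.20,
                        "ExploitMaturity": 0.10, "PatchProof": 0.15},
    "contentHash": PLACEHOLDER,
}


def canonical_bytes(manifest: dict) -> bytes:
    """Canonical JSON with the hash field pinned, so the digest covers everything else."""
    pinned = dict(manifest, contentHash=PLACEHOLDER)
    return json.dumps(pinned, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def compute_content_hash(manifest: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical_bytes(manifest)).hexdigest()


def seal(manifest: dict) -> dict:
    """Build step: replace the placeholder with the computed digest."""
    return dict(manifest, contentHash=compute_content_hash(manifest))


def verify(manifest: dict) -> bool:
    """Load-time check; an unsealed manifest (placeholder still present) is rejected."""
    declared = manifest.get("contentHash", PLACEHOLDER)
    return declared != PLACEHOLDER and declared == compute_content_hash(manifest)


def discover(directory: Path) -> list[dict]:
    """Read every *.weights.json under the directory (etc/weights/ in the repo)."""
    return [json.loads(p.read_text("utf-8")) for p in sorted(directory.glob("*.weights.json"))]


def select_active(manifests: list[dict], today: date | str) -> dict | None:
    """Newest verified manifest whose effectiveFrom is not in the future; None if nothing qualifies."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    eligible = [m for m in manifests
                if verify(m) and date.fromisoformat(m["effectiveFrom"]) <= today]
    return max(eligible, key=lambda m: date.fromisoformat(m["effectiveFrom"]), default=None)


def diff_weights(old: dict, new: dict,
                 sections=("weights", "advisoryWeights")) -> dict[str, tuple]:
    """Per-dimension changes as {"section.DIM": (old, new)}; None marks an added or removed dimension."""
    changes = {}
    for section in sections:
        a, b = old.get(section, {}), new.get(section, {})
        for dim in sorted(set(a) | set(b)):
            if a.get(dim) != b.get(dim):
                changes[f"{section}.{dim}"] = (a.get(dim), b.get(dim))
    return changes


if __name__ == "__main__":
    import tempfile

    sealed = seal(SAMPLE)
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        (directory / "v2026-01-22.weights.json").write_text(json.dumps(sealed), "utf-8")
        # An unsealed candidate with a later effectiveFrom must never become active.
        (directory / "v2026-03-01.weights.json").write_text(
            json.dumps(dict(SAMPLE, version="v2026-03-01", effectiveFrom="2026-03-01")), "utf-8")
        active = select_active(discover(directory), "2026-03-01")
        print(active["version"], active["contentHash"])
```

Pinning `contentHash` to the placeholder before hashing is what makes sealing idempotent and verification stable: the digest is computed over the same bytes whether the file on disk still carries `sha256:auto` or the sealed value. Treating an unsealed manifest as unverified, rather than as "hash not yet set", closes the gap where a manifest edited after the build step would otherwise load silently.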
## Related Documentation
- Weight manifest: `etc/weights/v2026-01-22.weights.json`
- Signal weights: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs`
- Scoring rules snapshot: `src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs`