git.stella-ops.org/docs/features/checked/policy/earned-capacity-replenishment-for-risk-budgets.md

Earned Capacity Replenishment for Risk Budgets

Module

Policy

Status

IMPLEMENTED

Description

Extends Risk Budget Management with automated enforcement: BudgetLedger for tracking risk point consumption, BudgetConstraintEnforcer for policy gate integration, and EarnedCapacityReplenishment for automatically restoring budget when vulnerabilities are remediated. Includes PostgreSQL persistence and REST endpoints. Goes beyond the known "Risk Budget Management" (which covers configuration/dashboard) by adding the enforcement automation and earned capacity mechanism.

Implementation Details

• Budget Ledger: src/Policy/StellaOps.Policy.Engine/Ledger/
  • Sprint: SPRINT_20251226_002_BE_budget_enforcement
  • LedgerModels.cs -- ledger entry models for tracking risk point consumption and replenishment
  • LedgerExportService.cs -- export ledger data for audit
  • LedgerExportStore.cs -- persistence for ledger exports
• Budget Endpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/BudgetEndpoints.cs -- REST API for budget operations
  • Budget status, consumption tracking, and replenishment triggers
• Risk Budget Endpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/RiskBudgetEndpoints.cs -- risk budget management API
  • Budget configuration, threshold management, and earned capacity rules
• Unknowns Budget Enforcer: src/Policy/__Libraries/StellaOps.Policy.Unknowns/UnknownsBudgetEnforcer.cs -- enforces budget constraints
  • Tracks Hot/Warm/Cold band consumption against budget limits
  • Blocks releases when budget is exceeded
• Unknown Budget Service: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownBudgetService.cs -- budget calculation and management
• Unknown Budget Model: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/UnknownBudget.cs -- budget configuration with per-band limits
• Verdict Budget Check: src/Policy/StellaOps.Policy.Engine/Attestation/VerdictBudgetCheck.cs -- budget verification during verdict attestation
• Ledger Export Endpoint: src/Policy/StellaOps.Policy.Engine/Endpoints/LedgerExportEndpoint.cs -- REST API for exporting ledger entries

E2E Test Plan

• GET risk budget status; verify budget shows total capacity, consumed points, and remaining capacity
• Consume risk points by adding a new finding; verify budget consumption increases
• Remediate a vulnerability; verify earned capacity replenishment restores budget points
• Exceed budget limit; verify budget enforcer blocks the release gate
• Verify budget enforcer integrates with policy gate: gate returns Block when budget exceeded
• Export budget ledger; verify ledger contains all consumption and replenishment entries with timestamps
• Configure per-band limits (Hot=10, Warm=25, Cold=100); verify enforcement respects band-specific limits
• Verify verdict attestation includes budget check result
• POST to risk budget endpoint to update capacity; verify new capacity takes effect
• Verify earned capacity calculation: remediated critical finding replenishes more points than low finding