stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/policy/risk-budget-model.md

3.0 KiB
Raw Blame History

Risk Budget Model (Service Tiers + Risk Points)

Module

Policy

Status

IMPLEMENTED

Description

Complete risk budget system with service tier-based scoring, risk point computation, budget ledger tracking, constraint enforcement, threshold notifications, capacity replenishment, and persistence. Includes API endpoints and property-based tests for monotonicity.

Implementation Details

  • RiskSimulationService: src/Policy/StellaOps.Policy.Engine/Simulation/RiskSimulationService.cs
    • Signal-based risk point computation: Boolean (0/1), Numeric (direct), Categorical (mapped weight)
    • Severity mapping: Critical>=90, High>=70, Medium>=40, Low>=10
    • Distribution calculation with 10 buckets, 6 percentiles (p25/p50/p75/p90/p95/p99)
    • Aggregate metrics: total, mean, median, stddev, severity breakdown
  • UnknownRanker: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs
    • Two-factor risk score: Score = (Uncertainty * 50) + (ExploitPressure * 50)
    • Band assignment: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
    • Containment reduction capped at 40% (Seccomp 10%, FsRO 10%, Isolated 15%, etc.)
    • Decay buckets for time-based scoring adjustments
  • UnknownBudgetService / UnknownsBudgetEnforcer: src/Policy/__Libraries/StellaOps.Policy.Unknowns/
    • Per-service budget constraints with Green/Yellow/Red/Exhausted thresholds
    • Budget enforcement blocks releases when Exhausted
  • LedgerExportService: src/Policy/StellaOps.Policy.Engine/Ledger/LedgerExportService.cs -- budget ledger persistence
  • BudgetEndpoints / RiskBudgetEndpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/ -- API for budget CRUD and evaluation
  • Scoring engines: src/Policy/StellaOps.Policy.Engine/Scoring/Engines/ -- SimpleScoringEngine, AdvancedScoringEngine, ProofAwareScoringEngine
  • ScoringProfileService: src/Policy/StellaOps.Policy.Engine/Scoring/ScoringProfileService.cs -- configurable scoring profiles with weighted signals

E2E Test Plan

  • Compute risk points for finding with Critical severity (CVSS>=9.0, EPSS>=0.90); verify score >= 90
  • Compute risk points for finding with Low severity (CVSS=3.0); verify score maps to Low range (10-39)
  • Compute risk points with containment reduction (Seccomp + FsRO); verify 20% reduction applied
  • Verify score monotonicity: higher CVSS/EPSS always produces higher or equal score
  • Compute aggregate risk for 10 findings; verify distribution has 10 buckets, valid percentiles
  • Verify severity breakdown: Critical count + High count + Medium count + Low count = total findings
  • Create budget with tier-based limits; consume RP; verify threshold transitions (Green -> Yellow -> Red -> Exhausted)
  • Verify budget capacity replenishment: resolve 5 findings; verify remaining capacity increases
  • Verify ProofAwareScoringEngine includes proof references in scored output
  • Verify scoring profile weights CVSS, EPSS, reachability contributions correctly