git.stella-ops.org/docs/features/unchecked/policy/unknown-budget-policy-enforcement.md

Unknown Budget Policy Enforcement

Module

Policy

Status

IMPLEMENTED

Description

Unknown budget enforcement with environment-aware thresholds, supporting policy evaluation that can fail/warn based on unknown counts by type.

Implementation Details

  • UnknownsBudgetEnforcer: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownsBudgetEnforcer.cs
    • Enforces budget constraints based on unknown counts by type
    • Threshold levels: Green (within limits), Yellow (warning), Red (over budget), Exhausted (blocked)
    • Environment-aware: different thresholds for production vs staging vs development
  • UnknownBudgetService: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownBudgetService.cs
    • Budget management: create, query, consume, replenish
    • Per-type budget tracking (reachability unknowns, identity unknowns, VEX gaps, etc.)
  • UnknownRanker: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs
    • Ranks unknowns by two-factor score: (Uncertainty * 50) + (ExploitPressure * 50)
    • Reason codes: AnalyzerLimit, Reachability, Identity, Provenance, VexConflict, FeedGap, ConfigUnknown
    • Band assignment: Hot >= 75, Warm >= 50, Cold >= 25, Negligible < 25
  • PolicyGateEvaluator Uncertainty Tier gate: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs
    • Uncertainty Tier gate (4th in pipeline) evaluates unknown counts against thresholds
    • Tiers: T1 (High uncertainty -> strictest enforcement), T4 (Negligible -> most permissive)
  • BudgetEndpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/BudgetEndpoints.cs -- API for budget management
  • RiskBudgetEndpoints: src/Policy/StellaOps.Policy.Engine/Endpoints/RiskBudgetEndpoints.cs -- API for budget evaluation

E2E Test Plan

  • Set budget limit for reachability unknowns=10; report 5 unknowns; verify status Green
  • Set budget limit for reachability unknowns=10; report 8 unknowns; verify status Yellow (warning)
  • Set budget limit for reachability unknowns=10; report 12 unknowns; verify status Red/Exhausted
  • Verify environment-aware thresholds: production has stricter limits than development
  • Evaluate through PolicyGateEvaluator with T1 uncertainty tier; verify Uncertainty gate blocks
  • Evaluate through PolicyGateEvaluator with T4 uncertainty tier; verify Uncertainty gate passes
  • Consume unknowns budget; resolve some unknowns; verify budget capacity restored
  • Query budget status via API; verify response includes per-type counts and thresholds
  • Verify Hot-band unknowns consume more budget than Cold-band unknowns
  • Verify Exhausted budget escalates gate level in PolicyGateEvaluator
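
An added sketch, not code from the StellaOps repository: it models the UnknownRanker score and bands and the Green/Yellow/Red budget check, using the formula, band floors and test-plan numbers listed above. The 0..1 input range, the 80% warning point, the per-environment limits and the fail-closed handling of types with no configured limit are assumptions; the page does not say where Red becomes Exhausted, so the sketch stops at Red.

```python
from dataclasses import dataclass

# Band floors from the page: Hot >= 75, Warm >= 50, Cold >= 25, else Negligible.
BANDS = ((75, "Hot"), (50, "Warm"), (25, "Cold"))
WARN_PERCENT = 80  # ASSUMPTION: Yellow starts at 80% of the limit (8 of 10 in the test plan)
# ASSUMPTION: constructed limits; the page only says production is stricter than development.
LIMITS = {
    "production": {"Reachability": 5, "Identity": 2},
    "development": {"Reachability": 10, "Identity": 8},
}
SEVERITY = {"Green": 0, "Yellow": 1, "Red": 2}

@dataclass(frozen=True)
class Unknown:
    ident: str
    reason: str              # one of the page's reason codes
    uncertainty: float       # ASSUMPTION: normalised to 0..1
    exploit_pressure: float  # ASSUMPTION: normalised to 0..1

def score(u):
    if not (0 <= u.uncertainty <= 1 and 0 <= u.exploit_pressure <= 1):
        raise ValueError(f"{u.ident}: factors must be within 0..1")
    return u.uncertainty * 50 + u.exploit_pressure * 50

def band(s):
    return next((name for floor, name in BANDS if s >= floor), "Negligible")

def rank(unknowns):
    return sorted(unknowns, key=score, reverse=True)

def budget_status(count, limit):
    if count > limit:
        return "Red"  # over budget; the Red/Exhausted boundary is not given on the page
    if count * 100 >= limit * WARN_PERCENT:
        return "Yellow"
    return "Green"

def evaluate(unknowns, environment):
    # Count unknowns per reason code, then take the worst per-type status.
    counts = {}
    for u in unknowns:
        counts[u.reason] = counts.get(u.reason, 0) + 1
    limits = LIMITS[environment]
    # A type with no configured limit gets limit 0, so it fails closed.
    per_type = {r: budget_status(n, limits.get(r, 0)) for r, n in counts.items()}
    return max(per_type.values(), key=SEVERITY.get, default="Green"), per_type

# Constructed sample: five reachability unknowns with rising uncertainty.
SAMPLE = [Unknown(f"pkg-{i}", "Reachability", 0.2 * i, 0.5) for i in range(5)]
```

The same five unknowns evaluate to Yellow under the constructed production limits and Green under development, which is the environment-aware behaviour the test plan asks to verify.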