# Unknowns Decay and Triage Queue

## Module
Policy

## Status
IMPLEMENTED

## Description
Unknowns ranking and API endpoints exist. BlastRadius model present with database migration. The full time-based decay algorithm and containment signals ranking were identified as gaps in the archive manifest.

## What's Implemented
- **DecayedConfidenceCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs`
  - Exponential decay formula: `max(floor, baseConfidence * exp(-ln(2) * ageDays / halfLifeDays))`
  - Configurable half-life (default 14 days) and floor
  - OpenTelemetry histogram: `stellaops_determinization_decay_multiplier`
- **ObservationDecay**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs`
  - Per-observation decay state: BaseConfidence, ObservedAt, HalfLifeDays=14, Floor=0.35, StalenessThreshold=0.50
  - `CalculateDecay(now)`: computes current decayed confidence
  - `CheckIsStale(now)`: returns true when decayed confidence falls below staleness threshold
  - Factory methods: `Create()`, `Fresh()`, `WithSettings()`
- **UnknownRanker** (from unchecked features): two-factor scoring `Uncertainty*50 + ExploitPressure*50`
  - Containment reduction capped at 40%
  - Band assignment: Hot>=75, Warm>=50, Cold>=25, Ice<25
- **UncertaintyScoreCalculator**: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs`
  - Entropy-based uncertainty from 6 signal dimensions
  - Signal gap tracking (which signals are missing)
- **Risk budget API endpoints** (from unchecked features): budget tracking, ledger, Green/Yellow/Red/Exhausted thresholds
- **Unknown budget policy enforcement** (from unchecked features): UncertaintyTierGate (gate 4 in pipeline)

## What's Missing
- **Time-based decay triage queue**: No service that automatically re-queues unknowns for triage when their confidence decays below the staleness threshold
- **Triage queue UI**: No frontend triage interface showing unknowns sorted by decay urgency
- **Automated re-analysis triggering**: ObservationDecay tracks staleness but no event-driven mechanism triggers re-analysis when an unknown becomes stale
- **Containment signal integration**: The advisory describes containment signals (WAF rules, network segmentation, runtime controls) reducing unknown scores -- this is partially in UnknownRanker but not connected to real containment data sources
- **Decay notification**: No notification system alerting when high-priority unknowns decay below acceptable confidence
- **Historical decay tracking**: DecayedConfidenceCalculator computes point-in-time decay but no ledger tracks confidence decay history over time

## Implementation Plan
- Create `UnknownTriageQueueService` that periodically evaluates ObservationDecay.CheckIsStale() and queues stale unknowns for re-analysis
- Add event-driven triggers (e.g., background job or message queue) when confidence drops below threshold
- Build triage queue frontend component showing unknowns sorted by urgency (band + decay rate)
- Integrate containment signal sources (WAF, network, runtime) as inputs to UnknownRanker
- Add decay history ledger for audit trail

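An added example, not the project's own code: a C# sketch of the stale-unknown selection the plan describes, using the decay formula, the ObservationDecay defaults (half-life 14 days, floor 0.35, staleness threshold 0.50), the two-factor score and the bands listed on this page. The `Unknown` record, the `Decay` class, the sample data, the negative-age clamp and the queue ordering are assumptions made for illustration; containment reduction is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample data: ids, confidences, scores and dates are made up for this sketch.
var now = new DateTimeOffset(2025, 1, 31, 0, 0, 0, TimeSpan.Zero);
var unknowns = new List<Unknown>
{
    new("unk-a", BaseConfidence: 0.90, ObservedAt: now.AddDays(-3),  Uncertainty: 0.9, ExploitPressure: 0.8),
    new("unk-b", BaseConfidence: 0.80, ObservedAt: now.AddDays(-10), Uncertainty: 0.7, ExploitPressure: 0.9),
    new("unk-c", BaseConfidence: 0.60, ObservedAt: now.AddDays(-30), Uncertainty: 0.4, ExploitPressure: 0.3),
    new("unk-d", BaseConfidence: 1.00, ObservedAt: now.AddDays(-20), Uncertainty: 0.6, ExploitPressure: 0.5),
};

// Queue only stale unknowns: highest score first, then lowest remaining confidence.
// (Hypothetical ordering; the page only says "band + decay rate".)
var queue = unknowns
    .Where(u => Decay.IsStale(u, now))
    .OrderByDescending(u => u.Score)
    .ThenBy(u => Decay.Confidence(u, now));

foreach (var u in queue)
    Console.WriteLine($"{u.Id} band={u.Band} score={u.Score:F0} confidence={Decay.Confidence(u, now):F3}");

record Unknown(string Id, double BaseConfidence, DateTimeOffset ObservedAt,
               double Uncertainty, double ExploitPressure)
{
    // Two-factor score and band cut-offs as listed on this page.
    public double Score => Uncertainty * 50 + ExploitPressure * 50;
    public string Band => Score >= 75 ? "Hot" : Score >= 50 ? "Warm" : Score >= 25 ? "Cold" : "Ice";
}

static class Decay
{
    public const double HalfLifeDays = 14, Floor = 0.35, StalenessThreshold = 0.50;

    public static double Confidence(Unknown u, DateTimeOffset now)
    {
        // Assumption of this sketch: clamp negative ages (clock skew, future timestamps)
        // so decayed confidence can never exceed the base value.
        double ageDays = Math.Max(0, (now - u.ObservedAt).TotalDays);
        return Math.Max(Floor, u.BaseConfidence * Math.Exp(-Math.Log(2) * ageDays / HalfLifeDays));
    }

    // If Floor were >= StalenessThreshold this could never be true and nothing would be re-queued.
    public static bool IsStale(Unknown u, DateTimeOffset now) => Confidence(u, now) < StalenessThreshold;
}
```

Because the floor (0.35) sits below the staleness threshold (0.50), every observation eventually becomes stale; a configuration that raises the floor to or above the threshold would silently disable re-queuing.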
## Related Documentation
- Decay calculator: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs`
- Observation decay model: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs`
- Unknowns ranking (unchecked): `docs/features/unchecked/policy/unknowns-ranking-algorithm.md`