git.stella-ops.org/docs/features/checked/policy/blast-radius-fleet-view.md
2026-02-13 02:04:55 +02:00


# Blast radius / fleet view

| Module | Status   |
|--------|----------|
| Policy | VERIFIED |

## Description

The blast radius containment schema and the unknown ranker service assess the impact of an unknown across environments and services.

## Implementation Details

- BlastRadius Model: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/BlastRadius.cs` -- `BlastRadius` (sealed record)
  - `Dependents` (int) -- number of packages that directly or transitively depend on this package; 0 indicates isolation
  - `NetFacing` (bool) -- whether the package is reachable from network-facing entrypoints
  - `Privilege` (string?) -- privilege level: root, user, none
- ContainmentSignals Model: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/ContainmentSignals.cs` -- runtime containment posture
  - Seccomp enforcement status, filesystem mode (ro/rw), network policy (isolated/connected)
- UnknownRanker Integration: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs` -- blast radius is integrated into the `ComputeContainmentReduction` method
  - Isolated package (`Dependents=0`): 15% risk reduction
  - Not network-facing: 5% risk reduction
  - Non-root privilege (user/none): 5% risk reduction
  - Seccomp enforced: 10% reduction; read-only filesystem: 10% reduction; network isolated: 5% reduction
  - Maximum containment reduction capped at 40%
  - Applied after time-based decay: `finalScore = decayedScore * (1 - containmentReduction)`
- UnknownRankerOptions: configurable reductions via `IsolatedReduction`, `NotNetFacingReduction`, `NonRootReduction`, `SeccompEnforcedReduction`, `FsReadOnlyReduction`, `NetworkIsolatedReduction`, `MaxContainmentReduction`
- Unknown Model: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Models/Unknown.cs` -- unknown entity with blast radius reference
- Unknowns Budget Enforcer: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/UnknownsBudgetEnforcer.cs` -- enforces blast-radius-aware budget thresholds
- Unknowns Endpoints: `src/Policy/StellaOps.Policy.Engine/Endpoints/UnknownsEndpoints.cs` -- REST API for querying unknowns with blast radius data

## E2E Test Plan

- Rank an unknown with `Dependents=0`, `NetFacing=false`, `Privilege="none"` and verify the containment reduction is 25% (15+5+5)
- Rank an unknown with `Dependents=50`, `NetFacing=true`, `Privilege="root"` and verify the containment reduction is 0%
- Rank an unknown with full containment signals (seccomp=enforced, fs=ro, network=isolated) and blast radius isolation; verify the reduction is capped at the 40% maximum
- Query the unknowns API and verify each unknown includes blast radius data (`dependents`, `netFacing`, `privilege`)
- Verify a high-score unknown (HOT band) drops to the WARM band when isolated-package containment is applied
- Verify containment reduction is disabled when `EnableContainmentReduction=false` in options
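The reduction rules from the Implementation Details and the expected values in the test plan above, as a stand-alone Python model added here for illustration; it is not the project's C# `UnknownRanker`, and the class and option names are hypothetical ports of the documented ones. Reductions are kept in whole percentage points so the documented sums (25%, 40% cap) come out exact.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class BlastRadius:
    dependents: int           # packages depending on this one; 0 means isolated
    net_facing: bool          # reachable from a network-facing entrypoint
    privilege: Optional[str]  # "root", "user", "none" or unknown (None)

@dataclass(frozen=True)
class ContainmentSignals:
    seccomp_enforced: bool = False
    fs_read_only: bool = False      # filesystem mode ro/rw
    network_isolated: bool = False  # network policy isolated/connected

@dataclass(frozen=True)
class RankerOptions:
    # Documented defaults, in percentage points (hypothetical port of UnknownRankerOptions)
    enable_containment_reduction: bool = True
    isolated_reduction: int = 15
    not_net_facing_reduction: int = 5
    non_root_reduction: int = 5
    seccomp_enforced_reduction: int = 10
    fs_read_only_reduction: int = 10
    network_isolated_reduction: int = 5
    max_containment_reduction: int = 40

def compute_containment_reduction(blast, signals=None, opts=RankerOptions()):
    # Returns the reduction as a fraction, capped at the configured maximum
    if not opts.enable_containment_reduction:
        return 0.0
    points = 0
    if blast.dependents == 0:
        points += opts.isolated_reduction
    if not blast.net_facing:
        points += opts.not_net_facing_reduction
    if blast.privilege in ("user", "none"):   # root or unknown privilege earns nothing
        points += opts.non_root_reduction
    if signals is not None:
        if signals.seccomp_enforced:
            points += opts.seccomp_enforced_reduction
        if signals.fs_read_only:
            points += opts.fs_read_only_reduction
        if signals.network_isolated:
            points += opts.network_isolated_reduction
    return min(points, opts.max_containment_reduction) / 100

def final_score(decayed_score, blast, signals=None, opts=RankerOptions()):
    # Containment is applied after time-based decay: decayed * (1 - reduction)
    return decayed_score * (1 - compute_containment_reduction(blast, signals, opts))
```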

## Verification

- Run ID: run-002
- Date: 2026-02-12
- Result: PASS - 708/708 tests pass. 9 targeted test methods in `UnknownRankerTests` verify blast radius fleet view behaviors, including containment reduction percentages, the 40% cap, band assignment, and the disable option.