warnings fixes, tests fixes, sprints completions

policies/secret-detection.policy.yaml

@@ -0,0 +1,87 @@
+# Secret Leak Detection Policy Pack
+# Sprint: SPRINT_20260104_004_POLICY - Task PSD-010
+#
+# This policy pack enforces security gates based on secret leak detection findings.
+# Uses signals from SecretSignalBinder for policy evaluation.
+#
+# Available signals:
+#   secret.has_finding       - true if any secret finding exists
+#   secret.count             - total number of findings
+#   secret.severity.critical - true if any critical finding exists
+#   secret.severity.high     - true if any high severity finding exists
+#   secret.severity.medium   - true if any medium severity finding exists
+#   secret.severity.low      - true if any low severity finding exists
+#   secret.confidence.high   - true if any high confidence finding exists
+#   secret.confidence.medium - true if any medium confidence finding exists
+#   secret.confidence.low    - true if any low confidence finding exists
+#   secret.mask.applied      - true if masking was applied to all findings
+#   secret.bundle.version    - the active bundle version string
+#   secret.bundle.id         - the active bundle ID
+
+name: secret-detection-gates
+version: 1.0.0
+description: |
+  Security gates for secret leak detection. 
+  Blocks deployments when critical or high-severity secrets are detected.
+
+rules:
+  # Block on any critical severity secret (private keys, service account keys, etc.)
+  - id: block-critical-secrets
+    description: Block deployment when critical secrets are detected
+    severity: critical
+    when:
+      signal: secret.severity.critical
+      equals: true
+    deny_message: |
+      CRITICAL: Secrets with critical severity detected.
+      Review findings and rotate any exposed credentials before proceeding.
+      Common causes: Private keys, GCP service account keys, Stripe secret keys.
+
+  # Block on high severity secrets with high confidence (real credentials)
+  - id: block-high-confidence-secrets
+    description: Block deployment when high-confidence high-severity secrets are detected
+    severity: high
+    when:
+      all:
+        - signal: secret.severity.high
+          equals: true
+        - signal: secret.confidence.high
+          equals: true
+    deny_message: |
+      HIGH: High-confidence secrets detected with high severity.
+      These are likely real credentials. Review and remediate before deployment.
+
+  # Warn on medium severity secrets (potential API keys, passwords)
+  - id: warn-medium-secrets
+    description: Warn when medium-severity secrets are detected
+    severity: medium
+    when:
+      signal: secret.severity.medium
+      equals: true
+    warn_message: |
+      WARNING: Medium-severity secrets detected.
+      Review findings to confirm they are not false positives.
+      Consider adding legitimate patterns to the exception list.
+
+  # Warn when any secrets are found (informational)
+  - id: info-any-secrets
+    description: Log when any secrets are detected
+    severity: low
+    when:
+      signal: secret.has_finding
+      equals: true
+    info_message: |
+      Secret detection found {{secret.count}} potential secret(s).
+      Review the findings in the scan results.
+
+  # Ensure masking is applied before allowing export
+  - id: require-masking
+    description: Block export if masking was not applied
+    severity: high
+    context: export
+    when:
+      signal: secret.mask.applied
+      equals: false
+    deny_message: |
+      BLOCKED: Secrets must be masked before export.
+      Ensure revelation policy is not set to FullReveal for exports.