feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.

docs/policy/SHA256SUMS

@@ -0,0 +1 @@
+# Placeholder hashes; replace with real asset sums when inputs arrive

docs/policy/signals-weighting.md

@@ -0,0 +1,15 @@
+# Signals Weighting (outline)
+
+## Pending Inputs
+- See sprint SPRINT_0309_0001_0009_docs_tasks_md_ix action tracker; inputs due 2025-12-09..12 from owning guilds.
+
+## Determinism Checklist
+- [ ] Hash any inbound assets/payloads; place sums alongside artifacts (e.g., SHA256SUMS in this folder).
+- [ ] Keep examples offline-friendly and deterministic (fixed seeds, pinned versions, stable ordering).
+- [ ] Note source/approver for any provided captures or schemas.
+
+## Sections to fill (once inputs arrive)
+- SPL predicate patterns and weighting strategy.
+- Default weights and configurable knobs.
+- Examples (policy snippets/recipes) with deterministic ordering.
+- Hashes for any example bundles or fixtures.

docs/policy/vuln-determinations.md

@@ -0,0 +1,42 @@
+# Vulnerability Determinations (Md.XI draft)
+
+> Status: DRAFT (awaiting GRAP0101 + findings ledger doc + DevOps rollout); keep TODO until signals/simulation semantics confirmed.
+
+## Scope
+- Capture rationale and signals used to determine vulnerability states in Vuln Explorer (policy overlay, VEX, reachability, DevOps signals).
+- Document simulation semantics and precedence/weighting; align with Policy Engine gateways.
+
+## Inputs & Dependencies
+| Input | Status | Notes |
+| --- | --- | --- |
+| Findings Ledger doc (DOCS-VULN-29-005) | in progress | Must align on field names/hashes. |
+| DevOps rollout plan (telemetry + signals) | pending | Needed for final weighting and thresholds. |
+| GRAP0101 contract | pending | Confirms identifiers used in policies. |
+
+## Signals (draft list)
+- Advisory severity + KEV flag.
+- Reachability: call graph + runtime facts (from Signals module) — weighting TBD.
+- VEX status: CSAF-mapped decisions (NOT_AFFECTED, AFFECTED_*).
+- SBOM component context: version range, path, scope (prod/dev/test).
+- Observability: error/traffic indicators (if enabled) — DevOps to confirm.
+
+## Simulation Semantics (draft)
+- Deterministic evaluation order: VEX > Reachability > Policy gates > Overrides.
+- Precedence to `NOT_AFFECTED` when confidence ≥ threshold (TBD) unless explicit policy override.
+- Shadow/simulation runs mirror production gates but do not emit notifications; results stored with flag `simulation=true` and excluded from audit unless promoted.
+
+## Policy Outputs
+- Status mapping: {`blocked`, `warn`, `pass`} with rationale bundle references.
+- Required fields in outputs: `findingId`, `policyVersion`, `signalsUsed`, `weighting`, `explainBundleRef`, `timestamp` (UTC, ISO-8601).
+- Determinism: stable sorting by `findingId` then `policyVersion`; hashes recorded when examples added.
+
+## Offline/Determinism Notes
+- All sample policy outputs must be hashed in `docs/assets/vuln-explorer/SHA256SUMS`.
+- Use fixed fixture inputs; avoid live metrics; keep ordering stable.
+
+## Open Items
+- Finalize signal weights and thresholds after DevOps rollout plan.
+- Insert concrete examples once Findings Ledger and GRAP0101 finalize fields.
+- Add simulation vs. production side-by-side examples with hashes.
+
+_Last updated: 2025-12-05 (UTC)_