feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs. - Added unit tests for component behavior, including API success and error handling. - Introduced monaco-workers type declarations for editor workers. - Created acceptance tests for guardrails with stubs for AT1–AT10. - Established SCA Failure Catalogue Fixtures for regression testing. - Developed plugin determinism harness with stubs for PL1–PL10. - Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00
parent 347c88342c
commit 18d87c64c5
220 changed files with 7700 additions and 518 deletions
--- a/docs/risk/profiles.md
+++ b/docs/risk/profiles.md
@@ -0,0 +1,52 @@
+# Risk Profiles (draft outline)
+
+> Draft scaffold pending PLLG0104 risk profile schema approval. Do not publish externally until schemas and sample payloads arrive. Mirrors existing `docs/risk/risk-profiles.md`; this file will supersede it once populated.
+
+## Purpose
+- Define how profiles group factors, weights, thresholds, and severity bands.
+- Describe authoring, simulation, promotion, rollback, and provenance for profiles.
+
+## Scope & Audience
+- Audience: policy authors, risk engineers, platform SREs.
+- Coverage: profile schema, lifecycle, governance, promotion paths, rollback, and observability hooks.
+
+## Schema (placeholder)
+- Profile schema reference: `<pending PLLG0104>`
+- Required fields: id, versioning, factors list, weights, thresholds, severity mapping, metadata, provenance.
+- Optional fields: tenant overrides, imposed rules, time-to-live.
+
+## Lifecycle (outline)
+1. Authoring in Policy Studio (draft state)
+2. Simulation against fixtures (deterministic inputs)
+3. Review/approval workflow
+4. Promotion to environments (dev → staging → prod)
+5. Rollback hooks and audit trail
+
+## Governance & Determinism
+- Profiles stored with DSSE/signatures; record SHA256 for fixtures.
+- Same evaluation codepath for simulation and production; note required feature flags.
+- Offline posture: include profiles and fixtures inside mirror bundles.
+
+## Explainability & Observability
+- Per-factor contribution outputs (JSON) with stable ordering.
+- Metrics to log: evaluation latency, cache hit ratio, factor coverage.
+- Dashboards/alerts to enumerate once telemetry payloads are supplied.
+
+## Open Items
+- PLLG0104 schema approval and sample JSON payloads
+- Feature-flag list for registry alignment
+- Telemetry field list for dashboards/alerts
+
+## References
+- `docs/risk/overview.md`
+- `docs/risk/factors.md`
+- `docs/risk/formulas.md`
+- `docs/risk/explainability.md`
+- `docs/risk/api.md`
+- Existing context: `docs/risk/risk-profiles.md` (to reconcile once schema lands)
+
+## Interim Notes (carried from legacy `docs/risk/risk-profiles.md`)
+- Profiles define how evidence (CVSS/EPSS-like exploit likelihood, KEV flags, VEX status, reachability, runtime evidence, fix availability, asset criticality, provenance trust) normalizes into a 0–100 score with severity buckets.
+- Workflow highlights: author in Policy Studio → simulate with fixtures → activate in Policy Engine → explain outputs in CLI/Console → export for auditors via Export Center.
+- Governance: draft/review/approval with DSSE/signatures; rollback hooks and promotion gates enforced by Authority scopes; determinism required (same codepath for simulation and production).
+- Observability: record scoring latency, factor distribution, and profile usage; offline posture via mirror bundles with fixtures and hash manifests.