feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.

docs/risk/samples/INGEST_CHECKLIST.md

@@ -0,0 +1,8 @@
+# Risk Samples Ingest Checklist (use when payloads arrive)
+
+1) Drop payloads into the correct folder (`profiles/`, `factors/`, `explain/`, `api/`).
+2) Normalize JSON deterministically (e.g., `jq -S .`) before hashing; keep UTC timestamps.
+3) Run `sha256sum * > SHA256SUMS` in the target folder; keep file sorted.
+4) Verify hashes: `sha256sum -c SHA256SUMS`.
+5) Add a short README snippet in the sprint Execution Log noting files added and hashes updated.
+6) Keep fixtures offline-only; no external calls or redactions after hashing.

docs/risk/samples/README.md

@@ -0,0 +1,26 @@
+# Risk Samples (fixtures layout)
+
+Use this folder for frozen, deterministic fixtures once schemas and payloads arrive.
+
+Structure (proposed):
+- `profiles/` — profile JSON (DSSE-wrapped where applicable) + `SHA256SUMS`
+- `factors/` — factor input payloads grouped by source (epss/, kev/, reachability/, runtime/), each with `SHA256SUMS`
+- `explain/` — explainability outputs paired with inputs; include `SHA256SUMS`
+- `api/` — request/response examples for risk endpoints; include `SHA256SUMS`
+
+Rules:
+- UTC timestamps; stable ordering of arrays/objects.
+- No live calls; fixtures only.
+- Record hashes via `sha256sum` and keep manifests alongside samples.
+
+Quick receipt checklist (see `INGEST_CHECKLIST.md` for detail):
+1) Normalize JSON with `jq -S .`
+2) Update `SHA256SUMS` in the target folder
+3) Verify with `sha256sum -c`
+4) Log files + hashes in the sprint Execution Log
+
+Manifests created:
+- `profiles/SHA256SUMS`
+- `factors/SHA256SUMS`
+- `explain/SHA256SUMS`
+- `api/SHA256SUMS`

docs/risk/samples/api/README.md

@@ -0,0 +1,3 @@
+Use the root `INGEST_CHECKLIST.md`.
+Place request/response examples here; normalize with `jq -S .`, update `SHA256SUMS`, verify with `sha256sum -c`.
+Include required headers; redact secrets; UTC timestamps only.

docs/risk/samples/explain/README.md

@@ -0,0 +1,3 @@
+Use the root `INGEST_CHECKLIST.md`.
+Store explainability outputs paired with their inputs; normalize with `jq -S .`, update `SHA256SUMS`, verify with `sha256sum -c`.
+Maintain ordering and UTC timestamps; no live data.

docs/risk/samples/factors/README.md

@@ -0,0 +1,3 @@
+Use the root `INGEST_CHECKLIST.md`.
+Drop factor payloads by source (epss/, kev/, reachability/, runtime/), normalize with `jq -S .`, update `SHA256SUMS`, verify with `sha256sum -c`.
+Keep UTC timestamps and no live data.

docs/risk/samples/intake-log-template.md

@@ -0,0 +1,8 @@
+| Date (UTC) | Folder | Files added | SHA256SUMS updated | Notes |
+| --- | --- | --- | --- | --- |
+| 2025-__-__ | profiles/ |  | yes/no | source + checklist step refs |
+| 2025-__-__ | factors/ |  | yes/no | source + checklist step refs |
+| 2025-__-__ | explain/ |  | yes/no | source + checklist step refs |
+| 2025-__-__ | api/ |  | yes/no | source + checklist step refs |
+
+Instructions: copy a row per drop, fill actual date, list filenames, mark whether `SHA256SUMS` was updated, and note evidence source. Keep this file sorted by date for determinism.

docs/risk/samples/profiles/README.md

@@ -0,0 +1,3 @@
+Use the root `INGEST_CHECKLIST.md`.
+Place profile JSON/DSSE here, normalize with `jq -S .`, update `SHA256SUMS`, and verify with `sha256sum -c`.
+UTC timestamps only; no live data.