feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs. - Added unit tests for component behavior, including API success and error handling. - Introduced monaco-workers type declarations for editor workers. - Created acceptance tests for guardrails with stubs for AT1–AT10. - Established SCA Failure Catalogue Fixtures for regression testing. - Developed plugin determinism harness with stubs for PL1–PL10. - Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00
parent 347c88342c
commit 18d87c64c5
220 changed files with 7700 additions and 518 deletions
--- a/docs/security/aoc-invariants.md
+++ b/docs/security/aoc-invariants.md
@@ -18,6 +18,9 @@ Last updated: 2025-11-25 (DOCS-ATTEST-75-002)

 ## Guardrails for implementers
 - Never permit unsigned or partially signed payloads to proceed past parsing.
+
+## Pending Update
+- Add risk scoring provenance guarantees (DOCS-RISK-68-002) once Export/Risk inputs land; due 2025-12-11 per sprint action tracker. Include deterministic hash list for any new examples or schemas.
 - Reject any outbound HTTP/S fetch during verification when `Attestor__Offline__Enabled=true`.
 - Keep secret material out of logs; log statement digests and key ids only.
 - Round numeric scores/weights only at the presentation boundary; internal math stays high-precision.
--- a/docs/security/auth-scopes.md
+++ b/docs/security/auth-scopes.md
@@ -0,0 +1,11 @@
+# Auth Scopes
+
+- Pending OAuth2/PAT scope matrix + tenancy header rules.
+
+## Pending Inputs
+- Scope matrix + tenancy header rules expected from Security Guild · Authority Core (due 2025-12-11 per sprint action tracker).
+
+## Determinism Checklist
+- [ ] Hash any inbound tables/examples and note source/approver.
+- [ ] Keep examples offline-friendly and deterministic (fixed seeds, pinned versions, stable ordering).
+- [ ] Record version/date of source specs when added.
--- a/docs/security/redaction-and-privacy.md
+++ b/docs/security/redaction-and-privacy.md
@@ -0,0 +1,11 @@
+# Redaction and Privacy
+
+- Pending telemetry privacy controls + opt-in debug flow.
+
+## Pending Inputs
+- Telemetry privacy controls + opt-in debug flow from Security Guild (due 2025-12-11 per sprint action tracker).
+
+## Determinism Checklist
+- [ ] Hash any sample configs/payloads and track source/approver.
+- [ ] Keep guidance offline-friendly; avoid live endpoints in examples.
+- [ ] Use deterministic ordering and pinned versions in any sample policies or logs.
--- a/docs/security/vuln-rbac.md
+++ b/docs/security/vuln-rbac.md
@@ -0,0 +1,16 @@
+# Vuln Explorer RBAC & ABAC (Md.XI draft)
+
+> Status: DRAFT — pending security review and GRAP0101. Do not publish until roles/claims verified.
+
+## Scope
+- Roles/scopes, ABAC policies, attachment encryption/CSRF considerations for Vuln Explorer.
+
+## Dependencies
+- Security review; GRAP0101 identifiers; attachment token wording from Authority.
+
+## Outline
+- Scopes: vuln:view/investigate/operate/audit (+ legacy read).
+- ABAC filters: vuln_env, vuln_owner, vuln_business_tier; enforcement in tokens/permalinks.
+- Attachment tokens: issuance/verify; encryption notes; CSRF protections.
+
+_Last updated: 2025-12-05 (UTC)_