feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs. - Added unit tests for component behavior, including API success and error handling. - Introduced monaco-workers type declarations for editor workers. - Created acceptance tests for guardrails with stubs for AT1–AT10. - Established SCA Failure Catalogue Fixtures for regression testing. - Developed plugin determinism harness with stubs for PL1–PL10. - Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00
parent 347c88342c
commit 18d87c64c5
220 changed files with 7700 additions and 518 deletions
--- a/scripts/packs/fixtures/bad/bundle-missing-quota.json
+++ b/scripts/packs/fixtures/bad/bundle-missing-quota.json
@@ -0,0 +1,49 @@
+{
+  "schemaVersion": "stellaops.pack.offline-bundle.v1",
+  "pack": {
+    "name": "demo-pack",
+    "version": "1.0.0",
+    "bundle": "packs/demo-pack.tgz",
+    "digest": "sha256:c0ffee0000000000000000000000000000000000000000000000000000000000",
+    "registry": "registry.local/demo/demo-pack:1.0.0",
+    "sbom": "sbom.json"
+  },
+  "plan": {
+    "hashAlgorithm": "sha256",
+    "hash": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
+    "canonicalPlanPath": "canonical-plan.json",
+    "inputsLock": "inputs.lock",
+    "rngSeed": "seed-1111",
+    "timestampSource": "utc-iso8601"
+  },
+  "evidence": {
+    "attestation": "attestation.dsse",
+    "approvalsLedger": "approvals-ledger.dsse"
+  },
+  "security": {
+    "sandbox": {
+      "mode": "sealed",
+      "egressAllowlist": [],
+      "cpuLimitMillicores": 250,
+      "memoryLimitMiB": 256
+    },
+    "revocations": "revocations.json",
+    "signatures": {
+      "bundleDsse": "bundle.dsse",
+      "attestationDsse": "attestation.dsse.sig",
+      "registryCertChain": "certs.pem"
+    },
+    "secretsRedactionPolicy": "redaction-policy.json"
+  },
+  "hashes": [],
+  "slo": {
+    "runP95Seconds": 300,
+    "approvalP95Seconds": 900,
+    "maxQueueDepth": 1000,
+    "alertRules": "alerts.yaml"
+  },
+  "tenant": "demo-tenant",
+  "environment": "dev",
+  "created": "2025-12-05T00:00:00Z",
+  "verifyScriptVersion": "local-fixture"
+}
--- a/scripts/packs/fixtures/good/approvals-ledger.dsse
+++ b/scripts/packs/fixtures/good/approvals-ledger.dsse
@@ -0,0 +1,13 @@
+{
+  "schemaVersion": "stellaops.pack.approval-ledger.v1",
+  "runId": "run-1",
+  "gateId": "security-review",
+  "planHash": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356",
+  "decision": "approved",
+  "decidedAt": "2025-12-05T00:00:00Z",
+  "tenantId": "demo-tenant",
+  "approver": {
+    "id": "approver@example.com",
+    "summary": "LGTM"
+  }
+}
--- a/scripts/packs/fixtures/good/attestation.dsse
+++ b/scripts/packs/fixtures/good/attestation.dsse
@@ -0,0 +1 @@
+{}
--- a/scripts/packs/fixtures/good/attestation.dsse.sig
+++ b/scripts/packs/fixtures/good/attestation.dsse.sig
@@ -0,0 +1 @@
+{}
--- a/scripts/packs/fixtures/good/bundle.dsse
+++ b/scripts/packs/fixtures/good/bundle.dsse
@@ -0,0 +1 @@
+{}
--- a/scripts/packs/fixtures/good/bundle.json
+++ b/scripts/packs/fixtures/good/bundle.json
@@ -0,0 +1,104 @@
+{
+  "schemaVersion": "stellaops.pack.offline-bundle.v1",
+  "pack": {
+    "name": "demo-pack",
+    "version": "1.0.0",
+    "bundle": "packs/demo-pack.tgz",
+    "digest": "sha256:c0ffee0000000000000000000000000000000000000000000000000000000000",
+    "registry": "registry.local/demo/demo-pack:1.0.0",
+    "sbom": "sbom.json"
+  },
+  "plan": {
+    "hashAlgorithm": "sha256",
+    "hash": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356",
+    "canonicalPlanPath": "canonical-plan.json",
+    "inputsLock": "inputs.lock",
+    "rngSeed": "seed-1111",
+    "timestampSource": "utc-iso8601"
+  },
+  "evidence": {
+    "attestation": "attestation.dsse",
+    "approvalsLedger": "approvals-ledger.dsse",
+    "timeline": "timeline.ndjson"
+  },
+  "security": {
+    "sandbox": {
+      "mode": "sealed",
+      "egressAllowlist": [],
+      "cpuLimitMillicores": 250,
+      "memoryLimitMiB": 256,
+      "quotaSeconds": 120
+    },
+    "revocations": "revocations.json",
+    "signatures": {
+      "bundleDsse": "bundle.dsse",
+      "attestationDsse": "attestation.dsse.sig",
+      "registryCertChain": "certs.pem"
+    },
+    "secretsRedactionPolicy": "redaction-policy.json"
+  },
+  "hashes": [
+    {
+      "path": "canonical-plan.json",
+      "algorithm": "sha256",
+      "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+    },
+    {
+      "path": "inputs.lock",
+      "algorithm": "sha256",
+      "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+    },
+    {
+      "path": "sbom.json",
+      "algorithm": "sha256",
+      "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+    },
+    {
+      "path": "attestation.dsse",
+      "algorithm": "sha256",
+      "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+    },
+    {
+      "path": "approvals-ledger.dsse",
+      "algorithm": "sha256",
+      "digest": "sha256:2018f79642928cedd3b3716637b075d4d8374cc8997f58e00dd4fbf5addcea56"
+    },
+    {
+      "path": "revocations.json",
+      "algorithm": "sha256",
+      "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+    },
+    {
+      "path": "bundle.dsse",
+      "algorithm": "sha256",
+      "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+    },
+    {
+      "path": "attestation.dsse.sig",
+      "algorithm": "sha256",
+      "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+    },
+    {
+      "path": "redaction-policy.json",
+      "algorithm": "sha256",
+      "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+    },
+    {
+      "path": "packs/demo-pack.tgz",
+      "algorithm": "sha256",
+      "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+    }
+  ],
+  "slo": {
+    "runP95Seconds": 300,
+    "approvalP95Seconds": 900,
+    "maxQueueDepth": 1000,
+    "alertRules": "alerts.yaml"
+  },
+  "tenant": "demo-tenant",
+  "environment": "dev",
+  "created": "2025-12-05T00:00:00Z",
+  "expires": "2026-01-05T00:00:00Z",
+  "verifyScriptVersion": "local-fixture",
+  "hash": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356"
+}
--- a/scripts/packs/fixtures/good/canonical-plan.json
+++ b/scripts/packs/fixtures/good/canonical-plan.json
@@ -0,0 +1 @@
+{}
--- a/scripts/packs/fixtures/good/files.txt
+++ b/scripts/packs/fixtures/good/files.txt
@@ -0,0 +1,10 @@
+canonical-plan.json
+inputs.lock
+sbom.json
+attestation.dsse
+approvals-ledger.dsse
+revocations.json
+bundle.dsse
+attestation.dsse.sig
+redaction-policy.json
+packs/demo-pack.tgz
--- a/scripts/packs/fixtures/good/inputs.lock
+++ b/scripts/packs/fixtures/good/inputs.lock
@@ -0,0 +1 @@
+{}
--- a/scripts/packs/fixtures/good/packs/demo-pack.tgz
+++ b/scripts/packs/fixtures/good/packs/demo-pack.tgz
@@ -0,0 +1 @@
+{}
--- a/scripts/packs/fixtures/good/redaction-policy.json
+++ b/scripts/packs/fixtures/good/redaction-policy.json
@@ -0,0 +1 @@
+{}
--- a/scripts/packs/fixtures/good/revocations.json
+++ b/scripts/packs/fixtures/good/revocations.json
@@ -0,0 +1 @@
+{}
--- a/scripts/packs/fixtures/good/sbom.json
+++ b/scripts/packs/fixtures/good/sbom.json
@@ -0,0 +1 @@
+{}