feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.

tests/acceptance/packs/guardrails/README.md

@@ -0,0 +1,18 @@
+# Acceptance Tests Guardrail Pack (Placeholder)
+
+Placeholder for the signed acceptance pack covering AT1–AT10.
+
+- Deterministic fixtures with fixed seeds and UTC timestamps.
+- DSSE envelopes for pack manifests; offline verification only.
+- Version pins live in `inputs.lock`.
+- Map to AT1–AT10:
+  - AT1 admission controls
+  - AT2 VEX handling
+  - AT3 authz flow
+  - AT4 replay parity
+  - AT5 policy DSSE negative tests
+  - AT6 PITR rehearsal
+  - AT7 offline guardrail pack
+  - AT8 gating thresholds
+  - AT9 reporting SLOs
+  - AT10 schema/signing coverage

tests/acceptance/packs/guardrails/expected/at1.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT1 admission control - stub expected"}

tests/acceptance/packs/guardrails/expected/at10.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT10 schema/signing coverage - stub expected"}

tests/acceptance/packs/guardrails/expected/at2.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT2 VEX handling - stub expected"}

tests/acceptance/packs/guardrails/expected/at3.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT3 authz flow - stub expected"}

tests/acceptance/packs/guardrails/expected/at4.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT4 replay parity - stub expected"}

tests/acceptance/packs/guardrails/expected/at5.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT5 policy DSSE negative - stub expected"}

tests/acceptance/packs/guardrails/expected/at6.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT6 PITR rehearsal - stub expected"}

tests/acceptance/packs/guardrails/expected/at7.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT7 offline guardrail pack - stub expected"}

tests/acceptance/packs/guardrails/expected/at8.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT8 gating thresholds - stub expected"}

tests/acceptance/packs/guardrails/expected/at9.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT9 reporting SLO - stub expected"}

tests/acceptance/packs/guardrails/inputs.lock

@@ -0,0 +1,9 @@
+scanner_version: "stella-scanner 0.9.0-offline"
+db_version: "mongo 6.0.12"
+policy_engine_version: "stella-policy 0.8.4"
+seeds:
+  default: 1337
+  replay: 4242
+feeds_snapshot: "offline-cache-2025-11-30"
+tz: "UTC"
+notes: "Deterministic replay; no network calls"

tests/acceptance/packs/guardrails/pack.dsse.json

@@ -0,0 +1,7 @@
+{
+  "payloadType": "application/json",
+  "payload": "ewogICJwYWNrX2lkIjogImF0LWd1YXJkcmFpbHMiLAogICJ2ZXJzaW9uIjogIjAuMS4wLXN0dWIiLAogICJpbnB1dHNfbG9jayI6ICJ0ZXN0cy9hY2NlcHRhbmNlL3BhY2tzL2d1YXJkcmFpbHMvaW5wdXRzLmxvY2siLAogICJzaWduZXJzIjogWyJzdHViLWtleS1pZCJdLAogICJmaXh0dXJlcyI6IFsKICAgIHsiaWQiOiAiQVQxLWFkbWlzc2lvbiIsICJleHBlY3RlZCI6ICJleHBlY3RlZC9hdDEuanNvbiIsICJhcnRpZmFjdCI6ICJmaXh0dXJlcy9hdDEifSwKICAgIHsiaWQiOiAiQVQyLXZleCIsICJleHBlY3RlZCI6ICJleHBlY3RlZC9hdDIuanNvbiIsICJhcnRpZmFjdCI6ICJmaXh0dXJlcy9hdDIifSwKICAgIHsiaWQiOiAiQVQzLWF1dGh6IiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0My5qc29uIiwgImFydGlmYWN0IjogImZpeHR1cmVzL2F0MyJ9LAogICAgeyJpZCI6ICJBVDQtcmVwbGF5LXBhcml0eSIsICJleHBlY3RlZCI6ICJleHBlY3RlZC9hdDQuanNvbiIsICJhcnRpZmFjdCI6ICJmaXh0dXJlcy9hdDQifSwKICAgIHsiaWQiOiAiQVQ1LXBvbGljeS1kc3NlLW5lZ2F0aXZlIiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0NS5qc29uIiwgImFydGlmYWN0IjogImZpeHR1cmVzL2F0NSJ9LAogICAgeyJpZCI6ICJBVDYtcGl0ci1yZWhlYXJzYWwiLCAiZXhwZWN0ZWQiOiAiZXhwZWN0ZWQvYXQ2Lmpzb24iLCAiYXJ0aWZhY3QiOiAiZml4dHVyZXMvYXQ2In0sCiAgICB7ImlkIjogIkFUNy1vZmZsaW5lLWd1YXJkcmFpbC1wYWNrIiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0Ny5qc29uIiwgImFydGlmYWN0IjogImZpeHR1cmVzL2F0NyJ9LAogICAgeyJpZCI6ICJBVDgtZ2F0aW5nLXRocmVzaG9sZHMiLCAiZXhwZWN0ZWQiOiAiZXhwZWN0ZWQvYXQ4Lmpzb24iLCAiYXJ0aWZhY3QiOiAiZml4dHVyZXMvYXQ4In0sCiAgICB7ImlkIjogIkFUOS1yZXBvcnRpbmctc2xvIiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0OS5qc29uIiwgImFydGlmYWN0IjogImZpeHR1cmVzL2F0OSJ9LAogICAgeyJpZCI6ICJBVDEwLXNjaGVtYS1zaWduaW5nIiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0MTAuanNvbiIsICJhcnRpZmFjdCI6ICJmaXh0dXJlcy9hdDEwIn0KICBdCn0K",
+  "signatures": [
+    {"keyid": "stub-key-id", "sig": ""}
+  ]
+}

tests/acceptance/packs/guardrails/pack.json

@@ -0,0 +1,18 @@
+{
+  "pack_id": "at-guardrails",
+  "version": "0.1.0-stub",
+  "inputs_lock": "tests/acceptance/packs/guardrails/inputs.lock",
+  "signers": ["stub-key-id"],
+  "fixtures": [
+    {"id": "AT1-admission", "expected": "expected/at1.json", "artifact": "fixtures/at1"},
+    {"id": "AT2-vex", "expected": "expected/at2.json", "artifact": "fixtures/at2"},
+    {"id": "AT3-authz", "expected": "expected/at3.json", "artifact": "fixtures/at3"},
+    {"id": "AT4-replay-parity", "expected": "expected/at4.json", "artifact": "fixtures/at4"},
+    {"id": "AT5-policy-dsse-negative", "expected": "expected/at5.json", "artifact": "fixtures/at5"},
+    {"id": "AT6-pitr-rehearsal", "expected": "expected/at6.json", "artifact": "fixtures/at6"},
+    {"id": "AT7-offline-guardrail-pack", "expected": "expected/at7.json", "artifact": "fixtures/at7"},
+    {"id": "AT8-gating-thresholds", "expected": "expected/at8.json", "artifact": "fixtures/at8"},
+    {"id": "AT9-reporting-slo", "expected": "expected/at9.json", "artifact": "fixtures/at9"},
+    {"id": "AT10-schema-signing", "expected": "expected/at10.json", "artifact": "fixtures/at10"}
+  ]
+}

tests/fixtures/sca/catalogue/README.md

@@ -0,0 +1,15 @@
+# SCA Failure Catalogue Fixtures (Placeholder)
+
+This directory hosts deterministic fixtures for the five regressions in
+`docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md`.
+
+Cases (to be populated):
+- FC1 credential leak (Grype)
+- FC2 Trivy offline DB schema mismatch
+- FC3 SBOM parity drift
+- FC4 Grype version divergence
+- FC5 inconsistent detection
+
+- Pinned tool versions and feeds are recorded in `inputs.lock`.
+- Each case will include DSSE-signed manifests and normalized expected outputs.
+- No network access; rely on bundled caches only.

tests/fixtures/sca/catalogue/fc1/expected.json

@@ -0,0 +1,8 @@
+{
+  "id": "fc1-credential-leak",
+  "scanner": "grype",
+  "feed": "offline-cache-2025-11-30",
+  "expected_findings": [
+    {"purl": "pkg:docker/example@1.0.0", "cve": "CVE-2024-9999", "status": "present"}
+  ]
+}

tests/fixtures/sca/catalogue/fc1/manifest.dsse.json

@@ -0,0 +1,7 @@
+{
+  "payloadType": "application/json",
+  "payload": "<base64-encoded expected.json>",
+  "signatures": [
+    {"keyid": "stub-key-id", "sig": ""}
+  ]
+}

tests/fixtures/sca/catalogue/fc2/expected.json

@@ -0,0 +1,8 @@
+{
+  "id": "fc2-trivy-offline-schema",
+  "scanner": "trivy",
+  "feed": "offline-cache-2025-11-30",
+  "expected_errors": [
+    {"code": "SCHEMA_MISMATCH", "message": "offline DB schema mismatch"}
+  ]
+}

tests/fixtures/sca/catalogue/fc2/manifest.dsse.json

@@ -0,0 +1,7 @@
+{
+  "payloadType": "application/json",
+  "payload": "<base64-encoded expected.json>",
+  "signatures": [
+    {"keyid": "stub-key-id", "sig": ""}
+  ]
+}

tests/fixtures/sca/catalogue/fc3/expected.json

@@ -0,0 +1,8 @@
+{
+  "id": "fc3-sbom-parity-drift",
+  "scanner": "syft",
+  "feed": "offline-cache-2025-11-30",
+  "expected_findings": [
+    {"purl": "pkg:docker/example@1.0.0", "issue": "sbom_parity_drift"}
+  ]
+}

tests/fixtures/sca/catalogue/fc3/manifest.dsse.json

@@ -0,0 +1,7 @@
+{
+  "payloadType": "application/json",
+  "payload": "<base64-encoded expected.json>",
+  "signatures": [
+    {"keyid": "stub-key-id", "sig": ""}
+  ]
+}

tests/fixtures/sca/catalogue/fc4/expected.json

@@ -0,0 +1,8 @@
+{
+  "id": "fc4-grype-version-divergence",
+  "scanner": "grype",
+  "feed": "offline-cache-2025-11-30",
+  "expected_warnings": [
+    {"code": "VERSION_DIVERGENCE", "message": "scanner version drift detected"}
+  ]
+}

tests/fixtures/sca/catalogue/fc4/manifest.dsse.json

@@ -0,0 +1,7 @@
+{
+  "payloadType": "application/json",
+  "payload": "<base64-encoded expected.json>",
+  "signatures": [
+    {"keyid": "stub-key-id", "sig": ""}
+  ]
+}

tests/fixtures/sca/catalogue/fc5/expected.json

@@ -0,0 +1,8 @@
+{
+  "id": "fc5-inconsistent-detection",
+  "scanner": "grype",
+  "feed": "offline-cache-2025-11-30",
+  "expected_findings": [
+    {"purl": "pkg:docker/example@1.0.0", "issue": "inconsistent_detection"}
+  ]
+}

tests/fixtures/sca/catalogue/fc5/manifest.dsse.json

@@ -0,0 +1,7 @@
+{
+  "payloadType": "application/json",
+  "payload": "<base64-encoded expected.json>",
+  "signatures": [
+    {"keyid": "stub-key-id", "sig": ""}
+  ]
+}

tests/fixtures/sca/catalogue/inputs.lock

@@ -0,0 +1,11 @@
+scanner_versions:
+  grype: "0.76.1"
+  trivy: "0.49.1"
+  syft: "1.1.0"
+feed_snapshot: "offline-cache-2025-11-30"
+seeds:
+  default: 20251205
+os:
+  distro: "ubuntu-22.04"
+  kernel: "5.15"
+notes: "Offline-only; normalize outputs before comparison"

tests/plugins/README.md

@@ -0,0 +1,8 @@
+# Plugin Determinism Harness (Stub)
+
+Tracks PL1–PL10 gaps from `31-Nov-2025 FINDINGS.md`.
+
+- TODO: Capability catalog fixture with DSSE signatures.
+- TODO: Resource limit tests (CPU/mem/time) with deterministic seeds.
+- TODO: Offline plugin index verification and revocation path.
+- TODO: Crash kill-switch simulation fixtures.

tests/plugins/plugin-index.json

@@ -0,0 +1,12 @@
+{
+  "version": "0.1.0-stub",
+  "plugins": [
+    {
+      "id": "example-plugin",
+      "capabilities": ["scan", "report"],
+      "dsse_manifest": "manifests/example-plugin.dsse",
+      "resource_limits": {"cpu": "500m", "memory": "256Mi"},
+      "revocation": {"cve_list": ["CVE-2025-0001"], "status": "active"}
+    }
+  ]
+}