feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.

tests/acceptance/packs/guardrails/README.md

@@ -0,0 +1,18 @@
+# Acceptance Tests Guardrail Pack (Placeholder)
+
+Placeholder for the signed acceptance pack covering AT1–AT10.
+
+- Deterministic fixtures with fixed seeds and UTC timestamps.
+- DSSE envelopes for pack manifests; offline verification only.
+- Version pins live in `inputs.lock`.
+- Map to AT1–AT10:
+  - AT1 admission controls
+  - AT2 VEX handling
+  - AT3 authz flow
+  - AT4 replay parity
+  - AT5 policy DSSE negative tests
+  - AT6 PITR rehearsal
+  - AT7 offline guardrail pack
+  - AT8 gating thresholds
+  - AT9 reporting SLOs
+  - AT10 schema/signing coverage

tests/acceptance/packs/guardrails/expected/at1.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT1 admission control - stub expected"}

tests/acceptance/packs/guardrails/expected/at10.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT10 schema/signing coverage - stub expected"}

tests/acceptance/packs/guardrails/expected/at2.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT2 VEX handling - stub expected"}

tests/acceptance/packs/guardrails/expected/at3.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT3 authz flow - stub expected"}

tests/acceptance/packs/guardrails/expected/at4.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT4 replay parity - stub expected"}

tests/acceptance/packs/guardrails/expected/at5.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT5 policy DSSE negative - stub expected"}

tests/acceptance/packs/guardrails/expected/at6.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT6 PITR rehearsal - stub expected"}

tests/acceptance/packs/guardrails/expected/at7.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT7 offline guardrail pack - stub expected"}

tests/acceptance/packs/guardrails/expected/at8.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT8 gating thresholds - stub expected"}

tests/acceptance/packs/guardrails/expected/at9.json

@@ -0,0 +1 @@
+{"status":"pass","notes":"AT9 reporting SLO - stub expected"}

tests/acceptance/packs/guardrails/inputs.lock

@@ -0,0 +1,9 @@
+scanner_version: "stella-scanner 0.9.0-offline"
+db_version: "mongo 6.0.12"
+policy_engine_version: "stella-policy 0.8.4"
+seeds:
+  default: 1337
+  replay: 4242
+feeds_snapshot: "offline-cache-2025-11-30"
+tz: "UTC"
+notes: "Deterministic replay; no network calls"

tests/acceptance/packs/guardrails/pack.dsse.json

@@ -0,0 +1,7 @@
+{
+  "payloadType": "application/json",
+  "payload": "ewogICJwYWNrX2lkIjogImF0LWd1YXJkcmFpbHMiLAogICJ2ZXJzaW9uIjogIjAuMS4wLXN0dWIiLAogICJpbnB1dHNfbG9jayI6ICJ0ZXN0cy9hY2NlcHRhbmNlL3BhY2tzL2d1YXJkcmFpbHMvaW5wdXRzLmxvY2siLAogICJzaWduZXJzIjogWyJzdHViLWtleS1pZCJdLAogICJmaXh0dXJlcyI6IFsKICAgIHsiaWQiOiAiQVQxLWFkbWlzc2lvbiIsICJleHBlY3RlZCI6ICJleHBlY3RlZC9hdDEuanNvbiIsICJhcnRpZmFjdCI6ICJmaXh0dXJlcy9hdDEifSwKICAgIHsiaWQiOiAiQVQyLXZleCIsICJleHBlY3RlZCI6ICJleHBlY3RlZC9hdDIuanNvbiIsICJhcnRpZmFjdCI6ICJmaXh0dXJlcy9hdDIifSwKICAgIHsiaWQiOiAiQVQzLWF1dGh6IiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0My5qc29uIiwgImFydGlmYWN0IjogImZpeHR1cmVzL2F0MyJ9LAogICAgeyJpZCI6ICJBVDQtcmVwbGF5LXBhcml0eSIsICJleHBlY3RlZCI6ICJleHBlY3RlZC9hdDQuanNvbiIsICJhcnRpZmFjdCI6ICJmaXh0dXJlcy9hdDQifSwKICAgIHsiaWQiOiAiQVQ1LXBvbGljeS1kc3NlLW5lZ2F0aXZlIiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0NS5qc29uIiwgImFydGlmYWN0IjogImZpeHR1cmVzL2F0NSJ9LAogICAgeyJpZCI6ICJBVDYtcGl0ci1yZWhlYXJzYWwiLCAiZXhwZWN0ZWQiOiAiZXhwZWN0ZWQvYXQ2Lmpzb24iLCAiYXJ0aWZhY3QiOiAiZml4dHVyZXMvYXQ2In0sCiAgICB7ImlkIjogIkFUNy1vZmZsaW5lLWd1YXJkcmFpbC1wYWNrIiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0Ny5qc29uIiwgImFydGlmYWN0IjogImZpeHR1cmVzL2F0NyJ9LAogICAgeyJpZCI6ICJBVDgtZ2F0aW5nLXRocmVzaG9sZHMiLCAiZXhwZWN0ZWQiOiAiZXhwZWN0ZWQvYXQ4Lmpzb24iLCAiYXJ0aWZhY3QiOiAiZml4dHVyZXMvYXQ4In0sCiAgICB7ImlkIjogIkFUOS1yZXBvcnRpbmctc2xvIiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0OS5qc29uIiwgImFydGlmYWN0IjogImZpeHR1cmVzL2F0OSJ9LAogICAgeyJpZCI6ICJBVDEwLXNjaGVtYS1zaWduaW5nIiwgImV4cGVjdGVkIjogImV4cGVjdGVkL2F0MTAuanNvbiIsICJhcnRpZmFjdCI6ICJmaXh0dXJlcy9hdDEwIn0KICBdCn0K",
+  "signatures": [
+    {"keyid": "stub-key-id", "sig": ""}
+  ]
+}

tests/acceptance/packs/guardrails/pack.json

@@ -0,0 +1,18 @@
+{
+  "pack_id": "at-guardrails",
+  "version": "0.1.0-stub",
+  "inputs_lock": "tests/acceptance/packs/guardrails/inputs.lock",
+  "signers": ["stub-key-id"],
+  "fixtures": [
+    {"id": "AT1-admission", "expected": "expected/at1.json", "artifact": "fixtures/at1"},
+    {"id": "AT2-vex", "expected": "expected/at2.json", "artifact": "fixtures/at2"},
+    {"id": "AT3-authz", "expected": "expected/at3.json", "artifact": "fixtures/at3"},
+    {"id": "AT4-replay-parity", "expected": "expected/at4.json", "artifact": "fixtures/at4"},
+    {"id": "AT5-policy-dsse-negative", "expected": "expected/at5.json", "artifact": "fixtures/at5"},
+    {"id": "AT6-pitr-rehearsal", "expected": "expected/at6.json", "artifact": "fixtures/at6"},
+    {"id": "AT7-offline-guardrail-pack", "expected": "expected/at7.json", "artifact": "fixtures/at7"},
+    {"id": "AT8-gating-thresholds", "expected": "expected/at8.json", "artifact": "fixtures/at8"},
+    {"id": "AT9-reporting-slo", "expected": "expected/at9.json", "artifact": "fixtures/at9"},
+    {"id": "AT10-schema-signing", "expected": "expected/at10.json", "artifact": "fixtures/at10"}
+  ]
+}