feat: add PolicyPackSelectorComponent with tests and integration

- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.

tools/lint/implementor-guidelines.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Stub lint: enforce docs tag placeholder until full checks land.
+if git diff --cached --name-only | grep -q '^docs/'; then
+  echo "[stub] docs touched: ensure commit includes 'docs:' trailer (value or 'n/a')"
+fi

tools/signals-upload-evidence.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+STAGED_DIR="evidence-locker/signals/2025-12-05"
+MODULE_ROOT="docs/modules/signals"
+TAR_OUT="/tmp/signals-evidence.tar"
+
+if [[ -z "${EVIDENCE_LOCKER_URL:-}" || -z "${CI_EVIDENCE_LOCKER_TOKEN:-}" ]]; then
+  echo "EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN are required" >&2
+  exit 1
+fi
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf "$tmpdir"' EXIT
+
+rsync -a --relative \
+  "$STAGED_DIR/SHA256SUMS" \
+  "$STAGED_DIR/confidence_decay_config.sigstore.json" \
+  "$STAGED_DIR/unknowns_scoring_manifest.sigstore.json" \
+  "$STAGED_DIR/heuristics_catalog.sigstore.json" \
+  "$MODULE_ROOT/decay/confidence_decay_config.yaml" \
+  "$MODULE_ROOT/unknowns/unknowns_scoring_manifest.json" \
+  "$MODULE_ROOT/heuristics/heuristics.catalog.json" \
+  "$tmpdir/"
+
+pushd "$tmpdir/$STAGED_DIR" >/dev/null
+sha256sum --check SHA256SUMS
+popd >/dev/null
+
+# Build deterministic tarball
+pushd "$tmpdir" >/dev/null
+tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
+  -cf "$TAR_OUT" .
+popd >/dev/null
+
+sha256sum "$TAR_OUT"
+
+curl --retry 3 --retry-delay 2 --fail \
+  -H "Authorization: Bearer $CI_EVIDENCE_LOCKER_TOKEN" \
+  -X PUT "$EVIDENCE_LOCKER_URL/signals/2025-12-05/signals-evidence.tar" \
+  --data-binary "@$TAR_OUT"
+
+echo "Uploaded $TAR_OUT to $EVIDENCE_LOCKER_URL/signals/2025-12-05/"

tools/signals-verify-evidence-tar.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TAR_PATH=${1:-evidence-locker/signals/2025-12-05/signals-evidence.tar}
+EXPECTED_SHA=${EXPECTED_SHA:-a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d}
+
+if [[ ! -f "$TAR_PATH" ]]; then
+  echo "missing tar: $TAR_PATH" >&2
+  exit 1
+fi
+
+sha=$(sha256sum "$TAR_PATH" | awk '{print $1}')
+if [[ -n "$EXPECTED_SHA" && "$sha" != "$EXPECTED_SHA" ]]; then
+  echo "sha mismatch: got $sha expected $EXPECTED_SHA" >&2
+  exit 2
+fi
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf "$tmpdir"' EXIT
+
+tar -xf "$TAR_PATH" -C "$tmpdir"
+(cd "$tmpdir/evidence-locker/signals/2025-12-05" && sha256sum --check SHA256SUMS)
+
+echo "OK: tar hash=${sha} (expected=${EXPECTED_SHA:-<not set>}); inner SHA256SUMS verified"

tools/upload-all-evidence.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Upload both Zastava and Signals evidence bundles to the locker.
+# Requires EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN.
+
+EVIDENCE_LOCKER_URL=${EVIDENCE_LOCKER_URL:-}
+CI_EVIDENCE_LOCKER_TOKEN=${CI_EVIDENCE_LOCKER_TOKEN:-}
+
+if [[ -z "$EVIDENCE_LOCKER_URL" || -z "$CI_EVIDENCE_LOCKER_TOKEN" ]]; then
+  echo "EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN are required" >&2
+  exit 1
+fi
+
+# Defaults
+ZASTAVA_TAR=${ZASTAVA_TAR:-evidence-locker/zastava/2025-12-02/zastava-evidence.tar}
+ZASTAVA_VERIFY=${ZASTAVA_VERIFY:-tools/zastava-verify-evidence-tar.sh}
+ZASTAVA_PATH=\$EVIDENCE_LOCKER_URL/zastava/2025-12-02/zastava-evidence.tar
+
+SIGNALS_TAR=${SIGNALS_TAR:-evidence-locker/signals/2025-12-05/signals-evidence.tar}
+SIGNALS_VERIFY=${SIGNALS_VERIFY:-tools/signals-verify-evidence-tar.sh}
+SIGNALS_PATH=\$EVIDENCE_LOCKER_URL/signals/2025-12-05/signals-evidence.tar
+
+# Verify
+if [[ -x "$ZASTAVA_VERIFY" ]]; then
+  "$ZASTAVA_VERIFY" "$ZASTAVA_TAR"
+fi
+if [[ -x "$SIGNALS_VERIFY" ]]; then
+  "$SIGNALS_VERIFY" "$SIGNALS_TAR"
+fi
+
+# Upload Zastava
+curl --retry 3 --retry-delay 2 --fail \
+  -H "Authorization: Bearer $CI_EVIDENCE_LOCKER_TOKEN" \
+  -X PUT "$EVIDENCE_LOCKER_URL/zastava/2025-12-02/zastava-evidence.tar" \
+  --data-binary @"$ZASTAVA_TAR"
+
+echo "Uploaded Zastava evidence to $EVIDENCE_LOCKER_URL/zastava/2025-12-02/zastava-evidence.tar"
+
+# Upload Signals
+curl --retry 3 --retry-delay 2 --fail \
+  -H "Authorization: Bearer $CI_EVIDENCE_LOCKER_TOKEN" \
+  -X PUT "$EVIDENCE_LOCKER_URL/signals/2025-12-05/signals-evidence.tar" \
+  --data-binary @"$SIGNALS_TAR"
+
+echo "Uploaded Signals evidence to $EVIDENCE_LOCKER_URL/signals/2025-12-05/signals-evidence.tar"

tools/zastava-upload-evidence.sh

@@ -8,10 +8,37 @@ fi
 
 STAGED_DIR="evidence-locker/zastava/2025-12-02"
 TAR_OUT="/tmp/zastava-evidence.tar"
+MODULE_ROOT="docs/modules/zastava"
 
-test -d "$STAGED_DIR" || { echo "missing staged dir $STAGED_DIR" >&2; exit 1; }
+test -d "$MODULE_ROOT" || { echo "missing module root $MODULE_ROOT" >&2; exit 1; }
+mkdir -p "$STAGED_DIR"
 
-tar -cf "$TAR_OUT" -C "$STAGED_DIR" .
+tmpdir=$(mktemp -d)
+trap 'rm -rf "$tmpdir"' EXIT
+
+rsync -a --relative \
+  "$MODULE_ROOT/SHA256SUMS" \
+  "$MODULE_ROOT/schemas/" \
+  "$MODULE_ROOT/exports/" \
+  "$MODULE_ROOT/thresholds.yaml" \
+  "$MODULE_ROOT/thresholds.yaml.dsse" \
+  "$MODULE_ROOT/kit/verify.sh" \
+  "$MODULE_ROOT/kit/README.md" \
+  "$MODULE_ROOT/kit/ed25519.pub" \
+  "$MODULE_ROOT/kit/zastava-kit.tzst" \
+  "$MODULE_ROOT/kit/zastava-kit.tzst.dsse" \
+  "$MODULE_ROOT/evidence/README.md" \
+  "$tmpdir/"
+
+pushd "$tmpdir/docs/modules/zastava" >/dev/null
+sha256sum --check SHA256SUMS
+
+# Build deterministic tarball for reproducibility (payloads + DSSE)
+tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
+  -cf "$TAR_OUT" .
+popd >/dev/null
+
+sha256sum "$TAR_OUT"
 
 curl --retry 3 --retry-delay 2 --fail \
   -H "Authorization: Bearer $CI_EVIDENCE_LOCKER_TOKEN" \

tools/zastava-verify-evidence-tar.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TAR_PATH=${1:-evidence-locker/zastava/2025-12-02/zastava-evidence.tar}
+EXPECTED_SHA=${EXPECTED_SHA:-e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9c62b8a1b735ae}
+
+if [[ ! -f "$TAR_PATH" ]]; then
+  echo "missing tar: $TAR_PATH" >&2
+  exit 1
+fi
+
+sha=$(sha256sum "$TAR_PATH" | awk '{print $1}')
+if [[ "$sha" != "$EXPECTED_SHA" ]]; then
+  echo "sha mismatch: got $sha expected $EXPECTED_SHA" >&2
+  exit 2
+fi
+
+tmpdir=$(mktemp -d)
+trap 'rm -rf "$tmpdir"' EXIT
+
+tar -xf "$TAR_PATH" -C "$tmpdir"
+(cd "$tmpdir" && sha256sum --check SHA256SUMS)
+
+echo "OK: tar hash matches and inner SHA256SUMS verified"