Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories

- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management.
- Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management.
- Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support.
- Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.

docs/schemas/verdict-receipt-predicate.schema.json

@@ -0,0 +1,123 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stella-ops.org/schemas/verdict.stella/v1.json",
+  "title": "Verdict Receipt Predicate Schema",
+  "description": "Schema for verdict.stella/v1 predicate type - final surfaced decision receipt",
+  "type": "object",
+  "required": [
+    "graphRevisionId",
+    "findingKey",
+    "rule",
+    "decision",
+    "inputs",
+    "outputs",
+    "createdAt"
+  ],
+  "properties": {
+    "graphRevisionId": {
+      "type": "string",
+      "pattern": "^grv_sha256:[a-f0-9]{64}$",
+      "description": "The graph revision ID this verdict was computed from"
+    },
+    "findingKey": {
+      "type": "object",
+      "required": ["sbomEntryId", "vulnerabilityId"],
+      "properties": {
+        "sbomEntryId": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
+          "description": "The SBOM entry ID for the component"
+        },
+        "vulnerabilityId": {
+          "type": "string",
+          "pattern": "^(CVE-[0-9]{4}-[0-9]+|GHSA-.+)$",
+          "description": "The vulnerability ID"
+        }
+      },
+      "additionalProperties": false
+    },
+    "rule": {
+      "type": "object",
+      "required": ["id", "version"],
+      "properties": {
+        "id": {
+          "type": "string",
+          "minLength": 1,
+          "description": "Unique identifier of the rule"
+        },
+        "version": {
+          "type": "string",
+          "description": "Version of the rule"
+        }
+      },
+      "additionalProperties": false
+    },
+    "decision": {
+      "type": "object",
+      "required": ["status", "reason"],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": ["block", "warn", "pass"],
+          "description": "Status of the decision"
+        },
+        "reason": {
+          "type": "string",
+          "minLength": 1,
+          "description": "Human-readable reason for the decision"
+        }
+      },
+      "additionalProperties": false
+    },
+    "inputs": {
+      "type": "object",
+      "required": ["sbomDigest", "feedsDigest", "policyDigest"],
+      "properties": {
+        "sbomDigest": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "Digest of the SBOM used"
+        },
+        "feedsDigest": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "Digest of the advisory feeds used"
+        },
+        "policyDigest": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "Digest of the policy bundle used"
+        }
+      },
+      "additionalProperties": false
+    },
+    "outputs": {
+      "type": "object",
+      "required": ["proofBundleId", "reasoningId", "vexVerdictId"],
+      "properties": {
+        "proofBundleId": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "The proof bundle ID containing the evidence chain"
+        },
+        "reasoningId": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "The reasoning ID explaining the decision"
+        },
+        "vexVerdictId": {
+          "type": "string",
+          "pattern": "^sha256:[a-f0-9]{64}$",
+          "description": "The VEX verdict ID for this finding"
+        }
+      },
+      "additionalProperties": false
+    },
+    "createdAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "UTC timestamp when this verdict was created"
+    }
+  },
+  "additionalProperties": false
+}