up

src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/Migrations/001_initial_schema.sql

@@ -0,0 +1,220 @@
+-- Policy Schema Migration 001: Initial Schema
+-- Creates the policy schema for packs, rules, and risk profiles
+
+-- Create schema
+CREATE SCHEMA IF NOT EXISTS policy;
+
+-- Packs table (policy pack containers)
+CREATE TABLE IF NOT EXISTS policy.packs (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id TEXT NOT NULL,
+    name TEXT NOT NULL,
+    display_name TEXT,
+    description TEXT,
+    active_version INT,
+    is_builtin BOOLEAN NOT NULL DEFAULT FALSE,
+    is_deprecated BOOLEAN NOT NULL DEFAULT FALSE,
+    metadata JSONB NOT NULL DEFAULT '{}',
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    created_by TEXT,
+    UNIQUE(tenant_id, name)
+);
+
+CREATE INDEX idx_packs_tenant ON policy.packs(tenant_id);
+CREATE INDEX idx_packs_builtin ON policy.packs(is_builtin);
+
+-- Pack versions table (immutable versions)
+CREATE TABLE IF NOT EXISTS policy.pack_versions (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    pack_id UUID NOT NULL REFERENCES policy.packs(id) ON DELETE CASCADE,
+    version INT NOT NULL,
+    description TEXT,
+    rules_hash TEXT NOT NULL,
+    is_published BOOLEAN NOT NULL DEFAULT FALSE,
+    published_at TIMESTAMPTZ,
+    published_by TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    created_by TEXT,
+    UNIQUE(pack_id, version)
+);
+
+CREATE INDEX idx_pack_versions_pack ON policy.pack_versions(pack_id);
+CREATE INDEX idx_pack_versions_published ON policy.pack_versions(pack_id, is_published);
+
+-- Rules table (OPA/Rego rules)
+CREATE TABLE IF NOT EXISTS policy.rules (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    pack_version_id UUID NOT NULL REFERENCES policy.pack_versions(id) ON DELETE CASCADE,
+    name TEXT NOT NULL,
+    description TEXT,
+    rule_type TEXT NOT NULL DEFAULT 'rego' CHECK (rule_type IN ('rego', 'json', 'yaml')),
+    content TEXT NOT NULL,
+    content_hash TEXT NOT NULL,
+    severity TEXT NOT NULL DEFAULT 'medium' CHECK (severity IN ('critical', 'high', 'medium', 'low', 'info')),
+    category TEXT,
+    tags TEXT[] NOT NULL DEFAULT '{}',
+    metadata JSONB NOT NULL DEFAULT '{}',
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE(pack_version_id, name)
+);
+
+CREATE INDEX idx_rules_pack_version ON policy.rules(pack_version_id);
+CREATE INDEX idx_rules_severity ON policy.rules(severity);
+CREATE INDEX idx_rules_category ON policy.rules(category);
+CREATE INDEX idx_rules_tags ON policy.rules USING GIN(tags);
+
+-- Risk profiles table
+CREATE TABLE IF NOT EXISTS policy.risk_profiles (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id TEXT NOT NULL,
+    name TEXT NOT NULL,
+    display_name TEXT,
+    description TEXT,
+    version INT NOT NULL DEFAULT 1,
+    is_active BOOLEAN NOT NULL DEFAULT TRUE,
+    thresholds JSONB NOT NULL DEFAULT '{}',
+    scoring_weights JSONB NOT NULL DEFAULT '{}',
+    exemptions JSONB NOT NULL DEFAULT '[]',
+    metadata JSONB NOT NULL DEFAULT '{}',
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    created_by TEXT,
+    UNIQUE(tenant_id, name, version)
+);
+
+CREATE INDEX idx_risk_profiles_tenant ON policy.risk_profiles(tenant_id);
+CREATE INDEX idx_risk_profiles_active ON policy.risk_profiles(tenant_id, name, is_active)
+    WHERE is_active = TRUE;
+
+-- Risk profile history (for audit trail)
+CREATE TABLE IF NOT EXISTS policy.risk_profile_history (
+    id BIGSERIAL PRIMARY KEY,
+    risk_profile_id UUID NOT NULL REFERENCES policy.risk_profiles(id),
+    version INT NOT NULL,
+    thresholds JSONB NOT NULL,
+    scoring_weights JSONB NOT NULL,
+    exemptions JSONB NOT NULL,
+    changed_by TEXT,
+    changed_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    change_reason TEXT
+);
+
+CREATE INDEX idx_risk_profile_history_profile ON policy.risk_profile_history(risk_profile_id);
+
+-- Evaluation runs table
+CREATE TABLE IF NOT EXISTS policy.evaluation_runs (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id TEXT NOT NULL,
+    project_id TEXT,
+    artifact_id TEXT,
+    pack_id UUID REFERENCES policy.packs(id),
+    pack_version INT,
+    risk_profile_id UUID REFERENCES policy.risk_profiles(id),
+    status TEXT NOT NULL DEFAULT 'pending' CHECK (status IN ('pending', 'running', 'completed', 'failed')),
+    result TEXT CHECK (result IN ('pass', 'fail', 'warn', 'error')),
+    score NUMERIC(5,2),
+    findings_count INT NOT NULL DEFAULT 0,
+    critical_count INT NOT NULL DEFAULT 0,
+    high_count INT NOT NULL DEFAULT 0,
+    medium_count INT NOT NULL DEFAULT 0,
+    low_count INT NOT NULL DEFAULT 0,
+    input_hash TEXT,
+    duration_ms INT,
+    error_message TEXT,
+    metadata JSONB NOT NULL DEFAULT '{}',
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    started_at TIMESTAMPTZ,
+    completed_at TIMESTAMPTZ,
+    created_by TEXT
+);
+
+CREATE INDEX idx_evaluation_runs_tenant ON policy.evaluation_runs(tenant_id);
+CREATE INDEX idx_evaluation_runs_project ON policy.evaluation_runs(tenant_id, project_id);
+CREATE INDEX idx_evaluation_runs_artifact ON policy.evaluation_runs(tenant_id, artifact_id);
+CREATE INDEX idx_evaluation_runs_created ON policy.evaluation_runs(tenant_id, created_at);
+CREATE INDEX idx_evaluation_runs_status ON policy.evaluation_runs(status);
+
+-- Explanations table (rule evaluation details)
+CREATE TABLE IF NOT EXISTS policy.explanations (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    evaluation_run_id UUID NOT NULL REFERENCES policy.evaluation_runs(id) ON DELETE CASCADE,
+    rule_id UUID REFERENCES policy.rules(id),
+    rule_name TEXT NOT NULL,
+    result TEXT NOT NULL CHECK (result IN ('pass', 'fail', 'skip', 'error')),
+    severity TEXT NOT NULL,
+    message TEXT,
+    details JSONB NOT NULL DEFAULT '{}',
+    remediation TEXT,
+    resource_path TEXT,
+    line_number INT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX idx_explanations_run ON policy.explanations(evaluation_run_id);
+CREATE INDEX idx_explanations_result ON policy.explanations(evaluation_run_id, result);
+
+-- Exceptions table (policy exceptions/waivers)
+CREATE TABLE IF NOT EXISTS policy.exceptions (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id TEXT NOT NULL,
+    name TEXT NOT NULL,
+    description TEXT,
+    rule_pattern TEXT,
+    resource_pattern TEXT,
+    artifact_pattern TEXT,
+    project_id TEXT,
+    reason TEXT NOT NULL,
+    status TEXT NOT NULL DEFAULT 'active' CHECK (status IN ('active', 'expired', 'revoked')),
+    expires_at TIMESTAMPTZ,
+    approved_by TEXT,
+    approved_at TIMESTAMPTZ,
+    revoked_by TEXT,
+    revoked_at TIMESTAMPTZ,
+    metadata JSONB NOT NULL DEFAULT '{}',
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    created_by TEXT,
+    UNIQUE(tenant_id, name)
+);
+
+CREATE INDEX idx_exceptions_tenant ON policy.exceptions(tenant_id);
+CREATE INDEX idx_exceptions_status ON policy.exceptions(tenant_id, status);
+CREATE INDEX idx_exceptions_expires ON policy.exceptions(expires_at)
+    WHERE status = 'active';
+CREATE INDEX idx_exceptions_project ON policy.exceptions(tenant_id, project_id);
+
+-- Audit log table
+CREATE TABLE IF NOT EXISTS policy.audit (
+    id BIGSERIAL PRIMARY KEY,
+    tenant_id TEXT NOT NULL,
+    user_id UUID,
+    action TEXT NOT NULL,
+    resource_type TEXT NOT NULL,
+    resource_id TEXT,
+    old_value JSONB,
+    new_value JSONB,
+    correlation_id TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX idx_audit_tenant ON policy.audit(tenant_id);
+CREATE INDEX idx_audit_resource ON policy.audit(resource_type, resource_id);
+CREATE INDEX idx_audit_created ON policy.audit(tenant_id, created_at);
+
+-- Update timestamp function
+CREATE OR REPLACE FUNCTION policy.update_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated_at = NOW();
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Triggers
+CREATE TRIGGER trg_packs_updated_at
+    BEFORE UPDATE ON policy.packs
+    FOR EACH ROW EXECUTE FUNCTION policy.update_updated_at();
+
+CREATE TRIGGER trg_risk_profiles_updated_at
+    BEFORE UPDATE ON policy.risk_profiles
+    FOR EACH ROW EXECUTE FUNCTION policy.update_updated_at();

src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/PolicyDataSource.cs

@@ -0,0 +1,38 @@
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using StellaOps.Infrastructure.Postgres.Connections;
+using StellaOps.Infrastructure.Postgres.Options;
+
+namespace StellaOps.Policy.Storage.Postgres;
+
+/// <summary>
+/// PostgreSQL data source for the Policy module.
+/// Manages connections with tenant context for policy packs, rules, and risk profiles.
+/// </summary>
+public sealed class PolicyDataSource : DataSourceBase
+{
+    /// <summary>
+    /// Default schema name for Policy tables.
+    /// </summary>
+    public const string DefaultSchemaName = "policy";
+
+    /// <summary>
+    /// Creates a new Policy data source.
+    /// </summary>
+    public PolicyDataSource(IOptions<PostgresOptions> options, ILogger<PolicyDataSource> logger)
+        : base(CreateOptions(options.Value), logger)
+    {
+    }
+
+    /// <inheritdoc />
+    protected override string ModuleName => "Policy";
+
+    private static PostgresOptions CreateOptions(PostgresOptions baseOptions)
+    {
+        if (string.IsNullOrWhiteSpace(baseOptions.SchemaName))
+        {
+            baseOptions.SchemaName = DefaultSchemaName;
+        }
+        return baseOptions;
+    }
+}

src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/ServiceCollectionExtensions.cs

@@ -0,0 +1,46 @@
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using StellaOps.Infrastructure.Postgres;
+using StellaOps.Infrastructure.Postgres.Options;
+
+namespace StellaOps.Policy.Storage.Postgres;
+
+/// <summary>
+/// Extension methods for configuring Policy PostgreSQL storage services.
+/// </summary>
+public static class ServiceCollectionExtensions
+{
+    /// <summary>
+    /// Adds Policy PostgreSQL storage services.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <param name="configuration">Configuration root.</param>
+    /// <param name="sectionName">Configuration section name for PostgreSQL options.</param>
+    /// <returns>Service collection for chaining.</returns>
+    public static IServiceCollection AddPolicyPostgresStorage(
+        this IServiceCollection services,
+        IConfiguration configuration,
+        string sectionName = "Postgres:Policy")
+    {
+        services.Configure<PostgresOptions>(sectionName, configuration.GetSection(sectionName));
+        services.AddSingleton<PolicyDataSource>();
+
+        return services;
+    }
+
+    /// <summary>
+    /// Adds Policy PostgreSQL storage services with explicit options.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <param name="configureOptions">Options configuration action.</param>
+    /// <returns>Service collection for chaining.</returns>
+    public static IServiceCollection AddPolicyPostgresStorage(
+        this IServiceCollection services,
+        Action<PostgresOptions> configureOptions)
+    {
+        services.Configure(configureOptions);
+        services.AddSingleton<PolicyDataSource>();
+
+        return services;
+    }
+}

src/Policy/__Libraries/StellaOps.Policy.Storage.Postgres/StellaOps.Policy.Storage.Postgres.csproj

@@ -0,0 +1,21 @@
+<?xml version="1.0" ?>
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <LangVersion>preview</LangVersion>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <RootNamespace>StellaOps.Policy.Storage.Postgres</RootNamespace>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <None Include="Migrations\**\*.sql" CopyToOutputDirectory="PreserveNewest" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\..\__Libraries\StellaOps.Infrastructure.Postgres\StellaOps.Infrastructure.Postgres.csproj" />
+  </ItemGroup>
+
+</Project>