Add Policy DSL Validator, Schema Exporter, and Simulation Smoke tools

- Implemented PolicyDslValidator with command-line options for strict mode and JSON output.
- Created PolicySchemaExporter to generate JSON schemas for policy-related models.
- Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes.
- Added project files and necessary dependencies for each tool.
- Ensured proper error handling and usage instructions across tools.

.gitea/workflows/release.yml

@@ -44,6 +44,9 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Validate NuGet restore source ordering
+        run: python3 ops/devops/validate_restore_sources.py
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -58,6 +61,75 @@ jobs:
           dotnet-version: ${{ env.DOTNET_VERSION }}
           include-prerelease: true
 
+      - name: Install cross-arch objcopy tooling
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends binutils-aarch64-linux-gnu
+
+      - name: Publish Python analyzer plug-in
+        run: |
+          set -euo pipefail
+          dotnet publish src/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj \
+            --configuration Release \
+            --output out/analyzers/python \
+            --no-self-contained
+          mkdir -p plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python
+          cp out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.dll plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/
+          if [ -f out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.pdb ]; then
+            cp out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.pdb plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/
+          fi
+
+      - name: Run Python analyzer smoke checks
+        run: |
+          dotnet run \
+            --project tools/LanguageAnalyzerSmoke/LanguageAnalyzerSmoke.csproj \
+            --configuration Release \
+            -- \
+            --repo-root .
+
+      # Note: this step enforces DEVOPS-REL-14-004 by signing the restart-only Python plug-in.
+      # Ensure COSIGN_KEY_REF or COSIGN_IDENTITY_TOKEN is configured, otherwise the job will fail.
+      - name: Sign Python analyzer artefacts
+        env:
+          COSIGN_KEY_REF: ${{ secrets.COSIGN_KEY_REF }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_IDENTITY_TOKEN: ${{ secrets.COSIGN_IDENTITY_TOKEN }}
+        run: |
+          set -euo pipefail
+          if [[ -z "${COSIGN_KEY_REF:-}" && -z "${COSIGN_IDENTITY_TOKEN:-}" ]]; then
+            echo "::error::COSIGN_KEY_REF or COSIGN_IDENTITY_TOKEN must be provided to sign analyzer artefacts." >&2
+            exit 1
+          fi
+
+          export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}"
+          export COSIGN_EXPERIMENTAL=1
+
+          PLUGIN_DIR="plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python"
+          ARTIFACTS=(
+            "StellaOps.Scanner.Analyzers.Lang.Python.dll"
+            "manifest.json"
+          )
+
+          for artifact in "${ARTIFACTS[@]}"; do
+            FILE="${PLUGIN_DIR}/${artifact}"
+            if [[ ! -f "${FILE}" ]]; then
+              echo "::error::Missing analyzer artefact ${FILE}" >&2
+              exit 1
+            fi
+
+            sha256sum "${FILE}" | awk '{print $1}' > "${FILE}.sha256"
+
+            SIGN_ARGS=(--yes "${FILE}")
+            if [[ -n "${COSIGN_KEY_REF:-}" ]]; then
+              SIGN_ARGS=(--key "${COSIGN_KEY_REF}" "${SIGN_ARGS[@]}")
+            fi
+            if [[ -n "${COSIGN_IDENTITY_TOKEN:-}" ]]; then
+              SIGN_ARGS=(--identity-token "${COSIGN_IDENTITY_TOKEN}" "${SIGN_ARGS[@]}")
+            fi
+
+            cosign sign-blob "${SIGN_ARGS[@]}" > "${FILE}.sig"
+          done
+
       - name: Install Helm 3.16.0
         run: |
           curl -fsSL https://get.helm.sh/helm-v3.16.0-linux-amd64.tar.gz -o /tmp/helm.tgz
@@ -124,6 +196,7 @@ jobs:
           mkdir -p out/release
 
       - name: Build release bundle
+        # NOTE (DEVOPS-REL-17-004): build_release.py now fails if out/release/debug is missing
         env:
           COSIGN_KEY_REF: ${{ secrets.COSIGN_KEY_REF }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -141,6 +214,10 @@ jobs:
             --git-sha "${{ github.sha }}" \
             "${EXTRA_ARGS[@]}"
 
+      - name: Verify release artefacts
+        run: |
+          python ops/devops/release/verify_release.py --release-dir out/release
+
       - name: Upload release artefacts
         uses: actions/upload-artifact@v4
         with: