feat: Implement vulnerability token signing and verification utilities

- Added VulnTokenSigner for signing JWT tokens with specified algorithms and keys.
- Introduced VulnTokenUtilities for resolving tenant and subject claims, and sanitizing context dictionaries.
- Created VulnTokenVerificationUtilities for parsing tokens, verifying signatures, and deserializing payloads.
- Developed VulnWorkflowAntiForgeryTokenIssuer for issuing anti-forgery tokens with configurable options.
- Implemented VulnWorkflowAntiForgeryTokenVerifier for verifying anti-forgery tokens and validating payloads.
- Added AuthorityVulnerabilityExplorerOptions to manage configuration for vulnerability explorer features.
- Included tests for FilesystemPackRunDispatcher to ensure proper job handling under egress policy restrictions.

src/Policy/StellaOps.Policy.Engine/Program.cs

@@ -10,7 +10,8 @@ using StellaOps.Policy.Engine.Options;
 using StellaOps.Policy.Engine.Compilation;
 using StellaOps.Policy.Engine.Endpoints;
 using StellaOps.Policy.Engine.Services;
-using StellaOps.Policy.Engine.Workers;
+using StellaOps.Policy.Engine.Workers;
+using StellaOps.AirGap.Policy;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -60,9 +61,11 @@ var bootstrap = StellaOpsConfigurationBootstrapper.Build<PolicyEngineOptions>(op
     options.PostBind = static (value, _) => value.Validate();
 });
 
-builder.Configuration.AddConfiguration(bootstrap.Configuration);
-
-builder.Services.AddOptions<PolicyEngineOptions>()
+builder.Configuration.AddConfiguration(bootstrap.Configuration);
+
+builder.Services.AddAirGapEgressPolicy(builder.Configuration, sectionName: "AirGap");
+
+builder.Services.AddOptions<PolicyEngineOptions>()
     .Bind(builder.Configuration.GetSection(PolicyEngineOptions.SectionName))
     .Validate(options =>
     {

src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj

@@ -16,5 +16,6 @@
     <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOps.Auth.Abstractions.csproj" />
     <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOps.Auth.Client.csproj" />
     <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOps.Auth.ServerIntegration.csproj" />
+    <ProjectReference Include="../../AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.csproj" />
   </ItemGroup>
-</Project>
+</Project>

src/Policy/StellaOps.Policy.Gateway/Program.cs

@@ -15,11 +15,12 @@ using StellaOps.Auth.ServerIntegration;
 using StellaOps.Configuration;
 using StellaOps.Policy.Gateway.Clients;
 using StellaOps.Policy.Gateway.Contracts;
-using StellaOps.Policy.Gateway.Infrastructure;
-using StellaOps.Policy.Gateway.Options;
-using StellaOps.Policy.Gateway.Services;
-using Polly;
-using Polly.Extensions.Http;
+using StellaOps.Policy.Gateway.Infrastructure;
+using StellaOps.Policy.Gateway.Options;
+using StellaOps.Policy.Gateway.Services;
+using Polly;
+using Polly.Extensions.Http;
+using StellaOps.AirGap.Policy;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -69,9 +70,11 @@ var bootstrap = StellaOpsConfigurationBootstrapper.Build<PolicyGatewayOptions>(o
     options.PostBind = static (value, _) => value.Validate();
 });
 
-builder.Configuration.AddConfiguration(bootstrap.Configuration);
-
-builder.Logging.SetMinimumLevel(bootstrap.Options.Telemetry.MinimumLogLevel);
+builder.Configuration.AddConfiguration(bootstrap.Configuration);
+
+builder.Services.AddAirGapEgressPolicy(builder.Configuration, sectionName: "AirGap");
+
+builder.Logging.SetMinimumLevel(bootstrap.Options.Telemetry.MinimumLogLevel);
 
 builder.Services.AddOptions<PolicyGatewayOptions>()
     .Bind(builder.Configuration.GetSection(PolicyGatewayOptions.SectionName))
@@ -147,12 +150,17 @@ if (bootstrap.Options.PolicyEngine.ClientCredentials.Enabled)
     .AddHttpMessageHandler<PolicyGatewayDpopHandler>();
 }
 
-builder.Services.AddHttpClient<IPolicyEngineClient, PolicyEngineClient>((serviceProvider, client) =>
-{
-    var gatewayOptions = serviceProvider.GetRequiredService<IOptions<PolicyGatewayOptions>>().Value;
-    client.BaseAddress = gatewayOptions.PolicyEngine.BaseUri;
-    client.Timeout = TimeSpan.FromSeconds(gatewayOptions.PolicyEngine.ClientCredentials.BackchannelTimeoutSeconds);
-})
+builder.Services.AddHttpClient<IPolicyEngineClient, PolicyEngineClient>((serviceProvider, client) =>
+{
+    var gatewayOptions = serviceProvider.GetRequiredService<IOptions<PolicyGatewayOptions>>().Value;
+    var egressPolicy = serviceProvider.GetService<IEgressPolicy>();
+    if (egressPolicy is not null)
+    {
+        egressPolicy.EnsureAllowed(new EgressRequest("PolicyGateway", gatewayOptions.PolicyEngine.BaseUri, "policy-engine-client"));
+    }
+    client.BaseAddress = gatewayOptions.PolicyEngine.BaseUri;
+    client.Timeout = TimeSpan.FromSeconds(gatewayOptions.PolicyEngine.ClientCredentials.BackchannelTimeoutSeconds);
+})
 .AddPolicyHandler(static (provider, _) => CreatePolicyEngineRetryPolicy(provider));
 
 var app = builder.Build();

src/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj

@@ -15,9 +15,10 @@
     <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOps.Auth.Abstractions.csproj" />
     <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOps.Auth.Client.csproj" />
     <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOps.Auth.ServerIntegration.csproj" />
+    <ProjectReference Include="../../AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.csproj" />
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Http.Polly" Version="10.0.0-rc.2.25502.107" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.14.0" />
   </ItemGroup>
-</Project>
+</Project>

src/Policy/__Libraries/StellaOps.Policy/AGENTS.md

@@ -7,7 +7,7 @@ Deliver the policy engine outlined in `docs/modules/scanner/ARCHITECTURE.md` and
 - Offer preview APIs to compare policy impacts on existing reports.
 
 ## Expectations
-- Coordinate with Scanner.WebService, Feedser, Vexer, UI, Notify.
+- Coordinate with Scanner.WebService, Conselier, Excitor, UI, Notify.
 - Maintain deterministic serialization and unit tests for precedence rules.
 - Update `TASKS.md` and broadcast contract changes.