feat: Add Promotion-Time Attestations for Stella Ops

- Introduced a new document for promotion-time attestations, detailing the purpose, predicate schema, producer workflow, verification flow, APIs, and security considerations.
- Implemented the `stella.ops/promotion@v1` predicate schema to capture promotion evidence including image digest, SBOM/VEX artifacts, and Rekor proof.
- Defined producer responsibilities and workflows for CLI orchestration, signer responsibilities, and Export Center integration.
- Added verification steps for auditors to validate promotion attestations offline.

feat: Create Symbol Manifest v1 Specification

- Developed a specification for Symbol Manifest v1 to provide a deterministic format for publishing debug symbols and source maps.
- Defined the manifest structure, including schema, entries, source maps, toolchain, and provenance.
- Outlined upload and verification processes, resolve APIs, runtime proxy, caching, and offline bundle generation.
- Included security considerations and related tasks for implementation.

chore: Add Ruby Analyzer with Git Sources

- Created a Gemfile and Gemfile.lock for Ruby analyzer with dependencies on git-gem, httparty, and path-gem.
- Implemented main application logic to utilize the defined gems and output their versions.
- Added expected JSON output for the Ruby analyzer to validate the integration of the new gems and their functionalities.
- Developed internal observation classes for Ruby packages, runtime edges, and capabilities, including serialization logic for observations.

test: Add tests for Ruby Analyzer

- Created test fixtures for Ruby analyzer, including Gemfile, Gemfile.lock, main application, and expected JSON output.
- Ensured that the tests validate the correct integration and functionality of the Ruby analyzer with the specified gems.

src/Policy/__Tests/StellaOps.Policy.Engine.Tests/PolicyEvaluatorTests.cs

@@ -51,14 +51,26 @@ policy "Baseline Production Policy" syntax "stella-dsl@1" {
     because "Respect strong vendor VEX claims."
   }
 
-  rule alert_warn_eol_runtime priority 1 {
-    when severity.normalized <= "Medium"
-         and sbom.has_tag("runtime:eol")
-    then warn message "Runtime marked as EOL; upgrade recommended."
-    because "Deprecated runtime should be upgraded."
-  }
-}
-""";
+  rule alert_warn_eol_runtime priority 1 {
+    when severity.normalized <= "Medium"
+         and sbom.has_tag("runtime:eol")
+    then warn message "Runtime marked as EOL; upgrade recommended."
+    because "Deprecated runtime should be upgraded."
+  }
+
+  rule block_ruby_dev priority 4 {
+    when sbom.any_component(ruby.group("development") and ruby.declared_only())
+    then status := "blocked"
+    because "Development-only Ruby gems without install evidence cannot ship."
+  }
+
+  rule warn_ruby_git_sources {
+    when sbom.any_component(ruby.source("git"))
+    then warn message "Git-sourced Ruby gem present; review required."
+    because "Git-sourced Ruby dependencies require explicit review."
+  }
+}
+"""; 
 
     private readonly PolicyCompiler compiler = new();
     private readonly PolicyEvaluationService evaluationService = new();
@@ -113,11 +125,11 @@ policy "Baseline Production Policy" syntax "stella-dsl@1" {
     public void Evaluate_WarnRuleEmitsWarning()
     {
         var document = CompileBaseline();
-        var tags = ImmutableHashSet.Create("runtime:eol");
-        var context = CreateContext("Medium", "internal") with
-        {
-            Sbom = new PolicyEvaluationSbom(tags)
-        };
+        var tags = ImmutableHashSet.Create("runtime:eol");
+        var context = CreateContext("Medium", "internal") with
+        {
+            Sbom = new PolicyEvaluationSbom(tags)
+        };
 
         var result = evaluationService.Evaluate(document, context);
 
@@ -261,16 +273,74 @@ policy "Baseline Production Policy" syntax "stella-dsl@1" {
         Assert.NotNull(result.AppliedException);
         Assert.Equal("exc-rule", result.AppliedException!.ExceptionId);
         Assert.Equal("Rule Critical Suppress", result.AppliedException!.Metadata["effectName"]);
-        Assert.Equal("alice", result.AppliedException!.Metadata["requestedBy"]);
-        Assert.Equal("alice", result.Annotations["exception.meta.requestedBy"]);
-    }
-
-    private PolicyIrDocument CompileBaseline()
-    {
-        var compilation = compiler.Compile(BaselinePolicy);
-        Assert.True(compilation.Success, Describe(compilation.Diagnostics));
-        return Assert.IsType<PolicyIrDocument>(compilation.Document);
-    }
+        Assert.Equal("alice", result.AppliedException!.Metadata["requestedBy"]);
+        Assert.Equal("alice", result.Annotations["exception.meta.requestedBy"]);
+    }
+
+    [Fact]
+    public void Evaluate_RubyDevComponentBlocked()
+    {
+        var document = CompileBaseline();
+        var component = CreateRubyComponent(
+            name: "dev-only",
+            version: "1.0.0",
+            groups: "development;test",
+            declaredOnly: true,
+            source: "https://rubygems.org/",
+            capabilities: new[] { "exec" });
+
+        var context = CreateContext("Medium", "internal") with
+        {
+            Sbom = new PolicyEvaluationSbom(
+                ImmutableHashSet<string>.Empty.WithComparer(StringComparer.OrdinalIgnoreCase),
+                ImmutableArray.Create(component))
+        };
+
+        var result = evaluationService.Evaluate(document, context);
+
+        Assert.True(result.Matched);
+        Assert.Equal("block_ruby_dev", result.RuleName);
+        Assert.Equal("blocked", result.Status);
+    }
+
+    [Fact]
+    public void Evaluate_RubyGitComponentWarns()
+    {
+        var document = CompileBaseline();
+        var component = CreateRubyComponent(
+            name: "git-gem",
+            version: "0.5.0",
+            groups: "default",
+            declaredOnly: false,
+            source: "git:https://github.com/example/git-gem.git@0123456789abcdef0123456789abcdef01234567",
+            capabilities: Array.Empty<string>(),
+            schedulerCapabilities: new[] { "sidekiq" });
+
+        var context = CreateContext("Low", "internal") with
+        {
+            Sbom = new PolicyEvaluationSbom(
+                ImmutableHashSet<string>.Empty.WithComparer(StringComparer.OrdinalIgnoreCase),
+                ImmutableArray.Create(component))
+        };
+
+        var result = evaluationService.Evaluate(document, context);
+
+        Assert.True(result.Matched);
+        Assert.Equal("warn_ruby_git_sources", result.RuleName);
+        Assert.Equal("warned", result.Status);
+        Assert.Contains(result.Warnings, warning => warning.Contains("Git-sourced", StringComparison.OrdinalIgnoreCase));
+    }
+
+    private PolicyIrDocument CompileBaseline()
+    {
+        var compilation = compiler.Compile(BaselinePolicy);
+        if (!compilation.Success)
+        {
+            Console.WriteLine(Describe(compilation.Diagnostics));
+        }
+        Assert.True(compilation.Success, Describe(compilation.Diagnostics));
+        return Assert.IsType<PolicyIrDocument>(compilation.Document);
+    }
 
     private static PolicyEvaluationContext CreateContext(string severity, string exposure, PolicyEvaluationExceptions? exceptions = null)
     {
@@ -282,10 +352,67 @@ policy "Baseline Production Policy" syntax "stella-dsl@1" {
             }.ToImmutableDictionary(StringComparer.OrdinalIgnoreCase)),
             new PolicyEvaluationAdvisory("GHSA", ImmutableDictionary<string, string>.Empty),
             PolicyEvaluationVexEvidence.Empty,
-            new PolicyEvaluationSbom(ImmutableHashSet<string>.Empty),
-            exceptions ?? PolicyEvaluationExceptions.Empty);
-    }
+            PolicyEvaluationSbom.Empty,
+            exceptions ?? PolicyEvaluationExceptions.Empty);
+    }
 
-    private static string Describe(ImmutableArray<PolicyIssue> issues) =>
-        string.Join(" | ", issues.Select(issue => $"{issue.Severity}:{issue.Code}:{issue.Message}"));
-}
+    private static string Describe(ImmutableArray<PolicyIssue> issues) =>
+        string.Join(" | ", issues.Select(issue => $"{issue.Severity}:{issue.Code}:{issue.Message}"));
+
+    private static PolicyEvaluationComponent CreateRubyComponent(
+        string name,
+        string version,
+        string groups,
+        bool declaredOnly,
+        string source,
+        IEnumerable<string>? capabilities = null,
+        IEnumerable<string>? schedulerCapabilities = null)
+    {
+        var metadataBuilder = ImmutableDictionary.CreateBuilder<string, string>(StringComparer.OrdinalIgnoreCase);
+        if (!string.IsNullOrWhiteSpace(groups))
+        {
+            metadataBuilder["groups"] = groups;
+        }
+
+        metadataBuilder["declaredOnly"] = declaredOnly ? "true" : "false";
+
+        if (!string.IsNullOrWhiteSpace(source))
+        {
+            metadataBuilder["source"] = source.Trim();
+        }
+
+        if (capabilities is not null)
+        {
+            foreach (var capability in capabilities)
+            {
+                if (!string.IsNullOrWhiteSpace(capability))
+                {
+                    metadataBuilder[$"capability.{capability.Trim()}"] = "true";
+                }
+            }
+        }
+
+        if (schedulerCapabilities is not null)
+        {
+            var schedulerList = string.Join(
+                ';',
+                schedulerCapabilities
+                    .Where(static s => !string.IsNullOrWhiteSpace(s))
+                    .Select(static s => s.Trim()));
+
+            if (!string.IsNullOrWhiteSpace(schedulerList))
+            {
+                metadataBuilder["capability.scheduler"] = schedulerList;
+            }
+        }
+
+        metadataBuilder["lockfile"] = "Gemfile.lock";
+
+        return new PolicyEvaluationComponent(
+            name,
+            version,
+            "gem",
+            $"pkg:gem/{name}@{version}",
+            metadataBuilder.ToImmutable());
+    }
+}