audit remarks work

src/Cli/StellaOps.Cli/Commands/CommandFactory.cs

@@ -52,6 +52,7 @@ internal static class CommandFactory
         root.Add(BuildAuthCommand(services, options, verboseOption, cancellationToken));
         root.Add(BuildTenantsCommand(services, options, verboseOption, cancellationToken));
         root.Add(BuildPolicyCommand(services, options, verboseOption, cancellationToken));
+        root.Add(ToolsCommandGroup.BuildToolsCommand(loggerFactory, cancellationToken));
         root.Add(BuildTaskRunnerCommand(services, verboseOption, cancellationToken));
         root.Add(BuildFindingsCommand(services, verboseOption, cancellationToken));
         root.Add(BuildAdviseCommand(services, options, verboseOption, cancellationToken));

src/Cli/StellaOps.Cli/Commands/ReplayCommandGroup.cs

@@ -10,13 +10,12 @@ using System.Text.Json;
 using System.Text.Json.Serialization;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using StellaOps.Cli.Replay;
 using StellaOps.Canonicalization.Json;
 using StellaOps.Canonicalization.Verification;
 using StellaOps.Policy.Replay;
 using StellaOps.Replay.Core;
 using StellaOps.Replay.Core.Export;
-using StellaOps.Testing.Manifests.Models;
-using StellaOps.Testing.Manifests.Serialization;
 
 namespace StellaOps.Cli.Commands;
 

src/Cli/StellaOps.Cli/Commands/ToolsCommandGroup.cs

@@ -0,0 +1,25 @@
+using System;
+using System.CommandLine;
+using System.Threading;
+using Microsoft.Extensions.Logging;
+using StellaOps.Policy;
+using StellaOps.Policy.Tools;
+
+namespace StellaOps.Cli.Commands;
+
+internal static class ToolsCommandGroup
+{
+    internal static Command BuildToolsCommand(ILoggerFactory loggerFactory, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(loggerFactory);
+
+        var tools = new Command("tools", "Local policy tooling and maintenance commands.");
+        var validationRunner = new PolicyValidationRunner(new PolicyValidationCli());
+
+        tools.Add(PolicyDslValidatorCommand.BuildCommand(validationRunner, cancellationToken));
+        tools.Add(PolicySchemaExporterCommand.BuildCommand(new PolicySchemaExporterRunner(), cancellationToken));
+        tools.Add(PolicySimulationSmokeCommand.BuildCommand(new PolicySimulationSmokeRunner(loggerFactory), cancellationToken));
+
+        return tools;
+    }
+}

src/Cli/StellaOps.Cli/Replay/RunManifest.cs

@@ -0,0 +1,60 @@
+using System.Collections.Immutable;
+
+namespace StellaOps.Cli.Replay;
+
+public sealed record RunManifest
+{
+    public required string RunId { get; init; }
+    public string SchemaVersion { get; init; } = "1.0.0";
+    public required ImmutableArray<ArtifactDigest> ArtifactDigests { get; init; }
+    public ImmutableArray<SbomReference> SbomDigests { get; init; } = [];
+    public required FeedSnapshot FeedSnapshot { get; init; }
+    public required PolicySnapshot PolicySnapshot { get; init; }
+    public required ToolVersions ToolVersions { get; init; }
+    public required CryptoProfile CryptoProfile { get; init; }
+    public required EnvironmentProfile EnvironmentProfile { get; init; }
+    public long? PrngSeed { get; init; }
+    public required string CanonicalizationVersion { get; init; }
+    public required DateTimeOffset InitiatedAt { get; init; }
+    public string? ManifestDigest { get; init; }
+}
+
+public sealed record ArtifactDigest(
+    string Algorithm,
+    string Digest,
+    string? MediaType,
+    string? Reference);
+
+public sealed record SbomReference(
+    string Format,
+    string Digest,
+    string? Uri);
+
+public sealed record FeedSnapshot(
+    string FeedId,
+    string Version,
+    string Digest,
+    DateTimeOffset SnapshotAt);
+
+public sealed record PolicySnapshot(
+    string PolicyVersion,
+    string LatticeRulesDigest,
+    ImmutableArray<string> EnabledRules);
+
+public sealed record ToolVersions(
+    string ScannerVersion,
+    string SbomGeneratorVersion,
+    string ReachabilityEngineVersion,
+    string AttestorVersion,
+    ImmutableDictionary<string, string> AdditionalTools);
+
+public sealed record CryptoProfile(
+    string ProfileName,
+    ImmutableArray<string> TrustRootIds,
+    ImmutableArray<string> AllowedAlgorithms);
+
+public sealed record EnvironmentProfile(
+    string Name,
+    bool ValkeyEnabled,
+    string? PostgresVersion,
+    string? ValkeyVersion);

src/Cli/StellaOps.Cli/Replay/RunManifestSerializer.cs

@@ -0,0 +1,43 @@
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using StellaOps.Canonical.Json;
+
+namespace StellaOps.Cli.Replay;
+
+internal static class RunManifestSerializer
+{
+    private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web)
+    {
+        WriteIndented = false,
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
+        Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
+    };
+
+    public static string Serialize(RunManifest manifest)
+    {
+        var jsonBytes = JsonSerializer.SerializeToUtf8Bytes(manifest, JsonOptions);
+        var canonicalBytes = CanonJson.CanonicalizeParsedJson(jsonBytes);
+        return Encoding.UTF8.GetString(canonicalBytes);
+    }
+
+    public static RunManifest Deserialize(string json)
+    {
+        return JsonSerializer.Deserialize<RunManifest>(json, JsonOptions)
+            ?? throw new InvalidOperationException("Failed to deserialize manifest");
+    }
+
+    public static string ComputeDigest(RunManifest manifest)
+    {
+        var withoutDigest = manifest with { ManifestDigest = null };
+        var json = Serialize(withoutDigest);
+        var hash = SHA256.HashData(Encoding.UTF8.GetBytes(json));
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+
+    public static RunManifest WithDigest(RunManifest manifest)
+        => manifest with { ManifestDigest = ComputeDigest(manifest) };
+}

src/Cli/StellaOps.Cli/StellaOps.Cli.csproj

@@ -49,8 +49,8 @@
     <ProjectReference Include="../../__Libraries/StellaOps.Cryptography.DependencyInjection/StellaOps.Cryptography.DependencyInjection.csproj" />
     <ProjectReference Include="../../__Libraries/StellaOps.Cryptography.Plugin.BouncyCastle/StellaOps.Cryptography.Plugin.BouncyCastle.csproj" />
     <ProjectReference Include="../../__Libraries/StellaOps.Canonicalization/StellaOps.Canonicalization.csproj" />
+    <ProjectReference Include="../../__Libraries/StellaOps.Canonical.Json/StellaOps.Canonical.Json.csproj" />
     <ProjectReference Include="../../__Libraries/StellaOps.DeltaVerdict/StellaOps.DeltaVerdict.csproj" />
-    <ProjectReference Include="../../__Tests/__Libraries/StellaOps.Testing.Manifests/StellaOps.Testing.Manifests.csproj" />
     <ProjectReference Include="../../AirGap/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy/StellaOps.AirGap.Policy.csproj" />
     <ProjectReference Include="../../AirGap/StellaOps.AirGap.Importer/StellaOps.AirGap.Importer.csproj" />
     <ProjectReference Include="../../Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOps.Auth.Abstractions.csproj" />
@@ -69,6 +69,7 @@
     <ProjectReference Include="../../Policy/StellaOps.PolicyDsl/StellaOps.PolicyDsl.csproj" />
     <ProjectReference Include="../../Policy/__Libraries/StellaOps.Policy/StellaOps.Policy.csproj" />
     <ProjectReference Include="../../Policy/StellaOps.Policy.RiskProfile/StellaOps.Policy.RiskProfile.csproj" />
+    <ProjectReference Include="../../__Libraries/StellaOps.Policy.Tools/StellaOps.Policy.Tools.csproj" />
     <ProjectReference Include="../../Attestor/StellaOps.Attestation/StellaOps.Attestation.csproj" />
     <ProjectReference Include="../../Attestor/StellaOps.Attestor.Envelope/StellaOps.Attestor.Envelope.csproj" />
     <ProjectReference Include="../../__Libraries/StellaOps.Infrastructure.Postgres/StellaOps.Infrastructure.Postgres.csproj" />