Restructure solution layout by module
34
src/Policy/StellaOps.Policy.Registry/AGENTS.md
Normal file
@@ -0,0 +1,34 @@
# Policy Registry Guild Charter
## Mission
Stand up and operate the Policy Registry service defined in Epic 4. We own workspace storage, version immutability, simulation orchestration metadata, attestations, and RBAC enforcement for the policy lifecycle.
## Scope
- Service source under `src/Policy/StellaOps.Policy.Registry` (REST API, workers, storage schemas).
- Mongo models, migrations, and object storage bindings for policy workspaces, versions, reviews, promotions, simulations.
- Integration with Policy Engine, Scheduler, Authority, Web Gateway, Telemetry.
- Attestation signing pipeline, evidence bundle management, and retention policies.
## Principles
1. **Immutability first** – Published versions are append-only; derive new versions rather than mutate.
2. **Determinism** – Compilation/simulation requests must produce reproducible artifacts and checksums.
3. **Tenant isolation** – Enforce scoping at every storage layer (Mongo collections, buckets, queues).
4. **AOC alignment** – Registry stores metadata; it never mutates raw SBOM/advisory/VEX facts.
5. **Auditable** – Every transition emits structured events with actor, scope, digest, attestation IDs.
## Collaboration
- Keep `src/Policy/StellaOps.Policy.Registry/TASKS.md`, `../../docs/implplan/SPRINTS.md` synchronized.
- Coordinate API contracts with Policy Engine (`src/Policy/StellaOps.Policy.Engine`), Web Gateway (`src/Web/StellaOps.Web`), Console (`/console`), CLI (`src/Cli/StellaOps.Cli`), and Docs.
- Publish or update OpenAPI specs under `src/Policy/StellaOps.Policy.Registry/openapi/` and hand them to client teams.
## Tooling
- .NET 10 preview (minimal API + background workers).
- MongoDB with per-tenant collections, S3-compatible object storage for bundles.
- Background queue (Scheduler job queue or NATS) for batch simulations.
- Signing via Authority-issued OIDC tokens + cosign integration.
## Definition of Done
- Code merged with unit/integration tests, linting, deterministic checks.
- Telemetry (metrics/logs/traces) wired with tenant context.
- Docs/reference updated; OpenAPI regenerated.
- Feature flags + configuration defaults documented.
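Review bot: the relative link `../../docs/implplan/SPRINTS.md` in the Collaboration section resolves, from `src/Policy/StellaOps.Policy.Registry/`, to `src/docs/implplan/SPRINTS.md`, which does not match the repo-root-relative style of every other path in this file (`src/Policy/StellaOps.Policy.Engine`, `src/Web/StellaOps.Web`, `src/Cli/StellaOps.Cli`); since this commit moves the module one directory deeper, the link is most likely stale and should read `docs/implplan/SPRINTS.md` (or `../../../docs/implplan/SPRINTS.md` if a relative link is intended). Separately, the Definition of Done never requires verifying the Principles listed above it: add an item for negative tenant-scoping tests (cross-tenant reads of workspace collections, buckets and queues must be rejected) and for asserting that each lifecycle transition emits the structured event with actor, scope, digest and attestation IDs, so that "Tenant isolation" and "Auditable" are checked rather than only declared. Minor: ".NET 10 preview" should name the exact SDK version so builds are reproducible, which the "Determinism" principle otherwise asks for.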
17
src/Policy/StellaOps.Policy.Registry/TASKS.md
Normal file
@@ -0,0 +1,17 @@
# Policy Registry Task Board — Epic 4: Policy Studio
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| REGISTRY-API-27-001 | TODO | Policy Registry Guild | AUTH-CONSOLE-23-001, POLICY-ENGINE-20-001 | Define OpenAPI specification covering workspaces, versions, reviews, simulations, promotions, and attestations; publish typed clients for Console/CLI. | OpenAPI YAML committed, spectral lint passes, SDK regeneration documented, consumers notified. Docs `DOCS-POLICY-27-001/008/010` waiting on this spec. |
| REGISTRY-API-27-002 | TODO | Policy Registry Guild | REGISTRY-API-27-001 | Implement workspace storage (Mongo collections, object storage buckets) with CRUD endpoints, diff history, and retention policies. | Workspace CRUD passes integration tests; retention job documented; tenancy scopes enforced. |
| REGISTRY-API-27-003 | TODO | Policy Registry Guild | REGISTRY-API-27-002, POLICY-ENGINE-20-001 | Integrate compile endpoint: forward source bundle to Policy Engine, persist diagnostics, symbol table, rule index, and complexity metrics. | Compile API returns diagnostics + symbol table, metrics recorded, failures mapped to `ERR_POL_*`, tests cover success/error cases. |
| REGISTRY-API-27-004 | TODO | Policy Registry Guild | REGISTRY-API-27-003, POLICY-ENGINE-20-002 | Implement quick simulation API with request limits (sample size, timeouts), returning counts, heatmap, sampled explains. | Quick sim enforces limits, results cached with hash, integration tests validate deterministic output. |
| REGISTRY-API-27-005 | TODO | Policy Registry Guild, Scheduler Guild | REGISTRY-API-27-004, SCHED-WORKER-27-301 | Build batch simulation orchestration: enqueue shards, collect partials, reduce deltas, produce evidence bundles + signed manifest. | Batch sim runs end-to-end in staging fixture, manifests stored with checksums, retries/backoff documented. |
> Docs dependency: `DOCS-POLICY-27-004` needs simulation APIs/workers.
| REGISTRY-API-27-006 | TODO | Policy Registry Guild | REGISTRY-API-27-003 | Implement review workflow (comments, votes, required approvers, status transitions) with audit trails and webhooks. | Review endpoints enforce approver quorum, audit log captured, webhook integration tests pass. |
> Docs dependency: `DOCS-POLICY-27-005` waiting on review workflow.
| REGISTRY-API-27-007 | TODO | Policy Registry Guild, Security Guild | REGISTRY-API-27-006, AUTH-POLICY-27-001 | Implement publish pipeline: sign source/compiled digests, create attestations, mark version immutable, emit events. | Published versions immutable, attestations stored & verifiable, metrics/logs emitted, tests cover signing failure. |
> Docs dependency: `DOCS-POLICY-27-003` blocked until publish/sign pipeline ships.
| REGISTRY-API-27-008 | TODO | Policy Registry Guild | REGISTRY-API-27-007, AUTH-POLICY-27-002 | Implement promotion bindings per tenant/environment with canary subsets, rollback path, and environment history. | Promotion API updates bindings atomically, canary percent enforced, rollback recorded, runbooks updated. |
> Docs dependency: `DOCS-POLICY-27-006` requires promotion APIs.
| REGISTRY-API-27-009 | TODO | Policy Registry Guild, Observability Guild | REGISTRY-API-27-002..008 | Instrument metrics/logs/traces (compile time, diagnostics rate, sim queue depth, approval latency) and expose dashboards. | Metrics registered, dashboards seeded, alerts configured, documentation updated. |
| REGISTRY-API-27-010 | TODO | Policy Registry Guild, QA Guild | REGISTRY-API-27-002..008 | Build unit/integration/load test suites for compile/sim/review/publish/promote flows; provide seeded fixtures for CI. | Tests run in CI, load test report documented, determinism checks validated across runs. |
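Review bot: the four `> Docs dependency:` blockquote lines interleaved between table rows (after REGISTRY-API-27-005, -006, -007 and -008) terminate the Markdown table, so every row from REGISTRY-API-27-006 onward renders as plain pipe-separated text rather than as table cells. Move each note into the Exit Criteria cell of the row it belongs to, as REGISTRY-API-27-001 already does with `DOCS-POLICY-27-001/008/010`, or collect them in a short list beneath the table. Also, REGISTRY-API-27-009 and -010 write their dependencies as the range `REGISTRY-API-27-002..008`; spelling the IDs out keeps the column greppable and consistent with the other rows. For REGISTRY-API-27-007 the exit criteria cover the signing-failure path but not the verification-failure path: since "attestations stored & verifiable" is a stated criterion and REGISTRY-API-27-008 builds promotion on top of it, add a test that a version whose attestation fails verification cannot be promoted.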