2170a58734
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Findings Ledger CI / build-test (push) Has been cancelled
Findings Ledger CI / migration-validation (push) Has been cancelled
Findings Ledger CI / generate-manifest (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management. - Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management. - Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support. - Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
Policy Engine Host Template
This service hosts the Policy Engine APIs and background workers introduced in Policy Engine v2. The project currently ships a minimal bootstrap that validates configuration, registers Authority clients, and exposes readiness/health endpoints. Future tasks will extend it with compilation, evaluation, and persistence features.
Compliance Checklist
- Configuration loads from
policy-engine.yaml/environment variables and validates on startup. - Authority client scaffolding enforces
policy:*+effective:writescopes and respects back-channel timeouts. - Resource server authentication requires Policy Engine scopes with tenant-aware policies.
- Health and readiness endpoints exist for platform probes.
- Deterministic policy evaluation pipeline implemented (POLICY-ENGINE-20-002).
- PostgreSQL materialisation writers implemented (POLICY-ENGINE-20-004).
- Observability (metrics/traces/logs) completed (POLICY-ENGINE-20-007).
- Comprehensive test suites and perf baselines established (POLICY-ENGINE-20-008).