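#!/usr/bin/env bash
# Batch policy simulate harness (DEVOPS-POLICY-27-002).
# Runs `stella policy simulate` over the sample policies below against the
# sample SBOM, writes one JSON report per policy plus summary.txt into OUT_DIR,
# and fails when the total violation count exceeds THRESHOLD.
#
# Environment:
#   OUT_DIR    report directory (default: out/policy-sim)
#   THRESHOLD  maximum total violations allowed, non-negative integer (default: 0)
set -euo pipefail

# Repository root, resolved relative to this script's own location.
ROOT=$(cd "$(dirname "$0")/.." && pwd)
CLI_PROJECT="$ROOT/Cli/StellaOps.Cli/StellaOps.Cli.csproj"
POLICY_FILES=(
  "docs/examples/policies/baseline.stella"
  "docs/examples/policies/internal-only.stella"
  "docs/examples/policies/serverless.stella"
)
SBOM_FILE="docs/examples/policies/sample-sbom.json"
OUT_DIR="${OUT_DIR:-out/policy-sim}"
THRESHOLD=${THRESHOLD:-0}
# THRESHOLD is later used inside (( )), where bash evaluates the whole string as
# an arithmetic expression. Reject anything that is not a plain non-negative
# integer before it is trusted, so a malformed or hostile environment value
# cannot drive the evaluation.
if [[ ! $THRESHOLD =~ ^[0-9]+$ ]]; then
  printf 'THRESHOLD must be a non-negative integer (got %q)\n' "$THRESHOLD" >&2
  exit 2
fi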
#######################################
# Print the harness help text.
# Globals:   none
# Arguments: none
# Outputs:   help text, one line per entry, on stdout
# Returns:   0
#######################################
usage() {
  local -a help_lines=(
    'Batch policy simulate harness (DEVOPS-POLICY-27-002)'
    '- Runs stella policy simulate against sample policies and a sample SBOM'
    '- Fails if violation count exceeds THRESHOLD (default 0)'
    'Env/flags:'
    'OUT_DIR=out/policy-sim'
    'THRESHOLD=0'
    'SBOM_FILE=docs/examples/policies/sample-sbom.json'
  )
  printf '%s\n' "${help_lines[@]}"
}
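# Help is only recognised as the first argument; all other configuration comes
# from the environment (see usage).
if [[ ${1:-} == "-h" || ${1:-} == "--help" ]]; then usage; exit 0; fi

mkdir -p "$OUT_DIR"
summary="$OUT_DIR/summary.txt"
violations=0
for policy in "${POLICY_FILES[@]}"; do
  name=$(basename "$policy" .stella)
  report="$OUT_DIR/${name}-simulate.json"
  # '--' stops dotnet from consuming the CLI's own flags. A non-zero exit from
  # the simulation aborts the whole run (set -e), leaving a partial report.
  dotnet run --project "$CLI_PROJECT" -- policy simulate \
    --policy "$policy" --sbom "$SBOM_FILE" --format json --no-color > "$report"
  # Count entries of the top-level "violations" array; 0 when the key is absent
  # or is not a list. The quoted delimiter keeps the shell from expanding
  # anything inside the Python source.
  count=$(python - "$report" <<'PY'
import json, sys
with open(sys.argv[1]) as f:
    data = json.load(f)
viol = 0
if isinstance(data, dict):
    found = data.get("violations", [])
    if isinstance(found, list):
        viol = len(found)
print(viol)
PY
)
  # The count feeds $(( )) below; refuse anything that is not a plain integer
  # rather than letting bash evaluate it as an expression.
  if [[ ! $count =~ ^[0-9]+$ ]]; then
    printf '[%s] unexpected violation count %q in %s\n' "$name" "$count" "$report" >&2
    exit 1
  fi
  echo "[$name] violations=$count" | tee -a "$summary"
  violations=$((violations + count))
done
# NOTE: summary.txt is appended to (tee -a), so re-running with the same
# OUT_DIR keeps lines from earlier runs; use a fresh OUT_DIR for a clean summary.
echo "total_violations=$violations" | tee -a "$summary"
if (( violations > THRESHOLD )); then
  echo "Violation threshold exceeded ($violations > $THRESHOLD)" >&2
  exit 1
fi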