feat: seed Lariza feature demonstration
Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities. Assisted-by: Codex: GPT-5.6
This commit is contained in:
@@ -0,0 +1,23 @@
|
||||
---
|
||||
name: Policy exception
|
||||
about: Request a scoped and expiring governance exception
|
||||
title: "[Policy exception] "
|
||||
labels: policy-exception
|
||||
---
|
||||
|
||||
## Policy and scope
|
||||
|
||||
- Policy identifier:
|
||||
- Repository, branch, or path scope:
|
||||
- Requested behavior:
|
||||
|
||||
## Justification and safeguards
|
||||
|
||||
- Business reason:
|
||||
- Compensating controls:
|
||||
- Approver who is independent of the requester:
|
||||
|
||||
## Expiration
|
||||
|
||||
- Expiration date and time:
|
||||
- Removal or renewal owner:
|
||||
@@ -0,0 +1,16 @@
|
||||
## Change summary
|
||||
|
||||
<!-- Explain the user-visible or policy-visible outcome. -->
|
||||
|
||||
## Risk and evidence
|
||||
|
||||
- [ ] Tests cover the changed behavior.
|
||||
- [ ] Sensitive paths and required owners were reviewed.
|
||||
- [ ] Policy exceptions are linked and unexpired, or not required.
|
||||
- [ ] Deployment impact is described.
|
||||
|
||||
## Lariza demonstration
|
||||
|
||||
Expected policy decision:
|
||||
Expected required approval groups:
|
||||
Expected audit events:
|
||||
@@ -0,0 +1,36 @@
|
||||
apiVersion: policy.lariza.dev/v1alpha1
|
||||
kind: RepositoryPolicyIntent
|
||||
metadata:
|
||||
name: production-service
|
||||
complianceProfiles: [internal, production-critical]
|
||||
spec:
|
||||
mode: audit
|
||||
inheritance:
|
||||
organizationPolicy: engineering-baseline
|
||||
lockedFields:
|
||||
- branches.main.forcePush
|
||||
- branches.main.requiredStatusChecks
|
||||
- exceptions.requireIndependentApproval
|
||||
branches:
|
||||
main:
|
||||
requirePullRequest: true
|
||||
approvals: 2
|
||||
dismissStaleApprovals: true
|
||||
requireConversationResolution: true
|
||||
requireSignedCommits: false
|
||||
forcePush: deny
|
||||
requiredStatusChecks: [manual-ci/policy-check]
|
||||
pathRules:
|
||||
- pattern: internal/payment/**
|
||||
approvalGroups:
|
||||
- group: payments-owners
|
||||
minimum: 1
|
||||
disallowAuthor: true
|
||||
- pattern: .lariza/**
|
||||
approvalGroups:
|
||||
- group: governance-owners
|
||||
minimum: 1
|
||||
exceptions:
|
||||
maximumDuration: 7d
|
||||
requireReason: true
|
||||
requireIndependentApproval: true
|
||||
@@ -0,0 +1,4 @@
|
||||
# Proposed ownership fixture for path-aware approval demonstrations.
|
||||
* @lariza-labs/platform-owners
|
||||
/internal/payment/ @lariza-labs/payments-owners
|
||||
/.lariza/ @lariza-labs/governance-owners
|
||||
@@ -0,0 +1,19 @@
|
||||
# Governance demo
|
||||
|
||||
This tiny payment service is a stable target for demonstrating repository and
|
||||
organization governance features without using production code.
|
||||
|
||||
## Demonstration scenarios
|
||||
|
||||
1. Preview an organization policy inherited by this repository.
|
||||
2. Show why `main` requires approvals, resolved conversations, and trusted CI.
|
||||
3. Change `internal/payment/**` and require the Payments Owners group.
|
||||
4. Request a temporary exception using the issue template.
|
||||
5. Compare audit-only and enforced policy decisions.
|
||||
6. Explain which policy source won when repository settings conflict.
|
||||
|
||||
The `.lariza/policy.yaml` document is an intentionally proposed contract. It is
|
||||
not consumed by upstream Gitea and gives future Lariza APIs and UI a versioned,
|
||||
reviewable fixture.
|
||||
|
||||
Run the sample locally with `go test ./...`.
|
||||
@@ -0,0 +1,11 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"gitea-dev.lariza.org/lariza-labs/governance-demo/internal/payment"
|
||||
)
|
||||
|
||||
func main() {
|
||||
fmt.Println(payment.Authorize(12500, "PHP"))
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
# Architecture fixture
|
||||
|
||||
The service contains one deliberately sensitive package: `internal/payment`.
|
||||
Changing it should produce a higher-risk pull-request summary and an additional
|
||||
approval requirement. Documentation-only changes should retain the organization
|
||||
baseline without triggering the sensitive-path rule.
|
||||
@@ -0,0 +1,8 @@
|
||||
package payment
|
||||
|
||||
import "fmt"
|
||||
|
||||
// Authorize returns a deterministic message for governance demonstrations.
|
||||
func Authorize(amountMinor int64, currency string) string {
|
||||
return fmt.Sprintf("authorized %d %s", amountMinor, currency)
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
package payment
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestAuthorize(t *testing.T) {
|
||||
got := Authorize(12500, "PHP")
|
||||
if got != "authorized 12500 PHP" {
|
||||
t.Fatalf("unexpected authorization result: %q", got)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
cases:
|
||||
- name: documentation-only change
|
||||
changedPaths: [docs/architecture.md]
|
||||
expectedDecision: allow-after-baseline
|
||||
expectedApprovalGroups: []
|
||||
- name: payment implementation change
|
||||
changedPaths: [internal/payment/payment.go]
|
||||
expectedDecision: require-review
|
||||
expectedApprovalGroups: [payments-owners]
|
||||
- name: attempted locked-field override
|
||||
repositoryOverride:
|
||||
branches.main.forcePush: allow
|
||||
expectedDecision: deny
|
||||
expectedReason: organization-field-locked
|
||||
- name: valid temporary exception
|
||||
exception:
|
||||
approvedBy: independent-governance-owner
|
||||
expiresIn: 48h
|
||||
expectedDecision: allow-with-audit-event
|
||||
Reference in New Issue
Block a user