feat: seed Lariza feature demonstration

Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities.

Assisted-by: Codex: GPT-5.6
This commit is contained in:
reynold
2026-07-18 20:21:36 +08:00
commit ff97cad216
11 changed files with 155 additions and 0 deletions
+23
View File
@@ -0,0 +1,23 @@
---
name: Policy exception
about: Request a scoped and expiring governance exception
title: "[Policy exception] "
labels: policy-exception
---
## Policy and scope
- Policy identifier:
- Repository, branch, or path scope:
- Requested behavior:
## Justification and safeguards
- Business reason:
- Compensating controls:
- Approver who is independent of the requester:
## Expiration
- Expiration date and time:
- Removal or renewal owner:
+16
View File
@@ -0,0 +1,16 @@
## Change summary
<!-- Explain the user-visible or policy-visible outcome. -->
## Risk and evidence
- [ ] Tests cover the changed behavior.
- [ ] Sensitive paths and required owners were reviewed.
- [ ] Policy exceptions are linked and unexpired, or not required.
- [ ] Deployment impact is described.
## Lariza demonstration
Expected policy decision:
Expected required approval groups:
Expected audit events:
+36
View File
@@ -0,0 +1,36 @@
apiVersion: policy.lariza.dev/v1alpha1
kind: RepositoryPolicyIntent
metadata:
name: production-service
complianceProfiles: [internal, production-critical]
spec:
mode: audit
inheritance:
organizationPolicy: engineering-baseline
lockedFields:
- branches.main.forcePush
- branches.main.requiredStatusChecks
- exceptions.requireIndependentApproval
branches:
main:
requirePullRequest: true
approvals: 2
dismissStaleApprovals: true
requireConversationResolution: true
requireSignedCommits: false
forcePush: deny
requiredStatusChecks: [manual-ci/policy-check]
pathRules:
- pattern: internal/payment/**
approvalGroups:
- group: payments-owners
minimum: 1
disallowAuthor: true
- pattern: .lariza/**
approvalGroups:
- group: governance-owners
minimum: 1
exceptions:
maximumDuration: 7d
requireReason: true
requireIndependentApproval: true
+4
View File
@@ -0,0 +1,4 @@
# Proposed ownership fixture for path-aware approval demonstrations.
* @lariza-labs/platform-owners
/internal/payment/ @lariza-labs/payments-owners
/.lariza/ @lariza-labs/governance-owners
+19
View File
@@ -0,0 +1,19 @@
# Governance demo
This tiny payment service is a stable target for demonstrating repository and
organization governance features without using production code.
## Demonstration scenarios
1. Preview an organization policy inherited by this repository.
2. Show why `main` requires approvals, resolved conversations, and trusted CI.
3. Change `internal/payment/**` and require the Payments Owners group.
4. Request a temporary exception using the issue template.
5. Compare audit-only and enforced policy decisions.
6. Explain which policy source won when repository settings conflict.
The `.lariza/policy.yaml` document is an intentionally proposed contract. It is
not consumed by upstream Gitea and gives future Lariza APIs and UI a versioned,
reviewable fixture.
Run the sample locally with `go test ./...`.
+11
View File
@@ -0,0 +1,11 @@
package main
import (
"fmt"
"gitea-dev.lariza.org/lariza-labs/governance-demo/internal/payment"
)
func main() {
fmt.Println(payment.Authorize(12500, "PHP"))
}
+6
View File
@@ -0,0 +1,6 @@
# Architecture fixture
The service contains one deliberately sensitive package: `internal/payment`.
Changing it should produce a higher-risk pull-request summary and an additional
approval requirement. Documentation-only changes should retain the organization
baseline without triggering the sensitive-path rule.
+3
View File
@@ -0,0 +1,3 @@
module gitea-dev.lariza.org/lariza-labs/governance-demo
go 1.24
+8
View File
@@ -0,0 +1,8 @@
package payment
import "fmt"
// Authorize returns a deterministic message for governance demonstrations.
func Authorize(amountMinor int64, currency string) string {
return fmt.Sprintf("authorized %d %s", amountMinor, currency)
}
+10
View File
@@ -0,0 +1,10 @@
package payment
import "testing"
func TestAuthorize(t *testing.T) {
got := Authorize(12500, "PHP")
if got != "authorized 12500 PHP" {
t.Fatalf("unexpected authorization result: %q", got)
}
}
+19
View File
@@ -0,0 +1,19 @@
cases:
- name: documentation-only change
changedPaths: [docs/architecture.md]
expectedDecision: allow-after-baseline
expectedApprovalGroups: []
- name: payment implementation change
changedPaths: [internal/payment/payment.go]
expectedDecision: require-review
expectedApprovalGroups: [payments-owners]
- name: attempted locked-field override
repositoryOverride:
branches.main.forcePush: allow
expectedDecision: deny
expectedReason: organization-field-locked
- name: valid temporary exception
exception:
approvedBy: independent-governance-owner
expiresIn: 48h
expectedDecision: allow-with-audit-event