From ff97cad21642d7e443a9fc98c842209c3b10df44 Mon Sep 17 00:00:00 2001 From: reynold Date: Sat, 18 Jul 2026 20:21:36 +0800 Subject: [PATCH] feat: seed Lariza feature demonstration Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities. Assisted-by: Codex: GPT-5.6 --- .gitea/ISSUE_TEMPLATE/policy-exception.md | 23 +++++++++++++++ .gitea/pull_request_template.md | 16 ++++++++++ .lariza/policy.yaml | 36 +++++++++++++++++++++++ CODEOWNERS | 4 +++ README.md | 19 ++++++++++++ cmd/service/main.go | 11 +++++++ docs/architecture.md | 6 ++++ go.mod | 3 ++ internal/payment/payment.go | 8 +++++ internal/payment/payment_test.go | 10 +++++++ tests/governance-cases.yaml | 19 ++++++++++++ 11 files changed, 155 insertions(+) create mode 100644 .gitea/ISSUE_TEMPLATE/policy-exception.md create mode 100644 .gitea/pull_request_template.md create mode 100644 .lariza/policy.yaml create mode 100644 CODEOWNERS create mode 100644 README.md create mode 100644 cmd/service/main.go create mode 100644 docs/architecture.md create mode 100644 go.mod create mode 100644 internal/payment/payment.go create mode 100644 internal/payment/payment_test.go create mode 100644 tests/governance-cases.yaml diff --git a/.gitea/ISSUE_TEMPLATE/policy-exception.md b/.gitea/ISSUE_TEMPLATE/policy-exception.md new file mode 100644 index 0000000..a08e0d5 --- /dev/null +++ b/.gitea/ISSUE_TEMPLATE/policy-exception.md @@ -0,0 +1,23 @@ +--- +name: Policy exception +about: Request a scoped and expiring governance exception +title: "[Policy exception] " +labels: policy-exception +--- + +## Policy and scope + +- Policy identifier: +- Repository, branch, or path scope: +- Requested behavior: + +## Justification and safeguards + +- Business reason: +- Compensating controls: +- Approver who is independent of the requester: + +## Expiration + +- Expiration date and time: +- Removal or renewal owner: diff --git a/.gitea/pull_request_template.md b/.gitea/pull_request_template.md new file mode 100644 index 0000000..c6b5a8a --- /dev/null +++ b/.gitea/pull_request_template.md @@ -0,0 +1,16 @@ +## Change summary + + + +## Risk and evidence + +- [ ] Tests cover the changed behavior. +- [ ] Sensitive paths and required owners were reviewed. +- [ ] Policy exceptions are linked and unexpired, or not required. +- [ ] Deployment impact is described. + +## Lariza demonstration + +Expected policy decision: +Expected required approval groups: +Expected audit events: diff --git a/.lariza/policy.yaml b/.lariza/policy.yaml new file mode 100644 index 0000000..6fb3484 --- /dev/null +++ b/.lariza/policy.yaml @@ -0,0 +1,36 @@ +apiVersion: policy.lariza.dev/v1alpha1 +kind: RepositoryPolicyIntent +metadata: + name: production-service + complianceProfiles: [internal, production-critical] +spec: + mode: audit + inheritance: + organizationPolicy: engineering-baseline + lockedFields: + - branches.main.forcePush + - branches.main.requiredStatusChecks + - exceptions.requireIndependentApproval + branches: + main: + requirePullRequest: true + approvals: 2 + dismissStaleApprovals: true + requireConversationResolution: true + requireSignedCommits: false + forcePush: deny + requiredStatusChecks: [manual-ci/policy-check] + pathRules: + - pattern: internal/payment/** + approvalGroups: + - group: payments-owners + minimum: 1 + disallowAuthor: true + - pattern: .lariza/** + approvalGroups: + - group: governance-owners + minimum: 1 + exceptions: + maximumDuration: 7d + requireReason: true + requireIndependentApproval: true diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..219d6e7 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,4 @@ +# Proposed ownership fixture for path-aware approval demonstrations. +* @lariza-labs/platform-owners +/internal/payment/ @lariza-labs/payments-owners +/.lariza/ @lariza-labs/governance-owners diff --git a/README.md b/README.md new file mode 100644 index 0000000..8078a19 --- /dev/null +++ b/README.md @@ -0,0 +1,19 @@ +# Governance demo + +This tiny payment service is a stable target for demonstrating repository and +organization governance features without using production code. + +## Demonstration scenarios + +1. Preview an organization policy inherited by this repository. +2. Show why `main` requires approvals, resolved conversations, and trusted CI. +3. Change `internal/payment/**` and require the Payments Owners group. +4. Request a temporary exception using the issue template. +5. Compare audit-only and enforced policy decisions. +6. Explain which policy source won when repository settings conflict. + +The `.lariza/policy.yaml` document is an intentionally proposed contract. It is +not consumed by upstream Gitea and gives future Lariza APIs and UI a versioned, +reviewable fixture. + +Run the sample locally with `go test ./...`. diff --git a/cmd/service/main.go b/cmd/service/main.go new file mode 100644 index 0000000..6d07094 --- /dev/null +++ b/cmd/service/main.go @@ -0,0 +1,11 @@ +package main + +import ( + "fmt" + + "gitea-dev.lariza.org/lariza-labs/governance-demo/internal/payment" +) + +func main() { + fmt.Println(payment.Authorize(12500, "PHP")) +} diff --git a/docs/architecture.md b/docs/architecture.md new file mode 100644 index 0000000..c6e01ff --- /dev/null +++ b/docs/architecture.md @@ -0,0 +1,6 @@ +# Architecture fixture + +The service contains one deliberately sensitive package: `internal/payment`. +Changing it should produce a higher-risk pull-request summary and an additional +approval requirement. Documentation-only changes should retain the organization +baseline without triggering the sensitive-path rule. diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..155e80a --- /dev/null +++ b/go.mod @@ -0,0 +1,3 @@ +module gitea-dev.lariza.org/lariza-labs/governance-demo + +go 1.24 diff --git a/internal/payment/payment.go b/internal/payment/payment.go new file mode 100644 index 0000000..f2fc7fd --- /dev/null +++ b/internal/payment/payment.go @@ -0,0 +1,8 @@ +package payment + +import "fmt" + +// Authorize returns a deterministic message for governance demonstrations. +func Authorize(amountMinor int64, currency string) string { + return fmt.Sprintf("authorized %d %s", amountMinor, currency) +} diff --git a/internal/payment/payment_test.go b/internal/payment/payment_test.go new file mode 100644 index 0000000..15cc3df --- /dev/null +++ b/internal/payment/payment_test.go @@ -0,0 +1,10 @@ +package payment + +import "testing" + +func TestAuthorize(t *testing.T) { + got := Authorize(12500, "PHP") + if got != "authorized 12500 PHP" { + t.Fatalf("unexpected authorization result: %q", got) + } +} diff --git a/tests/governance-cases.yaml b/tests/governance-cases.yaml new file mode 100644 index 0000000..a3e8aab --- /dev/null +++ b/tests/governance-cases.yaml @@ -0,0 +1,19 @@ +cases: + - name: documentation-only change + changedPaths: [docs/architecture.md] + expectedDecision: allow-after-baseline + expectedApprovalGroups: [] + - name: payment implementation change + changedPaths: [internal/payment/payment.go] + expectedDecision: require-review + expectedApprovalGroups: [payments-owners] + - name: attempted locked-field override + repositoryOverride: + branches.main.forcePush: allow + expectedDecision: deny + expectedReason: organization-field-locked + - name: valid temporary exception + exception: + approvedBy: independent-governance-owner + expiresIn: 48h + expectedDecision: allow-with-audit-event