feat: seed Lariza feature demonstration
Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities. Assisted-by: Codex: GPT-5.6
This commit is contained in:
@@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
name: Policy exception
|
||||||
|
about: Request a scoped and expiring governance exception
|
||||||
|
title: "[Policy exception] "
|
||||||
|
labels: policy-exception
|
||||||
|
---
|
||||||
|
|
||||||
|
## Policy and scope
|
||||||
|
|
||||||
|
- Policy identifier:
|
||||||
|
- Repository, branch, or path scope:
|
||||||
|
- Requested behavior:
|
||||||
|
|
||||||
|
## Justification and safeguards
|
||||||
|
|
||||||
|
- Business reason:
|
||||||
|
- Compensating controls:
|
||||||
|
- Approver who is independent of the requester:
|
||||||
|
|
||||||
|
## Expiration
|
||||||
|
|
||||||
|
- Expiration date and time:
|
||||||
|
- Removal or renewal owner:
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
## Change summary
|
||||||
|
|
||||||
|
<!-- Explain the user-visible or policy-visible outcome. -->
|
||||||
|
|
||||||
|
## Risk and evidence
|
||||||
|
|
||||||
|
- [ ] Tests cover the changed behavior.
|
||||||
|
- [ ] Sensitive paths and required owners were reviewed.
|
||||||
|
- [ ] Policy exceptions are linked and unexpired, or not required.
|
||||||
|
- [ ] Deployment impact is described.
|
||||||
|
|
||||||
|
## Lariza demonstration
|
||||||
|
|
||||||
|
Expected policy decision:
|
||||||
|
Expected required approval groups:
|
||||||
|
Expected audit events:
|
||||||
@@ -0,0 +1,36 @@
|
|||||||
|
apiVersion: policy.lariza.dev/v1alpha1
|
||||||
|
kind: RepositoryPolicyIntent
|
||||||
|
metadata:
|
||||||
|
name: production-service
|
||||||
|
complianceProfiles: [internal, production-critical]
|
||||||
|
spec:
|
||||||
|
mode: audit
|
||||||
|
inheritance:
|
||||||
|
organizationPolicy: engineering-baseline
|
||||||
|
lockedFields:
|
||||||
|
- branches.main.forcePush
|
||||||
|
- branches.main.requiredStatusChecks
|
||||||
|
- exceptions.requireIndependentApproval
|
||||||
|
branches:
|
||||||
|
main:
|
||||||
|
requirePullRequest: true
|
||||||
|
approvals: 2
|
||||||
|
dismissStaleApprovals: true
|
||||||
|
requireConversationResolution: true
|
||||||
|
requireSignedCommits: false
|
||||||
|
forcePush: deny
|
||||||
|
requiredStatusChecks: [manual-ci/policy-check]
|
||||||
|
pathRules:
|
||||||
|
- pattern: internal/payment/**
|
||||||
|
approvalGroups:
|
||||||
|
- group: payments-owners
|
||||||
|
minimum: 1
|
||||||
|
disallowAuthor: true
|
||||||
|
- pattern: .lariza/**
|
||||||
|
approvalGroups:
|
||||||
|
- group: governance-owners
|
||||||
|
minimum: 1
|
||||||
|
exceptions:
|
||||||
|
maximumDuration: 7d
|
||||||
|
requireReason: true
|
||||||
|
requireIndependentApproval: true
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
# Proposed ownership fixture for path-aware approval demonstrations.
|
||||||
|
* @lariza-labs/platform-owners
|
||||||
|
/internal/payment/ @lariza-labs/payments-owners
|
||||||
|
/.lariza/ @lariza-labs/governance-owners
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
# Governance demo
|
||||||
|
|
||||||
|
This tiny payment service is a stable target for demonstrating repository and
|
||||||
|
organization governance features without using production code.
|
||||||
|
|
||||||
|
## Demonstration scenarios
|
||||||
|
|
||||||
|
1. Preview an organization policy inherited by this repository.
|
||||||
|
2. Show why `main` requires approvals, resolved conversations, and trusted CI.
|
||||||
|
3. Change `internal/payment/**` and require the Payments Owners group.
|
||||||
|
4. Request a temporary exception using the issue template.
|
||||||
|
5. Compare audit-only and enforced policy decisions.
|
||||||
|
6. Explain which policy source won when repository settings conflict.
|
||||||
|
|
||||||
|
The `.lariza/policy.yaml` document is an intentionally proposed contract. It is
|
||||||
|
not consumed by upstream Gitea and gives future Lariza APIs and UI a versioned,
|
||||||
|
reviewable fixture.
|
||||||
|
|
||||||
|
Run the sample locally with `go test ./...`.
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"gitea-dev.lariza.org/lariza-labs/governance-demo/internal/payment"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
fmt.Println(payment.Authorize(12500, "PHP"))
|
||||||
|
}
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
# Architecture fixture
|
||||||
|
|
||||||
|
The service contains one deliberately sensitive package: `internal/payment`.
|
||||||
|
Changing it should produce a higher-risk pull-request summary and an additional
|
||||||
|
approval requirement. Documentation-only changes should retain the organization
|
||||||
|
baseline without triggering the sensitive-path rule.
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
package payment
|
||||||
|
|
||||||
|
import "fmt"
|
||||||
|
|
||||||
|
// Authorize returns a deterministic message for governance demonstrations.
|
||||||
|
func Authorize(amountMinor int64, currency string) string {
|
||||||
|
return fmt.Sprintf("authorized %d %s", amountMinor, currency)
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
package payment
|
||||||
|
|
||||||
|
import "testing"
|
||||||
|
|
||||||
|
func TestAuthorize(t *testing.T) {
|
||||||
|
got := Authorize(12500, "PHP")
|
||||||
|
if got != "authorized 12500 PHP" {
|
||||||
|
t.Fatalf("unexpected authorization result: %q", got)
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
cases:
|
||||||
|
- name: documentation-only change
|
||||||
|
changedPaths: [docs/architecture.md]
|
||||||
|
expectedDecision: allow-after-baseline
|
||||||
|
expectedApprovalGroups: []
|
||||||
|
- name: payment implementation change
|
||||||
|
changedPaths: [internal/payment/payment.go]
|
||||||
|
expectedDecision: require-review
|
||||||
|
expectedApprovalGroups: [payments-owners]
|
||||||
|
- name: attempted locked-field override
|
||||||
|
repositoryOverride:
|
||||||
|
branches.main.forcePush: allow
|
||||||
|
expectedDecision: deny
|
||||||
|
expectedReason: organization-field-locked
|
||||||
|
- name: valid temporary exception
|
||||||
|
exception:
|
||||||
|
approvedBy: independent-governance-owner
|
||||||
|
expiresIn: 48h
|
||||||
|
expectedDecision: allow-with-audit-event
|
||||||
Reference in New Issue
Block a user