Stop tracking generated evidence bundles

.gitattributes

@@ -0,0 +1,7 @@
+*.zip binary
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.gif binary
+*.ico binary
+*.pdf binary

artifacts/APP1/api_matrix.json

@@ -0,0 +1,9 @@
+{
+  "app": "APP1",
+  "routes": [
+    {"path": "/api/quote", "methods": ["GET", "POST"], "roles": {"broker": "allow", "underwriter": "allow", "auditor": "read", "anonymous": "deny"}},
+    {"path": "/api/claim", "methods": ["POST"], "roles": {"broker": "allow", "auditor": "deny", "customer": "allow"}},
+    {"path": "/api/admin/quote/{quoteId}/approve", "methods": ["POST"], "roles": {"underwriter": "allow", "broker": "deny", "auditor": "read"}}
+  ],
+  "generated_at": "2025-10-28T13:10:00Z"
+}

artifacts/APP1/chaos_report.json

@@ -0,0 +1,11 @@
+{
+  "app": "APP1",
+  "experiments": [
+    {"name": "pod_kill", "status": "pass", "error_rate": 0.006, "p95_ms": 410, "rollback": "scale restored"},
+    {"name": "az_failure", "status": "pass", "failover_duration_s": 96, "p95_ms": 480},
+    {"name": "network_partition", "status": "pass", "breaker_open_s": 9, "customer_impact": "retry-after 3s"},
+    {"name": "disk_full", "status": "pass", "eviction_time_s": 70},
+    {"name": "broker_failover", "status": "warn", "consumer_lag": 122, "notes": "lag exceeded SLO 100 messages"}
+  ],
+  "generated_at": "2025-10-28T13:20:00Z"
+}

artifacts/APP1/components.json

@@ -0,0 +1,9 @@
+{
+  "app": "APP1",
+  "components": [
+    {"name": "frontend", "language": "React", "version": "18.2.0", "owner": "frontend-team"},
+    {"name": "pricing-service", "language": "Node.js", "version": "20.10.0", "owner": "pricing-team"},
+    {"name": "claims-processor", "language": "Python", "version": "3.11", "owner": "claims-team"},
+    {"name": "terraform", "language": "HCL", "version": "1.7.5", "owner": "platform-team"}
+  ]
+}

artifacts/APP1/decisions.json

@@ -0,0 +1,10 @@
+{
+  "app": "APP1",
+  "run_id": "7c8d2b8e-4f37-4f64-8c86-4ad23d45bc11",
+  "decisions": [
+    {"stage": "design-review", "status": "pass", "evidence": "inputs/APP1/design.csv"},
+    {"stage": "supply-chain", "status": "fail", "reason": "Unsigned pricing image", "remediation_pr": "See reports/APP1_vc_summary.md#remediation"},
+    {"stage": "runtime-controls", "status": "warn", "reason": "Kafka consumer lag"},
+    {"stage": "release", "status": "blocked", "reason": "Policy gate: RDS public"}
+  ]
+}

artifacts/APP1/e2e_junit.xml

@@ -0,0 +1,20 @@
+<testsuite name="APP1-SSDLC" tests="24" failures="2" errors="0" skipped="1" timestamp="2025-10-28T13:15:00Z">
+  <testcase classname="contract.quote" name="create-quote-positive" time="0.43"/>
+  <testcase classname="contract.quote" name="create-quote-negative" time="0.31"/>
+  <testcase classname="contract.claim" name="submit-claim" time="0.27"/>
+  <testcase classname="authz" name="underwriter-approve" time="0.11"/>
+  <testcase classname="authz" name="broker-approve-deny" time="0.09">
+    <failure message="Expected 403 got 200">Policy enforcement missing on staging cluster</failure>
+  </testcase>
+  <testcase classname="idempotency" name="quote-replay" time="0.05"/>
+  <testcase classname="idempotency" name="audit-ledger" time="0.07"/>
+  <testcase classname="perf" name="baseline" time="180">
+    <failure message="p95 exceeded">Observed p95=520ms vs SLO 500ms</failure>
+  </testcase>
+  <testcase classname="chaos" name="pod-kill" time="300"/>
+  <testcase classname="chaos" name="az-failure" time="720"/>
+  <testcase classname="chaos" name="disk-full" time="420"/>
+  <testcase classname="webhook" name="partner-429" time="0.15" status="skipped">
+    <skipped message="Partner simulation executed for APP2 only"/>
+  </testcase>
+</testsuite>

artifacts/APP1/k6_summary.json

@@ -0,0 +1,8 @@
+{
+  "scenario": "baseline",
+  "vus_max": 200,
+  "requests": 18000,
+  "http_req_duration": {"avg": 320, "p95": 520, "max": 890},
+  "http_req_failed": 0.012,
+  "notes": "Exceeded p95 target during AZ failover replay; flagged for remediation"
+}

artifacts/APP1/metrics.json

@@ -0,0 +1,15 @@
+{
+  "app": "APP1",
+  "run_id": "7c8d2b8e-4f37-4f64-8c86-4ad23d45bc11",
+  "metrics": {
+    "critical_findings": 2,
+    "high_findings": 3,
+    "medium_findings": 5,
+    "policy_blocks": 2,
+    "tests_passed": 20,
+    "tests_failed": 2,
+    "tests_skipped": 1,
+    "mean_time_to_detect": "2m"
+  },
+  "generated_at": "2025-10-28T13:22:00Z"
+}

artifacts/APP1/policy_results.json

@@ -0,0 +1,12 @@
+{
+  "app": "APP1",
+  "run_id": "7c8d2b8e-4f37-4f64-8c86-4ad23d45bc11",
+  "results": [
+    {"rule": "Database instances must not be publicly accessible.", "status": "fail", "resource": "aws_db_instance.customers"},
+    {"rule": "Database must be encrypted at rest.", "status": "fail", "resource": "aws_db_instance.customers"},
+    {"rule": "Ingress rules cannot expose 0.0.0.0/0.", "status": "pass", "resource": "aws_security_group.api"},
+    {"rule": "Load balancers must enforce TLS 1.2+.", "status": "pass", "resource": "aws_lb_listener.app"},
+    {"rule": "Base image older than 180 days", "status": "warn", "resource": "pricing-base:2024-03-01"}
+  ],
+  "evaluated_at": "2025-10-28T13:05:00Z"
+}

artifacts/APP1/run_manifest.json

@@ -0,0 +1,27 @@
+{
+  "app": "APP1",
+  "run_id": "7c8d2b8e-4f37-4f64-8c86-4ad23d45bc11",
+  "mode": "simulated-offline",
+  "host": "https://fixops.local",
+  "inputs": {
+    "design": "inputs/APP1/design.csv",
+    "sbom": "inputs/APP1/sbom.json",
+    "sarif": "inputs/APP1/results.sarif",
+    "cve_feed": "inputs/APP1/cve_feed.json",
+    "vex": "inputs/APP1/vex_doc.json",
+    "cnapp": "inputs/APP1/findings.json"
+  },
+  "tests": {
+    "contract": "tests/APP1/contract_tests/openapi.yaml",
+    "authz": "tests/APP1/authz_tests/matrix.csv",
+    "idempotency": [
+      "tests/APP1/idempotency_tests/quote_idempotency.yaml",
+      "tests/APP1/idempotency_tests/audit_replay.yaml"
+    ],
+    "performance": "tests/APP1/perf_k6.js",
+    "chaos": "tests/APP1/chaos_playbooks"
+  },
+  "policy": ["policy/APP1/security_controls.rego"],
+  "backtests": ["2024-08-pricing-outage", "2023-credential-stuffing"],
+  "created_at": "2025-10-28T12:45:00Z"
+}

artifacts/APP1/tf_plan.json

@@ -0,0 +1,25 @@
+{
+  "planned_values": {
+    "root_module": {
+      "resources": [
+        {
+          "address": "aws_db_instance.customers",
+          "type": "aws_db_instance",
+          "change": {
+            "actions": ["update"],
+            "before": {"storage_encrypted": false, "publicly_accessible": true},
+            "after": {"storage_encrypted": true, "publicly_accessible": false}
+          }
+        },
+        {
+          "address": "aws_security_group.api",
+          "type": "aws_security_group",
+          "change": {
+            "actions": ["no-op"],
+            "after": {"ingress": [{"cidr_blocks": ["10.0.0.0/16"], "from_port": 443, "to_port": 443}]}
+          }
+        }
+      ]
+    }
+  }
+}

artifacts/APP2/api_matrix.json

@@ -0,0 +1,8 @@
+{
+  "app": "APP2",
+  "routes": [
+    {"path": "/graphql", "methods": ["POST"], "roles": {"viewer": "allow", "integration": "allow", "anonymous": "deny"}},
+    {"path": "/api/webhooks/{partner}", "methods": ["POST"], "roles": {"integration": "allow", "viewer": "deny", "ops": "allow"}}
+  ],
+  "generated_at": "2025-10-28T13:46:00Z"
+}

artifacts/APP2/chaos_report.json

@@ -0,0 +1,11 @@
+{
+  "app": "APP2",
+  "experiments": [
+    {"name": "pod_kill", "status": "pass", "p95_ms": 380},
+    {"name": "az_failure", "status": "pass", "error_rate": 0.024},
+    {"name": "broker_failover", "status": "fail", "dlq_messages": 5},
+    {"name": "network_partition", "status": "pass", "fallback_hit_rate": 0.92},
+    {"name": "disk_full", "status": "pass"}
+  ],
+  "generated_at": "2025-10-28T13:50:00Z"
+}

artifacts/APP2/components.json

@@ -0,0 +1,9 @@
+{
+  "app": "APP2",
+  "components": [
+    {"name": "shell", "framework": "Next.js", "owner": "experience-team"},
+    {"name": "graphql-gateway", "language": "TypeScript", "owner": "api-team"},
+    {"name": "partner-transformer", "language": "Python", "owner": "platform-team"},
+    {"name": "kong-gateway", "language": "Lua", "owner": "platform-team"}
+  ]
+}

artifacts/APP2/decisions.json

@@ -0,0 +1,10 @@
+{
+  "app": "APP2",
+  "run_id": "91e1f59b-fef7-4637-9d36-0a7ef5a547ab",
+  "decisions": [
+    {"stage": "design-review", "status": "pass"},
+    {"stage": "partner-security", "status": "fail", "reason": "Webhook signature plugin disabled"},
+    {"stage": "runtime-controls", "status": "fail", "reason": "DLQ > 0 during chaos"},
+    {"stage": "release", "status": "blocked", "reason": "Partner secret not from Secrets Manager"}
+  ]
+}

artifacts/APP2/e2e_junit.xml

@@ -0,0 +1,16 @@
+<testsuite name="APP2-SSDLC" tests="22" failures="3" errors="0" skipped="0" timestamp="2025-10-28T13:47:00Z">
+  <testcase classname="contract.graphql" name="offerFeed-happy" time="0.40"/>
+  <testcase classname="contract.graphql" name="offerFeed-invalid" time="0.32">
+    <failure message="429 not handled">Missing exponential backoff header</failure>
+  </testcase>
+  <testcase classname="webhook" name="valid-signature" time="0.21"/>
+  <testcase classname="webhook" name="invalid-signature" time="0.19"/>
+  <testcase classname="authz" name="viewer-blocked-webhook" time="0.07"/>
+  <testcase classname="performance" name="spike" time="360">
+    <failure message="p95 460ms">Exceeded threshold for 2 minutes</failure>
+  </testcase>
+  <testcase classname="chaos" name="queue-throttle" time="420">
+    <failure message="dlq entries detected">5 messages moved to DLQ</failure>
+  </testcase>
+  <testcase classname="chaos" name="network-partition" time="300"/>
+</testsuite>

artifacts/APP2/k6_summary.json

@@ -0,0 +1,8 @@
+{
+  "scenario": "spike",
+  "vus_max": 300,
+  "requests": 25000,
+  "http_req_duration": {"avg": 290, "p95": 460, "max": 730},
+  "http_req_failed": 0.018,
+  "notes": "Backoff header missing for 429 responses"
+}

artifacts/APP2/metrics.json

@@ -0,0 +1,14 @@
+{
+  "app": "APP2",
+  "run_id": "91e1f59b-fef7-4637-9d36-0a7ef5a547ab",
+  "metrics": {
+    "critical_findings": 1,
+    "high_findings": 3,
+    "medium_findings": 4,
+    "policy_blocks": 2,
+    "tests_passed": 19,
+    "tests_failed": 3,
+    "mean_time_to_detect": "4m"
+  },
+  "generated_at": "2025-10-28T13:51:00Z"
+}

artifacts/APP2/policy_results.json

@@ -0,0 +1,12 @@
+{
+  "app": "APP2",
+  "run_id": "91e1f59b-fef7-4637-9d36-0a7ef5a547ab",
+  "results": [
+    {"rule": "Webhook route must enforce HMAC signature plugin", "status": "fail", "resource": "kong/route/webhooks"},
+    {"rule": "Service must use https", "status": "pass", "resource": "kong/service/graphql"},
+    {"rule": "CDN origins cannot be public buckets", "status": "pass", "resource": "cloudfront/app2"},
+    {"rule": "Image older than 180 days", "status": "warn", "resource": "partner-base:2024-02"},
+    {"rule": "Partner secrets from secrets manager", "status": "fail", "resource": "lambda/transformer"}
+  ],
+  "evaluated_at": "2025-10-28T13:45:00Z"
+}

artifacts/APP2/run_manifest.json

@@ -0,0 +1,31 @@
+{
+  "app": "APP2",
+  "run_id": "91e1f59b-fef7-4637-9d36-0a7ef5a547ab",
+  "mode": "simulated-offline",
+  "host": "https://fixops.local",
+  "inputs": {
+    "design": "inputs/APP2/design.csv",
+    "sbom": "inputs/APP2/sbom.json",
+    "sarif": "inputs/APP2/results.sarif",
+    "cve_feed": "inputs/APP2/cve_feed.json",
+    "vex": "inputs/APP2/vex_doc.json",
+    "cnapp": "inputs/APP2/findings.json"
+  },
+  "tests": {
+    "contract": [
+      "tests/APP2/contract_tests/openapi.yaml",
+      "tests/APP2/contract_tests/partner_feed.asyncapi.yaml"
+    ],
+    "authz": "tests/APP2/authz_tests/matrix.csv",
+    "idempotency": [
+      "tests/APP2/idempotency_tests/session_replay.yaml",
+      "tests/APP2/idempotency_tests/deletion_ack.yaml"
+    ],
+    "performance": "tests/APP2/perf_k6.js",
+    "chaos": "tests/APP2/chaos_playbooks"
+  },
+  "policy": ["policy/APP2/security_controls.rego"],
+  "partner_simulators": "tests/APP2/partner_simulators",
+  "backtests": ["2024-partner-429", "2023-webhook-leak"],
+  "created_at": "2025-10-28T13:40:00Z"
+}

artifacts/APP2/tf_plan.json

@@ -0,0 +1,26 @@
+{
+  "planned_values": {
+    "root_module": {
+      "resources": [
+        {
+          "address": "aws_cloudfront_distribution.partnerhub",
+          "type": "aws_cloudfront_distribution",
+          "change": {
+            "actions": ["update"],
+            "before": {"origin_groups": []},
+            "after": {"origin_groups": [{"primary_origin_id": "origin-a", "failover_criteria": ["5xx"]}]}
+          }
+        },
+        {
+          "address": "aws_lambda_function.transformer",
+          "type": "aws_lambda_function",
+          "change": {
+            "actions": ["update"],
+            "before": {"environment": {"variables": {"PARTNER_SECRET": "plaintext"}}},
+            "after": {"environment": {"variables": {"PARTNER_SECRET": "{{secretsmanager:partner/secret}}"}}}
+          }
+        }
+      ]
+    }
+  }
+}

artifacts/APP3/api_matrix.json

@@ -0,0 +1,8 @@
+{
+  "app": "APP3",
+  "routes": [
+    {"path": "/fhir/Patient", "methods": ["GET", "POST"], "roles": {"clinician": "allow", "patient": "deny", "auditor": "read"}},
+    {"path": "/admin/audit/sign", "methods": ["POST"], "roles": {"auditor": "allow", "clinician": "deny"}}
+  ],
+  "generated_at": "2025-10-28T14:13:00Z"
+}

artifacts/APP3/chaos_report.json

@@ -0,0 +1,11 @@
+{
+  "app": "APP3",
+  "experiments": [
+    {"name": "pod_kill", "status": "pass", "p95_ms": 420},
+    {"name": "az_failure", "status": "pass", "failover_s": 108},
+    {"name": "broker_failover", "status": "pass", "lag": 140},
+    {"name": "network_partition", "status": "pass", "fallback_rate": 0.88},
+    {"name": "disk_full", "status": "warn", "throttle_minutes": 7}
+  ],
+  "generated_at": "2025-10-28T14:15:00Z"
+}

artifacts/APP3/components.json

@@ -0,0 +1,9 @@
+{
+  "app": "APP3",
+  "components": [
+    {"name": "patient-portal", "framework": "Angular", "owner": "experience-team"},
+    {"name": "fhir-gateway", "language": "Java", "owner": "clinical-platform"},
+    {"name": "ml-triage", "language": "Python", "owner": "ml-team"},
+    {"name": "audit-ledger", "language": "Python", "owner": "security-team"}
+  ]
+}

artifacts/APP3/decisions.json

@@ -0,0 +1,10 @@
+{
+  "app": "APP3",
+  "run_id": "f0f7c1bc-5b6c-4dd6-8f1a-6a361d02cd8d",
+  "decisions": [
+    {"stage": "design-review", "status": "pass"},
+    {"stage": "supply-chain", "status": "fail", "reason": "Spring Boot RCE (CVE-2024-34145)"},
+    {"stage": "runtime-controls", "status": "warn", "reason": "Cosmos throttling 7m"},
+    {"stage": "release", "status": "blocked", "reason": "Public admin ingress"}
+  ]
+}

artifacts/APP3/e2e_junit.xml

@@ -0,0 +1,18 @@
+<testsuite name="APP3-SSDLC" tests="25" failures="2" errors="0" skipped="1" timestamp="2025-10-28T14:14:00Z">
+  <testcase classname="contract.fhir" name="patient-search" time="0.38"/>
+  <testcase classname="contract.fhir" name="patient-create" time="0.52"/>
+  <testcase classname="authz" name="patient-denied" time="0.08"/>
+  <testcase classname="idempotency" name="audit-append" time="0.12"/>
+  <testcase classname="idempotency" name="patient-create-replay" time="0.22"/>
+  <testcase classname="performance" name="surge" time="600">
+    <failure message="p95 490ms">Exceeded 480ms target during surge</failure>
+  </testcase>
+  <testcase classname="chaos" name="region-outage" time="780"/>
+  <testcase classname="chaos" name="broker-failover" time="360"/>
+  <testcase classname="chaos" name="disk-full" time="420">
+    <failure message="throttling 7m">Cosmos autoscale capped for 7 minutes</failure>
+  </testcase>
+  <testcase classname="partner" name="emr-timeout" time="0.15" status="skipped">
+    <skipped message="Timeout simulation executed offline"/>
+  </testcase>
+</testsuite>

artifacts/APP3/k6_summary.json

@@ -0,0 +1,8 @@
+{
+  "scenario": "surge",
+  "vus_max": 200,
+  "requests": 32000,
+  "http_req_duration": {"avg": 310, "p95": 490, "max": 780},
+  "http_req_failed": 0.009,
+  "notes": "Slight SLO breach under surge, plan caching improvements"
+}