feat(cli)!: complyctl redesign

.dockerignore

@@ -0,0 +1,52 @@
+# Git
+.git
+.gitignore
+.gitattributes
+
+# Build artifacts
+bin/
+dist/
+*.exe
+*.test
+*.out
+vendor/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Documentation
+docs/
+*.md
+!README.md
+
+# Test files
+*_test.go
+testdata/
+tests/
+coverage.out
+
+# Config files
+*.yaml
+*.yml
+!go.mod
+!go.sum
+.env*
+*.log
+
+# Temporary files
+*.tmp
+*.bak
+.DS_Store
+Thumbs.db
+
+# Project specific
+.specify/
+.cursor/
+user_workspace
+assessment-plan.json
+assessment-results.*
+go.work*

.github/actions/setup-complyctl/action.yml

@@ -1,37 +1,28 @@
 name: "Setup complyctl environment"
-description: "Setup environment for complyctl running"
-
-inputs:
-  product:
-    description: "The chosen product"
-    required: true
-  catalog:
-    description: "OSCAL content catalog of the chosen product"
-    required: true
-  profile:
-    description: "OSCAL content profile of the chosen product"
-    required: true
+description: "Build complyctl, test plugin, and mock OCI registry for integration testing"
 
 runs:
-  using: composite
-  steps:
-    # Install dependency on fedora
-    - name: Install dependency
-      run: dnf install wget make scap-security-guide git jq gh -y
-      shell: bash
+    using: composite
+    steps:
+        - name: Install dependencies
+          run: dnf install -y make git jq curl
+          shell: bash
+
+        - name: Configure Git for safe directory
+          run: git config --global --add safe.directory /__w/complyctl/complyctl
+          shell: bash
 
-    # Configure Git for safe directory
-    - name: Configure Git for safe directory
-      run: git config --global --add safe.directory /__w/complyctl/complyctl
-      shell: bash
+        - name: Set up Go
+          uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+          with:
+              go-version-file: './go.mod'
 
-    # Set up Go environment
-    - name: Set up Go
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-      with:
-        go-version-file: './go.mod'
+        - name: Build binaries
+          run: make build build-test-plugin
+          shell: bash
 
-    # Build complyctl and setup complyctl
-    - name: Build complyctl and setup complyctl
-      run: sh tests/build_init_env.sh ${{ inputs.product }} ${{ inputs.catalog }} ${{ inputs.profile }}
-      shell: bash
+        - name: Install test plugin
+          run: |
+              mkdir -p ~/.complytime/providers
+              cp bin/complytime-providers-test ~/.complytime/providers/
+          shell: bash

.github/dependabot.yml

@@ -2,28 +2,28 @@
 
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directories:
-      - "/"
-      - "/.github/actions/e2e-testing"      # used in complyscribe
-      - "/.github/actions/publish-image"    # used in complyscribe
-      - "/.github/actions/setup-poetry"     # used in complyscribe
-      - "/.github/actions/setup-complyctl"  # used in complyctl
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: "ci"
-      include: "scope"
+    - package-ecosystem: "github-actions"
+      directories:
+          - "/"
+          - "/.github/actions/e2e-testing"      # used in complyscribe
+          - "/.github/actions/publish-image"    # used in complyscribe
+          - "/.github/actions/setup-poetry"     # used in complyscribe
+          - "/.github/actions/setup-complyctl"  # used in complyctl
+      schedule:
+          interval: "daily"
+      commit-message:
+          prefix: "ci"
+          include: "scope"
 
-  - package-ecosystem: "gomod"
-    directories:
-      - "/"
-      - "/compass"      # used in complybeacon
-      - "/proofwatch"   # used in complybeacon
-      - "/truthbeam"    # used in complybeacon
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "chore"
-      include: "scope"
+    - package-ecosystem: "gomod"
+      directories:
+          - "/"
+          - "/compass"      # used in complybeacon
+          - "/proofwatch"   # used in complybeacon
+          - "/truthbeam"    # used in complybeacon
+      schedule:
+          interval: "weekly"
+      open-pull-requests-limit: 10
+      commit-message:
+          prefix: "chore"
+          include: "scope"

.github/workflows/behavioral_assessment.yml

@@ -0,0 +1,38 @@
+name: behavioral-assessment
+
+on:
+    push:
+        branches:
+            - main
+
+permissions:
+    contents: read
+
+jobs:
+    behavioral-assessment:
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            actions: read
+            security-events: write
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+            - name: Set up Go
+              uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+              with:
+                  go-version-file: './go.mod'
+
+            - name: Build binaries
+              run: make build build-test-plugin build-behavioral-report
+
+            - name: Run behavioral assessment
+              run: make test-behavioral
+
+            - name: Upload SARIF to Code Scanning
+              uses: github/codeql-action/upload-sarif@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3
+              if: always()
+              with:
+                  sarif_file: governance/reports/behavioral-report.sarif.json
+                  category: behavioral-assessment

.github/workflows/ci_auto_review.yml

@@ -1,26 +1,26 @@
 name: Gemini AI Code Review
 on:
-  pull_request_target:
-    types: [opened]
+    pull_request_target:
+        types: [opened]
 
 permissions:
-  contents: none
-  pull-requests: none
-  issues: none
-  actions: none
+    contents: none
+    pull-requests: none
+    issues: none
+    actions: none
 
 jobs:
-  call-gemini-review:
-    # 1. Reference the remote workflow
-    uses: complytime/org-infra/.github/workflows/reusable_gemini_review.yml@main
+    call-gemini-review:
+        # 1. Reference the remote workflow
+        uses: complytime/org-infra/.github/workflows/reusable_gemini_review.yml@main
 
-    # 2. Pass the defined 'inputs' via 'with'
-    with:
-      google_cloud_project: 'complytime-test'
-      google_cloud_location: 'us-central1'
+        # 2. Pass the defined 'inputs' via 'with'
+        with:
+            google_cloud_project: 'complytime-test'
+            google_cloud_location: 'us-central1'
 
-    # 3. Pass the secrets required by the reusable workflow's internal steps
-    secrets:
-      GH_APP_ID: ${{ secrets.APP_ID }}
-      GH_APP_PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
-      credentials_json: ${{ secrets.GCP_SA_KEY }}
+        # 3. Pass the secrets required by the reusable workflow's internal steps
+        secrets:
+            GH_APP_ID: ${{ secrets.APP_ID }}
+            GH_APP_PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
+            credentials_json: ${{ secrets.GCP_SA_KEY }}

.github/workflows/ci_checks.yml

@@ -1,22 +1,22 @@
 name: CI
 
 on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
+    push:
+        branches:
+            - main
+    pull_request:
+        branches:
+            - main
 
 permissions:
-  contents: read
-  issues: none
-  pull-requests: none
+    contents: read
+    issues: none
+    pull-requests: none
 
 jobs:
-  call_reusable_ci:
-    name: Standardized CI
-    uses: complytime/org-infra/.github/workflows/reusable_ci.yml@main
-    permissions:
-      contents: read
-      issues: read
+    call_reusable_ci:
+        name: Standardized CI
+        uses: complytime/org-infra/.github/workflows/reusable_ci.yml@main
+        permissions:
+            contents: read
+            issues: read