
feat: add evidence-driven admissibility gate (CI → K8s)#22317

Closed
BrianCLong wants to merge 1 commit intomainfrom
codex/implement-evidence-admissibility-pipeline-0qjvzc

Conversation

@BrianCLong
Owner

Motivation

  • Enforce an evidence-first admissibility contract so artifacts without valid SBOM/provenance/signature are blocked from deployment.
  • Make admissibility a binary, auditable gate that is reproducible and enforceable in both CI and the cluster.
  • Provide a deterministic evidence spine (report/metrics) while keeping runtime metadata separate for auditability.

Description

  • Added an admissibility evaluator at lib/admissibility.ts exposing evaluateAdmissibility(evidenceBundle) -> PASS|FAIL with structured failure reasons and machine-friendly checks for signature, SBOM, provenance, and prohibited dependencies.
  • Added a local verifier CLI scripts/verify-admissibility.ts and wired verify:admissibility in package.json that emits evidence/admissibility-verdict.json and exits non-zero on FAIL for CI/Enforcement integration.
  • Added deterministic evidence composer scripts/ci/build_evidence_bundle.mjs which writes evidence/bundle.json, evidence/report.json, evidence/metrics.json (deterministic) and evidence/stamp.json (non-deterministic metadata).
  • Installed a CI gate workflow .github/workflows/admissibility-gate.yml that builds an artifact, generates SBOM with syft, signs/verifies with cosign, creates provenance, composes the evidence bundle and runs the admissibility check, then uploads evidence artifacts.
  • Added runtime enforcement artifacts: Kyverno policy k8s/policy/kyverno/admissibility-enforcement.yaml to require admissibility.summit.ai/status=PASS label and attestations, ArgoCD pre-sync job k8s/argocd/admissibility-presync-job.yaml which runs the verifier before sync, and updated k8s/server-deployment.yaml to include the admissibility.summit.ai/status: PASS label.
  • Added edge-case unit tests at tests/admissibility/admissibility.test.ts covering missing SBOM, invalid/tampered signature, partial provenance, and prohibited-dependency detection.

Testing

  • Ran formatting checks and fixed files with npx prettier --write, final style check passed for modified files.
  • Executed unit tests with npx tsx --test tests/admissibility/admissibility.test.ts and all tests passed (4/4).
  • Executed the verifier end-to-end with a sample evidence/bundle.json via npx tsx scripts/verify-admissibility.ts which returned a PASS verdict for the valid sample bundle.
  • Verified the CI workflow and scripts locally via node scripts/ci/build_evidence_bundle.mjs and the verifier; the verification step exits non-zero on FAIL as expected.

Codex Task
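The admissibility contract described above (evaluateAdmissibility(evidenceBundle) -> PASS|FAIL with structured failure reasons covering signature, SBOM, provenance and prohibited dependencies, plus a deterministic report/metrics pair kept separate from a non-deterministic stamp), shown as an added TypeScript example. This is not the PR's lib/admissibility.ts or scripts/ci/build_evidence_bundle.mjs; the bundle shape, field names, the deny-list and every sample value are assumptions made for this illustration.

```typescript
import { createHash } from "node:crypto";

// Assumed evidence bundle shape (hypothetical; the PR's evidence/bundle.json layout is not shown).
export interface EvidenceBundle {
  artifact: { name: string; digest: string };
  sbom?: { packages: { name: string; version: string }[] };
  provenance?: { builder?: string; sourceRepo?: string; sourceCommit?: string };
  signature?: { subjectDigest: string; verified: boolean };
}

export type Verdict = "PASS" | "FAIL";
export interface FailureReason { check: string; message: string }
export interface AdmissibilityResult { verdict: Verdict; reasons: FailureReason[] }

// Constructed deny-list for the prohibited-dependency check.
export const PROHIBITED_PACKAGES: ReadonlySet<string> = new Set(["example-banned-telemetry"]);
const REQUIRED_PROVENANCE_FIELDS = ["builder", "sourceRepo", "sourceCommit"] as const;

// Every check runs and every failure is recorded, so a FAIL verdict explains all of its causes.
export function evaluateAdmissibility(bundle: EvidenceBundle): AdmissibilityResult {
  const reasons: FailureReason[] = [];

  // Signature: present, verified, and bound to this artifact's digest (a tampered artifact breaks the binding).
  if (!bundle.signature) {
    reasons.push({ check: "signature", message: "no signature attached to the artifact" });
  } else if (!bundle.signature.verified) {
    reasons.push({ check: "signature", message: "signature verification failed" });
  } else if (bundle.signature.subjectDigest !== bundle.artifact.digest) {
    reasons.push({ check: "signature", message: "signature covers a different artifact digest" });
  }

  // SBOM: must exist and list at least one package.
  if (!bundle.sbom || bundle.sbom.packages.length === 0) {
    reasons.push({ check: "sbom", message: "SBOM missing or empty" });
  }

  // Provenance: partial provenance (any required field absent) is a failure.
  const missing = REQUIRED_PROVENANCE_FIELDS.filter((field) => !bundle.provenance?.[field]);
  if (missing.length > 0) {
    reasons.push({ check: "provenance", message: `provenance missing: ${missing.join(", ")}` });
  }

  // Prohibited dependencies: any deny-listed package in the SBOM fails the gate.
  for (const pkg of bundle.sbom?.packages ?? []) {
    if (PROHIBITED_PACKAGES.has(pkg.name)) {
      reasons.push({ check: "prohibited-dependency", message: `${pkg.name}@${pkg.version} is prohibited` });
    }
  }

  return { verdict: reasons.length === 0 ? "PASS" : "FAIL", reasons };
}

// Canonical JSON with recursively sorted keys, so equal content serialises to identical bytes.
function sortKeys(this: unknown, _key: string, value: unknown): unknown {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return value;
  const source = value as Record<string, unknown>;
  const sorted: Record<string, unknown> = {};
  for (const k of Object.keys(source).sort()) sorted[k] = source[k];
  return sorted;
}
export function canonicalJson(value: unknown): string {
  return JSON.stringify(value, sortKeys);
}
export function sha256Hex(text: string): string {
  return createHash("sha256").update(text).digest("hex");
}

export interface EvidenceOutputs {
  report: { artifact: string; verdict: Verdict; reasons: FailureReason[] }; // deterministic
  metrics: { checksFailed: number; reasonsByCheck: Record<string, number> }; // deterministic
  stamp: { generatedAt: string; runId: string }; // non-deterministic run metadata, kept apart
  reportDigest: string; // hash of the canonical report; stable across runs for the same bundle
}

// Compose the evidence spine: nothing time- or run-dependent goes into report or metrics.
export function composeEvidence(bundle: EvidenceBundle, generatedAt: string, runId: string): EvidenceOutputs {
  const result = evaluateAdmissibility(bundle);
  const report = { artifact: bundle.artifact.digest, verdict: result.verdict, reasons: result.reasons };
  const reasonsByCheck: Record<string, number> = {};
  for (const r of result.reasons) reasonsByCheck[r.check] = (reasonsByCheck[r.check] ?? 0) + 1;
  const metrics = { checksFailed: Object.keys(reasonsByCheck).length, reasonsByCheck };
  return { report, metrics, stamp: { generatedAt, runId }, reportDigest: sha256Hex(canonicalJson(report)) };
}

// Constructed sample bundle that satisfies every check.
export const VALID_BUNDLE: EvidenceBundle = {
  artifact: { name: "server", digest: "sha256:aaaa1111" },
  sbom: { packages: [{ name: "example-web-lib", version: "1.2.3" }] },
  provenance: { builder: "ci-builder", sourceRepo: "example/repo", sourceCommit: "deadbeef" },
  signature: { subjectDigest: "sha256:aaaa1111", verified: true },
};

// Usage: a valid bundle passes; re-signing a different digest is reported as a signature failure.
const tamperedSample: EvidenceBundle = { ...VALID_BUNDLE, signature: { subjectDigest: "sha256:bbbb2222", verified: true } };
console.log(evaluateAdmissibility(VALID_BUNDLE).verdict, evaluateAdmissibility(tamperedSample).reasons);
```

Because the stamp is the only place run metadata lives, two composes of the same bundle at different times yield the same reportDigest, which is what makes the verdict reproducible and auditable rather than merely logged.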

@BrianCLong BrianCLong added the codex label (Codex-owned implementation work) on Mar 31, 2026, with ChatGPT Codex Connector
@gemini-code-assist
Contributor

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai bot commented Mar 31, 2026

Warning

Rate limit exceeded

@BrianCLong has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minute and 5 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 1 minute and 5 seconds.


📥 Commits

Reviewing files that changed from the base of the PR and between 12cad4a and 78302b3.

📒 Files selected for processing (9)
  • .github/workflows/admissibility-gate.yml
  • k8s/argocd/admissibility-presync-job.yaml
  • k8s/policy/kyverno/admissibility-enforcement.yaml
  • k8s/server-deployment.yaml
  • lib/admissibility.ts
  • package.json
  • scripts/ci/build_evidence_bundle.mjs
  • scripts/verify-admissibility.ts
  • tests/admissibility/admissibility.test.ts


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 78302b3373


Comment on lines +14 to +20
image: node:20-alpine
command:
- sh
- -c
- |
node scripts/ci/build_evidence_bundle.mjs
npx tsx scripts/verify-admissibility.ts
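Review bot: the multi-line script passed to `sh -c` in this region has no `set -e`, so if `node scripts/ci/build_evidence_bundle.mjs` fails the shell still proceeds to `npx tsx scripts/verify-admissibility.ts` and the hook's exit status is only whatever the verifier returns, which hides the real cause of a failed sync; add `set -eu` as the first line of the script so the first failing step fails the hook and is reported as such. Separately, `npx tsx` attempts to fetch tsx from the package registry at sync time whenever it is not already installed in the image, which makes a deployment-gating hook depend on network access and on an unpinned tool version; install a pinned tsx (or a compiled verifier) in the hook image and invoke it directly.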

P1: Use a runnable image for the PreSync admissibility hook

The PreSync job executes node scripts/ci/build_evidence_bundle.mjs and npx tsx scripts/verify-admissibility.ts, but it runs in node:20-alpine, which does not contain this repository’s scripts or the evidence inputs that build_evidence_bundle.mjs expects (evidence/sbom.spdx.json, evidence/provenance.json, evidence/signature.verify.json, see scripts/ci/build_evidence_bundle.mjs lines 21–27). In a real ArgoCD sync this hook will fail before app resources are applied (missing files/module or guaranteed FAIL verdict), effectively blocking deployments; the hook needs an image/artifact that includes these files or explicit steps to fetch/generate them first.


@BrianCLong
Owner Author

Superseded by #22309. The admissibility gate is being converged on the golden-path branch instead of a separate CI-to-K8s lane.

@BrianCLong BrianCLong closed this Mar 31, 2026

Labels

  • codex (Codex-owned implementation work)
  • requires-serial
  • risk:high

1 participant