feat: DRM and Constraint Catalog binding in ZeroID tokens (#59)

[safayavatsal]

Closes #59.

Summary

• Binds two governance artifacts -- a versioned Decision-Rights Matrix (DRM) and an ES256-signed Constraint Catalog snapshot -- into every delegation token by SHA-256 hash, so post-hoc audit can answer "which governance version authorized this token?".
• token_exchange (RFC 8693) now refuses delegations not permitted by the active DRM; authorization_code embeds the hashes for audit but does not gate (consent is not delegation).
• Every code path is no-op for tenants that haven't published a DRM/catalog -- pre-feat: Decision-Rights Matrix and Constraint Catalog binding in ZeroID tokens #59 flows are bit-identical, so this is opt-in per tenant.

Changes

Schema (migration 014)

• decision_rights_matrix table -- append-only via drm_block_mutation trigger; new versions = new rows.
• constraint_catalog_versions table -- multiple rows can share hash when the 24h re-sign produces an unchanged document (only signed_at/signature differ).
• issued_credentials.drm_hash and constraint_catalog_hash columns + partial indexes scoped to non-revoked, non-expired credentials for policy_drift fan-out.

Domain (domain/)

• DRMDocument, DRMAllowedDelegation, DecisionRightsMatrix.
• ErrDRMUnauthorized, ErrDRMInvalid sentinels (wrapped with %w so callers use errors.Is).
• ConstraintCatalogVersion with json.RawMessage document (opaque -- ZeroID hashes and signs, does not parse).
• SignalTypePolicyDrift added to the SignalType enum and Valid() switch.
• Governance hash fields added to IssuedCredential.

Service (internal/service/governance.go)

• HashSHA256 -- deterministic canonical-JSON via recursive sorted-key encoding; identical documents always hash identically.
• AuthorizeDelegation -- exact match plus single trailing-* SPIFFE pattern (predictable failure modes; no third-party glob library).
• PublishDRM / PublishCatalog / ResignCatalog -- catalog ES256-signs sha256(hash || "|" || signed_at) via the existing jwksSvc.
• emitDriftSignals -- best-effort fan-out of policy_drift signals on hash transition.

Worker (internal/worker/catalog_signer.go)

• 24h re-sign tick; preserves Hash, rewrites SignedAt/Signature. Decoupled from the service package via a CatalogResigner interface.

OAuth wiring (internal/service/oauth.go)

• tokenExchange runs resolveGovernance after scope-intersection and before IssueCredential; rejection wraps ErrDRMUnauthorized as invalid_grant.
• authorization_code embeds the four governance claims but skips the authorization gate.
• The four claim names (drm_version, drm_hash, constraint_catalog_version, constraint_catalog_hash) added to reservedClaims so deployer enrichers cannot spoof them; IssueCredential writes them after CustomClaims as defence-in-depth.
• Introspect passes the four claims through when present.

Admin API (internal/handler/governance.go)

• POST/GET/list /governance/decision-rights-matrix
• POST/GET /governance/constraint-catalog/active
• Routes self-suppress in registerGovernanceRoutes when governanceSvc is nil.

Tests (tests/integration/governance_test.go)

• Happy path with claim assertions (DRM permits, JWT carries the four claims, introspection surfaces them).
• DRM-deny path (pair not covered by DRM -> invalid_grant).
• No-config backward-compat path (no DRM published -> exchange succeeds, no governance claims on the token).
• Each test uses a fresh tenant via X-Account-ID/X-Project-ID headers because the DRM table is append-only (cannot t.Cleanup delete).

Test plan

• go build ./... clean
• go vet ./... clean
• gofmt -l clean
• Governance integration tests: 3/3 pass
• Full integration suite: all pre-existing tests still pass (~44s with real Postgres via testcontainers)

Acceptance criteria

• DRM schema defined and documented (domain/decision_rights_matrix.go)
• DRM storage and versioning implemented (migration 014 + append-only trigger)
• Constraint Catalog hash computed and stored on publish (PublishCatalog)
• drm_hash and constraint_catalog_hash claims added to delegation token issuance
• Token issuance enforces DRM authorization check (tokenExchange)
• Introspection includes DRM/Constraint Catalog claims
• policy_drift CAE signal implemented (SignalTypePolicyDrift + emitDriftSignals)
• Audit archive records DRM version per token issuance event -- deferred (audit payload is already arbitrary JSON, no schema change needed; can be added in a follow-up that wires the audit emitter on the issuance path)
• Documentation updated (route docs in internal/handler/governance.go; downstream Credential Policies guide can land separately)

Notes for reviewers

• authorization_code deliberately skips the DRM gate. The issue says "Token issuance MUST fail if the requested delegation is not authorized by the current DRM"; my reading is that human consent is not a delegation in the SPIFFE-pair sense (no from -> to URI pair exists), so the hash binding is the right answer there but the gate is not. Happy to revisit if you read it differently.
• Cedar is not in-tree on main; the issue references "Cedar policy evaluation in Shield" which I read as downstream. The Constraint Catalog is therefore an opaque blob ZeroID hashes and signs but does not parse, matching the "machine-readable, versioned policy document" wording.
• DRM from/to SPIFFE pattern matching supports only exact match and a single trailing *. Full glob is over-engineering for an operator-authored DRM; predictable failure modes matter more than expressiveness.

[claude]

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

[gemini-code-assist]

Code Review

This pull request introduces a governance framework featuring a Decision-Rights Matrix (DRM) and a Constraint Catalog to bind policy snapshots to issued credentials. Key additions include the GovernanceService for managing these artifacts, new API endpoints for publishing and retrieving them, and a background worker for periodic catalog re-signing. Feedback highlights several critical improvements: the emitDriftSignals function should perform asynchronous fan-out with pagination to prevent blocking API responses and OOM risks; the canonicalEncode logic can be simplified using standard library features; and database errors in PublishDRM and PublishCatalog must be handled to ensure reliable policy drift detection. Additionally, it is recommended that the CatalogSignerWorker perform an initial run at startup to prevent stale signatures in environments with frequent restarts.

[safayavatsal]

Merge Conflicts Resolved

Successfully merged upstream/main into this branch to resolve the merge conflicts.

Conflicts Resolved:

1. internal/handler/routes.go (lines 136-141)

   • HEAD (PR): Added a.registerGovernanceRoutes(api) for DRM/Constraint Catalog binding
   • upstream/main: Added a.registerSigningCredentialRoutes(api) for signing credentials (feat: workload-attested ephemeral signing credentials #150)
   • Resolution: Kept both route registrations to integrate both features

2. server.go (lines 243-250)

   • HEAD (PR): Added governanceSvc parameter to NewAPI() call
   • upstream/main: Added signingCredSvc parameter and reformatted to two lines
   • Resolution: Kept both governanceSvc and signingCredSvc parameters in the two-line format

New Features Integrated from upstream/main:

• CIBA helper commands (feat(cli): add CIBA helper commands #145)
• Workload-attested ephemeral signing credentials (feat: workload-attested ephemeral signing credentials #150)

The merge conflict resolution is complete and the branch is now up-to-date with main.

cc: @rsharath