Support data-driven policy inputs (e.g. ignored_paths) sourced from CSV/JSON files #3250

Description

@migmartri

Problem

Chainloop ships four Rego policies that evaluate a Sysinternals sigcheck manifest (SYSINTERNALS_SIGCHECK) to assert that binaries are properly signed: trusted-binaries-signed, trusted-binaries-authenticode-signed, trusted-binaries-timestamp, and trusted-binaries-vendor-keys. All four scope the check with path globs, including an ignored_paths exclusion list.

Today the only way to express exclusions is a hand-maintained, comma-separated string passed as a policy argument (in the contract with: or as a binding). This does not scale for real deployments:

  • Exclusion lists routinely run to hundreds of full file paths (OS files, third-party redistributables, known-unsigned legacy components).
  • The list lives in the contract/argument, divorced from the system that actually knows which files are exempt.
  • Updating exclusions means editing policy arguments by hand rather than updating a data file owned by the relevant team.
  • The exemption set itself is not attested — there's no tamper-evident record of which exclusions were applied to a given attestation.

Desired outcome

Allow policy inputs such as ignored_paths to be sourced dynamically from a data file (CSV or JSON) at attestation time, instead of (or in addition to) an inline argument string:

  • Extract a named column/field from the file and inject it as a policy input during material evaluation.
  • The mechanism should be generic over both the input name and the source column, not hardcoded to ignored_paths or to sigcheck.
  • Record the source file as attested evidence, linked to the evaluated material, and mark in the policy evaluation which inputs were supplied at runtime, so exclusions remain auditable.
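As an added illustration of the mechanism described above (this is example code written for this page, not Chainloop's code and not the implementation in #3244): a hypothetical Go loader that extracts a named CSV column or JSON field, records the source file's SHA-256 digest for the evidence record, flags the input as runtime-supplied, and renders the values as the comma-separated string the existing policies already accept. The names PolicyInput, LoadPolicyInput, extractCSVColumn, extractJSONField and InlineArg are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/csv"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// PolicyInput is a policy argument resolved from a data file at attestation time,
// plus the provenance needed to audit it. Hypothetical type, not a Chainloop API.
type PolicyInput struct {
	Name            string   // policy input name, e.g. "ignored_paths"
	Values          []string // extracted values, in file order, duplicates removed
	SourceField     string   // CSV column header or JSON field the values came from
	SourceDigest    string   // sha256 of the raw source file, for the evidence record
	RuntimeSupplied bool     // true when sourced from a file rather than an inline argument
}

// extractCSVColumn returns the cells under the header matching column (case-insensitive).
func extractCSVColumn(data []byte, column string) ([]string, error) {
	r := csv.NewReader(bytes.NewReader(data))
	header, err := r.Read()
	if err != nil {
		return nil, fmt.Errorf("reading CSV header: %w", err)
	}
	idx := -1
	for i, h := range header {
		if strings.EqualFold(strings.TrimSpace(h), column) {
			idx = i
		}
	}
	if idx < 0 {
		return nil, fmt.Errorf("column %q not found in header %v", column, header)
	}
	var out []string
	for {
		rec, err := r.Read()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, fmt.Errorf("reading CSV row: %w", err)
		}
		out = append(out, rec[idx]) // csv.Reader enforces a fixed field count, so idx is in range
	}
}

// extractJSONField returns the array of strings stored under field in a JSON object.
func extractJSONField(data []byte, field string) ([]string, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(data, &obj); err != nil {
		return nil, fmt.Errorf("expected a JSON object: %w", err)
	}
	raw, ok := obj[field]
	if !ok {
		return nil, fmt.Errorf("field %q not found in JSON object", field)
	}
	var vals []string
	if err := json.Unmarshal(raw, &vals); err != nil {
		return nil, fmt.Errorf("field %q is not an array of strings: %w", field, err)
	}
	return vals, nil
}

// LoadPolicyInput is generic over the input name and source field, and refuses an
// empty result so a mistyped field cannot silently disable the exclusion list.
func LoadPolicyInput(name, format, field string, data []byte) (PolicyInput, error) {
	extract := map[string]func([]byte, string) ([]string, error){"csv": extractCSVColumn, "json": extractJSONField}
	fn, ok := extract[strings.ToLower(format)]
	if !ok {
		return PolicyInput{}, fmt.Errorf("%s: unsupported source format %q", name, format)
	}
	vals, err := fn(data, field)
	if err != nil {
		return PolicyInput{}, fmt.Errorf("%s: %w", name, err)
	}
	seen := map[string]bool{}
	var uniq []string
	for _, v := range vals {
		if v = strings.TrimSpace(v); v != "" && !seen[v] {
			seen[v] = true
			uniq = append(uniq, v)
		}
	}
	if len(uniq) == 0 {
		return PolicyInput{}, fmt.Errorf("%s: no values in %s field %q", name, format, field)
	}
	sum := sha256.Sum256(data)
	return PolicyInput{Name: name, Values: uniq, SourceField: field,
		SourceDigest: "sha256:" + hex.EncodeToString(sum[:]), RuntimeSupplied: true}, nil
}

// InlineArg renders the values as the comma-separated string the existing
// policies already accept, so the Rego needs no change.
func (p PolicyInput) InlineArg() string { return strings.Join(p.Values, ",") }
```

The digest is computed over the raw bytes rather than the parsed values, so the attested evidence identifies exactly the file that was read, and a file whose field name does not match (or resolves to nothing) is rejected instead of being treated as "no exclusions".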

Notes

This is intended to be additive plumbing in the CLI and crafter — no changes to the Rego policies or to the engine's evaluation logic.

Addressed by #3244.

🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri
