feat(policy): add witness policy generate command

[manzil-infinity180]

What this PR does / why we need it

Description
We already have the witness policy check command #681 , so adding it to generate the policy will improve the user experiences.

By this pr we completed these things: Policy Creation and Validation: Capability within witness policy to create and validate policy files. from the issue #344

Which issue(s) this PR fixes (optional)

Partial Fix #344

Example:

./bin/witness policy generate --step "build" \            
--step "test" --step "deploy" --public-key "build=buildpub.pem" \
--public-key "test=testpub.pem" --public-key "deploy=deploypub.pem" \
--attestation "build=git" --attestation "build=command-run" --attestation "build=product" \
--attestation "test=command-run" --attestation "deploy=command-run" --output pipeline-policy.json

{
  "expires": "2026-01-09T18:16:16Z",
  "publickeys": {
    "938bebb782595bb14cea21a483dae1ac0dccd057f9550fb29fd9775dfa0807e1": {
      "keyid": "938bebb782595bb14cea21a483dae1ac0dccd057f9550fb29fd9775dfa0807e1",
      "key": "TFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVOdmQwSlJXVVJMTWxaM1FYbEZRVXRNVVRkeGRVeGlVRE5CTDNSMWVtUnpXazVQTVdzclptbGhSVWg1TkRaQ2FIbFVhWGxRUkM5VlRWazlDaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExRbz0="
    },
    "ba3a8b104a761d270b9481bef2cd351fdd8d9d8f478e8a313c943b04ce8fe4c8": {
      "keyid": "ba3a8b104a761d270b9481bef2cd351fdd8d9d8f478e8a313c943b04ce8fe4c8",
      "key": "TFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVOdmQwSlJXVVJMTWxaM1FYbEZRV1ZMYjJKNlkyTlJUREZUVVZsUU9WRlVXRE5SVkZkRE5rOUxjbFVyVUZsdVZFVnlTelFyUW1kd1NIYzlDaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExRbz0="
    },
    "e266fbfaf2fce1875e8b903d6ef38b9986188eae5246eedfe0184ecdd7836bcb": {
      "keyid": "e266fbfaf2fce1875e8b903d6ef38b9986188eae5246eedfe0184ecdd7836bcb",
      "key": "TFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVOdmQwSlJXVVJMTWxaM1FYbEZRVmxXVWpsM1JVNUNNWFJCYTNBMGVsVnJaemMwYW5aVU1qUXJiMWhEYlU5NGJ6aG1WWHBGY2poaVNGazlDaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExRbz0="
    }
  },
  "steps": {
    "build": {
      "name": "build",
      "functionaries": [
        {
          "type": "publickey",
          "certConstraint": {
            "commonname": "",
            "dnsnames": null,
            "emails": null,
            "organizations": null,
            "uris": null,
            "roots": null,
            "extensions": {
              "Issuer": ""
            }
          },
          "publickeyid": "938bebb782595bb14cea21a483dae1ac0dccd057f9550fb29fd9775dfa0807e1"
        }
      ],
      "attestations": [
        {
          "type": "https://witness.dev/attestations/material/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://witness.dev/attestations/command-run/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://witness.dev/attestations/product/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://witness.dev/attestations/git/v0.1",
          "regopolicies": []
        }
      ]
    },
    "deploy": {
      "name": "deploy",
      "functionaries": [
        {
          "type": "publickey",
          "certConstraint": {
            "commonname": "",
            "dnsnames": null,
            "emails": null,
            "organizations": null,
            "uris": null,
            "roots": null,
            "extensions": {
              "Issuer": ""
            }
          },
          "publickeyid": "e266fbfaf2fce1875e8b903d6ef38b9986188eae5246eedfe0184ecdd7836bcb"
        }
      ],
      "attestations": [
        {
          "type": "https://witness.dev/attestations/material/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://witness.dev/attestations/command-run/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://witness.dev/attestations/product/v0.1",
          "regopolicies": []
        }
      ]
    },
    "test": {
      "name": "test",
      "functionaries": [
        {
          "type": "publickey",
          "certConstraint": {
            "commonname": "",
            "dnsnames": null,
            "emails": null,
            "organizations": null,
            "uris": null,
            "roots": null,
            "extensions": {
              "Issuer": ""
            }
          },
          "publickeyid": "ba3a8b104a761d270b9481bef2cd351fdd8d9d8f478e8a313c943b04ce8fe4c8"
        }
      ],
      "attestations": [
        {
          "type": "https://witness.dev/attestations/material/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://witness.dev/attestations/command-run/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://witness.dev/attestations/product/v0.1",
          "regopolicies": []
        }
      ]
    }
  }
}

TODO:

• Add rego policy support

Acceptance Criteria Met

• Docs changes if needed
• Testing changes if needed
• All workflow checks passing (automatically enforced)
• All review conversations resolved (automatically enforced)
• DCO Sign-off

Special notes for your reviewer:

[netlify]

✅ Deploy Preview for witness-project ready!

Name	Link
🔨 Latest commit	1a2ca8c
🔍 Latest deploy log	https://app.netlify.com/projects/witness-project/deploys/69415bdeb430fb00085f3555
😎 Deploy Preview	https://deploy-preview-697--witness-project.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[manzil-infinity180]

Another example

$ ../bin/witness policy generate \
        --step "build" \
        --root-ca "build=rootca.pem" \
        --expires-in "720h" \
        --attestation "build=slsa" \
        --output policy-rootca-single.json
INFO    Generating Witness policy...                 
INFO    Processing step: build                       
INFO    Policy successfully generated: policy-rootca-single.json 
INFO    Policy expires: 2026-01-17T01:25:14+05:30    
INFO    Steps: 1                                     
INFO    Public keys: 0                               
INFO    Root CAs: 1 

$ cat policy-rootca-single.json
{
  "expires": "2026-01-16T19:55:14Z",
  "roots": {
    "422a97dfaf9398124e846f07748b6be2136a13212f975ae3df9c78a72d14cb1b": {
      "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZaekNDQTArZ0F3SUJBZ0lVRUFqSHVwdjJlaVIzOCtGVjhwVTQ5RmV6WDFnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1F6RUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlZCQWdNQWtOQk1SVXdFd1lEVlFRS0RBeFhhWFJ1WlhOegpJRlJsYzNReEVEQU9CZ05WQkFNTUIxSnZiM1FnUTBFd0hoY05NalV4TWpFM01UazBPRFU0V2hjTk16VXhNakUxCk1UazBPRFU0V2pCRE1Rc3dDUVlEVlFRR0V3SlZVekVMTUFrR0ExVUVDQXdDUTBFeEZUQVRCZ05WQkFvTURGZHAKZEc1bGMzTWdWR1Z6ZERFUU1BNEdBMVVFQXd3SFVtOXZkQ0JEUVRDQ0FpSXdEUVlKS29aSWh2Y05BUUVCQlFBRApnZ0lQQURDQ0Fnb0NnZ0lCQVBKSkNNQzg0YkZLQ0FtdE9mYTI3TzJxckhrTXRRckpvYmFrVXdHSWwwZTVselVvCitKVFVkUEZMQjg3ckxLbXBKeFJUbm1Rc0IzZnJBeVNsN3pMQmNqcU4wblVpQWxpeGU2YWt4ODZuMjE2ZDg2cksKRFM0VS9xanVBNkRmMkFvM09xUHlpcGFnRytHQ0F0eFEvanNRVFNiQkt4Qmt3aVg1U0srQVEzQ2dEWFhUd0s3eApkRzBCNTY5aEs5UmZodkwxcVd5dklTY2owUlkwYy9mK3AyMmM1K2ZzVFRrcnU3U2h4N0Q4WEN0WURoVktmQmdjCndzMlNoUXF0YVF4YU1BbHBjY2VCNmZ6ZG9hWkNnWmZIazFXRlZWWFRRVDh2b1RGdTZMZWJCSFJ2SlQ5MmhJeXYKNnN2QVExYjJwcUxkSjVGUU93c3VFZFZyVlEyYkVVeUdCeTQ3bVJ2TTgzNmJTampYdi9rajJ0RHN0T3Zza2VwZAp1clcvZWY2Q211UXc0NGFEc241ZHBhREdOWWtZL1NDS3lZMEtMWG53SXlGb2hHaGZuank3L1RLSG9oOThGYjBwClp2b0ZJcURpVW5jNEo0TzFEMEZwTUJiR2tEcGVaK2lMenNCbFlxY3hZMEF5ZUZaQXNCQ1l0L0ZHKzFmL3ZFVkgKMk9UaFJWVnhoNUtIcTFJbTJCd0xBajl6bkk3WEFZNE13b29iMjRmQkc3M3pQOXlEaGNoVmgxZklxd05OREM0dgpjWU5sNHJwYWk2NlJxUEcyS1NnTVNyamZCS2ZWUm5vT2tSK0JzeloxL1dNQlBWM3hkZHltSlE4VC8xWndQTDh3CnVITDVBUi93Tk1XbDJDdzF4OEhsNjlsa3ZVcGtBNEUvR3F1Yk5yRFFlOXVSU0hmb1B6YTROZFRwcy80WkFnTUIKQUFHalV6QlJNQjBHQTFVZERnUVdCQlQ1RDRyZ1NLUkF3MmRGWC9mSFZWQkpXTVQvY3pBZkJnTlZIU01FR0RBVwpnQlQ1RDRyZ1NLUkF3MmRGWC9mSFZWQkpXTVQvY3pBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUEwR0NTcUdTSWIzCkRRRUJDd1VBQTRJQ0FRQzBhVk5oWCtOVjhIT08zM0VDV0oxM05GeHE0M29xOHErcVZtVkhmUi9XRzlwT1AxZkoKWTFmQjcxNnZVbGkyWis5U05XOExXN2M2dWp0d0NTcmcvT2s4ZnR6eEJXQnN3c2xTaENnTmN3U1FMdkJ1MVhkUgpnVHpDdnZkSjVMTzI4ZWk4WnFCaDFvanliL05ET1JyRjZmKzB1b2xOdWtlanFjNXV0TzFFSE1aV3FyZXZaVmZNCndEN085V2JLVkJra0JUSGFjS3lWWG13R3IzQTJ0NVl1QzR5THptck0zaWh6ajhlOVp1UjdObWwrSmRtS0YvcHIKWFk3Mi9VTWtRMmJhcFpBdzRicHZYQmJ1Z3RoRytQbGdNRWdGU0pMM0V5OXQ4NXNmOVFGVG00bzR2ajRRRERMUQpWY0J3Uy9QK2dhRGVoMHFhMWJBaXhkUmVENjM5RERCaERYMHdTRUdhYkZ6SlNiNTFjVHhHYkdJQXA3WVpzR0FiCng2TkdCUmhKRFFvL1lJVFNFTjlmR3Z4ZFhNYTkvS0lVRGFDQWR2VHE5d0c0eWFBK3BVajVIbHNIR1NJR2NPYmQKOFB1YmUxS2tHSVNOeFRDWGh5eXVmYU1xUDlkZGRkZmJXSnV6SC80NTRvamkvbjRqZWg1alhHU1B1a29saGRyOQpFRXlkdFhIY0tZOW42bEE2UTBTOE5WVFJjcEF3T2p1SGFleXlBZzByb3gvb2VVRU9PQlRpNlhxMjMzNi9DOTRtCnpXNXc3Z1NSaXIvelhYRDVOK0llRS9NNWNhTEcvK3VidkVLQkwxVU1DN2U1RWYvUnVDVU9WeklHRmhNM2R0VnYKNFZSeCtVNDV6V2RrUzdyOEVrZnQ0bk8wcWQ3aW9XS2xHcWgvbFdWakNPcnNKZEYxYnl2bVhYVW9EUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
    }
  },
  "steps": {
    "build": {
      "name": "build",
      "functionaries": [
        {
          "type": "root",
          "certConstraint": {
            "commonname": "*",
            "dnsnames": [
              "*"
            ],
            "emails": [
              "*"
            ],
            "organizations": [
              "*"
            ],
            "uris": [
              "*"
            ],
            "roots": [
              "422a97dfaf9398124e846f07748b6be2136a13212f975ae3df9c78a72d14cb1b"
            ],
            "extensions": {
              "Issuer": ""
            }
          }
        }
      ],
      "attestations": [
        {
          "type": "https://witness.dev/attestations/material/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://witness.dev/attestations/command-run/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://witness.dev/attestations/product/v0.1",
          "regopolicies": []
        },
        {
          "type": "https://slsa.dev/provenance/v1.0",
          "regopolicies": []
        }
      ]
    }
  }
}

$ ../bin/witness policy check policy-rootca-single.json -v
INFO    Validating policy: policy-rootca-single.json 
INFO    Reading policy file...                       
INFO    Valid JSON structure                         
INFO    Policy expires: 2026-01-17T01:25:14+05:30    
INFO    Checking policy expiration...                
INFO    Policy valid until 2026-01-17 (29 days)      
WARNING Warning: Policy expires in 29 days           
INFO    Validating Rego policies...                  
INFO    Validated 0 Rego module(s)                   
INFO    Validating functionaries...                  
INFO    Root '422a97dfaf9398124e846f07748b6be2136a13212f975ae3df9c78a72d14cb1b' exists for step 'build' 
INFO    Validated 1 functionary root reference(s)    
INFO    Validating root certificates...              
INFO    Checking root certificate '422a97dfaf9398124e846f07748b6be2136a13212f975ae3df9c78a72d14cb1b'... 
INFO    Valid x509 certificate (CN=Root CA)          
INFO    Root certificate '422a97dfaf9398124e846f07748b6be2136a13212f975ae3df9c78a72d14cb1b' is valid 
INFO    Validated 1 root certificate(s)              
INFO    Policy validation successful!                
INFO    Summary:                                     
INFO    Total checks: 10                             
INFO    Passed: 10                                   
INFO    Failed: 0                                    
WARNING Warnings: 1

$ ../bin/witness run \
        --step build \
        --signer-file-cert-path signer.pem \
        --signer-file-key-path signer-key.pem \
        -a slsa \
        -o attestation-build-root-ca.json \
        -- go build -o testapp main.go
INFO    Starting prematerial attestors stage...      
INFO    Completed prematerial attestors stage...     
INFO    Starting material attestors stage...         
INFO    Starting material attestor...                
INFO    Finished material attestor... (0.011555875s) 
INFO    Completed material attestors stage...        
INFO    Starting execute attestors stage...          
INFO    Starting command-run attestor...             
INFO    Finished command-run attestor... (0.381696625s) 
INFO    Completed execute attestors stage...         
INFO    Starting product attestors stage...          
INFO    Starting product attestor...                 
INFO    Finished product attestor... (0.003569166s)  
INFO    Completed product attestors stage...         
INFO    Starting postproduct attestors stage...      
INFO    Starting slsa attestor...                    
WARNING No build system attestor invoked. Consider using github, gitlab, jenkins, or aws-codebuild attestors (if appropriate) to enrich your SLSA provenance 
INFO    Finished slsa attestor... (3.4667e-05s)      
INFO    Completed postproduct attestors stage...    

$ ../bin/witness verify \
        -p policy-rootca-single-signed.json \
        --attestations attestation-build-root-ca.json \
        -k policy-pub.pem \
        -f testapp
INFO    Starting verify attestors stage...           
INFO    Starting policyverify attestor...            
INFO    policy signature verified                    
INFO    Finished policyverify attestor... (0.003267458s) 
INFO    Completed verify attestors stage...          
INFO    Verification succeeded                       
INFO    Evidence:                                    
INFO    Step: build                                  
INFO    0: attestation-build-root-ca.json            
INFO    1: attestation-build-root-ca.json            
INFO    2: attestation-build-root-ca.json            
test-policy (feat/witness-policy-create-cmd) $