Policytab upstream GitHub catalog
Product model: Community catalogs are GitHub import templates, not default tenant comparison sources. See Comparison baseline model.
What the upstream catalog is
Teuftis/ConditionalAccessBaseline-Hardened is an open-source CA baseline many MSPs import as a starting point. The upstream repo currently includes dozens of policy intents (for example CA101 through workload-identity policies), standard groups, named locations, and a manifest.json deploy order. Policy counts change over time on GitHub - Policytab does not ship or pin a fixed catalog in the app bundle.
Policytab keeps an optional checked-in copy under baseline-upstream/ for local dev and loader unit tests only. It is not bundled as the default comparison baseline for new tenants (baseline_source = imported by default).
Supported product path: import from GitHub into public.msp_baseline, edit in the workspace, assign per tenant as msp_custom.
How Policytab consumes the upstream catalog
baseline-upstream/ is populated from the upstream GitHub project (policies, groups, namedLocations, manifest).
baseline-policytab/ holds Policytab-specific extensions (profiles.json, frameworks.json, scenario mappings) used by compliance orientation layers at runtime.
lib/baseline/public-github-import.ts fetches community catalogs from GitHub for workspace imports (production path). scripts/verify-github-baseline-imports.mjs validates live GitHub fetches in CI.
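As an added illustration (not Policytab's own code) of the kind of check a workspace import should run on a fetched community catalog before it becomes a comparison baseline: the snapshot shape, the manifest.json deployOrder field, the policy id/displayName fields and the pinnedRef parameter are all assumptions constructed for this example.

```javascript
// Added example, not Policytab's own code: sanity-check a community catalog
// snapshot fetched from GitHub before it is imported as a workspace baseline.
// Assumptions: SOURCE_REF is the commit sha the snapshot was taken at,
// manifest.json carries a deployOrder array of policy ids, and each policy
// file has an id and a displayName. All shapes here are constructed.
const FULL_SHA = /^[0-9a-f]{40}$/;

function validateCatalog(snapshot, pinnedRef) {
  const errors = [];
  const { sourceRef, manifest, policies } = snapshot;

  // Refuse a floating ref: only the reviewed commit should be imported.
  if (!FULL_SHA.test(sourceRef)) errors.push(`SOURCE_REF is not a full commit sha: ${sourceRef}`);
  else if (pinnedRef && sourceRef !== pinnedRef) errors.push(`SOURCE_REF ${sourceRef} differs from pinned ${pinnedRef}`);

  // Every policy needs a unique id and a display name.
  const ids = new Set();
  for (const p of policies) {
    if (!p.id || !p.displayName) { errors.push(`policy without id/displayName: ${JSON.stringify(p)}`); continue; }
    if (ids.has(p.id)) errors.push(`duplicate policy id ${p.id}`);
    ids.add(p.id);
  }

  // The deploy order must reference only known policies, each once, and cover all of them.
  const ordered = new Set();
  for (const id of manifest.deployOrder || []) {
    if (!ids.has(id)) errors.push(`manifest deployOrder references unknown policy ${id}`);
    if (ordered.has(id)) errors.push(`manifest deployOrder lists ${id} twice`);
    ordered.add(id);
  }
  for (const id of ids) if (!ordered.has(id)) errors.push(`policy ${id} is missing from manifest deployOrder`);
  return errors;
}

// Constructed sample snapshot: CA103 exists but was left out of the deploy order.
const sampleSnapshot = {
  sourceRef: "0123456789abcdef0123456789abcdef01234567",
  manifest: { deployOrder: ["CA101", "CA102"] },
  policies: [
    { id: "CA101", displayName: "Block legacy authentication" },
    { id: "CA102", displayName: "Require MFA for administrators" },
    { id: "CA103", displayName: "Require compliant device" },
  ],
};

console.log(validateCatalog(sampleSnapshot, sampleSnapshot.sourceRef));
// prints [ 'policy CA103 is missing from manifest deployOrder' ]
```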
Optional dev fixture refresh
.github/workflows/sync-baseline.yml runs on workflow_dispatch only (not scheduled):
- Clones the upstream repo at the configured ref (default main)
- Copies baseline/* into baseline-upstream/
- Updates baseline-upstream/SOURCE_REF with the commit sha
- If anything changed, opens a PR for operator review
Use this when updating the checked-in dev fixture or loader tests. It does not affect tenant comparison baselines in production.
Compliance scenario framework refs
Scenario coverage (/tenants/[id]/compliance/scenarios) evaluates live CA policies against recommended scenarios in lib/baseline/scenarios.ts. CIS, NIST, ISO 27001, and HIPAA control IDs come from baseline-policytab/scenarios-to-frameworks.json. They are not filtered by the tenant comparison baseline.
Policy-level framework mappings (baseline-policytab/frameworks.json, /policies/[id]) are a static orientation layer for fleet views, separate from per-tenant drift.
When the upstream catalog changes
After a dev fixture refresh merges, loader unit tests may need updating. MSPs pick up upstream changes by re-importing from GitHub into their workspace baseline.
Tenants on imported or msp_custom are unaffected unless the operator imports a new workspace version.
Why not consume the upstream catalog at runtime
Drift and deploy resolve comparison baselines from Postgres (workspace manifest or imported snapshot); nothing is fetched from GitHub at runtime. The GitHub import fetches live only at import time. Legacy policytab / j0eyv enum values throw an error until they are migrated.