[Cloudsmith] add vulnerability policy management components #5674

Description

@felixgateru

Overview

This issue tracks the implementation of SuperPlane components for Cloudsmith Vulnerability Policies — a security feature of the Cloudsmith package registry that enables organisations to define rules governing how packages with known vulnerabilities are handled. A vulnerability policy specifies conditions based on CVSS severity levels, CVE identifiers, or package age, and enforces actions such as blocking package downloads or quarantining affected artifacts. These components enable workflows to programmatically create, inspect, and remove vulnerability policies as part of automated supply chain security and compliance pipelines.

Components to implement

Vulnerability policy management

| Type | Component | Description |
| --- | --- | --- |
| action | createVulnerabilityPolicy | Create a new vulnerability policy within a Cloudsmith organisation, defining its name, description, severity thresholds, CVE allow/block rules, and enforcement action. |
| action | getVulnerabilityPolicy | Retrieve the full configuration of a vulnerability policy by slug, including its severity thresholds, CVE rules, enforcement action, and the repositories it applies to. |
| action | deleteVulnerabilityPolicy | Permanently remove a vulnerability policy from a Cloudsmith organisation, disabling its enforcement across all associated repositories. |

Acceptance criteria

  • All 3 actions are implemented and tested
  • Unit and integration tests cover happy path and error cases including invalid CVSS thresholds, non-existent policy slugs, and insufficient permissions
  • Documentation added for each component with usage examples including a sample policy definition

References
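Added example (not part of the issue above, and not SuperPlane's or Cloudsmith's code): a Go sketch of what a vulnerability policy definition like the ones described in the Overview carries, how a create action would validate it (including the invalid-CVSS-threshold case named in the acceptance criteria), and how such a policy is applied to a package's findings. The field names, the two enforcement actions, the CVE identifier format check, the role of an allow list over a block list, and the sample policy are all assumptions made for this illustration; the real Cloudsmith schema and API are not described on this page. The findings and package ages fed to it are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"slices"
)

// Action is what the registry does to a package version that matches a policy.
type Action string

const (
	ActionBlock      Action = "block"      // refuse downloads of the package
	ActionQuarantine Action = "quarantine" // keep the artifact but hide it from consumers
)

// Policy is a hypothetical model of a vulnerability policy; the field names are
// assumptions made for this example, not Cloudsmith's real schema.
type Policy struct {
	Slug, Name string
	MinCVSS    float64  // findings scoring at or above this trigger Action (0.0 matches every finding)
	BlockCVEs  []string // always trigger, regardless of score
	AllowCVEs  []string // accepted risk: never trigger, even if also scored high
	MaxAgeDays int      // trigger when the package is older than this; 0 disables
	Action     Action
}

// Finding is one known vulnerability reported against a package version.
type Finding struct{ CVE string; CVSS float64 }

var cveRe = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

var (
	ErrInvalidCVSS = errors.New("CVSS threshold must be between 0.0 and 10.0")
	ErrInvalidCVE  = errors.New("malformed CVE identifier")
	ErrCVEConflict = errors.New("CVE is both allowed and blocked")
)

// Validate rejects a malformed definition before it is stored or enforced.
func Validate(p Policy) error {
	switch {
	case p.Slug == "" || p.Name == "":
		return errors.New("slug and name are required")
	case p.MinCVSS < 0 || p.MinCVSS > 10:
		return fmt.Errorf("%w: got %.1f", ErrInvalidCVSS, p.MinCVSS)
	case p.MaxAgeDays < 0:
		return errors.New("max age must not be negative")
	case p.Action != ActionBlock && p.Action != ActionQuarantine:
		return fmt.Errorf("unknown enforcement action %q", p.Action)
	}
	for _, id := range append(append([]string{}, p.BlockCVEs...), p.AllowCVEs...) {
		if !cveRe.MatchString(id) {
			return fmt.Errorf("%w: %q", ErrInvalidCVE, id)
		}
		if slices.Contains(p.BlockCVEs, id) && slices.Contains(p.AllowCVEs, id) {
			return fmt.Errorf("%w: %s", ErrCVEConflict, id)
		}
	}
	return nil
}

// Evaluate returns the action to enforce and the rule that fired, or "" when the
// package passes. Allow-listed CVEs are exempt from both the blocklist and the threshold.
func (p Policy) Evaluate(findings []Finding, ageDays int) (Action, string) {
	for _, f := range findings {
		switch {
		case slices.Contains(p.AllowCVEs, f.CVE):
			continue
		case slices.Contains(p.BlockCVEs, f.CVE):
			return p.Action, "blocklisted " + f.CVE
		case f.CVSS >= p.MinCVSS:
			return p.Action, fmt.Sprintf("%s scores %.1f, threshold %.1f", f.CVE, f.CVSS, p.MinCVSS)
		}
	}
	if p.MaxAgeDays > 0 && ageDays > p.MaxAgeDays {
		return p.Action, fmt.Sprintf("package is %d days old, limit %d", ageDays, p.MaxAgeDays)
	}
	return "", ""
}

// SamplePolicy is a constructed definition of the kind the documentation is meant to
// show: quarantine High/Critical findings, always block one CVE, accept one as known risk.
func SamplePolicy() Policy {
	return Policy{
		Slug: "quarantine-high", Name: "Quarantine High and Critical",
		MinCVSS:    7.0,
		BlockCVEs:  []string{"CVE-2024-3094"},
		AllowCVEs:  []string{"CVE-2021-44228"},
		MaxAgeDays: 730,
		Action:     ActionQuarantine,
	}
}

func main() {
	p := SamplePolicy()
	fmt.Println("valid:", Validate(p))
	act, why := p.Evaluate([]Finding{{"CVE-2021-44228", 10.0}, {"CVE-2023-0001", 7.5}}, 30)
	fmt.Println(act, why)
}
```

Validate is the check a createVulnerabilityPolicy action would run before calling the registry, so that an out-of-range threshold or a typo in a CVE identifier fails fast in the workflow rather than producing a policy that silently never matches. Evaluate makes the precedence explicit: an allow-listed CVE is skipped before the blocklist and the score threshold are consulted, so accepting a known false positive cannot be undone by a high score on the same CVE.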

Metadata

Assignees

No one assigned

Labels

No labels

Type

No type

Projects

Status
Backlog

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests