
feat: add Cloudsmith vulnerability policy components #5676

Open
felixgateru wants to merge 2 commits into superplanehq:main from felixgateru:feat/cloudsmith-vulnerability-policy

Conversation

@felixgateru felixgateru commented Jun 24, 2026

Collaborator

What changed

Extended the Cloudsmith integration with three new action components: Create Vulnerability Policy, Get Vulnerability Policy, and Delete Vulnerability Policy.

Why

To manage organization-scoped package vulnerability policies as part of a workflow instead of the Cloudsmith UI. This enables policy-as-code use cases: provisioning guardrails when bootstrapping an organization, auditing/drift-detection of a policy's current settings, and tearing down policies for short-lived environments.

How

Backend

Extended pkg/integrations/cloudsmith/ with:

  • client.go — added Organization and VulnerabilityPolicy structs, the VulnerabilityPolicyRequest body, and client methods CreateVulnerabilityPolicy, GetVulnerabilityPolicy, DeleteVulnerabilityPolicy, plus ListOrganizations /
  • create_vulnerability_policy.go — cloudsmith.createVulnerabilityPolicy: organization, name (required), description, minimum severity (select, default Critical), package query, and quarantine-on-violation / allow-unknown-severity booleans. Severity is validated at Setup and Execute. Emits cloudsmith.vulnerabilityPolicy.created.
  • get_vulnerability_policy.go — cloudsmith.getVulnerabilityPolicy: organization + policy. Emits cloudsmith.vulnerabilityPolicy.fetched.
  • delete_vulnerability_policy.go — cloudsmith.deleteVulnerabilityPolicy: organization + policy.
  • cloudsmith.go — registered the three actions and noted org-scoped permissions in the integration instructions.
  • Added backend tests for each component

Frontend

Added web_src/src/pages/app/mappers/cloudsmith/:

  • create_vulnerability_policy.ts, get_vulnerability_policy.ts, delete_vulnerability_policy.ts — node mappers with execution details and canvas metadata (organization via the building-2 icon, policy via shield).
  • types.ts — VulnerabilityPolicyData, DeleteVulnerabilityPolicyData, node metadata and configuration interfaces.
  • index.ts — registered mappers and event-state registries (created / fetched / deleted).
  • test_helpers.ts — buildVulnerabilityPolicyData.
  • Spec files for each mapper.

@superplanehq-integration


👋 Commands for maintainers:

  • /sp start - Start an ephemeral machine (takes ~30s)
  • /sp stop - Stop a running machine (auto-executed on pr close)

@superplane-gh-integration-9000


PR Risk Review

Risk: 25/100 (low)
Review approved: Yes
Check passed: Yes

Summary

Well-structured addition of three new Cloudsmith vulnerability policy CRUD components (create, get, delete) with comprehensive tests, documentation, and frontend mappers following established patterns in the codebase.

Concerns

  • The pagination logic in ListOrganizations and ListVulnerabilityPolicies has no upper bound on pages, which could lead to infinite loops if the API consistently returns exactly page_size items due to a bug or edge case.
  • The resolveOrganizationMetadata and resolvePolicyMetadata functions make API calls during Setup which could slow down UI interactions if the Cloudsmith API is slow or unreachable.
  • No rate limiting or timeout configuration is visible for the new API calls, relying entirely on the existing client infrastructure.
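
One way to address the unbounded-pagination concern raised above, as an added example that is not part of this PR or the Superplane code base: a page-guarded lister exercised against a constructed httptest server that can either terminate normally or return a full page forever. The /orgs/ path, the page/page_size query parameters and the Organization shape are assumptions for the example, not the Cloudsmith v1 API as the project's client calls it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Organization is a minimal stand-in for the Cloudsmith record (assumed shape).
type Organization struct{ Slug string `json:"slug"` }

// listOrganizationsBounded walks ?page=N&page_size=M (assumed shape); it stops on a short page or once maxPages is exceeded.
func listOrganizationsBounded(baseURL string, pageSize, maxPages int) ([]Organization, error) {
	var all []Organization
	for page := 1; ; page++ {
		if page > maxPages { // the upper bound the risk review asked for
			return all, fmt.Errorf("cloudsmith: no end of list after %d pages", maxPages)
		}
		resp, err := http.Get(fmt.Sprintf("%s/orgs/?page=%d&page_size=%d", baseURL, page, pageSize))
		if err != nil {
			return all, err
		}
		var batch []Organization
		err = json.NewDecoder(resp.Body).Decode(&batch)
		resp.Body.Close()
		if err != nil {
			return all, err
		}
		all = append(all, batch...)
		if len(batch) < pageSize {
			return all, nil // a short (or empty) page is the last one
		}
	}
}

// newFakeOrgServer serves constructed organizations; total < 0 reproduces the
// failure mode from the review: every page is full, so an unguarded loop never ends.
func newFakeOrgServer(total int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		page, _ := strconv.Atoi(r.URL.Query().Get("page"))
		size, _ := strconv.Atoi(r.URL.Query().Get("page_size"))
		batch := []Organization{}
		for i := (page - 1) * size; i < page*size && (total < 0 || i < total); i++ {
			batch = append(batch, Organization{Slug: fmt.Sprintf("org-%d", i)})
		}
		json.NewEncoder(w).Encode(batch)
	}))
}
```

With a server that never returns a short page, the guard returns the 15 organizations collected over 5 pages together with an error instead of spinning forever.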

Add createVulnerabilityPolicy, getVulnerabilityPolicy, and
deleteVulnerabilityPolicy actions for managing organization-scoped
package vulnerability policies via the Cloudsmith v1 API.

- client: add Organization and VulnerabilityPolicy types, create/get/
  delete/list policy methods, list/get organization methods, and
  org/policy node metadata resolution
- list_resources: add organization and vulnerabilityPolicy resource types
- register actions and add example outputs
- frontend: add mappers, types, specs, and registry entries
- regenerate component docs

Signed-off-by: Felix Gateru <felix.gateru@gmail.com>
Signed-off-by: Felix Gateru <felix.gateru@gmail.com>
@felixgateru felixgateru force-pushed the feat/cloudsmith-vulnerability-policy branch from e2f7a58 to e68ff83 on June 26, 2026 07:43
@felixgateru felixgateru marked this pull request as ready for review June 26, 2026 07:45
@superplane-gh-integration-9000


Risk: 25/100 (low)

Summary

Adds three new Cloudsmith integration action components (create, get, delete) for organization-scoped vulnerability policy management, with Go backend, TypeScript mappers, tests, and documentation.

Concerns

  • resolveOrganizationMetadata and resolvePolicyMetadata in client.go import core.SetupContext, mixing API client and setup-layer concerns.
  • Name (max 100) and Description (max 250) length limits are documented but not enforced in Setup() validation.
  • No multi-page pagination test cases for ListOrganizations or ListVulnerabilityPolicies.
  • Severity validation (isValidSeverity) is only applied in Create; not guarded at the client layer.

Recommended reviewers: forestileao
