feat: support multiple control catalog versions

Implements the proposal from #257 to handle multiple control catalogs
and versions of each.

Changes:
- Rename OSPS evaluation plan to OSPS_2025_10 with version-specific
  catalog ID (osps-baseline-2025-10)
- Add OSPS_2026_02 evaluation plan (initially mirrors 2025_10, to be
  updated as the new baseline evolves)
- Register both evaluation suites in main.go
- Add OSPS_Baseline_2026_02.yaml catalog with version-specific metadata
- Update CI scripts and example config to use the new catalog naming

Closes #257

Author: Vinaya Damle

.github/scripts/ci.sh

@@ -94,7 +94,7 @@ services:
     plugin: github-repo
     policy:
       catalogs:
-        - osps-baseline
+        - osps-baseline-2026-02
       applicability:
         - Maturity Level 1
     vars:

.github/workflows/ci.yaml

@@ -33,4 +33,4 @@ jobs:
           ./.github/scripts/ci.sh 2>&1 | tee integration_output.txt
       - name: Verify test output
         run: |
-          grep -E 'privateer_osps-baseline.*Passed.*Warnings.*Failed.*Possible' integration_output.txt
+          grep -E 'privateer_osps-baseline-2026-02.*Passed.*Warnings.*Failed.*Possible' integration_output.txt

data/catalogs/OSPS_Baseline_2025_10.yaml

@@ -1,7 +1,7 @@
 metadata:
-  id: osps-baseline
+  id: osps-baseline-2025-10
   title: Open Source Project Security Baseline
-  version: ""
+  version: "2025.10"
   description: |
     The Open Source Project Security (OSPS) Baseline is a set of security criteria
     that projects should meet to demonstrate a strong security posture.

data/catalogs/OSPS_Baseline_2026_02.yaml

@@ -15,7 +15,11 @@ import (
 )
 
 var (
-	// Open Source Project Security Baseline
+	// OSPS contains assessment step implementations for all known assessment IDs
+	// across all OSPS Baseline versions. Each catalog YAML defines which IDs are
+	// active for that version, so the SDK only runs the relevant subset.
+	// When a new baseline version introduces new assessment IDs, add their step
+	// implementations here.
 	OSPS = map[string][]gemara.AssessmentStep{
 		"OSPS-AC-01.01": {
 			access_control.OrgRequiresMFA,

evaluation_plans/evaluation-plans.go

@@ -13,7 +13,7 @@ services:
     # The policy section may be set at the top level if assessing multiple services via privateer
     policy:
       catalogs:
-        - osps-baseline # currently this is the only available catalog to assess against
+        - osps-baseline-2026-02 # use osps-baseline-2025-10 for the previous version
       applicability:
         - Maturity Level 1
         # - Maturity Level 2

example-config.yml

@@ -54,10 +54,16 @@ func main() {
 	}
 
 	orchestrator.AddRequiredVars(RequiredVars)
-	err = orchestrator.AddEvaluationSuite("osps-baseline", nil, evaluation_plans.OSPS)
-	if err != nil {
-		fmt.Printf("Error adding evaluation suite: %v\n", err)
-		os.Exit(1)
+
+	// Register the same step implementations for each catalog version.
+	// The catalog YAML defines which assessment IDs are active for that version,
+	// so the SDK only runs the relevant subset of steps.
+	for _, catalogID := range []string{"osps-baseline-2025-10", "osps-baseline-2026-02"} {
+		err = orchestrator.AddEvaluationSuite(catalogID, nil, evaluation_plans.OSPS)
+		if err != nil {
+			fmt.Printf("Error adding evaluation suite %s: %v\n", catalogID, err)
+			os.Exit(1)
+		}
 	}
 
 	runCmd := command.NewPluginCommands(