Skip to content

Decadal Strategic & Technical Plan 2026–2035 (Sentinel v2.4 / Omni-Sentinel Mesh v4.0 / SCP v3.0)#139

Open
OneFineStarstuff wants to merge 9 commits into
mainfrom
genspark_ai_developer
Open

Decadal Strategic & Technical Plan 2026–2035 (Sentinel v2.4 / Omni-Sentinel Mesh v4.0 / SCP v3.0)#139
OneFineStarstuff wants to merge 9 commits into
mainfrom
genspark_ai_developer

Conversation

@OneFineStarstuff

@OneFineStarstuff OneFineStarstuff commented Jun 21, 2026

Copy link
Copy Markdown
Owner

Summary

Adds the authoritative consolidated decadal (2026–2035) strategic & technical plan for deploying the Sentinel AI Governance Stack v2.4, Omni-Sentinel Mesh v4.0, and Unified AI Supervisory Control Plane (SCP v3.0) across G-SIFIs and Fortune 500 financial institutions.

governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md (424 lines, 20 sections).

Builds on merged PR #138. Every technical claim is anchored to a runnable, verified in-repo artifact — the assurance suite is 11/11 PASS at issue.

Coverage (all requested topics)

  • Zero-trust AI governance + TEE (Intel TDX, AMD SEV-SNP, vTPM PCR_MATCH); confidential enclave deployment + remote attestation
  • StaR-MoE (SARA+ACR) routing stabilization; telemetry attestation + G-SRI
  • PQC WORM logging: ML-DSA-65 / CRYSTALS-Dilithium / SPHINCS+ + Kafka/S3 Object Lock; Merkle-anchored evidence
  • zk systemic-risk proofs (Circom/Groth16 → zk-STARK migration) + zk-SNARK/zk-STARK relayer pipelines; zkML transition-validity
  • OSCAL 1.1.2 + OPA/Rego compliance-as-code; full mapping to EU AI Act (Annex IV), NIST AI RMF, ISO/IEC 42001, Basel III/IV, DORA, NIS2, GDPR Art.22, MAS/HKMA FEAT, FCA SMCR, ECOA, ICGC/GASO
  • TLA+ SentinelContainmentProtocol + SIP v3.0 invariants; HSM + Terraform multi-region enclaves
  • GIEN / SIP v3.0 federated collective defense; security-review patterns (Solidity/OPA/React)
  • omni_sentinel_24h_monitor.py 24h monitoring + integrity; OmegaActual dead-man's switch; DevSecOps/GitOps (ArgoCD/Flux)
  • 6-month 2028 G-SIFI pilot design; supervisory adoption model; automated compliance dashboards; KPIs/KRIs; global rollout through 2035

Integrity discipline

A/B/C/D feasibility tiering throughout. Explicit statement that ASI containment is modelled as a formally-checked control discipline, not a safety proof for arbitrarily capable agents (Tier D). Live attestation/HSM/enclave verified at IaC/policy layer (Tier B). All cross-referenced files confirmed present; roadmap YAML parses (5 phases + 4 extension).

Verification

bash governance_artifacts/run_runnable_assurance.sh   # 11/11 PASS

Summary by CodeRabbit

  • Documentation

    • Added the 2026–2035 governance & technical plan; updated the 2026–2035 roadmap.
    • Published 2028 G-SIFI pilot acceptance-gate guidance, updated dashboard security review, and OSCAL/Annex IV tooling docs.
  • New Features

    • Added a runnable 2028 G-SIFI acceptance-gate checklist (automated results plus manual evidence staging).
    • Added API demo login and expanded synthetic risk-score response metadata.
    • Enabled per-client /api/* rate limiting.
  • Bug Fixes

    • Secured chat streaming (authenticated POST only, SSE sanitization, safety-policy blocking/refusals).
    • Enforced authenticated/authorized consent and strengthened signed consent ledger integrity.
  • Tests / CI

    • Reworked dashboard security tests and expanded runnable assurance with OSCAL conformance + Annex IV dossier coverage.

@code-genius-code-coverage

Copy link
Copy Markdown

The files' contents are under analysis for test generation.

@semanticdiff-com

semanticdiff-com Bot commented Jun 21, 2026

Copy link
Copy Markdown

Review changes with  SemanticDiff

Changed Files
File Status
  next-app/app/api/risk/scores/route.ts  65% smaller
  next-app/app/api/chat/stream/route.ts  44% smaller
  next-app/lib/privacy/consentLedger.ts  38% smaller
  next-app/app/api/intent/route.ts  31% smaller
  next-app/__tests__/dashboard_security_review.test.ts  20% smaller
  next-app/next.config.js  19% smaller
  next-app/app/api/consent/route.ts  17% smaller
  governance_blueprint/roadmap_2026_2035.yaml  13% smaller
  governance_artifacts/oscal/catalog_sentinel_v24_env_rte.json  7% smaller
  .github/workflows/runnable-assurance.yml  7% smaller
  governance_artifacts/oscal/catalog_sentinel_v24_excerpt.json  4% smaller
  governance_artifacts/README.md Unsupported file format
  governance_artifacts/RUNNABLE_ASSURANCE.md Unsupported file format
  governance_artifacts/oscal/README.md Unsupported file format
  governance_artifacts/oscal/annex_iv_section_map.yaml  0% smaller
  governance_artifacts/oscal/crosswalk_common.py  0% smaller
  governance_artifacts/oscal/dora_framework_map.yaml  0% smaller
  governance_artifacts/oscal/generate_annex_iv_dossier.py  0% smaller
  governance_artifacts/oscal/generate_dora_ict_register.py  0% smaller
  governance_artifacts/oscal/generate_nist_rmf_crosswalk.py  0% smaller
  governance_artifacts/oscal/generated/annex_iv_dossier.json  0% smaller
  governance_artifacts/oscal/generated/annex_iv_dossier.md Unsupported file format
  governance_artifacts/oscal/generated/dora_ict_register.json  0% smaller
  governance_artifacts/oscal/generated/dora_ict_register.md Unsupported file format
  governance_artifacts/oscal/generated/nist_ai_rmf_crosswalk.json  0% smaller
  governance_artifacts/oscal/generated/nist_ai_rmf_crosswalk.md Unsupported file format
  governance_artifacts/oscal/nist_ai_rmf_map.yaml  0% smaller
  governance_artifacts/oscal/oscal_conformance.py  0% smaller
  governance_artifacts/package_distribution_bundle.py  0% smaller
  governance_artifacts/pilot/README.md Unsupported file format
  governance_artifacts/pilot/run_pilot_acceptance_gates.py  0% smaller
  governance_artifacts/run_runnable_assurance.sh Unsupported file format
  governance_artifacts/verify_distribution_bundle.py  0% smaller
  governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md Unsupported file format
  next-app/DASHBOARD_SECURITY_REVIEW.md Unsupported file format
  next-app/app/api/auth/login/route.ts  0% smaller
  next-app/lib/auth/session.ts  0% smaller
  next-app/lib/http/guard.ts  0% smaller
  next-app/lib/http/rateLimit.ts  0% smaller
  next-app/middleware.ts  0% smaller
  tests/governance/test_governance_artifacts.py  0% smaller

@gitnotebooks

gitnotebooks Bot commented Jun 21, 2026

Copy link
Copy Markdown

@netlify

netlify Bot commented Jun 21, 2026

Copy link
Copy Markdown

Deploy Preview for onefinestarstuff failed.

Name Link
🔨 Latest commit db06d3f
🔍 Latest deploy log https://app.netlify.com/projects/onefinestarstuff/deploys/6a47af409eaf240008fbbea5

@vercel

vercel Bot commented Jun 21, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
v0-one-fine-starstuff-github-io Ready Ready Preview, Comment, Open in v0 Jul 3, 2026 12:47pm

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @OneFineStarstuff, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@difflens

difflens Bot commented Jun 21, 2026

Copy link
Copy Markdown

View changes in DiffLens

@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Jun 21, 2026
@coderabbitai

coderabbitai Bot commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR adds a decadal governance blueprint, updates the roadmap and pilot-gate workflow, extends runnable assurance with OSCAL conformance checks, and hardens the Next.js app with authenticated sessions, request validation, rate limiting, signed consent events, and route-level enforcement.

Changes

Governance Blueprint, Roadmap, Pilot Gates, and Assurance

Layer / File(s) Summary
Blueprint and roadmap framing
governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md, governance_blueprint/roadmap_2026_2035.yaml
Defines the decadal plan framing, feasibility tiers, architecture and control-plane mapping, control disciplines, roadmap phases, pilot schedule, operating model, KPI/KRI tracking, limitations, and verification ledger.
Roadmap and pilot execution
governance_blueprint/roadmap_2026_2035.yaml, governance_artifacts/pilot/*
Updates roadmap feasibility tiers and 2031–2035 phases, adds the pilot gate runner and documentation, and defines the month-by-month acceptance-gate flow.
OSCAL conformance, dossier assembly, and assurance wiring
governance_artifacts/run_runnable_assurance.sh, governance_artifacts/RUNNABLE_ASSURANCE.md, governance_artifacts/oscal/*, tests/governance/test_governance_artifacts.py, \.github/workflows/runnable-assurance.yml
Adds OSCAL catalogs and back-matter anchors, a catalog conformance validator, Annex IV dossier generation, runnable-assurance step expansion, CI wiring, README guidance, and governance tests.

Next.js Security Hardening and Dashboard Remediation

Layer / File(s) Summary
Session auth and request guards
next-app/lib/auth/session.ts, next-app/lib/http/guard.ts
Adds token minting and verification, principal extraction, authorization helpers, JSON response factories, request body limits, safe JSON parsing, and stream sanitization utilities.
Dashboard remediation and authenticated route enforcement
next-app/DASHBOARD_SECURITY_REVIEW.md, next-app/__tests__/dashboard_security_review.test.ts, next-app/app/api/chat/stream/route.ts, next-app/app/api/consent/route.ts, next-app/app/api/intent/route.ts, next-app/app/api/risk/scores/route.ts
Updates the security review and tests, rewrites the chat, consent, and intent routes to require authenticated principals and validated inputs, and keeps the synthetic risk-scores metadata response.
Demo login, rate limiting, and security headers
next-app/app/api/auth/login/route.ts, next-app/lib/http/rateLimit.ts, next-app/middleware.ts, next-app/next.config.js
Adds the demo login route, fixed-window API rate limiting, middleware enforcement, and Next.js security headers.
Consent ledger signing and verification
next-app/lib/privacy/consentLedger.ts
Adds signed consent events, chain verification, verified export output, and fail-closed tail reads.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Middleware
  participant Session as session.ts
  participant Route as API route
  participant Guard as readJson/sanitizeForStream
  Client->>Middleware: request to /api/*
  Middleware->>Session: derive client key and enforce limit
  Client->>Route: authenticated request
  Route->>Guard: parse body / sanitize stream
  Guard-->>Route: validated data or structured error
Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~90 minutes

Possibly related PRs

Suggested labels

documentation, enhancement, size/XXL, python, backend

Suggested reviewers

  • gstraccini

Poem

🐇 I hopped through tiers from A to C,
And signed each gate with certainty.
The ledger hums, the routes stand tall,
The rabbit checks each ounce and all.
With WORM and clues and headers bright,
I nibble proof, then hop goodnight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 38.71% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change and names the three major framework versions covered by the plan.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch genspark_ai_developer

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@deepsource-io

deepsource-io Bot commented Jun 21, 2026

Copy link
Copy Markdown

DeepSource Code Review

We reviewed changes in 0dd1a89...db06d3f on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
Python Jul 3, 2026 12:46p.m. Review ↗
JavaScript Jul 3, 2026 12:46p.m. Review ↗
Shell Jul 3, 2026 12:46p.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

gstraccini[bot]
gstraccini Bot previously approved these changes Jun 21, 2026
@codacy-production

codacy-production Bot commented Jun 21, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🔴 Issues 1 critical · 5 high · 4 medium · 90 minor

Alerts:
⚠ 100 issues (≤ 0 issues of at least minor severity)

Results:
100 new issues

Category Results
Compatibility 1 high
BestPractice 2 medium
Documentation 4 minor
ErrorProne 4 high
Security 1 critical
CodeStyle 86 minor
Complexity 1 medium
Performance 1 medium

View in Codacy

🟢 Metrics 106 complexity · 2 duplication

Metric Results
Complexity 106
Duplication 2

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@difflens

difflens Bot commented Jun 21, 2026

Copy link
Copy Markdown

View changes in DiffLens

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md (1)

65-83: 💤 Low value

Add a language identifier to the ASCII diagram code block.

Line 65 opens a fenced code block for the architecture diagram. Adding a language identifier (e.g., text` or ascii`) improves markdown linting compliance and readability.

✨ Proposed fix
 ### 2. Architecture overview (the four control planes)
 
-```
+```text
 ┌──────────────────────────────────────────────────────────────────────────────────┐
 │  SCP v3.0 — Unified AI Supervisory Control Plane            (supervisor-facing)    │
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md` around
lines 65 - 83, The ASCII architecture diagram code block starting at line 65
does not have a language identifier in its opening fence. Add a language
identifier such as `text` or `ascii` immediately after the opening triple
backticks (e.g., change the opening fence from ``` to ```text) to improve
markdown linting compliance and readability of the diagram block.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md`:
- Around line 65-102: Two Tier A artifacts referenced in the
component-to-artifact-to-evidence map are missing from the repository:
tla/SentinelContainmentProtocol.tla and tla/KillSwitchAbstract.tla. These files
are cited as having verifiable TLC model-checking evidence (75 + 13 states with
no errors) for the containment one-way ratchet and kill-switch abstraction
control components. Either create and add these TLA+ files to the repository
with the corresponding TLC verification results, or update the table rows
referencing these files to remove them and correct the Tier A evidence claims to
match what actually exists in the repository.
- Around line 397-412: The "Full assurance suite" row in the verification ledger
section claims "11/11 PASS" but the actual execution of bash
governance_artifacts/run_runnable_assurance.sh fails at the OPA policy tests
step because OPA is not installed. Update the "Last result" column for the "Full
assurance suite" row to reflect the actual failure output (e.g., "FAIL: opa:
command not found" or similar), or alternatively ensure all required
dependencies including OPA, TLC, terraform, node, and python3 packages are
properly installed and available in the environment so the command can execute
successfully and produce the claimed result. Verify that all other commands in
the verification ledger table also execute correctly and produce their claimed
outputs before updating their results.

---

Nitpick comments:
In `@governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md`:
- Around line 65-83: The ASCII architecture diagram code block starting at line
65 does not have a language identifier in its opening fence. Add a language
identifier such as `text` or `ascii` immediately after the opening triple
backticks (e.g., change the opening fence from ``` to ```text) to improve
markdown linting compliance and readability of the diagram block.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d24fab33-4acc-4150-98d5-389a2fd351e2

📥 Commits

Reviewing files that changed from the base of the PR and between 2dcd7c1 and 41f1edf.

📒 Files selected for processing (1)
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md

Comment thread governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
Comment thread governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
@difflens

difflens Bot commented Jun 22, 2026

Copy link
Copy Markdown

View changes in DiffLens

@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Update — follow-on hardening (commit 8892373)

Three concrete follow-ups, all verified:

1. Roadmap phases 5–8 promoted to first-class

governance_blueprint/roadmap_2026_2035.yaml now has 9 first-class segments (phase_0..phase_8, 2026–2035), each with feasibility_tier, objectives, exit_criteria, and a gating precondition for the Tier C/D phases. (Previously phases 5–8 were loose extension: entries.) YAML parses clean.

2. Runnable 2028 pilot acceptance-gate checklist

governance_artifacts/pilot/run_pilot_acceptance_gates.py operationalizes decadal-plan §14. It actually executes the 6 Tier‑A gates (terraform validate, OPA gates, PQC WORM tamper, containment TLC, zk relayer, full assurance) and reports the 6 Tier‑B/hardware gates as PENDING-EVIDENCE with precise criteria — never faked. Current: 6/6 automated gates PASS.

3. Dashboard High-severity findings closed (DASH-01/02/03/05/08)

  • New lib/auth/session.ts (HMAC-signed tokens, principal derived server-side only, constant-time verify, expiry) + lib/http/guard.ts (16 KiB body cap, safe JSON, SSE-injection sanitizer).
  • DASH-01 IDOR closed (consent export requires ownership or dpo); DASH-02 consent identity bound to principal; DASH-03 chat authn + body cap, unauthenticated GET text-gen removed; DASH-05 moderation block now enforced; DASH-08 intent route hardened.
  • Tests rewritten to assert the fixed behaviour: vitest 14/14 pass. My new files typecheck clean (0 TS errors); pre-existing repo TS errors untouched.

Regression: bash governance_artifacts/run_runnable_assurance.sh11/11 PASS.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New security issues found

Comment thread governance_artifacts/pilot/run_pilot_acceptance_gates.py
@difflens

difflens Bot commented Jun 22, 2026

Copy link
Copy Markdown

View changes in DiffLens

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (3)
next-app/app/api/consent/route.ts (1)

36-36: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Redundant type cast.

new Date().toISOString() already returns string, so the as unknown as string cast is unnecessary.

-    ts: new Date().toISOString() as unknown as string,
+    ts: new Date().toISOString(),
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@next-app/app/api/consent/route.ts` at line 36, The ts property assignment in
the consent route includes a redundant type cast `as unknown as string` after
calling `new Date().toISOString()`. Since the toISOString() method already
returns a string type, the explicit cast is unnecessary and should be removed.
Simply replace the line to use `ts: new Date().toISOString()` without any type
annotations.
next-app/app/api/intent/route.ts (1)

18-21: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider rejecting empty message for consistency.

The chat route rejects empty strings with message.length === 0, but this route only checks typeof message !== 'string'. An empty string would pass validation and return 'casual'. While not harmful, aligning validation behavior across routes aids maintainability.

-  if (typeof message !== 'string') {
+  if (typeof message !== 'string' || message.length === 0) {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@next-app/app/api/intent/route.ts` around lines 18 - 21, The message
validation in the intent route only checks for type but not for empty strings,
whereas the chat route validates for empty strings using message.length === 0.
Add an additional validation check after the typeof validation for the message
variable to reject empty strings and return a 400 response with an appropriate
error message, ensuring consistency with the chat route's validation behavior.
governance_artifacts/pilot/run_pilot_acceptance_gates.py (1)

107-118: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Unused variable in tuple unpacking.

Line 109 unpacks rc from the _run() return value but never uses it. The return code is ignored in favor of checking the output text for "No error has been found".

Consider using _ to indicate the value is intentionally ignored.

♻️ Proposed fix
 def check_containment_tlc() -> tuple[bool, str]:
     jar = GA / "tla" / "tools" / "tla2tools.jar"
-    rc, out = _run(
+    _, out = _run(
         ["java", "-cp", str(jar), "tlc2.TLC",
          "-config", str(GA / "tla" / "SentinelContainmentProtocol.cfg"),
          str(GA / "tla" / "SentinelContainmentProtocol.tla")],
         timeout=300,
     )
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@governance_artifacts/pilot/run_pilot_acceptance_gates.py` around lines 107 -
118, In the check_containment_tlc() function, the return code variable rc is
unpacked from the _run() call but never used since the function only checks the
output text for error messages. Replace rc with an underscore (_) in the tuple
unpacking statement to indicate the value is intentionally ignored and follows
Python convention for unused variables.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@governance_artifacts/pilot/run_pilot_acceptance_gates.py`:
- Line 28: The os module is imported at the top of the
run_pilot_acceptance_gates.py file but is never used anywhere in the script.
Remove the import os statement to clean up unused imports and improve code
clarity.

In `@governance_blueprint/roadmap_2026_2035.yaml`:
- Around line 70-117: The validator function `validate_roadmap_2035_shape()` in
governance_blueprint/validation/validate_artifacts.py accumulates validation
errors throughout its execution but fails to return them, instead returning None
implicitly. Add a `return errors` statement at the end of the function after
line 299 to ensure that accumulated validation errors are properly propagated to
the caller and validation failures are correctly reported instead of silently
passing.

---

Nitpick comments:
In `@governance_artifacts/pilot/run_pilot_acceptance_gates.py`:
- Around line 107-118: In the check_containment_tlc() function, the return code
variable rc is unpacked from the _run() call but never used since the function
only checks the output text for error messages. Replace rc with an underscore
(_) in the tuple unpacking statement to indicate the value is intentionally
ignored and follows Python convention for unused variables.

In `@next-app/app/api/consent/route.ts`:
- Line 36: The ts property assignment in the consent route includes a redundant
type cast `as unknown as string` after calling `new Date().toISOString()`. Since
the toISOString() method already returns a string type, the explicit cast is
unnecessary and should be removed. Simply replace the line to use `ts: new
Date().toISOString()` without any type annotations.

In `@next-app/app/api/intent/route.ts`:
- Around line 18-21: The message validation in the intent route only checks for
type but not for empty strings, whereas the chat route validates for empty
strings using message.length === 0. Add an additional validation check after the
typeof validation for the message variable to reject empty strings and return a
400 response with an appropriate error message, ensuring consistency with the
chat route's validation behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 59df18ae-d3a2-4487-bca9-8b1e3502da69

📥 Commits

Reviewing files that changed from the base of the PR and between 41f1edf and 8892373.

📒 Files selected for processing (11)
  • governance_artifacts/pilot/README.md
  • governance_artifacts/pilot/run_pilot_acceptance_gates.py
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
  • governance_blueprint/roadmap_2026_2035.yaml
  • next-app/DASHBOARD_SECURITY_REVIEW.md
  • next-app/__tests__/dashboard_security_review.test.ts
  • next-app/app/api/chat/stream/route.ts
  • next-app/app/api/consent/route.ts
  • next-app/app/api/intent/route.ts
  • next-app/lib/auth/session.ts
  • next-app/lib/http/guard.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md

Comment thread governance_artifacts/pilot/run_pilot_acceptance_gates.py
Comment thread governance_blueprint/roadmap_2026_2035.yaml
@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Round 3 update — OSCAL catalog conformance (12th assurance check)

Commit 13eb3225 closes a real compliance-as-code integrity gap: the OSCAL control catalogs carried machine-readable cross-references that nothing actually verified, and the regime #href links were in fact dangling (the catalogs had no back-matter). A catalog can be valid JSON and still rot — a tla-spec pointing at a renamed module, a circuit with no .circom file, a regime link resolving to nothing.

New artifact — governance_artifacts/oscal/oscal_conformance.py
For every control in every catalog under oscal/, runs 8 falsifiable checks:

Check What it proves
C1 OSCAL 1.1.2 structure (catalog/metadata/groups; each control has id + statement)
C2 feasibility-tier ∈ {A,B,C,D}
C3 freshness-sla is a valid ISO-8601 duration (or P.../P... retest pair)
C4 tla-spec resolves to a real .tla module (handles Module::label)
C5 rego-policy resolves to a real declared Rego package
C6 circuit logical id resolves via registry to a real .circom file
C7 simulator path exists on disk
C8 every internal #href resolves to a back-matter anchor (no dangling)

Result on the repo catalogs: 43 passed, 0 failed across 2 catalogs. --json for machine output; non-zero exit on any failure.

Closing the dangling-reference gap honestly: both catalogs now carry back-matter resources defining each regime anchor (EU AI Act Art. 12/14/15, DORA ICT-risk/resilience, Basel op-risk, NIST AI RMF MEASURE, SR 11-7) plus Tier-C/D design fixtures (GAIRA, ICGC/GACP, supervisory scenario) explicitly remarked as speculative — so every regime link now resolves.

Wired in:

  • run_runnable_assurance.sh → renumbered to 12 steps; step 12 runs the validator. Suite now 12/12 PASS.
  • tests/governance/test_governance_artifacts.py → +2 tests: a positive (repo catalogs conform) and a negative (a catalog with a dangling href / bad tla-spec / bad tier / bad SLA fails with exit 1) — proving the check is not vacuous.
  • CI unit-test job runs the OSCAL pytest (-k oscal).
  • Docs synced to 12/12: RUNNABLE_ASSURANCE.md (new row 12), DECADAL plan (verification ledger + counts), pilot P6-REPRO + README.

Verification (all green before push):

  • run_runnable_assurance.sh12/12 PASS
  • run_pilot_acceptance_gates.py6/6 automated PASS, 6 manual PENDING-EVIDENCE
  • pytest tests/governance/test_governance_artifacts.py12/12 PASS (incl. negative falsifiability test)

Integrity note: Tier A — this verifies in-repo cross-reference integrity only. It does not assert the named regimes are satisfied in production; it asserts the catalog's claims are internally consistent and anchored to real, runnable artifacts.

@codacy-production

codacy-production Bot commented Jun 24, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🔴 Issues 2 critical · 14 high · 17 medium · 67 minor

Alerts:
⚠ 100 issues (≤ 0 issues of at least minor severity)

Results:
100 new issues

Category Results
UnusedCode 3 medium
BestPractice 18 minor
Documentation 37 minor
ErrorProne 10 high
Security 4 high
CodeStyle 7 minor
Complexity 5 minor
2 critical
11 medium
Performance 3 medium

View in Codacy

🟢 Metrics 330 complexity · 10 duplication

Metric Results
Complexity 330
Duplication 10

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@difflens

difflens Bot commented Jun 24, 2026

Copy link
Copy Markdown

View changes in DiffLens

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
governance_artifacts/run_runnable_assurance.sh (1)

129-134: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Step 12 only checks exit status, not the expected output line.

Unlike Steps 5–7 which add && grep -q "..." as a content guard, Step 12 passes on a zero exit alone, then greps the message only for display. Since the validator returns non-zero on failure this is functionally safe, but for parity with the other content-asserting steps consider guarding on the OSCAL conformance: line too.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@governance_artifacts/run_runnable_assurance.sh` around lines 129 - 134, Step
12 in run_runnable_assurance.sh only verifies the Python command’s exit status
and then uses grep just for reporting, unlike the earlier validation steps that
also assert on the expected message. Update the OSCAL conformance check around
the oscal_conformance.py invocation so it also guards on the presence of the
“OSCAL conformance:” output line before calling pass, matching the pattern used
in Steps 5–7 and keeping the check consistent with the rest of the script.
governance_artifacts/oscal/oscal_conformance.py (1)

96-101: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

_iso_duration_ok accepts empty/degenerate durations.

_ISO_DUR makes every component optional, so "PT" (and "P" inside a "P.../P..." pair, e.g. "P/P90D") match. The explicit value == "P" guard only covers the whole, unsplit value, so degenerate parts in a periodic/retest pair slip through C3.

♻️ Reject degenerate parts per-segment
 def _iso_duration_ok(value: str) -> bool:
-    if value == "P":
-        return False
-    # Allow a "periodic/retest" pair like P1D/P90D.
-    parts = value.split("/")
-    return all(bool(_ISO_DUR.match(p)) for p in parts) and all(parts)
+    # Allow a "periodic/retest" pair like P1D/P90D; reject empty/degenerate parts.
+    parts = value.split("/")
+    return bool(parts) and all(
+        p not in ("", "P", "PT") and bool(_ISO_DUR.match(p)) for p in parts
+    )
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@governance_artifacts/oscal/oscal_conformance.py` around lines 96 - 101, The
_iso_duration_ok helper currently lets degenerate ISO duration segments like PT
or P inside a periodic/retest pair pass because it only special-cases the whole
value and then checks the split parts with _ISO_DUR. Update _iso_duration_ok so
each segment in the split value is validated as a non-empty, non-degenerate
duration, not just matched against _ISO_DUR; use the existing _ISO_DUR and the
_iso_duration_ok function to reject empty or bare-P/bare-PT parts in both single
and paired forms.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@governance_artifacts/oscal/oscal_conformance.py`:
- Around line 96-101: The _iso_duration_ok helper currently lets degenerate ISO
duration segments like PT or P inside a periodic/retest pair pass because it
only special-cases the whole value and then checks the split parts with
_ISO_DUR. Update _iso_duration_ok so each segment in the split value is
validated as a non-empty, non-degenerate duration, not just matched against
_ISO_DUR; use the existing _ISO_DUR and the _iso_duration_ok function to reject
empty or bare-P/bare-PT parts in both single and paired forms.

In `@governance_artifacts/run_runnable_assurance.sh`:
- Around line 129-134: Step 12 in run_runnable_assurance.sh only verifies the
Python command’s exit status and then uses grep just for reporting, unlike the
earlier validation steps that also assert on the expected message. Update the
OSCAL conformance check around the oscal_conformance.py invocation so it also
guards on the presence of the “OSCAL conformance:” output line before calling
pass, matching the pattern used in Steps 5–7 and keeping the check consistent
with the rest of the script.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 99806dcb-3321-48b5-b5e5-26038d9914a6

📥 Commits

Reviewing files that changed from the base of the PR and between 15d6734 and 13eb322.

📒 Files selected for processing (10)
  • .github/workflows/runnable-assurance.yml
  • governance_artifacts/RUNNABLE_ASSURANCE.md
  • governance_artifacts/oscal/catalog_sentinel_v24_env_rte.json
  • governance_artifacts/oscal/catalog_sentinel_v24_excerpt.json
  • governance_artifacts/oscal/oscal_conformance.py
  • governance_artifacts/pilot/README.md
  • governance_artifacts/pilot/run_pilot_acceptance_gates.py
  • governance_artifacts/run_runnable_assurance.sh
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
  • tests/governance/test_governance_artifacts.py
✅ Files skipped from review due to trivial changes (4)
  • governance_artifacts/oscal/catalog_sentinel_v24_excerpt.json
  • governance_artifacts/RUNNABLE_ASSURANCE.md
  • governance_artifacts/pilot/README.md
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/runnable-assurance.yml
  • governance_artifacts/pilot/run_pilot_acceptance_gates.py

…check)

Turns the now-verified OSCAL catalogs + live assurance evidence into an
auto-assembled EU AI Act Annex IV technical-documentation dossier — the
regulator deliverable the compliance-as-code stack was built to produce.

New artifacts:
- governance_artifacts/oscal/annex_iv_section_map.yaml: auditable bridge mapping
  each Annex IV section (A-H) to the OSCAL control ids that evidence it, plus a
  provider narrative. Control ids must exist in a catalog (no dangling refs).
- governance_artifacts/oscal/generate_annex_iv_dossier.py: assembles an
  OSCAL-flavoured JSON dossier + human-readable Markdown. For each section it
  resolves controls, pulls statement/tier/SLA/regime-citation/evidence-query,
  and attaches LIVE evidence by running each control's backing assurance check
  (TLA+ TLC, PQC WORM pytest, zk proof, routing simulator). Honesty model:
    * SATISFIED only when a mapped control's runnable check passed in this run;
    * PARTIAL when runnable-backed but not green this run;
    * PENDING-EVIDENCE for organisational/hardware-dependent evidence (e.g.
      env-02 enclave key custody, reported truthfully as n/a organisational).
  Refuses to assemble on a non-conformant catalog or an unknown control id.
  Embeds an integrity statement: assembly-integrity artifact, NOT a conformity
  assessment; does not assert the institution is compliant.
  Result on repo: 8/8 sections SATISFIED, catalog conformance 0 failures.
- governance_artifacts/oscal/generated/annex_iv_dossier.{json,md}: sample output.
- governance_artifacts/oscal/README.md: documents the OSCAL tooling + honesty model.

Wired in:
- run_runnable_assurance.sh: renumbered to 13 steps; step 13 verifies the dossier
  assembles end-to-end (8 sections A-H, 0 conformance failures). Suite 13/13 PASS.
- tests/governance/test_governance_artifacts.py: +3 tests — all section-map
  controls resolve; live-evidence assembly (SATISFIED implies a green check;
  integrity statement disclaims conformity); --no-verify never fabricates
  SATISFIED. Governance pytest 15/15.
- CI: unit-test job runs '-k "oscal or annex"'; new steps assemble the dossier
  with live evidence and upload it as a build artifact (annex-iv-dossier).
- Docs synced to 13/13: RUNNABLE_ASSURANCE.md (new row 13 + count), DECADAL plan
  (ledger + counts), pilot P6-REPRO + README.

Tier A (assembly integrity). Regression: assurance 13/13 PASS; pilot 6/6
automated; governance pytest 15/15.
@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Round 4 update — OSCAL-native Annex IV dossier generator (13th assurance check)

Commit 816e1209 delivers the regulator deliverable the compliance-as-code stack was built to produce: an auto-assembled EU AI Act Annex IV technical-documentation dossier, built only from the now-verified OSCAL catalogs + live assurance evidence.

New artifacts

  • governance_artifacts/oscal/annex_iv_section_map.yaml — auditable bridge mapping each Annex IV section (A–H) → the OSCAL control ids that evidence it, plus a provider narrative. Referenced control ids must exist in a catalog (no dangling refs).
  • governance_artifacts/oscal/generate_annex_iv_dossier.py — assembles an OSCAL-flavoured JSON dossier + human-readable Markdown. For each section it resolves controls, pulls statement / feasibility-tier / SLA / resolved regime citation / evidence-query, and attaches live evidence by running each control's backing check (TLA+ TLC, PQC WORM pytest, zk proof, routing simulator).
  • governance_artifacts/oscal/generated/annex_iv_dossier.{json,md} — sample output.
  • governance_artifacts/oscal/README.md — documents the tooling + honesty model.

Honesty model (no overclaiming)

Status Meaning
SATISFIED ≥1 mapped control whose runnable check passed in this run
PARTIAL runnable-backed but not green this run
PENDING-EVIDENCE organisational / hardware-dependent evidence not yet attached (e.g. env-02 enclave key custody — reported truthfully as n/a (organisational))

The generator refuses to assemble on a non-conformant catalog or an unknown control id, and embeds an integrity statement: assembly-integrity artifact, NOT a conformity assessment; does not assert the institution is compliant. Result on the repo: 8/8 sections SATISFIED, catalog conformance 0 failures.

Wired in

  • run_runnable_assurance.sh → renumbered to 13 steps; step 13 verifies the dossier assembles end-to-end (8 sections A–H, 0 conformance failures). Suite 13/13 PASS.
  • tests/governance/... → +3 tests: all section-map controls resolve; SATISFIED implies a green check + integrity statement disclaims conformity; --no-verify never fabricates SATISFIED. Governance pytest 15/15.
  • CI → unit-test job runs -k "oscal or annex"; new steps assemble the dossier with live evidence and upload it as a build artifact (annex-iv-dossier).
  • Docs synced to 13/13 (RUNNABLE_ASSURANCE.md, DECADAL plan ledger + counts, pilot P6-REPRO + README).

Verification (green before push)

  • run_runnable_assurance.sh13/13 PASS
  • generate_annex_iv_dossier.py8/8 sections SATISFIED, 0 conformance failures
  • pytest tests/governance/test_governance_artifacts.py15/15 PASS
  • run_pilot_acceptance_gates.py6/6 automated PASS, 6 manual PENDING-EVIDENCE

Integrity note: Tier A — assembly integrity. Proves the dossier is built only from real controls and currently-passing checks; it is not a conformity assessment.

@difflens

difflens Bot commented Jun 25, 2026

Copy link
Copy Markdown

View changes in DiffLens

1 similar comment
@difflens

difflens Bot commented Jun 25, 2026

Copy link
Copy Markdown

View changes in DiffLens

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/runnable-assurance.yml:
- Line 106: The workflow step using actions/upload-artifact is pinned to a
mutable tag, so update the runnable-assurance workflow to reference
actions/upload-artifact by an immutable commit SHA instead of v4. Locate the
upload step in the workflow and replace the current uses value with the specific
SHA for the same major version so the action reference cannot change
unexpectedly.

In `@governance_artifacts/oscal/generate_annex_iv_dossier.py`:
- Around line 179-185: The build_dossier flow currently loads catalog bodies via
_load_catalogs before checking OSCAL validity, so a malformed catalog can fail
early instead of using the validator report path. Update build_dossier to call
_run_conformance before _load_catalogs, then only hydrate catalogs/controls
after conformance passes; keep the existing control-loading logic and use the
build_dossier and _run_conformance symbols to locate the change.

In `@governance_artifacts/run_runnable_assurance.sh`:
- Around line 137-149: Step 13 is only checking dossier shape because
run_runnable_assurance.sh invokes generate_annex_iv_dossier.py with --no-verify,
so build_dossier() never exercises backing checks or live SATISFIED evidence.
Update this step to run the generator through the verified path and assert the
evidence/status fields from the resulting dossier, or if that is not intended,
adjust the step’s assertion/message and related RUNNABLE_ASSURANCE wording to
claim only assembly structure. Use the generate_annex_iv_dossier.py invocation
and the d["dossier"] assertions as the place to align the test with the
documented live-evidence behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 25d4b8f6-e081-4205-89b2-185c781b3312

📥 Commits

Reviewing files that changed from the base of the PR and between 13eb322 and 816e120.

⛔ Files ignored due to path filters (2)
  • governance_artifacts/oscal/generated/annex_iv_dossier.json is excluded by !**/generated/**
  • governance_artifacts/oscal/generated/annex_iv_dossier.md is excluded by !**/generated/**
📒 Files selected for processing (10)
  • .github/workflows/runnable-assurance.yml
  • governance_artifacts/RUNNABLE_ASSURANCE.md
  • governance_artifacts/oscal/README.md
  • governance_artifacts/oscal/annex_iv_section_map.yaml
  • governance_artifacts/oscal/generate_annex_iv_dossier.py
  • governance_artifacts/pilot/README.md
  • governance_artifacts/pilot/run_pilot_acceptance_gates.py
  • governance_artifacts/run_runnable_assurance.sh
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
  • tests/governance/test_governance_artifacts.py
✅ Files skipped from review due to trivial changes (4)
  • governance_artifacts/pilot/README.md
  • governance_artifacts/oscal/annex_iv_section_map.yaml
  • governance_artifacts/RUNNABLE_ASSURANCE.md
  • governance_artifacts/oscal/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • governance_artifacts/pilot/run_pilot_acceptance_gates.py

Comment thread .github/workflows/runnable-assurance.yml
Comment thread governance_artifacts/oscal/generate_annex_iv_dossier.py
Comment thread governance_artifacts/run_runnable_assurance.sh Outdated
…egister + NIST AI RMF crosswalk (14th & 15th assurance checks)

One verified OSCAL 1.1.2 catalog (source of truth) -> multiple regulator
deliverables. Extends the round-4 Annex IV dossier generator to two more
frameworks, all assembled from the same conformance-verified catalog + live
re-run evidence.

New shared engine:
- crosswalk_common.py: load_catalogs, CONTROL_EVIDENCE, run_conformance
  (refuses to assemble against a non-conformant catalog), EvidenceRunner
  (re-runs each control's backing assurance check this run), status_for
  (SATISFIED / PARTIAL / PENDING-EVIDENCE), resolve_controls.

New deliverables (Tier A, runnable):
- generate_dora_ict_register.py + dora_framework_map.yaml: DORA
  (Reg. (EU) 2022/2554) 5-pillar ICT-risk register. Result 3/5 pillars
  SATISFIED; P4 (third-party) and P5 (info-sharing) reported as HONEST
  coverage gaps (is_coverage_gap=true, PENDING-EVIDENCE), not hidden.
- generate_nist_rmf_crosswalk.py + nist_ai_rmf_map.yaml: NIST AI RMF 1.0
  4-function (GOVERN/MAP/MEASURE/MANAGE) crosswalk with per-function
  coverage analysis. Result 4/4 functions SATISFIED (100%).
- generated/{dora_ict_register,nist_ai_rmf_crosswalk}.{json,md} samples.

Honesty guarantees (preserved): each generator embeds an integrity_statement
('not a DORA conformity attestation' / 'not a certification'); both refuse a
non-conformant catalog and raise on unknown control ids (falsifiable —
negative tests confirm exit 1).

Wiring:
- run_runnable_assurance.sh: 13 -> 15 steps (14=DORA, 15=NIST), using
  --no-verify --print piped to inline python validators.
- tests/governance: +3 tests (18 total): DORA gaps reported, NIST full
  coverage with live evidence, and --no-verify does not fabricate SATISFIED.
- CI: pytest selector adds dora/nist/crosswalk; assembles all 3 deliverables
  and uploads them as the 'regulator-deliverables' artifact.

Docs synced: RUNNABLE_ASSURANCE.md (rows 14-15, thirteen->fifteen), DECADAL
plan (13/13 -> 15/15 + 2 verification-ledger rows), pilot P6-REPRO 15/15,
oscal/README.md.

Verification (this commit):
- bash governance_artifacts/run_runnable_assurance.sh -> 15/15 PASS
- pytest tests/governance/test_governance_artifacts.py -> 18 passed
- pilot acceptance gates -> 6/6 automated PASS (P6-REPRO 15/15)
- DORA 3/5 SATISFIED (P4/P5 gaps); NIST 4/4 SATISFIED (100%);
  catalog conformance 0 failures for both.
@difflens

difflens Bot commented Jun 27, 2026

Copy link
Copy Markdown

View changes in DiffLens

@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Round 5 — Multi-framework regulator deliverables (DORA + NIST AI RMF)

Theme: one verified OSCAL 1.1.2 catalog (single source of truth) → multiple regulator deliverables. This extends the round-4 EU AI Act Annex IV dossier generator to two additional frameworks, all auto-assembled from the same conformance-verified catalog + live re-run evidence.

What shipped (Tier A — runnable, verified this commit)

  • Shared crosswalk engine crosswalk_common.pyload_catalogs, CONTROL_EVIDENCE, run_conformance (refuses to assemble against a non-conformant catalog), EvidenceRunner (re-runs each control's backing assurance check this run), status_for (SATISFIED / PARTIAL / PENDING-EVIDENCE), resolve_controls.
  • DORA ICT-risk register generate_dora_ict_register.py + dora_framework_map.yaml — DORA (Reg. (EU) 2022/2554) 5-pillar register. 3/5 pillars SATISFIED; P4 (third-party) and P5 (info-sharing) reported as honest coverage gaps (is_coverage_gap: true, PENDING-EVIDENCE) — not hidden.
  • NIST AI RMF crosswalk generate_nist_rmf_crosswalk.py + nist_ai_rmf_map.yaml — NIST AI RMF 1.0 4-function (GOVERN/MAP/MEASURE/MANAGE) crosswalk with per-function coverage analysis. 4/4 functions SATISFIED (100%).
  • Sample outputs committed under governance_artifacts/oscal/generated/.

Honesty guarantees (preserved)

  • Each generator embeds an integrity_statement ("not a DORA conformity attestation" / "not a certification").
  • Both refuse a non-conformant catalog and raise on unknown control ids — falsifiable; negative tests confirm exit 1.
  • DORA P4/P5 gaps are surfaced explicitly, not papered over.

Wiring

  • run_runnable_assurance.sh: 13 → 15 steps (14 = DORA, 15 = NIST).
  • tests/governance: +3 tests → 18 total (DORA gaps reported, NIST full coverage with live evidence, --no-verify does not fabricate SATISFIED).
  • CI: pytest selector adds dora/nist/crosswalk; assembles all 3 deliverables and uploads them as the regulator-deliverables artifact.
  • Docs synced: RUNNABLE_ASSURANCE.md (rows 14-15, "thirteen"→"fifteen"), DECADAL plan (13/13 → 15/15 + 2 verification-ledger rows), pilot P6-REPRO 15/15, oscal/README.md.

Verification (this commit 58c87d87)

Check Command Result
Full assurance suite bash governance_artifacts/run_runnable_assurance.sh 15/15 PASS
Governance tests pytest tests/governance/test_governance_artifacts.py 18 passed
Pilot acceptance gates python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py 6/6 automated PASS (P6-REPRO 15/15)
DORA register generate_dora_ict_register.py 3/5 pillars SATISFIED; P4/P5 gaps; 0 conformance failures
NIST crosswalk generate_nist_rmf_crosswalk.py 4/4 functions SATISFIED (100%); 0 conformance failures

Honesty note: these are assembly-integrity artifacts, not conformity assessments / certifications. ASI "containment" remains a control discipline, not a safety proof.

…ckage & distribute the stack (16th assurance check)

Adds the 'finalize, package, and distribute' step the stack has been building
toward: instead of asserting regulator-readiness in prose, this PRODUCES an
auditable, tamper-evident distribution bundle whose contents are exactly the
artifacts that passed THIS run.

New tool — governance_artifacts/package_distribution_bundle.py:
- Re-runs the 3 OSCAL-native regulator-deliverable generators with LIVE
  evidence (Annex IV dossier, DORA ICT-risk register, NIST AI RMF crosswalk).
- Collects all 6 deliverable artifacts (JSON+MD) into governance_artifacts/dist/.
- Emits MANIFEST.json: per-artifact SHA-256 + byte size, the live
  SATISFIED/PARTIAL/PENDING-EVIDENCE status per unit, declared coverage gaps,
  and a single bundle_sha256 = SHA-256 over the sorted per-artifact digests
  (whole-bundle tamper evidence).
- Writes a regulator-facing DISTRIBUTION_README.md + a guided
  EXECUTION_CHECKLIST.md (command-by-command independent reproduction).
- --with-suite runs the full runnable-assurance suite and gates on it.

Honesty guarantees (falsifiable):
- REFUSES to package (exit 1) if any deliverable reports a catalog-conformance
  failure — verified by a negative test (monkeypatched conformance failure).
- bundle_sha256 recomputes from the per-artifact digests (verified in suite + test).
- Coverage gaps (DORA P4/P5) are reported, never inflated to SATISFIED.
- Explicitly an assembly-integrity + reproducibility bundle, NOT a conformity
  assessment, certification, or safety proof; ASI containment is a control
  discipline, not a guarantee.

Result this run: 6 artifacts across 3 deliverables; 15/17 units SATISFIED;
2 declared gaps (DORA P4/P5); all catalogs conformant.

Wiring:
- run_runnable_assurance.sh: 15 -> 16 steps (step 16 packages the bundle,
  --no-regenerate --print, asserts 3 deliverables / 6 artifacts / digest
  recomputes / all conformant).
- tests/governance: +3 tests -> 21 total (manifest tamper-evidence, DORA gaps
  not hidden, refuses non-conformant deliverable).
- CI: pytest selector adds 'bundle'; packages bundle with --with-suite and
  uploads it as the 'distribution-bundle' artifact (dist/ stays gitignored —
  fully reproducible output).

Docs synced: RUNNABLE_ASSURANCE.md (row 16, fifteen->sixteen), DECADAL plan
(15/15 -> 16/16 + verification-ledger row), pilot P6-REPRO 16/16,
governance_artifacts/README.md (package & distribute section), oscal/README.md.

Verification (this commit):
- bash governance_artifacts/run_runnable_assurance.sh -> 16/16 PASS
- pytest tests/governance/test_governance_artifacts.py -> 21 passed
- pilot acceptance gates -> 6/6 automated PASS (P6-REPRO 16/16)
@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Round 6 — Verified distribution-bundle packager (finalize, package & distribute)

This round closes the one gap your "finalize, package, and distribute" ask highlighted that was thinner than everything else: the stack had many deliverable generators but no single command that assembles the complete, verified, regulator-facing distribution bundle. Now it does — and the bundle's contents are exactly the artifacts that passed this run, each pinned by SHA-256.

What shipped (Tier A — runnable, verified this commit 3f9e4d00)

  • governance_artifacts/package_distribution_bundle.py — re-runs the 3 OSCAL-native deliverable generators with live evidence, collects all 6 artifacts into dist/, and emits:
    • MANIFEST.json — per-artifact SHA-256 + size, per-unit live status (SATISFIED / PARTIAL / PENDING-EVIDENCE), declared coverage gaps, and a single bundle_sha256 = SHA-256 over the sorted per-artifact digests (whole-bundle tamper evidence).
    • DISTRIBUTION_README.md — regulator-facing summary.
    • EXECUTION_CHECKLIST.md — guided, command-by-command independent reproduction.
  • --with-suite runs the full 16-check assurance suite and gates the bundle on it.

Result this run

  • 6 artifacts across 3 deliverables; 15/17 units SATISFIED; 2 declared gaps (DORA P4/P5); all source catalogs conformant.

Honesty guarantees (falsifiable)

  • Refuses to package (exit 1) if any deliverable reports a catalog-conformance failure — proven by a negative test (monkeypatched failure).
  • bundle_sha256 recomputes from the per-artifact digests (asserted in both the suite step and a pytest test).
  • Coverage gaps are reported, never inflated to SATISFIED.
  • Embedded statement: this is an assembly-integrity + reproducibility bundle, NOT a conformity assessment, certification, or safety proof. ASI containment remains a control discipline, not a guarantee.

Wiring

  • run_runnable_assurance.sh: 15 → 16 steps (step 16 = bundle packaging).
  • tests/governance: +3 tests → 21 total (tamper-evidence, DORA gaps not hidden, refuses non-conformant).
  • CI: pytest selector adds bundle; packages with --with-suite and uploads the distribution-bundle artifact (dist/ stays gitignored — fully reproducible output).
  • Docs synced: RUNNABLE_ASSURANCE.md (row 16, "fifteen"→"sixteen"), DECADAL plan (15/15 → 16/16 + ledger row), pilot P6-REPRO 16/16, governance_artifacts/README.md (package & distribute section), oscal/README.md.

Verification (this commit)

Check Command Result
Full assurance suite bash governance_artifacts/run_runnable_assurance.sh 16/16 PASS
Governance tests pytest tests/governance/test_governance_artifacts.py 21 passed
Pilot acceptance gates python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py 6/6 automated PASS (P6-REPRO 16/16)
Distribution bundle python3 governance_artifacts/package_distribution_bundle.py --with-suite 6 artifacts, digest recomputes, all conformant, assurance PASS

A note on scope

Most of the very broad roadmap in the request (zero-trust architecture, confidential-computing attestation, StaR-MoE routing, PQC WORM, zk systemic-risk proofs, TLA+ containment, OSCAL/OPA compliance-as-code, Terraform multi-region, G-SRI, 2028 pilot, 24h monitoring, etc.) already exists as runnable, verified artifacts in this repo from earlier rounds. Rather than re-describe them in prose, this round added the missing packaging/distribution capstone that ties those verified artifacts into one auditable deliverable a G-SIFI could hand to a supervisor.

@difflens

difflens Bot commented Jun 29, 2026

Copy link
Copy Markdown

View changes in DiffLens

…le (content_digest)

Closes a real honesty gap in the round-6 packager: the EXECUTION_CHECKLIST
claimed the bundle digest "matches the value above (timestamps aside)", but
bundle_sha256 in fact changed on EVERY regeneration because each deliverable
embeds a fresh generated_at timestamp. A supervisor following the checklist
would get a different digest each run, undermining the reproducibility claim.

Root cause (verified): the ONLY non-deterministic content in a deliverable is
the ISO-8601 generated_at instant (JSON "generated_at" + Markdown
**Generated:**). All live evidence and everything else is byte-stable.

Fix - two distinct digests, each with a clear purpose:
- bundle_sha256 (provenance / tamper-evidence): SHA-256 over the sorted
  per-artifact BYTE digests. Pins THIS exact build; changes each run. Use to
  detect tampering with a specific distributed bundle.
- content_digest (reproducibility): SHA-256 over the sorted per-artifact
  digests with embedded ISO-8601 instants normalized to a fixed sentinel.
  Depends only on the catalog + live-evidence state, so an independent party
  who re-runs the generators derives the SAME value. VERIFIED stable across 3+
  regenerations (f6fa38c7...) while bundle_sha256 varies.

Each artifact entry now carries both sha256 and content_sha256.

Honesty wording corrected:
- DISTRIBUTION_README.md: new 'Two digests, two purposes' section.
- EXECUTION_CHECKLIST.md: step 4 now says compare the CONTENT digest (stable),
  not bundle_sha256; step 5 adds a runnable standalone command to recompute an
  artifact's content_sha256 (verified to match the manifest).

Wiring:
- run_runnable_assurance.sh step 16: now asserts BOTH digests recompute and
  that they are distinct.
- tests/governance: +2 tests -> 23 total: content_digest reproducible across
  regenerations + recomputes; timestamp normalization changes byte digest only
  (falsifiable - a real content change still moves the normalized digest).
- RUNNABLE_ASSURANCE.md row 16, governance_artifacts/README.md, DECADAL ledger
  row updated to document the two-digest model.

Verification (this commit):
- bash governance_artifacts/run_runnable_assurance.sh -> 16/16 PASS
- pytest tests/governance/test_governance_artifacts.py -> 23 passed
- pilot acceptance gates -> 6/6 automated PASS
- content_digest stable across 3 regenerations; bundle_sha256 varies as intended
@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Round 7 — Deterministically reproducible distribution bundle (honesty fix)

This round fixes a real honesty gap I found in the round-6 packager rather than adding new surface. It follows the project's core rule: when a claim isn't actually true, fix it transparently, don't paper over it.

The gap

The round-6 EXECUTION_CHECKLIST.md told a supervisor that after re-packaging, the bundle digest "matches the value above (timestamps aside)." In reality, bundle_sha256 changed on every single regeneration — because each deliverable embeds a fresh generated_at timestamp. A supervisor following the checklist would get a different digest each run, which quietly undermined the whole reproducibility/tamper-evidence claim.

I verified this directly: three regenerations produced three different bundle_sha256 values.

Root cause (verified)

The only non-deterministic content in a deliverable is the ISO-8601 generated_at instant (JSON "generated_at" + Markdown **Generated:**). Everything else — including all live evidence — is byte-stable.

The fix — two digests, two clearly-separated purposes

  • bundle_sha256 (provenance / tamper-evidence) — SHA-256 over the sorted per-artifact byte digests. Pins this exact build; changes each run. Detects tampering with a specific distributed bundle.
  • content_digest (reproducibility) — SHA-256 over the sorted per-artifact digests with embedded ISO-8601 instants normalized to a fixed sentinel. Depends only on the catalog + live-evidence state, so an independent party who re-runs the generators derives the same value.

Verified: content_digest was stable (f6fa38c7…) across 3+ regenerations and across separate sessions, while bundle_sha256 varied as intended. Each artifact entry now carries both sha256 and content_sha256.

Honesty wording corrected

  • DISTRIBUTION_README.md: new "Two digests, two purposes" section.
  • EXECUTION_CHECKLIST.md: step 4 now says compare the content digest (stable), not bundle_sha256; step 5 adds a runnable standalone command to recompute an artifact's content_sha256 — verified to match the manifest exactly.

Wiring

  • run_runnable_assurance.sh step 16 now asserts both digests recompute and that they are distinct.
  • tests/governance: +2 tests → 23 totalcontent_digest reproducible across regenerations + recomputes; timestamp-normalization changes the byte digest only (falsifiable: a real content change still moves the normalized digest).
  • Docs: RUNNABLE_ASSURANCE.md row 16, governance_artifacts/README.md, DECADAL verification-ledger row updated to document the two-digest model.

Verification (this commit 2bcc568f)

Check Command Result
Full assurance suite bash governance_artifacts/run_runnable_assurance.sh 16/16 PASS
Governance tests pytest tests/governance/test_governance_artifacts.py 23 passed
Pilot acceptance gates python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py 6/6 automated PASS
Reproducibility packager run 3×, compare digests content_digest stable; bundle_sha256 varies (as designed)

No step count change (still 16 checks) — this round hardens the existing capstone into an actually reproducible deliverable.

@difflens

difflens Bot commented Jul 1, 2026

Copy link
Copy Markdown

View changes in DiffLens

@codacy-production

codacy-production Bot commented Jul 1, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🔴 Issues 12 critical · 3 high · 21 medium · 64 minor

Alerts:
⚠ 100 issues (≤ 0 issues of at least minor severity)

Results:
100 new issues

Category Results
Compatibility 2 medium
BestPractice 4 medium
1 high
Documentation 2 minor
Security 6 critical
2 high
CodeStyle 40 minor
Complexity 20 minor
6 critical
15 medium
Comprehensibility 2 minor

View in Codacy

🟢 Metrics 399 complexity · 10 duplication

Metric Results
Complexity 399
Duplication 10

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@difflens

difflens Bot commented Jul 3, 2026

Copy link
Copy Markdown

View changes in DiffLens

@genspark-ai-developer

Copy link
Copy Markdown

Update: 17th assurance check — recipient-side bundle verification + ML-DSA-65 manifest signing (f20c808e)

This completes the distribution-packaging story from checks 13–16 by adding the recipient side: a regulator/supervisor/internal-audit can now verify a received dist/ bundle without trusting the packager.

What's new

  • governance_artifacts/verify_distribution_bundle.py (NEW, standalone)
    • Python stdlib only; deliberately does NOT import the packager — the digest rules (byte SHA-256, timestamp-normalized content SHA-256, sorted-digest bundle digests) are independently re-implemented, so a bug or backdoor in the packager cannot vouch for itself (enforced by an AST import-audit test).
    • 10 named, falsifiable checks: manifest parse, artifact presence, per-artifact byte + content digests, both bundle-level digest recomputations, digest distinctness, manifest-vs-content consistency (unit counts / coverage gaps / conformance recomputed from the bundled deliverable JSONs — a manifest that inflates SATISFIED or hides a gap FAILS), conformance-claim agreement, and optional detached-signature verification.
    • Exit 0 iff every executed check passes; --require-signature turns a missing/unverifiable signature into FAIL (never silently passed).
  • Packager --sign / --signing-key: detached ML-DSA-65 (FIPS 204) MANIFEST.sig.json over the exact MANIFEST.json bytes, with explicit ephemeral-vs-persistent key semantics, embedded public key + SHA-256 fingerprint, and an honesty statement (identity requires out-of-band fingerprint comparison).
  • run_runnable_assurance.sh step 17: packages a signed bundle and verifies it with the independent verifier in strict mode; RUNNABLE_ASSURANCE.md documents the check.

Verification

  • Governance suite: 30/30 tests pass (7 new: happy path, verifier independence, artifact tampering, forged manifest claims, single-byte manifest signature tamper, --require-signature absence, persistent signing-key identity + 0600 perms).
  • Manual e2e: signed bundle → VERIFIED (10 checks PASS); single-byte artifact tamper → FAILED (byte + content digest checks trip), exit 1.

…manifest signing (17th assurance check)

Closes the trust gap left by the round-6/7 packager: a bundle recipient
previously had to trust the packager's own digest arithmetic. This adds the
missing recipient-side half of the distribution story.

New tool — governance_artifacts/verify_distribution_bundle.py:
- Standalone and deliberately INDEPENDENT: stdlib-only (optional
  dilithium-py only for the signature branch) and never imports the
  packager — the digest rules (byte SHA-256, timestamp-normalized content
  SHA-256, sorted-digest bundle digests) are re-implemented from scratch so
  a bug or backdoor in the packager cannot vouch for itself (enforced by an
  AST-based test).
- 10 named, falsifiable checks: manifest-parse, artifact-presence,
  artifact-byte-digest, artifact-content-digest, bundle-digest-recompute,
  content-digest-recompute, digests-distinct, summary-consistency,
  conformance-claims, signature.
- summary-consistency recomputes the manifest's claimed unit counts /
  coverage gaps / conformance from the bundled deliverable JSONs
  themselves — a manifest that inflates units_satisfied or hides a DORA
  P4/P5 gap FAILS even if every digest still recomputes.
- Exit 0 iff every executed check passes; missing dilithium-py reports the
  signature check SKIPPED (never silently passed); --require-signature
  turns absence/skip into FAIL.

Packager — package_distribution_bundle.py --sign / --signing-key:
- Emits a detached ML-DSA-65 (FIPS 204) MANIFEST.sig.json over the EXACT
  MANIFEST.json bytes, embedding the public key + its SHA-256 fingerprint.
- Honest key semantics: --signing-key FILE persists one signing identity
  (0600) so fingerprints are stable across bundles; without it the key is
  EPHEMERAL and the signature file says so (key_persistence) — it then
  proves integrity-since-packaging, not identity. Identity always requires
  an out-of-band fingerprint comparison (stated in the artifact).

Wiring:
- run_runnable_assurance.sh: 16 -> 17 steps. Step 17 packages a signed
  bundle and verifies it with the independent verifier in strict
  --require-signature mode, asserting all 10 checks PASS.
- Generated DISTRIBUTION_README.md + EXECUTION_CHECKLIST.md now include a
  'verify as received' section / step 6 for the recipient.
- RUNNABLE_ASSURANCE.md: row 17 documented.
- Refreshed generated OSCAL deliverables from the final suite run.

Tamper negatives (all verified by tests, 30/30 governance tests pass):
- Artifact byte edit -> artifact-byte-digest + artifact-content-digest FAIL.
- Forged manifest claims (inflated SATISFIED, hidden gaps) ->
  summary-consistency FAILs (and the signature breaks).
- Single-byte whitespace change to MANIFEST.json with digests intact ->
  ONLY the ML-DSA-65 signature check fails (precise localization).
- --require-signature on an unsigned bundle -> FAILED with explicit error.
- Persistent-key double-signing -> identical public-key fingerprints; both
  bundles VERIFIED in strict mode.

Full suite result: 17/17 runnable assurance checks PASS.
@difflens

difflens Bot commented Jul 3, 2026

Copy link
Copy Markdown

View changes in DiffLens

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation next-app python Pull requests that update python code size/XXL

Development

Successfully merging this pull request may close these issues.

3 participants