Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 63 additions & 3 deletions .github/workflows/runnable-assurance.yml
Original file line number Diff line number Diff line change
@@ -1,17 +1,23 @@
name: Runnable Assurance (Sentinel v2.4)

# Executes the runnable proof obligations behind the governance artifacts:
# OPA policy tests, TLA+ TLC model check, GC-IR cross-target harness, and the
# SRC-1 Groth16 concentration-bound proof flow.
# OPA policy tests, TLA+ TLC model checks, GC-IR cross-target harness, the
# SRC-1 Groth16 concentration-bound proof + relayer pipeline, Solidity contract
# hardening, the 2028 pilot acceptance-gate checklist, and the next-app dashboard
# security test suite.

on:
push:
paths:
- 'governance_artifacts/**'
- 'governance_blueprint/**'
- 'next-app/**'
- '.github/workflows/runnable-assurance.yml'
pull_request:
paths:
- 'governance_artifacts/**'
- 'governance_blueprint/**'
- 'next-app/**'
workflow_dispatch:

permissions:
Expand Down Expand Up @@ -59,6 +65,15 @@ jobs:
working-directory: governance_artifacts/zk
run: npm install

- name: Install solc (for contract compile + zk relayer verifier)
working-directory: governance_blueprint/contracts
run: npm install

- name: Set up Terraform (for pilot IaC gate)
uses: hashicorp/setup-terraform@v3
with:
terraform_version: '1.9.8'

Comment thread
OneFineStarstuff marked this conversation as resolved.
- name: Fetch TLA+ tools
run: |
mkdir -p governance_artifacts/tla/tools
Expand All @@ -71,10 +86,55 @@ jobs:
circom circuits/src1_concentration_bound.circom --r1cs --wasm --sym --O0 -o circuits/
circom circuits/src_fair1_reason_code_check.circom --r1cs --wasm --sym --O0 -o circuits/

- name: Unit tests (routing + PQC WORM)
- name: Unit tests (routing + PQC WORM + contract logic + OSCAL conformance + Annex IV dossier)
run: |
pytest governance_artifacts/routing/test_sara_acr_router.py -q
pytest governance_artifacts/kafka/test_pqc_worm_logger_v2.py -q
pytest governance_blueprint/contracts/test_contract_logic.py -q
pytest tests/governance/test_governance_artifacts.py -q -k "oscal or annex or dora or nist or crosswalk or bundle"

- name: Run runnable assurance suite
run: bash governance_artifacts/run_runnable_assurance.sh

- name: 2028 pilot acceptance-gate checklist
run: python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py

- name: Assemble regulator deliverables (live evidence)
run: |
python3 governance_artifacts/oscal/generate_annex_iv_dossier.py
python3 governance_artifacts/oscal/generate_dora_ict_register.py
python3 governance_artifacts/oscal/generate_nist_rmf_crosswalk.py

- name: Package verified distribution bundle (SHA-256 manifest)
run: python3 governance_artifacts/package_distribution_bundle.py --with-suite

- name: Upload regulator deliverables artifact
uses: actions/upload-artifact@v4
Comment thread
OneFineStarstuff marked this conversation as resolved.
with:
name: regulator-deliverables
path: governance_artifacts/oscal/generated/

- name: Upload verified distribution bundle
uses: actions/upload-artifact@v4
with:
name: distribution-bundle
path: governance_artifacts/dist/

dashboard-tests:
name: Dashboard security tests (next-app)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Set up Node
uses: actions/setup-node@v4
with:
node-version: '20'

- name: Install next-app deps
working-directory: next-app
run: npm install

- name: Vitest (dashboard security + governance remediation)
working-directory: next-app
run: npx vitest run
Comment thread
OneFineStarstuff marked this conversation as resolved.
21 changes: 21 additions & 0 deletions governance_artifacts/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,27 @@ SRC-1 Groth16 systemic-risk concentration proof — see
bash run_runnable_assurance.sh
```

## Package & distribute (finalize the stack)
To assemble the three OSCAL-native regulator deliverables (EU AI Act Annex IV
dossier, DORA ICT-risk register, NIST AI RMF crosswalk) into one auditable,
tamper-evident distribution bundle — each artifact pinned by SHA-256, with a
`MANIFEST.json`, a regulator-facing `DISTRIBUTION_README.md`, and a guided
`EXECUTION_CHECKLIST.md` — run:

```bash
python3 package_distribution_bundle.py --with-suite # writes governance_artifacts/dist/
```

The packager refuses to bundle a deliverable that reports a catalog-conformance
failure. The manifest records **two** fingerprints: a byte-exact
**`bundle_sha256`** (provenance — pins this exact build, changes each run with
the embedded `generated_at` timestamp) and a timestamp-normalized
**`content_digest`** (reproducibility — **stable** across regenerations for a
given catalog + evidence state, so an independent party who re-runs the
generators derives the same value). Both recompute from the sorted per-artifact
digests. It is an **assembly-integrity + reproducibility** bundle, **not** a
conformity assessment or certification.

## Local validation
Run the deterministic validator directly:

Expand Down
9 changes: 8 additions & 1 deletion governance_artifacts/RUNNABLE_ASSURANCE.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ the master reference documents assert that a control "holds," the artifacts here
bash governance_artifacts/run_runnable_assurance.sh
```

Runs all eleven checks below and fails fast on any error.
Runs all eighteen checks below and fails fast on any error.

## What is proven, and against which control

Expand All @@ -34,6 +34,13 @@ Runs all eleven checks below and fails fast on any error.
| 9 | PQC WORM audit log — real CRYSTALS-Dilithium (ML-DSA-65) signatures + tamper-evident hash chain + S3 Object Lock retention | Python (`dilithium-py`) + pytest | `cry-02` | DORA, EU AI Act Art. 12 logging |
| 10 | OmegaActual contract hardening — both contracts compile (0 warnings); 7 logic tests prove original exploitable & hardened blocks SEC-01..06 | solc 0.8.26 + pytest | `con-07` settlement | EU AI Act Art. 14, DORA |
| 11 | Governance artifact schema validation | Python validator | manifest/schema integrity | OSCAL, evidence logging (EU AI Act Art. 12) |
| 12 | OSCAL catalog conformance — every control's `tla-spec` / `rego-policy` / `circuit` / `simulator` prop resolves to a real in-repo artifact; every regime `#href` resolves to a back-matter anchor (no dangling references); `feasibility-tier ∈ {A,B,C,D}`; `freshness-sla` is a valid ISO-8601 duration (43 cross-reference checks, falsifiable) | Python (`oscal_conformance.py`) + pytest | all `con-*`, `cry-*`, `env-*`, `rte-*` | OSCAL 1.1.2 compliance-as-code integrity (EU AI Act Annex IV, NIST AI RMF, DORA, Basel, SR 11-7) |
| 13 | Annex IV dossier auto-assembly — builds an OSCAL-native 8-section (A–H) EU AI Act technical-documentation dossier from the conformant catalog + live assurance evidence; refuses to run on a non-conformant catalog or unknown control id; never marks a section SATISFIED without a green runnable check | Python (`generate_annex_iv_dossier.py`) + pytest | all controls → Annex IV §A–H | EU AI Act Annex IV technical documentation (auto-assembled deliverable) |
| 14 | DORA ICT-risk register auto-assembly — builds a 5-pillar (P1–P5) DORA register from the same catalog + live evidence; reports P4/P5 as honest coverage gaps; same refusal/honesty guarantees | Python (`generate_dora_ict_register.py`) + pytest | `env-*`, `cry-02`, `con-04/07` → DORA pillars | DORA (Reg. (EU) 2022/2554) ICT-risk register (auto-assembled deliverable) |
| 15 | NIST AI RMF profile crosswalk auto-assembly — builds a 4-function (GOVERN/MAP/MEASURE/MANAGE) crosswalk with per-function coverage analysis from the same catalog + live evidence; same refusal/honesty guarantees | Python (`generate_nist_rmf_crosswalk.py`) + pytest | all controls → NIST AI RMF functions | NIST AI RMF 1.0 coverage crosswalk (auto-assembled deliverable) |
| 16 | Verified distribution-bundle packaging — collects all three regulator deliverables (6 artifacts) into a `dist/` bundle and emits a `MANIFEST.json` with **two** digests per artifact and per bundle: a **`bundle_sha256`** (byte-exact provenance fingerprint of this build — changes each run with the `generated_at` timestamp) and a **`content_digest`** (timestamp-normalized — **stable/reproducible** across regenerations for a given catalog + evidence state). Both recompute from the sorted per-artifact digests; refuses to package on any catalog-conformance failure; reports coverage gaps (DORA P4/P5), never inflates them | Python (`package_distribution_bundle.py`) + pytest | all deliverables → one auditable bundle | Regulator-facing distribution package (assembly-integrity + reproducibility, not a certification) |
| 17 | Recipient-side bundle verification — a **standalone** verifier (`verify_distribution_bundle.py`, stdlib-only; deliberately does NOT import the packager — digest rules independently re-implemented) re-checks a received `dist/` bundle: per-artifact byte + timestamp-normalized digests, both bundle-level digest recomputations, digest distinctness, and **manifest-vs-content consistency** (unit counts / coverage gaps / conformance recomputed from the bundled deliverable JSONs — a manifest that inflates SATISFIED or hides a gap FAILS). The packager's `--sign` emits a detached **ML-DSA-65 (FIPS 204)** `MANIFEST.sig.json`; the suite verifies it in strict `--require-signature` mode. Tamper negatives proven by tests (artifact edit, forged manifest claims, single-byte manifest change) | Python (`verify_distribution_bundle.py`) + `dilithium-py` + pytest | all deliverables → independently verifiable received bundle | Recipient/regulator-side integrity check (proves assembly integrity + signer key continuity, not identity without an out-of-band fingerprint comparison) |
| 18 | Evidence freshness-SLA gate — the catalogs declare per-control `freshness-sla` props (e.g. `env-01` attestation evidence ≤ PT5M old, `cry-05` zk proof ≤ P3M); until now check C3 validated only the *format*. `check_evidence_freshness.py --run` re-executes every control's mapped assurance check (the same single-source-of-truth `CONTROL_EVIDENCE` map the deliverable generators use) and records **when** each piece of evidence was produced in a digest-protected ledger (`oscal/generated/evidence_freshness_ledger.json`); `--audit` then enforces each declared SLA against those instants (stated conversion: 1M=30d, 1Y=365d; compound `P1D/P90D` enforces the first period). STALE / FAILED / NOT-RECORDED / FUTURE-DATED / tampered-ledger → gate FAILS; organisational-evidence controls (`env-02`) are disclosed `NOT-RUNNABLE`, never counted fresh. Tamper/staleness negatives proven by 7 pytest checks | Python (`check_evidence_freshness.py`) + pytest | all runnable controls' `freshness-sla` props | Evidence-recency enforcement (EU AI Act Art. 12 record-keeping, DORA ICT monitoring; the ledger digest detects casual edits, is not a signature — pair with checks 16/17 for signed provenance) |

### Companion reviews & plan (this iteration)

Expand Down
Loading
Loading