Skip to content

Decadal Strategic & Technical Plan 2026–2035 (Sentinel v2.4 / Omni-Sentinel Mesh v4.0 / SCP v3.0)#139

Merged
OneFineStarstuff merged 10 commits into
mainfrom
genspark_ai_developer
Jul 5, 2026
Merged

Decadal Strategic & Technical Plan 2026–2035 (Sentinel v2.4 / Omni-Sentinel Mesh v4.0 / SCP v3.0)#139
OneFineStarstuff merged 10 commits into
mainfrom
genspark_ai_developer

Conversation

@OneFineStarstuff

@OneFineStarstuff OneFineStarstuff commented Jun 21, 2026

Copy link
Copy Markdown
Owner

Summary

Adds the authoritative consolidated decadal (2026–2035) strategic & technical plan for deploying the Sentinel AI Governance Stack v2.4, Omni-Sentinel Mesh v4.0, and Unified AI Supervisory Control Plane (SCP v3.0) across G-SIFIs and Fortune 500 financial institutions — and grows the runnable assurance suite from 11 to 18 verified checks.

governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md (424 lines, 20 sections).

Builds on merged PR #138. Every technical claim is anchored to a runnable, verified in-repo artifact — the assurance suite is 18/18 PASS at head.

Coverage (all requested topics)

  • Zero-trust AI governance + TEE (Intel TDX, AMD SEV-SNP, vTPM PCR_MATCH); confidential enclave deployment + remote attestation
  • StaR-MoE (SARA+ACR) routing stabilization; telemetry attestation + G-SRI
  • PQC WORM logging: ML-DSA-65 / CRYSTALS-Dilithium / SPHINCS+ + Kafka/S3 Object Lock; Merkle-anchored evidence
  • zk systemic-risk proofs (Circom/Groth16 → zk-STARK migration) + zk-SNARK/zk-STARK relayer pipelines; zkML transition-validity
  • OSCAL 1.1.2 + OPA/Rego compliance-as-code; full mapping to EU AI Act (Annex IV), NIST AI RMF, ISO/IEC 42001, Basel III/IV, DORA, NIS2, GDPR Art.22, MAS/HKMA FEAT, FCA SMCR, ECOA, ICGC/GASO
  • TLA+ SentinelContainmentProtocol + SIP v3.0 invariants; HSM + Terraform multi-region enclaves
  • GIEN / SIP v3.0 federated collective defense; security-review patterns (Solidity/OPA/React)
  • omni_sentinel_24h_monitor.py 24h monitoring + integrity; OmegaActual dead-man's switch; DevSecOps/GitOps (ArgoCD/Flux)
  • 6-month 2028 G-SIFI pilot design (runnable acceptance gates); supervisory adoption model; automated compliance dashboards; KPIs/KRIs; global rollout through 2035

New assurance checks added in this PR (12 → 18)

# Check Tool
12 OSCAL 1.1.2 catalog conformance (prop/href cross-reference integrity) oscal/validate_oscal_conformance.py
13 Annex IV dossier auto-assembly (8 sections from conformant catalog) oscal/generate_annex_iv_dossier.py
14 DORA ICT-risk register auto-assembly (5 pillars; coverage gaps disclosed) oscal/generate_dora_register.py
15 NIST AI RMF profile crosswalk (GOVERN/MAP/MEASURE/MANAGE) oscal/generate_nist_ai_rmf_crosswalk.py
16 Verified distribution-bundle packager (SHA-256 manifest, deterministic content_digest, refuses non-conformant catalogs) package_distribution_bundle.py
17 Recipient-side bundle verifier + detached ML-DSA-65 manifest signature (10/10 independent checks) verify_distribution_bundle.py
18 Evidence freshness-SLA gate — catalog-declared per-control SLAs (PT5M…P3M) enforced against a digest-protected freshness ledger; statuses FRESH/STALE/FAILED/NOT-RECORDED/FUTURE-DATED; organisational controls honestly disclosed NOT-RUNNABLE check_evidence_freshness.py

Also closes dashboard High findings (DASH-04/06/07), adds runnable 2028 pilot acceptance gates, and wires CI for pilot + dashboard tests.

Integrity discipline

A/B/C/D feasibility tiering throughout. Explicit statement that ASI containment is modelled as a formally-checked control discipline, not a safety proof for arbitrarily capable agents (Tier D). Live attestation/HSM/enclave verified at IaC/policy layer (Tier B). Freshness-ledger digest detects casual edits, is not a signature — signed provenance comes from the ML-DSA-65-signed bundle (checks 16/17). All cross-referenced files confirmed present; roadmap YAML parses (5 phases + 4 extension).

Verification

bash governance_artifacts/run_runnable_assurance.sh   # 18/18 PASS

Verified in-sandbox at head (e8a2596d): all 18 checks PASS, freshness audit reports 6 runnable controls FRESH, 1 organisational control disclosed NOT-RUNNABLE, ledger digest intact.

@code-genius-code-coverage

Copy link
Copy Markdown

The files' contents are under analysis for test generation.

@semanticdiff-com

semanticdiff-com Bot commented Jun 21, 2026

Copy link
Copy Markdown

Review changes with  SemanticDiff

Changed Files
File Status
  next-app/app/api/risk/scores/route.ts  65% smaller
  next-app/app/api/chat/stream/route.ts  44% smaller
  next-app/lib/privacy/consentLedger.ts  38% smaller
  next-app/app/api/intent/route.ts  31% smaller
  next-app/__tests__/dashboard_security_review.test.ts  20% smaller
  next-app/next.config.js  19% smaller
  next-app/app/api/consent/route.ts  17% smaller
  governance_blueprint/roadmap_2026_2035.yaml  13% smaller
  governance_artifacts/oscal/catalog_sentinel_v24_env_rte.json  7% smaller
  .github/workflows/runnable-assurance.yml  7% smaller
  governance_artifacts/oscal/catalog_sentinel_v24_excerpt.json  4% smaller
  governance_artifacts/README.md Unsupported file format
  governance_artifacts/RUNNABLE_ASSURANCE.md Unsupported file format
  governance_artifacts/check_evidence_freshness.py  0% smaller
  governance_artifacts/oscal/README.md Unsupported file format
  governance_artifacts/oscal/annex_iv_section_map.yaml  0% smaller
  governance_artifacts/oscal/crosswalk_common.py  0% smaller
  governance_artifacts/oscal/dora_framework_map.yaml  0% smaller
  governance_artifacts/oscal/generate_annex_iv_dossier.py  0% smaller
  governance_artifacts/oscal/generate_dora_ict_register.py  0% smaller
  governance_artifacts/oscal/generate_nist_rmf_crosswalk.py  0% smaller
  governance_artifacts/oscal/generated/annex_iv_dossier.json  0% smaller
  governance_artifacts/oscal/generated/annex_iv_dossier.md Unsupported file format
  governance_artifacts/oscal/generated/dora_ict_register.json  0% smaller
  governance_artifacts/oscal/generated/dora_ict_register.md Unsupported file format
  governance_artifacts/oscal/generated/evidence_freshness_ledger.json  0% smaller
  governance_artifacts/oscal/generated/nist_ai_rmf_crosswalk.json  0% smaller
  governance_artifacts/oscal/generated/nist_ai_rmf_crosswalk.md Unsupported file format
  governance_artifacts/oscal/nist_ai_rmf_map.yaml  0% smaller
  governance_artifacts/oscal/oscal_conformance.py  0% smaller
  governance_artifacts/package_distribution_bundle.py  0% smaller
  governance_artifacts/pilot/README.md Unsupported file format
  governance_artifacts/pilot/run_pilot_acceptance_gates.py  0% smaller
  governance_artifacts/run_runnable_assurance.sh Unsupported file format
  governance_artifacts/verify_distribution_bundle.py  0% smaller
  governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md Unsupported file format
  next-app/DASHBOARD_SECURITY_REVIEW.md Unsupported file format
  next-app/app/api/auth/login/route.ts  0% smaller
  next-app/lib/auth/session.ts  0% smaller
  next-app/lib/http/guard.ts  0% smaller
  next-app/lib/http/rateLimit.ts  0% smaller
  next-app/middleware.ts  0% smaller
  tests/governance/test_governance_artifacts.py  0% smaller

@gitnotebooks

gitnotebooks Bot commented Jun 21, 2026

Copy link
Copy Markdown

@netlify

netlify Bot commented Jun 21, 2026

Copy link
Copy Markdown

Deploy Preview for onefinestarstuff failed.

Name Link
🔨 Latest commit e8a2596
🔍 Latest deploy log https://app.netlify.com/projects/onefinestarstuff/deploys/6a4a51582759d900073b8f21

@vercel

vercel Bot commented Jun 21, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
v0-one-fine-starstuff-github-io Ready Ready Preview, Comment, Open in v0 Jul 5, 2026 12:43pm

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @OneFineStarstuff, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@difflens

difflens Bot commented Jun 21, 2026

Copy link
Copy Markdown

View changes in DiffLens

@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Jun 21, 2026
@coderabbitai

coderabbitai Bot commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR adds a decadal governance blueprint, updates the roadmap and pilot-gate workflow, extends runnable assurance with OSCAL conformance checks, and hardens the Next.js app with authenticated sessions, request validation, rate limiting, signed consent events, and route-level enforcement.

Changes

Governance Blueprint, Roadmap, Pilot Gates, and Assurance

Layer / File(s) Summary
Blueprint and roadmap framing
governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md, governance_blueprint/roadmap_2026_2035.yaml
Defines the decadal plan framing, feasibility tiers, architecture and control-plane mapping, control disciplines, roadmap phases, pilot schedule, operating model, KPI/KRI tracking, limitations, and verification ledger.
Roadmap and pilot execution
governance_blueprint/roadmap_2026_2035.yaml, governance_artifacts/pilot/*
Updates roadmap feasibility tiers and 2031–2035 phases, adds the pilot gate runner and documentation, and defines the month-by-month acceptance-gate flow.
OSCAL conformance, dossier assembly, and assurance wiring
governance_artifacts/run_runnable_assurance.sh, governance_artifacts/RUNNABLE_ASSURANCE.md, governance_artifacts/oscal/*, tests/governance/test_governance_artifacts.py, \.github/workflows/runnable-assurance.yml
Adds OSCAL catalogs and back-matter anchors, a catalog conformance validator, Annex IV dossier generation, runnable-assurance step expansion, CI wiring, README guidance, and governance tests.

Next.js Security Hardening and Dashboard Remediation

Layer / File(s) Summary
Session auth and request guards
next-app/lib/auth/session.ts, next-app/lib/http/guard.ts
Adds token minting and verification, principal extraction, authorization helpers, JSON response factories, request body limits, safe JSON parsing, and stream sanitization utilities.
Dashboard remediation and authenticated route enforcement
next-app/DASHBOARD_SECURITY_REVIEW.md, next-app/__tests__/dashboard_security_review.test.ts, next-app/app/api/chat/stream/route.ts, next-app/app/api/consent/route.ts, next-app/app/api/intent/route.ts, next-app/app/api/risk/scores/route.ts
Updates the security review and tests, rewrites the chat, consent, and intent routes to require authenticated principals and validated inputs, and keeps the synthetic risk-scores metadata response.
Demo login, rate limiting, and security headers
next-app/app/api/auth/login/route.ts, next-app/lib/http/rateLimit.ts, next-app/middleware.ts, next-app/next.config.js
Adds the demo login route, fixed-window API rate limiting, middleware enforcement, and Next.js security headers.
Consent ledger signing and verification
next-app/lib/privacy/consentLedger.ts
Adds signed consent events, chain verification, verified export output, and fail-closed tail reads.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Middleware
  participant Session as session.ts
  participant Route as API route
  participant Guard as readJson/sanitizeForStream
  Client->>Middleware: request to /api/*
  Middleware->>Session: derive client key and enforce limit
  Client->>Route: authenticated request
  Route->>Guard: parse body / sanitize stream
  Guard-->>Route: validated data or structured error
Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~90 minutes

Possibly related PRs

Suggested labels

documentation, enhancement, size/XXL, python, backend

Suggested reviewers

  • gstraccini

Poem

🐇 I hopped through tiers from A to C,
And signed each gate with certainty.
The ledger hums, the routes stand tall,
The rabbit checks each ounce and all.
With WORM and clues and headers bright,
I nibble proof, then hop goodnight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 38.71% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change and names the three major framework versions covered by the plan.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch genspark_ai_developer

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@deepsource-io

deepsource-io Bot commented Jun 21, 2026

Copy link
Copy Markdown

DeepSource Code Review

We reviewed changes in 0dd1a89...e8a2596 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
Python Jul 5, 2026 12:43p.m. Review ↗
JavaScript Jul 5, 2026 12:43p.m. Review ↗
Shell Jul 5, 2026 12:43p.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

gstraccini[bot]
gstraccini Bot previously approved these changes Jun 21, 2026
@codacy-production

codacy-production Bot commented Jun 21, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🔴 Issues 1 critical · 5 high · 4 medium · 90 minor

Alerts:
⚠ 100 issues (≤ 0 issues of at least minor severity)

Results:
100 new issues

Category Results
Compatibility 1 high
BestPractice 2 medium
Documentation 4 minor
ErrorProne 4 high
Security 1 critical
CodeStyle 86 minor
Complexity 1 medium
Performance 1 medium

View in Codacy

🟢 Metrics 106 complexity · 2 duplication

Metric Results
Complexity 106
Duplication 2

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@difflens

difflens Bot commented Jun 21, 2026

Copy link
Copy Markdown

View changes in DiffLens

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md (1)

65-83: 💤 Low value

Add a language identifier to the ASCII diagram code block.

Line 65 opens a fenced code block for the architecture diagram. Adding a language identifier (e.g., text` or ascii`) improves markdown linting compliance and readability.

✨ Proposed fix
 ### 2. Architecture overview (the four control planes)
 
-```
+```text
 ┌──────────────────────────────────────────────────────────────────────────────────┐
 │  SCP v3.0 — Unified AI Supervisory Control Plane            (supervisor-facing)    │
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md` around
lines 65 - 83, The ASCII architecture diagram code block starting at line 65
does not have a language identifier in its opening fence. Add a language
identifier such as `text` or `ascii` immediately after the opening triple
backticks (e.g., change the opening fence from ``` to ```text) to improve
markdown linting compliance and readability of the diagram block.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md`:
- Around line 65-102: Two Tier A artifacts referenced in the
component-to-artifact-to-evidence map are missing from the repository:
tla/SentinelContainmentProtocol.tla and tla/KillSwitchAbstract.tla. These files
are cited as having verifiable TLC model-checking evidence (75 + 13 states with
no errors) for the containment one-way ratchet and kill-switch abstraction
control components. Either create and add these TLA+ files to the repository
with the corresponding TLC verification results, or update the table rows
referencing these files to remove them and correct the Tier A evidence claims to
match what actually exists in the repository.
- Around line 397-412: The "Full assurance suite" row in the verification ledger
section claims "11/11 PASS" but the actual execution of bash
governance_artifacts/run_runnable_assurance.sh fails at the OPA policy tests
step because OPA is not installed. Update the "Last result" column for the "Full
assurance suite" row to reflect the actual failure output (e.g., "FAIL: opa:
command not found" or similar), or alternatively ensure all required
dependencies including OPA, TLC, terraform, node, and python3 packages are
properly installed and available in the environment so the command can execute
successfully and produce the claimed result. Verify that all other commands in
the verification ledger table also execute correctly and produce their claimed
outputs before updating their results.

---

Nitpick comments:
In `@governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md`:
- Around line 65-83: The ASCII architecture diagram code block starting at line
65 does not have a language identifier in its opening fence. Add a language
identifier such as `text` or `ascii` immediately after the opening triple
backticks (e.g., change the opening fence from ``` to ```text) to improve
markdown linting compliance and readability of the diagram block.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d24fab33-4acc-4150-98d5-389a2fd351e2

📥 Commits

Reviewing files that changed from the base of the PR and between 2dcd7c1 and 41f1edf.

📒 Files selected for processing (1)
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md

Comment thread governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
Comment thread governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
@difflens

difflens Bot commented Jun 22, 2026

Copy link
Copy Markdown

View changes in DiffLens

@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Update — follow-on hardening (commit 8892373)

Three concrete follow-ups, all verified:

1. Roadmap phases 5–8 promoted to first-class

governance_blueprint/roadmap_2026_2035.yaml now has 9 first-class segments (phase_0..phase_8, 2026–2035), each with feasibility_tier, objectives, exit_criteria, and a gating precondition for the Tier C/D phases. (Previously phases 5–8 were loose extension: entries.) YAML parses clean.

2. Runnable 2028 pilot acceptance-gate checklist

governance_artifacts/pilot/run_pilot_acceptance_gates.py operationalizes decadal-plan §14. It actually executes the 6 Tier‑A gates (terraform validate, OPA gates, PQC WORM tamper, containment TLC, zk relayer, full assurance) and reports the 6 Tier‑B/hardware gates as PENDING-EVIDENCE with precise criteria — never faked. Current: 6/6 automated gates PASS.

3. Dashboard High-severity findings closed (DASH-01/02/03/05/08)

  • New lib/auth/session.ts (HMAC-signed tokens, principal derived server-side only, constant-time verify, expiry) + lib/http/guard.ts (16 KiB body cap, safe JSON, SSE-injection sanitizer).
  • DASH-01 IDOR closed (consent export requires ownership or dpo); DASH-02 consent identity bound to principal; DASH-03 chat authn + body cap, unauthenticated GET text-gen removed; DASH-05 moderation block now enforced; DASH-08 intent route hardened.
  • Tests rewritten to assert the fixed behaviour: vitest 14/14 pass. My new files typecheck clean (0 TS errors); pre-existing repo TS errors untouched.

Regression: bash governance_artifacts/run_runnable_assurance.sh11/11 PASS.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New security issues found

Comment thread governance_artifacts/pilot/run_pilot_acceptance_gates.py
@difflens

difflens Bot commented Jun 22, 2026

Copy link
Copy Markdown

View changes in DiffLens

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (3)
next-app/app/api/consent/route.ts (1)

36-36: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Redundant type cast.

new Date().toISOString() already returns string, so the as unknown as string cast is unnecessary.

-    ts: new Date().toISOString() as unknown as string,
+    ts: new Date().toISOString(),
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@next-app/app/api/consent/route.ts` at line 36, The ts property assignment in
the consent route includes a redundant type cast `as unknown as string` after
calling `new Date().toISOString()`. Since the toISOString() method already
returns a string type, the explicit cast is unnecessary and should be removed.
Simply replace the line to use `ts: new Date().toISOString()` without any type
annotations.
next-app/app/api/intent/route.ts (1)

18-21: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider rejecting empty message for consistency.

The chat route rejects empty strings with message.length === 0, but this route only checks typeof message !== 'string'. An empty string would pass validation and return 'casual'. While not harmful, aligning validation behavior across routes aids maintainability.

-  if (typeof message !== 'string') {
+  if (typeof message !== 'string' || message.length === 0) {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@next-app/app/api/intent/route.ts` around lines 18 - 21, The message
validation in the intent route only checks for type but not for empty strings,
whereas the chat route validates for empty strings using message.length === 0.
Add an additional validation check after the typeof validation for the message
variable to reject empty strings and return a 400 response with an appropriate
error message, ensuring consistency with the chat route's validation behavior.
governance_artifacts/pilot/run_pilot_acceptance_gates.py (1)

107-118: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Unused variable in tuple unpacking.

Line 109 unpacks rc from the _run() return value but never uses it. The return code is ignored in favor of checking the output text for "No error has been found".

Consider using _ to indicate the value is intentionally ignored.

♻️ Proposed fix
 def check_containment_tlc() -> tuple[bool, str]:
     jar = GA / "tla" / "tools" / "tla2tools.jar"
-    rc, out = _run(
+    _, out = _run(
         ["java", "-cp", str(jar), "tlc2.TLC",
          "-config", str(GA / "tla" / "SentinelContainmentProtocol.cfg"),
          str(GA / "tla" / "SentinelContainmentProtocol.tla")],
         timeout=300,
     )
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@governance_artifacts/pilot/run_pilot_acceptance_gates.py` around lines 107 -
118, In the check_containment_tlc() function, the return code variable rc is
unpacked from the _run() call but never used since the function only checks the
output text for error messages. Replace rc with an underscore (_) in the tuple
unpacking statement to indicate the value is intentionally ignored and follows
Python convention for unused variables.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@governance_artifacts/pilot/run_pilot_acceptance_gates.py`:
- Line 28: The os module is imported at the top of the
run_pilot_acceptance_gates.py file but is never used anywhere in the script.
Remove the import os statement to clean up unused imports and improve code
clarity.

In `@governance_blueprint/roadmap_2026_2035.yaml`:
- Around line 70-117: The validator function `validate_roadmap_2035_shape()` in
governance_blueprint/validation/validate_artifacts.py accumulates validation
errors throughout its execution but fails to return them, instead returning None
implicitly. Add a `return errors` statement at the end of the function after
line 299 to ensure that accumulated validation errors are properly propagated to
the caller and validation failures are correctly reported instead of silently
passing.

---

Nitpick comments:
In `@governance_artifacts/pilot/run_pilot_acceptance_gates.py`:
- Around line 107-118: In the check_containment_tlc() function, the return code
variable rc is unpacked from the _run() call but never used since the function
only checks the output text for error messages. Replace rc with an underscore
(_) in the tuple unpacking statement to indicate the value is intentionally
ignored and follows Python convention for unused variables.

In `@next-app/app/api/consent/route.ts`:
- Line 36: The ts property assignment in the consent route includes a redundant
type cast `as unknown as string` after calling `new Date().toISOString()`. Since
the toISOString() method already returns a string type, the explicit cast is
unnecessary and should be removed. Simply replace the line to use `ts: new
Date().toISOString()` without any type annotations.

In `@next-app/app/api/intent/route.ts`:
- Around line 18-21: The message validation in the intent route only checks for
type but not for empty strings, whereas the chat route validates for empty
strings using message.length === 0. Add an additional validation check after the
typeof validation for the message variable to reject empty strings and return a
400 response with an appropriate error message, ensuring consistency with the
chat route's validation behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 59df18ae-d3a2-4487-bca9-8b1e3502da69

📥 Commits

Reviewing files that changed from the base of the PR and between 41f1edf and 8892373.

📒 Files selected for processing (11)
  • governance_artifacts/pilot/README.md
  • governance_artifacts/pilot/run_pilot_acceptance_gates.py
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
  • governance_blueprint/roadmap_2026_2035.yaml
  • next-app/DASHBOARD_SECURITY_REVIEW.md
  • next-app/__tests__/dashboard_security_review.test.ts
  • next-app/app/api/chat/stream/route.ts
  • next-app/app/api/consent/route.ts
  • next-app/app/api/intent/route.ts
  • next-app/lib/auth/session.ts
  • next-app/lib/http/guard.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md

Comment thread governance_artifacts/pilot/run_pilot_acceptance_gates.py
Comment thread governance_blueprint/roadmap_2026_2035.yaml
@difflens

difflens Bot commented Jun 25, 2026

Copy link
Copy Markdown

View changes in DiffLens

1 similar comment
@difflens

difflens Bot commented Jun 25, 2026

Copy link
Copy Markdown

View changes in DiffLens

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/runnable-assurance.yml:
- Line 106: The workflow step using actions/upload-artifact is pinned to a
mutable tag, so update the runnable-assurance workflow to reference
actions/upload-artifact by an immutable commit SHA instead of v4. Locate the
upload step in the workflow and replace the current uses value with the specific
SHA for the same major version so the action reference cannot change
unexpectedly.

In `@governance_artifacts/oscal/generate_annex_iv_dossier.py`:
- Around line 179-185: The build_dossier flow currently loads catalog bodies via
_load_catalogs before checking OSCAL validity, so a malformed catalog can fail
early instead of using the validator report path. Update build_dossier to call
_run_conformance before _load_catalogs, then only hydrate catalogs/controls
after conformance passes; keep the existing control-loading logic and use the
build_dossier and _run_conformance symbols to locate the change.

In `@governance_artifacts/run_runnable_assurance.sh`:
- Around line 137-149: Step 13 is only checking dossier shape because
run_runnable_assurance.sh invokes generate_annex_iv_dossier.py with --no-verify,
so build_dossier() never exercises backing checks or live SATISFIED evidence.
Update this step to run the generator through the verified path and assert the
evidence/status fields from the resulting dossier, or if that is not intended,
adjust the step’s assertion/message and related RUNNABLE_ASSURANCE wording to
claim only assembly structure. Use the generate_annex_iv_dossier.py invocation
and the d["dossier"] assertions as the place to align the test with the
documented live-evidence behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 25d4b8f6-e081-4205-89b2-185c781b3312

📥 Commits

Reviewing files that changed from the base of the PR and between 13eb322 and 816e120.

⛔ Files ignored due to path filters (2)
  • governance_artifacts/oscal/generated/annex_iv_dossier.json is excluded by !**/generated/**
  • governance_artifacts/oscal/generated/annex_iv_dossier.md is excluded by !**/generated/**
📒 Files selected for processing (10)
  • .github/workflows/runnable-assurance.yml
  • governance_artifacts/RUNNABLE_ASSURANCE.md
  • governance_artifacts/oscal/README.md
  • governance_artifacts/oscal/annex_iv_section_map.yaml
  • governance_artifacts/oscal/generate_annex_iv_dossier.py
  • governance_artifacts/pilot/README.md
  • governance_artifacts/pilot/run_pilot_acceptance_gates.py
  • governance_artifacts/run_runnable_assurance.sh
  • governance_blueprint/DECADAL_STRATEGIC_TECHNICAL_PLAN_2026_2035.md
  • tests/governance/test_governance_artifacts.py
✅ Files skipped from review due to trivial changes (4)
  • governance_artifacts/pilot/README.md
  • governance_artifacts/oscal/annex_iv_section_map.yaml
  • governance_artifacts/RUNNABLE_ASSURANCE.md
  • governance_artifacts/oscal/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • governance_artifacts/pilot/run_pilot_acceptance_gates.py

Comment thread .github/workflows/runnable-assurance.yml
Comment thread governance_artifacts/oscal/generate_annex_iv_dossier.py
Comment thread governance_artifacts/run_runnable_assurance.sh Outdated
…egister + NIST AI RMF crosswalk (14th & 15th assurance checks)

One verified OSCAL 1.1.2 catalog (source of truth) -> multiple regulator
deliverables. Extends the round-4 Annex IV dossier generator to two more
frameworks, all assembled from the same conformance-verified catalog + live
re-run evidence.

New shared engine:
- crosswalk_common.py: load_catalogs, CONTROL_EVIDENCE, run_conformance
  (refuses to assemble against a non-conformant catalog), EvidenceRunner
  (re-runs each control's backing assurance check this run), status_for
  (SATISFIED / PARTIAL / PENDING-EVIDENCE), resolve_controls.

New deliverables (Tier A, runnable):
- generate_dora_ict_register.py + dora_framework_map.yaml: DORA
  (Reg. (EU) 2022/2554) 5-pillar ICT-risk register. Result 3/5 pillars
  SATISFIED; P4 (third-party) and P5 (info-sharing) reported as HONEST
  coverage gaps (is_coverage_gap=true, PENDING-EVIDENCE), not hidden.
- generate_nist_rmf_crosswalk.py + nist_ai_rmf_map.yaml: NIST AI RMF 1.0
  4-function (GOVERN/MAP/MEASURE/MANAGE) crosswalk with per-function
  coverage analysis. Result 4/4 functions SATISFIED (100%).
- generated/{dora_ict_register,nist_ai_rmf_crosswalk}.{json,md} samples.

Honesty guarantees (preserved): each generator embeds an integrity_statement
('not a DORA conformity attestation' / 'not a certification'); both refuse a
non-conformant catalog and raise on unknown control ids (falsifiable —
negative tests confirm exit 1).

Wiring:
- run_runnable_assurance.sh: 13 -> 15 steps (14=DORA, 15=NIST), using
  --no-verify --print piped to inline python validators.
- tests/governance: +3 tests (18 total): DORA gaps reported, NIST full
  coverage with live evidence, and --no-verify does not fabricate SATISFIED.
- CI: pytest selector adds dora/nist/crosswalk; assembles all 3 deliverables
  and uploads them as the 'regulator-deliverables' artifact.

Docs synced: RUNNABLE_ASSURANCE.md (rows 14-15, thirteen->fifteen), DECADAL
plan (13/13 -> 15/15 + 2 verification-ledger rows), pilot P6-REPRO 15/15,
oscal/README.md.

Verification (this commit):
- bash governance_artifacts/run_runnable_assurance.sh -> 15/15 PASS
- pytest tests/governance/test_governance_artifacts.py -> 18 passed
- pilot acceptance gates -> 6/6 automated PASS (P6-REPRO 15/15)
- DORA 3/5 SATISFIED (P4/P5 gaps); NIST 4/4 SATISFIED (100%);
  catalog conformance 0 failures for both.
@difflens

difflens Bot commented Jun 27, 2026

Copy link
Copy Markdown

View changes in DiffLens

@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Round 5 — Multi-framework regulator deliverables (DORA + NIST AI RMF)

Theme: one verified OSCAL 1.1.2 catalog (single source of truth) → multiple regulator deliverables. This extends the round-4 EU AI Act Annex IV dossier generator to two additional frameworks, all auto-assembled from the same conformance-verified catalog + live re-run evidence.

What shipped (Tier A — runnable, verified this commit)

  • Shared crosswalk engine crosswalk_common.pyload_catalogs, CONTROL_EVIDENCE, run_conformance (refuses to assemble against a non-conformant catalog), EvidenceRunner (re-runs each control's backing assurance check this run), status_for (SATISFIED / PARTIAL / PENDING-EVIDENCE), resolve_controls.
  • DORA ICT-risk register generate_dora_ict_register.py + dora_framework_map.yaml — DORA (Reg. (EU) 2022/2554) 5-pillar register. 3/5 pillars SATISFIED; P4 (third-party) and P5 (info-sharing) reported as honest coverage gaps (is_coverage_gap: true, PENDING-EVIDENCE) — not hidden.
  • NIST AI RMF crosswalk generate_nist_rmf_crosswalk.py + nist_ai_rmf_map.yaml — NIST AI RMF 1.0 4-function (GOVERN/MAP/MEASURE/MANAGE) crosswalk with per-function coverage analysis. 4/4 functions SATISFIED (100%).
  • Sample outputs committed under governance_artifacts/oscal/generated/.

Honesty guarantees (preserved)

  • Each generator embeds an integrity_statement ("not a DORA conformity attestation" / "not a certification").
  • Both refuse a non-conformant catalog and raise on unknown control ids — falsifiable; negative tests confirm exit 1.
  • DORA P4/P5 gaps are surfaced explicitly, not papered over.

Wiring

  • run_runnable_assurance.sh: 13 → 15 steps (14 = DORA, 15 = NIST).
  • tests/governance: +3 tests → 18 total (DORA gaps reported, NIST full coverage with live evidence, --no-verify does not fabricate SATISFIED).
  • CI: pytest selector adds dora/nist/crosswalk; assembles all 3 deliverables and uploads them as the regulator-deliverables artifact.
  • Docs synced: RUNNABLE_ASSURANCE.md (rows 14-15, "thirteen"→"fifteen"), DECADAL plan (13/13 → 15/15 + 2 verification-ledger rows), pilot P6-REPRO 15/15, oscal/README.md.

Verification (this commit 58c87d87)

Check Command Result
Full assurance suite bash governance_artifacts/run_runnable_assurance.sh 15/15 PASS
Governance tests pytest tests/governance/test_governance_artifacts.py 18 passed
Pilot acceptance gates python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py 6/6 automated PASS (P6-REPRO 15/15)
DORA register generate_dora_ict_register.py 3/5 pillars SATISFIED; P4/P5 gaps; 0 conformance failures
NIST crosswalk generate_nist_rmf_crosswalk.py 4/4 functions SATISFIED (100%); 0 conformance failures

Honesty note: these are assembly-integrity artifacts, not conformity assessments / certifications. ASI "containment" remains a control discipline, not a safety proof.

…ckage & distribute the stack (16th assurance check)

Adds the 'finalize, package, and distribute' step the stack has been building
toward: instead of asserting regulator-readiness in prose, this PRODUCES an
auditable, tamper-evident distribution bundle whose contents are exactly the
artifacts that passed THIS run.

New tool — governance_artifacts/package_distribution_bundle.py:
- Re-runs the 3 OSCAL-native regulator-deliverable generators with LIVE
  evidence (Annex IV dossier, DORA ICT-risk register, NIST AI RMF crosswalk).
- Collects all 6 deliverable artifacts (JSON+MD) into governance_artifacts/dist/.
- Emits MANIFEST.json: per-artifact SHA-256 + byte size, the live
  SATISFIED/PARTIAL/PENDING-EVIDENCE status per unit, declared coverage gaps,
  and a single bundle_sha256 = SHA-256 over the sorted per-artifact digests
  (whole-bundle tamper evidence).
- Writes a regulator-facing DISTRIBUTION_README.md + a guided
  EXECUTION_CHECKLIST.md (command-by-command independent reproduction).
- --with-suite runs the full runnable-assurance suite and gates on it.

Honesty guarantees (falsifiable):
- REFUSES to package (exit 1) if any deliverable reports a catalog-conformance
  failure — verified by a negative test (monkeypatched conformance failure).
- bundle_sha256 recomputes from the per-artifact digests (verified in suite + test).
- Coverage gaps (DORA P4/P5) are reported, never inflated to SATISFIED.
- Explicitly an assembly-integrity + reproducibility bundle, NOT a conformity
  assessment, certification, or safety proof; ASI containment is a control
  discipline, not a guarantee.

Result this run: 6 artifacts across 3 deliverables; 15/17 units SATISFIED;
2 declared gaps (DORA P4/P5); all catalogs conformant.

Wiring:
- run_runnable_assurance.sh: 15 -> 16 steps (step 16 packages the bundle,
  --no-regenerate --print, asserts 3 deliverables / 6 artifacts / digest
  recomputes / all conformant).
- tests/governance: +3 tests -> 21 total (manifest tamper-evidence, DORA gaps
  not hidden, refuses non-conformant deliverable).
- CI: pytest selector adds 'bundle'; packages bundle with --with-suite and
  uploads it as the 'distribution-bundle' artifact (dist/ stays gitignored —
  fully reproducible output).

Docs synced: RUNNABLE_ASSURANCE.md (row 16, fifteen->sixteen), DECADAL plan
(15/15 -> 16/16 + verification-ledger row), pilot P6-REPRO 16/16,
governance_artifacts/README.md (package & distribute section), oscal/README.md.

Verification (this commit):
- bash governance_artifacts/run_runnable_assurance.sh -> 16/16 PASS
- pytest tests/governance/test_governance_artifacts.py -> 21 passed
- pilot acceptance gates -> 6/6 automated PASS (P6-REPRO 16/16)
@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Round 6 — Verified distribution-bundle packager (finalize, package & distribute)

This round closes the one gap your "finalize, package, and distribute" ask highlighted that was thinner than everything else: the stack had many deliverable generators but no single command that assembles the complete, verified, regulator-facing distribution bundle. Now it does — and the bundle's contents are exactly the artifacts that passed this run, each pinned by SHA-256.

What shipped (Tier A — runnable, verified this commit 3f9e4d00)

  • governance_artifacts/package_distribution_bundle.py — re-runs the 3 OSCAL-native deliverable generators with live evidence, collects all 6 artifacts into dist/, and emits:
    • MANIFEST.json — per-artifact SHA-256 + size, per-unit live status (SATISFIED / PARTIAL / PENDING-EVIDENCE), declared coverage gaps, and a single bundle_sha256 = SHA-256 over the sorted per-artifact digests (whole-bundle tamper evidence).
    • DISTRIBUTION_README.md — regulator-facing summary.
    • EXECUTION_CHECKLIST.md — guided, command-by-command independent reproduction.
  • --with-suite runs the full 16-check assurance suite and gates the bundle on it.

Result this run

  • 6 artifacts across 3 deliverables; 15/17 units SATISFIED; 2 declared gaps (DORA P4/P5); all source catalogs conformant.

Honesty guarantees (falsifiable)

  • Refuses to package (exit 1) if any deliverable reports a catalog-conformance failure — proven by a negative test (monkeypatched failure).
  • bundle_sha256 recomputes from the per-artifact digests (asserted in both the suite step and a pytest test).
  • Coverage gaps are reported, never inflated to SATISFIED.
  • Embedded statement: this is an assembly-integrity + reproducibility bundle, NOT a conformity assessment, certification, or safety proof. ASI containment remains a control discipline, not a guarantee.

Wiring

  • run_runnable_assurance.sh: 15 → 16 steps (step 16 = bundle packaging).
  • tests/governance: +3 tests → 21 total (tamper-evidence, DORA gaps not hidden, refuses non-conformant).
  • CI: pytest selector adds bundle; packages with --with-suite and uploads the distribution-bundle artifact (dist/ stays gitignored — fully reproducible output).
  • Docs synced: RUNNABLE_ASSURANCE.md (row 16, "fifteen"→"sixteen"), DECADAL plan (15/15 → 16/16 + ledger row), pilot P6-REPRO 16/16, governance_artifacts/README.md (package & distribute section), oscal/README.md.

Verification (this commit)

Check Command Result
Full assurance suite bash governance_artifacts/run_runnable_assurance.sh 16/16 PASS
Governance tests pytest tests/governance/test_governance_artifacts.py 21 passed
Pilot acceptance gates python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py 6/6 automated PASS (P6-REPRO 16/16)
Distribution bundle python3 governance_artifacts/package_distribution_bundle.py --with-suite 6 artifacts, digest recomputes, all conformant, assurance PASS

A note on scope

Most of the very broad roadmap in the request (zero-trust architecture, confidential-computing attestation, StaR-MoE routing, PQC WORM, zk systemic-risk proofs, TLA+ containment, OSCAL/OPA compliance-as-code, Terraform multi-region, G-SRI, 2028 pilot, 24h monitoring, etc.) already exists as runnable, verified artifacts in this repo from earlier rounds. Rather than re-describe them in prose, this round added the missing packaging/distribution capstone that ties those verified artifacts into one auditable deliverable a G-SIFI could hand to a supervisor.

@difflens

difflens Bot commented Jun 29, 2026

Copy link
Copy Markdown

View changes in DiffLens

…le (content_digest)

Closes a real honesty gap in the round-6 packager: the EXECUTION_CHECKLIST
claimed the bundle digest "matches the value above (timestamps aside)", but
bundle_sha256 in fact changed on EVERY regeneration because each deliverable
embeds a fresh generated_at timestamp. A supervisor following the checklist
would get a different digest each run, undermining the reproducibility claim.

Root cause (verified): the ONLY non-deterministic content in a deliverable is
the ISO-8601 generated_at instant (JSON "generated_at" + Markdown
**Generated:**). All live evidence and everything else is byte-stable.

Fix - two distinct digests, each with a clear purpose:
- bundle_sha256 (provenance / tamper-evidence): SHA-256 over the sorted
  per-artifact BYTE digests. Pins THIS exact build; changes each run. Use to
  detect tampering with a specific distributed bundle.
- content_digest (reproducibility): SHA-256 over the sorted per-artifact
  digests with embedded ISO-8601 instants normalized to a fixed sentinel.
  Depends only on the catalog + live-evidence state, so an independent party
  who re-runs the generators derives the SAME value. VERIFIED stable across 3+
  regenerations (f6fa38c7...) while bundle_sha256 varies.

Each artifact entry now carries both sha256 and content_sha256.

Honesty wording corrected:
- DISTRIBUTION_README.md: new 'Two digests, two purposes' section.
- EXECUTION_CHECKLIST.md: step 4 now says compare the CONTENT digest (stable),
  not bundle_sha256; step 5 adds a runnable standalone command to recompute an
  artifact's content_sha256 (verified to match the manifest).

Wiring:
- run_runnable_assurance.sh step 16: now asserts BOTH digests recompute and
  that they are distinct.
- tests/governance: +2 tests -> 23 total: content_digest reproducible across
  regenerations + recomputes; timestamp normalization changes byte digest only
  (falsifiable - a real content change still moves the normalized digest).
- RUNNABLE_ASSURANCE.md row 16, governance_artifacts/README.md, DECADAL ledger
  row updated to document the two-digest model.

Verification (this commit):
- bash governance_artifacts/run_runnable_assurance.sh -> 16/16 PASS
- pytest tests/governance/test_governance_artifacts.py -> 23 passed
- pilot acceptance gates -> 6/6 automated PASS
- content_digest stable across 3 regenerations; bundle_sha256 varies as intended
@OneFineStarstuff

Copy link
Copy Markdown
Owner Author

Round 7 — Deterministically reproducible distribution bundle (honesty fix)

This round fixes a real honesty gap I found in the round-6 packager rather than adding new surface. It follows the project's core rule: when a claim isn't actually true, fix it transparently, don't paper over it.

The gap

The round-6 EXECUTION_CHECKLIST.md told a supervisor that after re-packaging, the bundle digest "matches the value above (timestamps aside)." In reality, bundle_sha256 changed on every single regeneration — because each deliverable embeds a fresh generated_at timestamp. A supervisor following the checklist would get a different digest each run, which quietly undermined the whole reproducibility/tamper-evidence claim.

I verified this directly: three regenerations produced three different bundle_sha256 values.

Root cause (verified)

The only non-deterministic content in a deliverable is the ISO-8601 generated_at instant (JSON "generated_at" + Markdown **Generated:**). Everything else — including all live evidence — is byte-stable.

The fix — two digests, two clearly-separated purposes

  • bundle_sha256 (provenance / tamper-evidence) — SHA-256 over the sorted per-artifact byte digests. Pins this exact build; changes each run. Detects tampering with a specific distributed bundle.
  • content_digest (reproducibility) — SHA-256 over the sorted per-artifact digests with embedded ISO-8601 instants normalized to a fixed sentinel. Depends only on the catalog + live-evidence state, so an independent party who re-runs the generators derives the same value.

Verified: content_digest was stable (f6fa38c7…) across 3+ regenerations and across separate sessions, while bundle_sha256 varied as intended. Each artifact entry now carries both sha256 and content_sha256.

Honesty wording corrected

  • DISTRIBUTION_README.md: new "Two digests, two purposes" section.
  • EXECUTION_CHECKLIST.md: step 4 now says compare the content digest (stable), not bundle_sha256; step 5 adds a runnable standalone command to recompute an artifact's content_sha256 — verified to match the manifest exactly.

Wiring

  • run_runnable_assurance.sh step 16 now asserts both digests recompute and that they are distinct.
  • tests/governance: +2 tests → 23 totalcontent_digest reproducible across regenerations + recomputes; timestamp-normalization changes the byte digest only (falsifiable: a real content change still moves the normalized digest).
  • Docs: RUNNABLE_ASSURANCE.md row 16, governance_artifacts/README.md, DECADAL verification-ledger row updated to document the two-digest model.

Verification (this commit 2bcc568f)

Check Command Result
Full assurance suite bash governance_artifacts/run_runnable_assurance.sh 16/16 PASS
Governance tests pytest tests/governance/test_governance_artifacts.py 23 passed
Pilot acceptance gates python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py 6/6 automated PASS
Reproducibility packager run 3×, compare digests content_digest stable; bundle_sha256 varies (as designed)

No step count change (still 16 checks) — this round hardens the existing capstone into an actually reproducible deliverable.

@difflens

difflens Bot commented Jul 1, 2026

Copy link
Copy Markdown

View changes in DiffLens

@codacy-production

codacy-production Bot commented Jul 1, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🔴 Issues 6 critical · 10 high · 25 medium · 59 minor

Alerts:
⚠ 100 issues (≤ 0 issues of at least minor severity)

Results:
100 new issues

Category Results
Compatibility 2 medium
UnusedCode 1 medium
BestPractice 5 medium
1 high
Documentation 11 minor
ErrorProne 9 high
CodeStyle 33 minor
Complexity 13 minor
6 critical
17 medium
Comprehensibility 2 minor

View in Codacy

🟢 Metrics 454 complexity · 10 duplication

Metric Results
Complexity 454
Duplication 10

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@difflens

difflens Bot commented Jul 3, 2026

Copy link
Copy Markdown

View changes in DiffLens

@genspark-ai-developer

Copy link
Copy Markdown

Update: 17th assurance check — recipient-side bundle verification + ML-DSA-65 manifest signing (f20c808e)

This completes the distribution-packaging story from checks 13–16 by adding the recipient side: a regulator/supervisor/internal-audit can now verify a received dist/ bundle without trusting the packager.

What's new

  • governance_artifacts/verify_distribution_bundle.py (NEW, standalone)
    • Python stdlib only; deliberately does NOT import the packager — the digest rules (byte SHA-256, timestamp-normalized content SHA-256, sorted-digest bundle digests) are independently re-implemented, so a bug or backdoor in the packager cannot vouch for itself (enforced by an AST import-audit test).
    • 10 named, falsifiable checks: manifest parse, artifact presence, per-artifact byte + content digests, both bundle-level digest recomputations, digest distinctness, manifest-vs-content consistency (unit counts / coverage gaps / conformance recomputed from the bundled deliverable JSONs — a manifest that inflates SATISFIED or hides a gap FAILS), conformance-claim agreement, and optional detached-signature verification.
    • Exit 0 iff every executed check passes; --require-signature turns a missing/unverifiable signature into FAIL (never silently passed).
  • Packager --sign / --signing-key: detached ML-DSA-65 (FIPS 204) MANIFEST.sig.json over the exact MANIFEST.json bytes, with explicit ephemeral-vs-persistent key semantics, embedded public key + SHA-256 fingerprint, and an honesty statement (identity requires out-of-band fingerprint comparison).
  • run_runnable_assurance.sh step 17: packages a signed bundle and verifies it with the independent verifier in strict mode; RUNNABLE_ASSURANCE.md documents the check.

Verification

  • Governance suite: 30/30 tests pass (7 new: happy path, verifier independence, artifact tampering, forged manifest claims, single-byte manifest signature tamper, --require-signature absence, persistent signing-key identity + 0600 perms).
  • Manual e2e: signed bundle → VERIFIED (10 checks PASS); single-byte artifact tamper → FAILED (byte + content digest checks trip), exit 1.

…manifest signing (17th assurance check)

Closes the trust gap left by the round-6/7 packager: a bundle recipient
previously had to trust the packager's own digest arithmetic. This adds the
missing recipient-side half of the distribution story.

New tool — governance_artifacts/verify_distribution_bundle.py:
- Standalone and deliberately INDEPENDENT: stdlib-only (optional
  dilithium-py only for the signature branch) and never imports the
  packager — the digest rules (byte SHA-256, timestamp-normalized content
  SHA-256, sorted-digest bundle digests) are re-implemented from scratch so
  a bug or backdoor in the packager cannot vouch for itself (enforced by an
  AST-based test).
- 10 named, falsifiable checks: manifest-parse, artifact-presence,
  artifact-byte-digest, artifact-content-digest, bundle-digest-recompute,
  content-digest-recompute, digests-distinct, summary-consistency,
  conformance-claims, signature.
- summary-consistency recomputes the manifest's claimed unit counts /
  coverage gaps / conformance from the bundled deliverable JSONs
  themselves — a manifest that inflates units_satisfied or hides a DORA
  P4/P5 gap FAILS even if every digest still recomputes.
- Exit 0 iff every executed check passes; missing dilithium-py reports the
  signature check SKIPPED (never silently passed); --require-signature
  turns absence/skip into FAIL.

Packager — package_distribution_bundle.py --sign / --signing-key:
- Emits a detached ML-DSA-65 (FIPS 204) MANIFEST.sig.json over the EXACT
  MANIFEST.json bytes, embedding the public key + its SHA-256 fingerprint.
- Honest key semantics: --signing-key FILE persists one signing identity
  (0600) so fingerprints are stable across bundles; without it the key is
  EPHEMERAL and the signature file says so (key_persistence) — it then
  proves integrity-since-packaging, not identity. Identity always requires
  an out-of-band fingerprint comparison (stated in the artifact).

Wiring:
- run_runnable_assurance.sh: 16 -> 17 steps. Step 17 packages a signed
  bundle and verifies it with the independent verifier in strict
  --require-signature mode, asserting all 10 checks PASS.
- Generated DISTRIBUTION_README.md + EXECUTION_CHECKLIST.md now include a
  'verify as received' section / step 6 for the recipient.
- RUNNABLE_ASSURANCE.md: row 17 documented.
- Refreshed generated OSCAL deliverables from the final suite run.

Tamper negatives (all verified by tests, 30/30 governance tests pass):
- Artifact byte edit -> artifact-byte-digest + artifact-content-digest FAIL.
- Forged manifest claims (inflated SATISFIED, hidden gaps) ->
  summary-consistency FAILs (and the signature breaks).
- Single-byte whitespace change to MANIFEST.json with digests intact ->
  ONLY the ML-DSA-65 signature check fails (precise localization).
- --require-signature on an unsigned bundle -> FAILED with explicit error.
- Persistent-key double-signing -> identical public-key fingerprints; both
  bundles VERIFIED in strict mode.

Full suite result: 17/17 runnable assurance checks PASS.
@difflens

difflens Bot commented Jul 3, 2026

Copy link
Copy Markdown

View changes in DiffLens

…against a digest-protected ledger (18th assurance check)

The OSCAL catalogs declare per-control freshness-sla props (env-01 PT5M,
cry-02/rte-01 P1D, con-07 P7D, cry-05 P3M, con-04 P1D/P90D) but check C3
only validated their FORMAT — nothing recorded when evidence was produced
and nothing failed when it went stale. The SLA was prose. This makes it
enforced.

New tool — governance_artifacts/check_evidence_freshness.py:
- --run executes every control's mapped runnable assurance check using the
  SAME single-source-of-truth CONTROL_EVIDENCE map the regulator deliverable
  generators use (no parallel drift-prone map) and writes a freshness ledger
  (oscal/generated/evidence_freshness_ledger.json) recording pass/fail, the
  UTC instant evidence was produced, and duration. Entries are protected by
  a SHA-256 ledger digest over the canonical entries JSON.
- --audit enforces each catalog-declared SLA against those instants with
  named, falsifiable checks: ledger-digest, evidence-recorded,
  evidence-passed, evidence-fresh. Per-control statuses: FRESH / STALE /
  FAILED / NOT-RECORDED / FUTURE-DATED / SLA-MISSING / SLA-MALFORMED /
  NOT-RUNNABLE. Exit 0 iff every runnable control is recorded, passed and
  fresh with an intact digest.
- Honest semantics: organisational-evidence controls (env-02) are disclosed
  NOT-RUNNABLE, never counted fresh and never silently passed; a failed
  check is never fresh; future-dated evidence (forged timestamp/clock skew)
  fails; a missing ledger fails, never passes vacuously. Stated conversion
  convention (1M=30d, 1Y=365d; compound P1D/P90D enforces the first period)
  so audits are reproducible. The ledger digest detects casual edits, is
  NOT a signature — pair with the ML-DSA-65-signed bundle (checks 16/17)
  for signed provenance. --as-of enables reproducible point-in-time audits.

Wiring:
- run_runnable_assurance.sh: 17 -> 18 steps. Step 18 runs --run --audit
  --print and asserts PASS, intact digest, zero failing controls, all
  runnable controls FRESH, and >=1 organisational control disclosed.
- RUNNABLE_ASSURANCE.md: row 18 documents the gate and its honesty limits.

Tests (tests/governance/test_governance_artifacts.py — round 8, +7):
- SLA parser conventions (PT5M=300s, P3M=90d, P1D/P90D first period;
  malformed P/PT/5M/P-1D/'' rejected).
- Fresh synthetic ledger -> PASS with env-02 disclosed NOT-RUNNABLE.
- Auditing 10 min later flips env-01 (PT5M) STALE and fails the gate while
  cry-05 (P3M) stays FRESH — SLA granularity actually matters.
- Timestamp edit without re-digesting -> ledger-digest MISMATCH -> FAIL.
- passed=false is never FRESH; future-dated evidence FAILs; a control
  missing from the ledger is NOT-RECORDED; missing ledger file FAILs.
- Single-source-of-truth check: every runnable CONTROL_EVIDENCE control
  with a declared SLA is covered by the committed ledger.

Full suite result: 18/18 runnable assurance checks PASS; 37/37 governance
tests PASS.
@difflens

difflens Bot commented Jul 5, 2026

Copy link
Copy Markdown

View changes in DiffLens

1 similar comment
@difflens

difflens Bot commented Jul 5, 2026

Copy link
Copy Markdown

View changes in DiffLens

@OneFineStarstuff OneFineStarstuff merged commit 835ef34 into main Jul 5, 2026
45 of 66 checks passed
@OneFineStarstuff OneFineStarstuff deleted the genspark_ai_developer branch July 5, 2026 13:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation next-app python Pull requests that update python code size/XXL

Development

Successfully merging this pull request may close these issues.

3 participants