OneFineStarstuff
diff --git a/‎.github/workflows/runnable-assurance.yml‎
Lines changed: 8 additions & 5 deletions b/‎.github/workflows/runnable-assurance.yml‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎governance_artifacts/RUNNABLE_ASSURANCE.md‎
Lines changed: 3 additions & 1 deletion b/‎governance_artifacts/RUNNABLE_ASSURANCE.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎governance_artifacts/oscal/README.md‎
Lines changed: 17 additions & 4 deletions b/‎governance_artifacts/oscal/README.md‎
Lines changed: 17 additions & 4 deletions
diff --git a/‎governance_artifacts/oscal/crosswalk_common.py‎
Lines changed: 206 additions & 0 deletions b/‎governance_artifacts/oscal/crosswalk_common.py‎
Lines changed: 206 additions & 0 deletions
diff --git a/‎governance_artifacts/oscal/dora_framework_map.yaml‎
Lines changed: 57 additions & 0 deletions b/‎governance_artifacts/oscal/dora_framework_map.yaml‎
Lines changed: 57 additions & 0 deletions
@@ -91,21 +91,24 @@ jobs:
           pytest governance_artifacts/routing/test_sara_acr_router.py -q
           pytest governance_artifacts/kafka/test_pqc_worm_logger_v2.py -q
           pytest governance_blueprint/contracts/test_contract_logic.py -q
-          pytest tests/governance/test_governance_artifacts.py -q -k "oscal or annex"
+          pytest tests/governance/test_governance_artifacts.py -q -k "oscal or annex or dora or nist or crosswalk"
 
       - name: Run runnable assurance suite
         run: bash governance_artifacts/run_runnable_assurance.sh
 
       - name: 2028 pilot acceptance-gate checklist
         run: python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py
 
-      - name: Assemble Annex IV dossier (live evidence) and upload
-        run: python3 governance_artifacts/oscal/generate_annex_iv_dossier.py
+      - name: Assemble regulator deliverables (live evidence)
+        run: |
+          python3 governance_artifacts/oscal/generate_annex_iv_dossier.py
+          python3 governance_artifacts/oscal/generate_dora_ict_register.py
+          python3 governance_artifacts/oscal/generate_nist_rmf_crosswalk.py
 
-      - name: Upload Annex IV dossier artifact
+      - name: Upload regulator deliverables artifact
         uses: actions/upload-artifact@v4
         with:
-          name: annex-iv-dossier
+          name: regulator-deliverables
           path: governance_artifacts/oscal/generated/
 
   dashboard-tests:
 
@@ -17,7 +17,7 @@ the master reference documents assert that a control "holds," the artifacts here
 bash governance_artifacts/run_runnable_assurance.sh
 ```
 
-Runs all thirteen checks below and fails fast on any error.
+Runs all fifteen checks below and fails fast on any error.
 
 ## What is proven, and against which control
 
@@ -36,6 +36,8 @@ Runs all thirteen checks below and fails fast on any error.
 | 11 | Governance artifact schema validation | Python validator | manifest/schema integrity | OSCAL, evidence logging (EU AI Act Art. 12) |
 | 12 | OSCAL catalog conformance — every control's `tla-spec` / `rego-policy` / `circuit` / `simulator` prop resolves to a real in-repo artifact; every regime `#href` resolves to a back-matter anchor (no dangling references); `feasibility-tier ∈ {A,B,C,D}`; `freshness-sla` is a valid ISO-8601 duration (43 cross-reference checks, falsifiable) | Python (`oscal_conformance.py`) + pytest | all `con-*`, `cry-*`, `env-*`, `rte-*` | OSCAL 1.1.2 compliance-as-code integrity (EU AI Act Annex IV, NIST AI RMF, DORA, Basel, SR 11-7) |
 | 13 | Annex IV dossier auto-assembly — builds an OSCAL-native 8-section (A–H) EU AI Act technical-documentation dossier from the conformant catalog + live assurance evidence; refuses to run on a non-conformant catalog or unknown control id; never marks a section SATISFIED without a green runnable check | Python (`generate_annex_iv_dossier.py`) + pytest | all controls → Annex IV §A–H | EU AI Act Annex IV technical documentation (auto-assembled deliverable) |
+| 14 | DORA ICT-risk register auto-assembly — builds a 5-pillar (P1–P5) DORA register from the same catalog + live evidence; reports P4/P5 as honest coverage gaps; same refusal/honesty guarantees | Python (`generate_dora_ict_register.py`) + pytest | `env-*`, `cry-02`, `con-04/07` → DORA pillars | DORA (Reg. (EU) 2022/2554) ICT-risk register (auto-assembled deliverable) |
+| 15 | NIST AI RMF profile crosswalk auto-assembly — builds a 4-function (GOVERN/MAP/MEASURE/MANAGE) crosswalk with per-function coverage analysis from the same catalog + live evidence; same refusal/honesty guarantees | Python (`generate_nist_rmf_crosswalk.py`) + pytest | all controls → NIST AI RMF functions | NIST AI RMF 1.0 coverage crosswalk (auto-assembled deliverable) |
 
 ### Companion reviews & plan (this iteration)
 
 
@@ -11,9 +11,16 @@ honest and turn them into regulator deliverables.
 | `catalog_sentinel_v24_env_rte.json` | OSCAL 1.1.2 catalog — Confidential-computing (ENV) + MoE-routing (RTE) controls, with regime back-matter. |
 | `sentinel_control_catalog_v1.yaml` | Higher-level control families + regulatory mapping (legacy/companion view). |
 | `oscal_conformance.py` | **Conformance validator** — verifies every control's `tla-spec` / `rego-policy` / `circuit` / `simulator` prop resolves to a real in-repo artifact, every regime `#href` resolves to a back-matter anchor, `feasibility-tier ∈ {A,B,C,D}`, and `freshness-sla` is a valid ISO-8601 duration. |
+| `crosswalk_common.py` | **Shared crosswalk engine** — one source of truth for catalog loading, the control→live-evidence map, the conformance gate, and the evidence-status rule. Reused by all three generators. |
 | `annex_iv_section_map.yaml` | Auditable map: each EU AI Act Annex IV section (A–H) → the OSCAL control ids that evidence it, plus a provider narrative. |
+| `dora_framework_map.yaml` | Auditable map: each DORA pillar (P1–P5) → controls + register narrative. |
+| `nist_ai_rmf_map.yaml` | Auditable map: each NIST AI RMF function (GOVERN/MAP/MEASURE/MANAGE) → controls + crosswalk narrative. |
 | `generate_annex_iv_dossier.py` | **Dossier generator** — auto-assembles an OSCAL-native Annex IV technical-documentation dossier from the catalogs + live assurance evidence. |
-| `generated/annex_iv_dossier.{json,md}` | Sample auto-assembled dossier (regenerate any time; `generated_at` changes per run). |
+| `generate_dora_ict_register.py` | **DORA register generator** — auto-assembles a scoped DORA ICT-risk register; reports P4/P5 as coverage gaps. |
+| `generate_nist_rmf_crosswalk.py` | **NIST RMF crosswalk generator** — auto-assembles a NIST AI RMF coverage crosswalk with per-function coverage analysis. |
+| `generated/annex_iv_dossier.{json,md}` | Sample auto-assembled Annex IV dossier (regenerate any time; `generated_at` changes per run). |
+| `generated/dora_ict_register.{json,md}` | Sample auto-assembled DORA ICT-risk register. |
+| `generated/nist_ai_rmf_crosswalk.{json,md}` | Sample auto-assembled NIST AI RMF crosswalk. |
 
 ## Run it
 
@@ -27,12 +34,18 @@ python3 governance_artifacts/oscal/generate_annex_iv_dossier.py
 #   -> generated/annex_iv_dossier.json  (machine-readable)
 #   -> generated/annex_iv_dossier.md    (human-readable)
 
-# Faster, assembly-only (does NOT run backing checks; no section reported SATISFIED)
+# 3. Assemble the multi-framework deliverables from the SAME verified catalog
+python3 governance_artifacts/oscal/generate_dora_ict_register.py   # DORA ICT-risk register (5 pillars)
+python3 governance_artifacts/oscal/generate_nist_rmf_crosswalk.py  # NIST AI RMF crosswalk (4 functions)
+
+# Faster, assembly-only (does NOT run backing checks; nothing reported SATISFIED)
 python3 governance_artifacts/oscal/generate_annex_iv_dossier.py --no-verify
 ```
 
-Both tools are wired into `governance_artifacts/run_runnable_assurance.sh`
-(steps 12 and 13) and into CI.
+All four tools are wired into `governance_artifacts/run_runnable_assurance.sh`
+(steps 12–15) and into CI. One verified source of truth (the OSCAL catalog)
+produces three regulator deliverables — Annex IV, DORA, NIST AI RMF — that can
+never drift from each other because they share `crosswalk_common.py`.
 
 ## Evidence-status semantics (honesty model)
 
 
@@ -0,0 +1,206 @@
+#!/usr/bin/env python3
+"""
+Shared crosswalk engine for OSCAL-native regulator deliverables.
+
+One source of truth for:
+  - loading the Sentinel OSCAL catalogs into enriched control dicts
+    (statement, feasibility-tier, freshness-sla, evidence-query, resolved
+    regime citations);
+  - the control -> live assurance-evidence map (CONTROL_EVIDENCE) and a
+    cached runner that records whether each control's backing check passed;
+  - the OSCAL conformance gate (refuse to assemble on a non-conformant catalog).
+
+Used by:
+  generate_annex_iv_dossier.py     (EU AI Act Annex IV)
+  generate_dora_ict_register.py    (DORA ICT-risk register)
+  generate_nist_rmf_crosswalk.py   (NIST AI RMF profile crosswalk)
+
+Evidence-status semantics (shared honesty model):
+  SATISFIED         - >=1 mapped control whose runnable check passed this run.
+  PARTIAL           - has runnable-backed controls but none passed this run.
+  PENDING-EVIDENCE  - mapped only to organisational/hardware evidence, or no
+                      controls mapped (i.e. a genuine coverage gap).
+"""
+from __future__ import annotations
+
+import json
+import subprocess
+import sys
+from datetime import datetime, timezone
+from pathlib import Path
+
+OSCAL_DIR = Path(__file__).resolve().parent
+GA_DIR = OSCAL_DIR.parent
+REPO_ROOT = GA_DIR.parent
+DEFAULT_CATALOGS = [
+    "catalog_sentinel_v24_excerpt.json",
+    "catalog_sentinel_v24_env_rte.json",
+]
+
+# Control -> live assurance evidence. `kind` describes the evidence character
+# truthfully; `command` is what a regulator re-runs (None = organisational
+# evidence, reported PENDING). Kept here so all generators agree on what each
+# control's evidence actually is.
+CONTROL_EVIDENCE = {
+    "con-04": {
+        "check": "TLA+ KillSwitchAbstract reachability / dead-man's switch",
+        "kind": "model-checked",
+        "command": "java -cp governance_artifacts/tla/tools/tla2tools.jar tlc2.TLC "
+                   "-config governance_artifacts/tla/KillSwitchAbstract.cfg "
+                   "governance_artifacts/tla/KillSwitchAbstract.tla",
+    },
+    "con-07": {
+        "check": "TLA+ KillSwitchAbstract one-way ratchet (ASA cannot de-escalate)",
+        "kind": "model-checked",
+        "command": "java -cp governance_artifacts/tla/tools/tla2tools.jar tlc2.TLC "
+                   "-config governance_artifacts/tla/KillSwitchAbstract.cfg "
+                   "governance_artifacts/tla/KillSwitchAbstract.tla",
+    },
+    "cry-02": {
+        "check": "PQC WORM audit log (ML-DSA-65 sign + hash chain + tamper detect)",
+        "kind": "cryptographically-verified",
+        "command": "python3 -m pytest governance_artifacts/kafka/test_pqc_worm_logger_v2.py -q",
+    },
+    "cry-05": {
+        "check": "SRC-1 Groth16 systemic-risk concentration bound proof",
+        "kind": "zk-proven",
+        "command": "bash governance_artifacts/zk/run_src1_proof.sh",
+    },
+    "env-01": {
+        "check": "TLA+ AdmissionWithAttestation (no T0 run without valid attestation)",
+        "kind": "model-checked",
+        "command": "java -cp governance_artifacts/tla/tools/tla2tools.jar tlc2.TLC "
+                   "-config governance_artifacts/tla/AdmissionWithAttestation.cfg "
+                   "governance_artifacts/tla/AdmissionWithAttestation.tla",
+    },
+    "env-02": {
+        "check": "Enclave-bound PQC key custody (hardware-dependent)",
+        "kind": "organisational-record-PENDING",
+        "command": None,
+    },
+    "rte-01": {
+        "check": "SARA/ACR MoE routing stabilization invariants",
+        "kind": "simulated",
+        "command": "python3 -m pytest governance_artifacts/routing/test_sara_acr_router.py -q",
+    },
+}
+
+
+def now_iso() -> str:
+    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+
+def load_catalogs(catalog_names: list[str] | None = None) -> dict[str, dict]:
+    """Return {control_id: enriched control dict} across the named catalogs."""
+    names = catalog_names or DEFAULT_CATALOGS
+    controls: dict[str, dict] = {}
+    for name in names:
+        path = OSCAL_DIR / name
+        if not path.is_file():
+            raise FileNotFoundError(f"catalog not found: {path}")
+        cat = json.loads(path.read_text())["catalog"]
+        anchors = {r["uuid"]: r.get("title", r["uuid"])
+                   for r in cat.get("back-matter", {}).get("resources", [])
+                   if r.get("uuid")}
+
+        def walk(groups):
+            for g in groups:
+                for c in g.get("controls", []):
+                    props = {p["name"]: p["value"] for p in c.get("props", [])}
+                    stmt = next((p["prose"] for p in c.get("parts", [])
+                                 if p.get("name") == "statement"), "")
+                    regimes = []
+                    for link in c.get("links", []):
+                        href = link.get("href", "")
+                        if href.startswith("#"):
+                            a = href[1:]
+                            regimes.append({
+                                "rel": link.get("rel", "regime"),
+                                "anchor": a,
+                                "citation": anchors.get(a, a),
+                            })
+                    controls[c["id"]] = {
+                        "id": c["id"],
+                        "title": c.get("title", ""),
+                        "statement": stmt,
+                        "catalog": name,
+                        "feasibility_tier": props.get("feasibility-tier"),
+                        "freshness_sla": props.get("freshness-sla"),
+                        "evidence_query": props.get("evidence-query"),
+                        "regimes": regimes,
+                    }
+                walk(g.get("groups", []))
+        walk(cat.get("groups", []))
+    return controls
+
+
+def run_conformance() -> dict:
+    """Run oscal_conformance.py --json; raise if non-conformant."""
+    proc = subprocess.run(
+        [sys.executable, str(OSCAL_DIR / "oscal_conformance.py"), "--json"],
+        cwd=REPO_ROOT, capture_output=True, text=True,
+    )
+    if proc.returncode != 0:
+        raise RuntimeError(
+            "OSCAL conformance failed; refusing to assemble a deliverable on a "
+            f"non-conformant catalog:\n{proc.stdout}\n{proc.stderr}"
+        )
+    return json.loads(proc.stdout)
+
+
+class EvidenceRunner:
+    """Runs (and caches) each control's backing assurance check."""
+
+    def __init__(self, verify: bool = True):
+        self.verify = verify
+        self._cache: dict[str, bool | None] = {}
+
+    def evidence(self, control_id: str) -> dict:
+        desc = CONTROL_EVIDENCE.get(control_id, {
+            "check": "(no runnable check mapped)",
+            "kind": "organisational-record-PENDING",
+            "command": None,
+        })
+        if control_id not in self._cache:
+            if self.verify and desc["command"]:
+                proc = subprocess.run(desc["command"], cwd=REPO_ROOT, shell=True,
+                                      capture_output=True, text=True)
+                self._cache[control_id] = proc.returncode == 0
+            else:
+                self._cache[control_id] = None
+        return {
+            "control_id": control_id,
+            "check": desc["check"],
+            "evidence_kind": desc["kind"],
+            "command": desc["command"],
+            "passed": self._cache[control_id],
+        }
+
+
+def status_for(control_entries: list[dict]) -> str:
+    """Shared evidence-status rule given a section/element's resolved controls
+    (each carrying a 'live_evidence' dict)."""
+    if not control_entries:
+        return "PENDING-EVIDENCE"
+    any_passed = any(c["live_evidence"]["passed"] is True for c in control_entries)
+    any_runnable = any(c["live_evidence"]["command"] for c in control_entries)
+    if any_passed:
+        return "SATISFIED"
+    if any_runnable:
+        return "PARTIAL"
+    return "PENDING-EVIDENCE"
+
+
+def resolve_controls(control_ids: list[str], catalog: dict[str, dict],
+                     runner: EvidenceRunner) -> tuple[list[dict], list[str]]:
+    """Resolve control ids -> enriched entries with live_evidence. Returns
+    (resolved, unknown_ids)."""
+    resolved, unknown = [], []
+    for cid in control_ids:
+        if cid not in catalog:
+            unknown.append(cid)
+            continue
+        entry = dict(catalog[cid])
+        entry["live_evidence"] = runner.evidence(cid)
+        resolved.append(entry)
+    return resolved, unknown
@@ -0,0 +1,57 @@
+# DORA (Regulation (EU) 2022/2554) ICT-risk-register framework map.
+#
+# Auditable bridge: each of the five DORA pillars -> the Sentinel OSCAL control
+# ids that provide evidence for it, plus a register narrative. The generator
+# (generate_dora_ict_register.py) consumes this and attaches LIVE assurance
+# evidence per control.
+#
+# Pillars with no in-scope control are reported as coverage GAPS (PENDING-
+# EVIDENCE), not silently dropped — DORA conformance for a real institution is
+# far broader than the AI-governance control surface modelled here.
+#
+# Control ids must exist in a catalog under governance_artifacts/oscal/; the
+# generator fails on any unknown id (no dangling references).
+framework: "DORA — Regulation (EU) 2022/2554"
+scope_note: >
+  This register scopes DORA ICT-risk pillars to the AI-governance control surface
+  of the Sentinel stack only. It is NOT a complete institutional DORA register;
+  enterprise ICT scope (networks, endpoints, core banking) is out of scope here.
+catalogs:
+  - catalog_sentinel_v24_excerpt.json
+  - catalog_sentinel_v24_env_rte.json
+pillars:
+  - id: P1
+    name: "ICT risk management framework (Arts. 5-16)"
+    narrative: >
+      Hardware-attested admission and enclave-bound key custody establish the
+      ICT control baseline for the AI execution environment; PQC-signed evidence
+      protects the integrity of the risk-management record.
+    controls: [env-01, env-02, cry-02]
+  - id: P2
+    name: "ICT-related incident management, classification & reporting (Arts. 17-23)"
+    narrative: >
+      The tamper-evident PQC WORM audit log provides the append-only,
+      cryptographically verifiable incident record DORA requires; containment
+      reachability ensures incidents can be terminally actuated.
+    controls: [cry-02, con-04]
+  - id: P3
+    name: "Digital operational resilience testing (Arts. 24-27)"
+    narrative: >
+      The containment kill-switch ratchet is verified by model checking (daily
+      reachability) and by quarterly live-actuation testing on canaries —
+      DORA advanced-testing evidence for the terminal AI risk control.
+    controls: [con-04, con-07]
+  - id: P4
+    name: "ICT third-party risk management (Arts. 28-44)"
+    narrative: >
+      Third-party / GPAI-provider assurance (supplier attestation, contractual
+      auditability, exit plans) is an organisational control surface not yet
+      represented by a runnable Sentinel control — reported as a coverage gap.
+    controls: []
+  - id: P5
+    name: "Information & intelligence sharing (Art. 45)"
+    narrative: >
+      Cross-institution threat/intelligence sharing maps to the GIEN / SIP v3.0
+      federated layer (Tier C, design-stage); no Tier-A runnable control backs
+      it yet — reported as a coverage gap.
+    controls: []