OneFineStarstuff
diff --git a/‎.github/workflows/runnable-assurance.yml‎
Lines changed: 11 additions & 2 deletions b/‎.github/workflows/runnable-assurance.yml‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎governance_artifacts/RUNNABLE_ASSURANCE.md‎
Lines changed: 2 additions & 1 deletion b/‎governance_artifacts/RUNNABLE_ASSURANCE.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎governance_artifacts/oscal/README.md‎
Lines changed: 57 additions & 0 deletions b/‎governance_artifacts/oscal/README.md‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎governance_artifacts/oscal/annex_iv_section_map.yaml‎
Lines changed: 82 additions & 0 deletions b/‎governance_artifacts/oscal/annex_iv_section_map.yaml‎
Lines changed: 82 additions & 0 deletions
@@ -86,19 +86,28 @@ jobs:
           circom circuits/src1_concentration_bound.circom --r1cs --wasm --sym --O0 -o circuits/
           circom circuits/src_fair1_reason_code_check.circom --r1cs --wasm --sym --O0 -o circuits/
 
-      - name: Unit tests (routing + PQC WORM + contract logic + OSCAL conformance)
+      - name: Unit tests (routing + PQC WORM + contract logic + OSCAL conformance + Annex IV dossier)
         run: |
           pytest governance_artifacts/routing/test_sara_acr_router.py -q
           pytest governance_artifacts/kafka/test_pqc_worm_logger_v2.py -q
           pytest governance_blueprint/contracts/test_contract_logic.py -q
-          pytest tests/governance/test_governance_artifacts.py -q -k oscal
+          pytest tests/governance/test_governance_artifacts.py -q -k "oscal or annex"
 
       - name: Run runnable assurance suite
         run: bash governance_artifacts/run_runnable_assurance.sh
 
       - name: 2028 pilot acceptance-gate checklist
         run: python3 governance_artifacts/pilot/run_pilot_acceptance_gates.py
 
+      - name: Assemble Annex IV dossier (live evidence) and upload
+        run: python3 governance_artifacts/oscal/generate_annex_iv_dossier.py
+
+      - name: Upload Annex IV dossier artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: annex-iv-dossier
+          path: governance_artifacts/oscal/generated/
+
   dashboard-tests:
     name: Dashboard security tests (next-app)
     runs-on: ubuntu-latest
 
@@ -17,7 +17,7 @@ the master reference documents assert that a control "holds," the artifacts here
 bash governance_artifacts/run_runnable_assurance.sh
 ```
 
-Runs all twelve checks below and fails fast on any error.
+Runs all thirteen checks below and fails fast on any error.
 
 ## What is proven, and against which control
 
@@ -35,6 +35,7 @@ Runs all twelve checks below and fails fast on any error.
 | 10 | OmegaActual contract hardening — both contracts compile (0 warnings); 7 logic tests prove original exploitable & hardened blocks SEC-01..06 | solc 0.8.26 + pytest | `con-07` settlement | EU AI Act Art. 14, DORA |
 | 11 | Governance artifact schema validation | Python validator | manifest/schema integrity | OSCAL, evidence logging (EU AI Act Art. 12) |
 | 12 | OSCAL catalog conformance — every control's `tla-spec` / `rego-policy` / `circuit` / `simulator` prop resolves to a real in-repo artifact; every regime `#href` resolves to a back-matter anchor (no dangling references); `feasibility-tier ∈ {A,B,C,D}`; `freshness-sla` is a valid ISO-8601 duration (43 cross-reference checks, falsifiable) | Python (`oscal_conformance.py`) + pytest | all `con-*`, `cry-*`, `env-*`, `rte-*` | OSCAL 1.1.2 compliance-as-code integrity (EU AI Act Annex IV, NIST AI RMF, DORA, Basel, SR 11-7) |
+| 13 | Annex IV dossier auto-assembly — builds an OSCAL-native 8-section (A–H) EU AI Act technical-documentation dossier from the conformant catalog + live assurance evidence; refuses to run on a non-conformant catalog or unknown control id; never marks a section SATISFIED without a green runnable check | Python (`generate_annex_iv_dossier.py`) + pytest | all controls → Annex IV §A–H | EU AI Act Annex IV technical documentation (auto-assembled deliverable) |
 
 ### Companion reviews & plan (this iteration)
 
 
@@ -0,0 +1,57 @@
+# Sentinel OSCAL tooling
+
+Machine-readable control catalogs (OSCAL 1.1.2) plus the tools that keep them
+honest and turn them into regulator deliverables.
+
+## Files
+
+| File | Purpose |
+|------|---------|
+| `catalog_sentinel_v24_excerpt.json` | OSCAL 1.1.2 catalog — Containment (CON) + Cryptographic-evidence (CRY) controls, with regime back-matter. |
+| `catalog_sentinel_v24_env_rte.json` | OSCAL 1.1.2 catalog — Confidential-computing (ENV) + MoE-routing (RTE) controls, with regime back-matter. |
+| `sentinel_control_catalog_v1.yaml` | Higher-level control families + regulatory mapping (legacy/companion view). |
+| `oscal_conformance.py` | **Conformance validator** — verifies every control's `tla-spec` / `rego-policy` / `circuit` / `simulator` prop resolves to a real in-repo artifact, every regime `#href` resolves to a back-matter anchor, `feasibility-tier ∈ {A,B,C,D}`, and `freshness-sla` is a valid ISO-8601 duration. |
+| `annex_iv_section_map.yaml` | Auditable map: each EU AI Act Annex IV section (A–H) → the OSCAL control ids that evidence it, plus a provider narrative. |
+| `generate_annex_iv_dossier.py` | **Dossier generator** — auto-assembles an OSCAL-native Annex IV technical-documentation dossier from the catalogs + live assurance evidence. |
+| `generated/annex_iv_dossier.{json,md}` | Sample auto-assembled dossier (regenerate any time; `generated_at` changes per run). |
+
+## Run it
+
+```bash
+# 1. Verify catalog cross-reference integrity (43 checks; falsifiable)
+python3 governance_artifacts/oscal/oscal_conformance.py            # human
+python3 governance_artifacts/oscal/oscal_conformance.py --json     # machine
+
+# 2. Assemble the Annex IV dossier with LIVE evidence (re-runs backing checks)
+python3 governance_artifacts/oscal/generate_annex_iv_dossier.py
+#   -> generated/annex_iv_dossier.json  (machine-readable)
+#   -> generated/annex_iv_dossier.md    (human-readable)
+
+# Faster, assembly-only (does NOT run backing checks; no section reported SATISFIED)
+python3 governance_artifacts/oscal/generate_annex_iv_dossier.py --no-verify
+```
+
+Both tools are wired into `governance_artifacts/run_runnable_assurance.sh`
+(steps 12 and 13) and into CI.
+
+## Evidence-status semantics (honesty model)
+
+The dossier never marks a section satisfied on prose alone:
+
+| Status | Meaning |
+|--------|---------|
+| `SATISFIED` | ≥1 mapped control whose **runnable** assurance check passed in this run. |
+| `PARTIAL` | Has runnable-backed controls but none passed in this run. |
+| `PENDING-EVIDENCE` | Mapped only to organisational / hardware-dependent evidence not yet attached (e.g. `env-02` enclave key custody), or no controls mapped. |
+
+`generate_annex_iv_dossier.py` **refuses to run** if the catalog is not conformant
+or if `annex_iv_section_map.yaml` references a control id that does not exist in
+any catalog — so the dossier can only ever be built from real, resolvable controls.
+
+## Integrity statement
+
+These artifacts verify **assembly integrity** — that the dossier is built only
+from real controls and currently-passing checks. They are **not** a conformity
+assessment and do **not** assert that the institution is compliant with the EU AI
+Act. Feasibility tiers (A verified now / B needs hardware / C 2026–2030 standards /
+D speculative 2030–2035) are carried through to the dossier verbatim.
@@ -0,0 +1,82 @@
+# EU AI Act Annex IV technical-documentation section -> Sentinel OSCAL control map.
+#
+# This file is the auditable bridge between the eight Annex IV technical-
+# documentation sections (Regulation (EU) 2024/1689, Annex IV §1-9 condensed to
+# A-H as used by annex_iv_technical_documentation_template.json) and the
+# machine-readable controls in the Sentinel OSCAL catalogs.
+#
+# The dossier generator (generate_annex_iv_dossier.py) consumes this map. Each
+# section lists:
+#   - controls : OSCAL control ids that provide evidence for the section.
+#   - narrative: a short provider statement (the generator inserts it verbatim).
+# A section with no resolved control evidence is reported PENDING-EVIDENCE by the
+# generator rather than being silently marked complete.
+#
+# Control ids must exist in one of the catalogs under governance_artifacts/oscal/;
+# the generator fails if a referenced control id is unknown (no dangling refs).
+annex_iv_version: "Regulation (EU) 2024/1689, Annex IV"
+catalogs:
+  - catalog_sentinel_v24_excerpt.json
+  - catalog_sentinel_v24_env_rte.json
+sections:
+  - id: A
+    name: "General system description"
+    narrative: >
+      The system is the Sentinel AI Governance Stack v2.4 supervisory control
+      plane mediating high-risk (T0/T1) foundation-model decisions for a G-SIFI.
+      Intended purpose, deployers and risk classification are taken from the
+      model registry; the catalog ENV/RTE/CON/CRY control groups scope the
+      governed surface.
+    controls: [env-01, rte-01]
+  - id: B
+    name: "Design and development specifications"
+    narrative: >
+      Routing stability (SARA/ACR) and attested admission are specified as
+      machine-checkable invariants with named TLA+ models and a runnable
+      simulator; design decisions are evidenced by the verified artifacts.
+    controls: [rte-01, env-01]
+  - id: C
+    name: "Data requirements and governance"
+    narrative: >
+      Evidence envelopes and consent/lineage records are cryptographically
+      signed and hash-chained; PQC dual-signature (cry-02) protects the
+      governance data plane. Dataset lineage itself is an organisational record
+      (PENDING-EVIDENCE here until the lineage export is attached).
+    controls: [cry-02]
+  - id: D
+    name: "Risk management system"
+    narrative: >
+      Systemic-risk concentration (HHI) is bounded by a zk attestation (cry-05)
+      and the global containment ratchet (con-04/con-07) provides the terminal
+      risk control. The G-SRI index drives continuous risk posture.
+    controls: [cry-05, con-04, con-07]
+  - id: E
+    name: "Post-market monitoring"
+    narrative: >
+      Continuous monitoring is provided by the 24h G-SRI monitor and the
+      tamper-evident PQC WORM audit log (cry-02), giving an append-only,
+      verifiable post-market record.
+    controls: [cry-02]
+  - id: F
+    name: "Human oversight measures"
+    narrative: >
+      Containment de-escalation and terminal actuation require human dual-control
+      quorum; Autonomous Supervisory Agents can only raise containment, never
+      lower it (con-07 one-way ratchet), with kill-switch reachability verified
+      (con-04).
+    controls: [con-07, con-04]
+  - id: G
+    name: "Performance and limitations"
+    narrative: >
+      Routing-stability thresholds (entropy/load/drop) are explicit and enforced
+      (rte-01); breaches block model-revision promotion. Known limitations and
+      feasibility tiers are carried on each control as OSCAL props.
+    controls: [rte-01]
+  - id: H
+    name: "Cybersecurity and resilience"
+    narrative: >
+      Hardware-attested execution (SEV-SNP/TDX + vTPM PCR_MATCH, env-01),
+      enclave-bound PQC key custody (env-02) and post-quantum signed evidence
+      (cry-02) provide the cybersecurity and operational-resilience posture
+      (aligned to DORA ICT-risk and EU AI Act Art. 15).
+    controls: [env-01, env-02, cry-02]