Merge pull request #103 from OneFineStarstuff/codex/develop-agi-and-asi-governance-roadmap-2026-2030

Add governance artifacts, validator, unit tests, and CI workflow for G‑SIFI AGI governance blueprint

Author: OneFineStarstuff

.github/workflows/governance-artifacts-validate.yml

@@ -0,0 +1,46 @@
+name: Governance Artifacts Validate
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'governance_artifacts/**'
+      - '.github/workflows/governance-artifacts-validate.yml'
+  pull_request:
+    paths:
+      - 'governance_artifacts/**'
+      - '.github/workflows/governance-artifacts-validate.yml'
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install pyyaml
+
+      - name: Validate governance artifacts
+        run: python3 governance_artifacts/validate_artifacts.py --quiet
+
+      - name: Validate governance artifacts JSON output file
+        run: |
+          mkdir -p artifacts
+          python3 governance_artifacts/validate_artifacts.py --quiet --output artifacts/validator-output.json
+          python3 -c "import json; p=json.load(open('artifacts/validator-output.json')); assert p.get('status')=='PASS', p; print('validator-output.json status=PASS')"
+
+      - name: Validate CLI metadata contracts
+        run: |
+          python3 -c "import json,subprocess; out=subprocess.check_output(['python3','governance_artifacts/validate_artifacts.py','--version','--json'], text=True); p=json.loads(out); assert 'version' in p and isinstance(p['version'], str), p; print('version contract OK')"
+          python3 -c "import json,subprocess; out=subprocess.check_output(['python3','governance_artifacts/validate_artifacts.py','--list-checks','--json'], text=True); p=json.loads(out); assert isinstance(p.get('checks'), list) and p['checks'], p; print('list-checks contract OK')"
+
+      - name: Run validator unit tests
+        run: python3 -m unittest discover -s tests -p "test_validate_artifacts.py"

AGI_ASI_GSIFI_Blueprint_2026_2030.md

@@ -0,0 +1,38 @@
+# Governance Artifacts Validation
+
+This folder contains machine-readable governance artifacts for the
+`AGI_ASI_GSIFI_Blueprint_2026_2030.md` strategy package.
+
+## Files
+- `control_library.yaml`
+- `model_registry.json`
+- `annex_iv_dossier_template.yaml`
+- `board_kpi_kri_dashboard_schema.json`
+- `containment_runbooks.yaml`
+- `incident_taxonomy_gaics.json`
+- `rego/high_impact_credit.rego`
+- `validate_artifacts.py`
+
+## Local validation
+```bash
+python3 governance_artifacts/validate_artifacts.py
+python3 governance_artifacts/validate_artifacts.py --json
+python3 governance_artifacts/validate_artifacts.py --quiet
+python3 governance_artifacts/validate_artifacts.py --quiet --output artifacts/validator-output.json
+python3 governance_artifacts/validate_artifacts.py --list-checks
+python3 governance_artifacts/validate_artifacts.py --list-checks --json
+python3 governance_artifacts/validate_artifacts.py --json --check validate_control_library
+python3 governance_artifacts/validate_artifacts.py --version
+python3 governance_artifacts/validate_artifacts.py --version --json
+python3 -m unittest discover -s tests -p "test_validate_artifacts.py"
+```
+
+## Validation scope
+- Required-key checks for JSON/YAML artifacts.
+- Basic consistency checks (non-empty controls, model metadata fields).
+- Rego policy token checks for expected governance constraints.
+- JSON output payloads include `generated_at_utc` for audit traceability.
+
+## CI
+Validation is executed on every pull request and push to `main` via:
+- `.github/workflows/governance-artifacts-validate.yml`

governance_artifacts/README.md

@@ -0,0 +1 @@
+"""Governance artifacts package for validation and compliance automation."""

governance_artifacts/__init__.py

@@ -0,0 +1,25 @@
+annex_iv_dossier:
+  ai_system_identification:
+    system_name: ""
+    version: ""
+    provider: ""
+  intended_purpose:
+    business_process: ""
+    user_groups: []
+  model_characteristics:
+    model_family: ""
+    training_method: ""
+    known_limitations: []
+  data_governance:
+    data_sources: []
+    quality_controls: []
+    bias_controls: []
+  risk_management:
+    identified_risks: []
+    mitigations: []
+  human_oversight:
+    oversight_roles: []
+    override_procedures: []
+  monitoring_incidents:
+    post_market_metrics: []
+    incident_reporting_flow: []

governance_artifacts/annex_iv_dossier_template.yaml

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "Board KPI/KRI Dashboard Schema",
+  "type": "object",
+  "properties": {
+    "reporting_period": {"type": "string"},
+    "kpis": {
+      "type": "object",
+      "properties": {
+        "annex_iv_completeness_pct": {"type": "number"},
+        "drift_monitoring_coverage_pct": {"type": "number"},
+        "mean_time_to_containment_hours": {"type": "number"}
+      },
+      "required": ["annex_iv_completeness_pct", "drift_monitoring_coverage_pct", "mean_time_to_containment_hours"]
+    },
+    "kris": {
+      "type": "object",
+      "properties": {
+        "correlated_policy_violation_rate": {"type": "number"},
+        "unexplained_decision_rate": {"type": "number"},
+        "frontier_escalation_alerts": {"type": "integer"}
+      },
+      "required": ["correlated_policy_violation_rate", "unexplained_decision_rate", "frontier_escalation_alerts"]
+    }
+  },
+  "required": ["reporting_period", "kpis", "kris"]
+}

governance_artifacts/board_kpi_kri_dashboard_schema.json

@@ -0,0 +1,16 @@
+runbooks:
+  - id: RUNBOOK-SENTINEL-RED
+    trigger: "resonance_index >= 0.85 OR critical policy breach"
+    steps:
+      - constrain_tools
+      - isolate_network
+      - throttle_compute
+      - escalate_human_command
+      - revoke_keys_if_unresolved
+  - id: RUNBOOK-DRIFT-ORANGE
+    trigger: "psi > 0.20 OR unexplained_decision_rate > 0.01"
+    steps:
+      - reduce_autonomy_level
+      - enforce_human_review
+      - execute_replay_suite
+      - open_model_risk_ticket

governance_artifacts/containment_runbooks.yaml

@@ -0,0 +1,24 @@
+version: 1.0.0
+last_updated: 2026-04-29
+controls:
+  - id: CTRL-HITL-001
+    name: Human review for high-impact AI decisions
+    mapped_regimes: [eu_ai_act, gdpr_art22, fcra, ecoa]
+    owner: model_risk_management
+    evidence:
+      - workflowai_review_log
+      - decision_audit_trail
+  - id: CTRL-ANNEXIV-002
+    name: Annex IV technical dossier completeness
+    mapped_regimes: [eu_ai_act]
+    owner: ai_governance_office
+    evidence:
+      - annex_iv_dossier
+      - post_market_monitoring_register
+  - id: CTRL-DRIFT-003
+    name: Continuous drift and behavior monitoring
+    mapped_regimes: [sr_11_7, nist_ai_rmf, iso_42001]
+    owner: ai_platform_engineering
+    evidence:
+      - drift_dashboard
+      - incident_escalation_tickets

governance_artifacts/control_library.yaml

@@ -0,0 +1,10 @@
+{
+  "taxonomy": "GAICS",
+  "version": "0.1-draft",
+  "classes": [
+    {"id": "GAICS-1", "name": "Safety Policy Breach", "severity": "high"},
+    {"id": "GAICS-2", "name": "Autonomy Overreach", "severity": "critical"},
+    {"id": "GAICS-3", "name": "Market Integrity Risk Event", "severity": "critical"},
+    {"id": "GAICS-4", "name": "Data Governance Breach", "severity": "high"}
+  ]
+}

governance_artifacts/incident_taxonomy_gaics.json

@@ -0,0 +1,18 @@
+{
+  "registry_version": "1.0.0",
+  "generated_on": "2026-04-29",
+  "models": [
+    {
+      "model_id": "gsifi-credit-agent-v7",
+      "use_case": "credit_underwriting",
+      "risk_tier": "high",
+      "deployment_status": "production",
+      "controls": ["CTRL-HITL-001", "CTRL-ANNEXIV-002", "CTRL-DRIFT-003"],
+      "validation": {
+        "last_validation": "2026-11-12",
+        "next_due": "2027-02-12",
+        "independent_validation": true
+      }
+    }
+  ]
+}