Add governance blueprint artifacts, OPA guardrails, manifest/validator enhancements, and self-tests

[OneFineStarstuff]

Motivation

• Add machine-readable governance artifacts and a regulator-ready technical report to support enterprise and systemic AGI/ASI governance workflows.
• Improve artifact manifest generation and validator robustness to handle new artifact types and external report files securely.
• Provide more comprehensive static checks (including optional OPA parse checks) and reliable CI/local runner behavior for the governance validation suite.

Description

• Added new governance artifacts: compliance_profile_2026.json, annex_iv_technical_documentation_template.json, civilizational_compute_governance_framework.yaml, rollout_plan_2026_2030.yaml, and REGULATOR_READY_AGI_ASI_TECHNICAL_REPORT_2026_2030.md.
• Introduced/updated OPA policies: refactored opa/release_gate.rego to use if-style blocks and added opa/systemic_risk_guardrails.rego for frontier/systemic checks.
• Updated governance_blueprint/artifact_manifest.json and enhanced validation/generate_artifact_manifest.py to safely resolve paths, include external artifacts, detect/validate UTC timestamps, discover validation selftests (via git ls-files fallback), and bump the manifest version.
• Extended the validator validation/validate_artifacts.py with many new checks: compliance_profile and annex_iv schema checks, separate release_gate and systemic_guardrails rego structural checks, rollout_plan and report structure validation, manifest schema and external-artifact hash verification, and optional OPA parse checks controlled by --opa-bin and --require-opa.
• Enhanced the suite runner validation/run_validation_suite.py to discover and run selftest_*.py scripts, support --opa-bin/--require-opa, produce JSON reports, and fail-fast/no-fail-fast behaviors; added light env propagation for OPA when producing JSON validator output.
• Added unit test modules for the new/changed validator behaviors: selftest_generate_artifact_manifest.py, selftest_run_validation_suite.py, and extended selftest_validate_artifacts.py to cover the new checks.
• Updated governance_blueprint/validation/README.md and Makefile targets to reflect new commands and test discovery semantics.

Testing

• Ran validator self-tests: python -m unittest discover governance_blueprint/validation -p 'selftest_*.py', and the selftest suite completed successfully.
• Exercised the suite runner in JSON mode: python3 governance_blueprint/validation/run_validation_suite.py --json-report /tmp/validator.json --skip-selftest --quiet, which produced a valid JSON validator report.
• Executed manifest generation check: python3 governance_blueprint/validation/generate_artifact_manifest.py --check, which validated the manifest consistency during development.

---

Codex Task

Summary by Sourcery

Add new governance artifacts and strengthen the governance validation and runner tooling to support regulator-ready workflows and OPA-based guardrails.

New Features:

• Introduce compliance and annex templates, civilizational compute framework, rollout plan, systemic OPA guardrails, and a regulator-ready AGI/ASI technical report as first-class governance artifacts.
• Add optional OPA syntax validation support, configurable via CLI flags and environment variables, into the artifact validator and suite runner.
• Enable automatic discovery and execution of validation self-test scripts and generation of machine-readable JSON reports from the validation suite.

Enhancements:

• Expand artifact validation to cover new governance artifacts, manifest schema and hash integrity (including external artifacts), and structural checks on the regulator-ready report.
• Refine the governance artifact manifest generator to include new files, external report hashes, validated UTC timestamps, git-aware selftest discovery, and stricter JSON handling, while bumping its version.
• Improve the validation suite runner with selftest discovery, OPA-related flag propagation and env wiring, fail-fast/no-fail-fast semantics, and explicit handling when no selftests are found.
• Update OPA release gate policy syntax and documentation to align with the new guardrail structure and validation behavior.

Build:

• Adjust Makefile governance targets to use the new governance reports validation naming, JSON checks, and unified selftest invocation via unittest discovery.

Documentation:

• Refresh validation README with unified selftest invocation, expanded validator coverage description, OPA integration flags, and updated exit code semantics.

Tests:

• Add and extend selftest modules for manifest generation, artifact validation, and validation-suite orchestration, covering new schema checks, OPA integration paths, manifest hardening, and selftest discovery behavior.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
v0-one-fine-starstuff-github-io	Building	Preview, Comment, Open in v0	Jun 1, 2026 9:25am

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
governance_blueprint/artifact_manifest.json	30% smaller
governance_blueprint/validation/selftest_validate_artifacts.py	15% smaller
governance_blueprint/validation/run_validation_suite.py	15% smaller
governance_blueprint/validation/validate_artifacts.py	12% smaller
governance_blueprint/validation/generate_artifact_manifest.py	7% smaller
governance_blueprint/validation/selftest_run_validation_suite.py	2% smaller
Makefile	Unsupported file format
REGULATOR_READY_AGI_ASI_TECHNICAL_REPORT_2026_2030.md	Unsupported file format
governance_blueprint/annex_iv_technical_documentation_template.json	0% smaller
governance_blueprint/civilizational_compute_governance_framework.yaml	0% smaller
governance_blueprint/compliance_profile_2026.json	0% smaller
governance_blueprint/opa/release_gate.rego	Unsupported file format
governance_blueprint/opa/systemic_risk_guardrails.rego	Unsupported file format
governance_blueprint/rollout_plan_2026_2030.yaml	0% smaller
governance_blueprint/validation/README.md	Unsupported file format
governance_blueprint/validation/selftest_generate_artifact_manifest.py	0% smaller

[gitnotebooks]

Review these changes at https://app.gitnotebooks.com/OneFineStarstuff/OneFineStarstuff.github.io/pull/100

[code-genius-code-coverage]

The files' contents are under analysis for test generation.

[sourcery-ai]

Reviewer's Guide

Adds new governance artifacts and a regulator-ready technical report, strengthens manifest generation and validation (including external artifacts and UTC/semver constraints), introduces systemic OPA guardrails with optional OPA syntax checks, and enhances the validation suite runner and selftests for more robust CI/local governance verification.

Sequence diagram for validation suite, manifest checks, and optional OPA parse

sequenceDiagram
  actor Dev
  participant run_validation_suite_py as run_validation_suite.py
  participant validate_artifacts_py as validate_artifacts.py
  participant OPA
  participant artifact_manifest_json as artifact_manifest.json

  Dev->>run_validation_suite_py: main(--json-report, --opa-bin, --require-opa)
  run_validation_suite_py->>run_validation_suite_py: build_steps(json_report, skip_selftest, opa_bin, require_opa)

  loop steps
    alt validate_artifacts with JSON
      run_validation_suite_py->>validate_artifacts_py: main(--json, --opa-bin, --require-opa)
      validate_artifacts_py->>validate_artifacts_py: run_checks(opa_bin_override, require_opa)
      validate_artifacts_py->>validate_artifacts_py: validate_opa_parse_optional(opa_bin_override, require_opa)
      validate_artifacts_py->>OPA: subprocess.run(opa_bin parse release_gate.rego)
      validate_artifacts_py->>OPA: subprocess.run(opa_bin parse systemic_risk_guardrails.rego)
      validate_artifacts_py->>artifact_manifest_json: validate_manifest_schema()
      validate_artifacts_py->>artifact_manifest_json: validate_manifest_hashes()
      validate_artifacts_py-->>run_validation_suite_py: JSON results
    else other step
      run_validation_suite_py->>run_validation_suite_py: _run(step, quiet, env_with_OPA_BIN)
    end
  end

Loading

Entity relationship diagram for updated artifact_manifest.json structure

erDiagram
  ArtifactManifest {
    string package
    string version
    string generated_utc
    json   artifacts
    json   external_artifacts
  }

  GovernanceArtifact {
    string path
    string sha256
  }

  ExternalArtifact {
    string path
    string sha256
  }

  ArtifactManifest ||--o{ GovernanceArtifact : artifacts
  ArtifactManifest ||--o{ ExternalArtifact : external_artifacts

Loading

File-Level Changes

Change	Details	Files
Harden artifact validation with new schema checks, OPA policy structure checks, manifest/external artifact verification, and optional OPA parse integration.	Refactored JSON loading into helpers that enforce top-level object shape and reuse error handling. Added validators for compliance profile and Annex IV template structure and minimum coverage. Split Rego checks into separate release-gate and systemic-guardrails validators with updated expectations for allow if and deny blocks. Introduced rollout plan YAML and technical report structure validators, including tag pairs and required section anchors/audience tags. Extended manifest validation to enforce semantic versioning, UTC timestamp format, SHA-256 hex checks, path safety (no traversal, root confinement), and external artifact hash verification. Added optional OPA parse checks wired via --opa-bin, --require-opa, OPA_BIN env, and subprocess execution with error surfacing. Updated run_checks and CLI to plumb OPA options through to validation and JSON output.	governance_blueprint/validation/validate_artifacts.py
Broaden and strengthen validator selftests to cover new validators, OPA integration behavior, and error cases.	Extended selftest harness to override ROOT/ARTIFACTS/REPORT_PATH and seed new artifacts (compliance profile, Annex IV, systemic rego, rollout plan, report, external manifest entry). Added passing assertions for all new validators and failing tests for systemic rego denies, rollout phases, report tokens, manifest schema/path/hash edge cases, and non-object manifests. Added tests for OPA integration: missing OPA with --require-opa, invalid OPA_BIN path, and subprocess failure behavior including main() exit code. Ensured manifest tests cover SHA-256 hex validation for internal and external artifacts.	governance_blueprint/validation/selftest_validate_artifacts.py
Make the validation suite runner discover selftests dynamically, propagate OPA configuration, and improve JSON/suite reporting semantics.	Introduced _selftest_scripts using git ls-files with a glob fallback for selftest_*.py, with path normalization and sorting. Added _is_selftest_step helper and new constant NO_SELFTESTS_DISCOVERED_RC to signal missing selftests. Extended build_steps to inject --json, --opa-bin, and --require-opa flags into the validator invocation and append discovered selftests when not skipped. Modified main to enforce presence of selftests unless --skip-selftest, and to write a suite report entry when discovery fails. Updated JSON-report execution to pass OPA_BIN via env when --opa-bin is provided and to reuse _run with an env parameter for other steps. Added targeted unit tests for selftest discovery behavior, step construction variants (JSON, OPA flags, require-opa), JSON report behavior with OPA, env propagation, malformed validator JSON, fail-fast/no-fail-fast, and missing-selftest exit handling.	governance_blueprint/validation/run_validation_suite.py governance_blueprint/validation/selftest_run_validation_suite.py
Enhance artifact manifest generation to include new artifacts, external files, selftest discovery, and stronger consistency checking.	Replaced static DEFAULT_FILES with BASE_DEFAULT_FILES plus dynamically discovered selftests via git ls-files or filesystem glob, with deduplication and sorting. Added _safe_join to prevent path traversal and enforce that manifest entries stay within the artifact or repo roots. Extended manifest content to include new governance artifacts, systemic guardrails, rollout plan, and the external regulator-ready report via EXTERNAL_FILES. Introduced UTC timestamp regex (UTC_TS_RE) and stricter _existing_generated_utc validation, returning None when shape is invalid. Bumped manifest version and changed --check mode to compare the entire manifest object (including timestamps and externals), with explicit JSON-parse error reporting. Added unit tests for _safe_join, manifest hashing of internal/external artifacts, default-file deduplication and git fallback, and --check behavior when manifest payload or timestamp format diverges.	governance_blueprint/validation/generate_artifact_manifest.py governance_blueprint/validation/selftest_generate_artifact_manifest.py governance_blueprint/artifact_manifest.json
Introduce and wire in new governance artifacts, OPA systemic guardrails, and rollout plan definitions.	Added regulator-ready technical report markdown with structural tags and required section anchors for multiple stakeholder audiences. Created civilizational compute governance YAML describing global institutions, mechanisms, and enterprise obligations. Added rollout plan YAML for 2026–2030 phases with outcomes, dependencies, and exit criteria, aligning with new rollout validator. Introduced systemic risk OPA guardrails policy defining allow if and multiple deny contains msg if rules for frontier tiers. Refactored release gate OPA policy from block-style to if-style allow/baseline rules to align with new structural checks. Seeded placeholder compliance profile and Annex IV technical documentation template JSON artifacts (actual JSON content not shown in diff).	REGULATOR_READY_AGI_ASI_TECHNICAL_REPORT_2026_2030.md governance_blueprint/civilizational_compute_governance_framework.yaml governance_blueprint/rollout_plan_2026_2030.yaml governance_blueprint/opa/systemic_risk_guardrails.rego governance_blueprint/opa/release_gate.rego governance_blueprint/compliance_profile_2026.json governance_blueprint/annex_iv_technical_documentation_template.json
Update documentation and Makefile targets to reflect the new validation workflow and commands.	Changed README selftest instructions to use unittest discovery on selftest_*.py and documented new validator checks (OPA/systemic rego, new JSON/YAML/report artifacts, manifest schema). Documented optional OPA pinning and --require-opa usage for both the validator and suite runner, and clarified exit-code semantics for missing selftests. Renamed the governance report validation target to governance-reports-validate and updated governance-check to depend on it. Updated gov-selftest Makefile target to run python -m unittest discover over validation selftests.	governance_blueprint/validation/README.md Makefile

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[difflens]

View changes in DiffLens

[coderabbitai]

Warning

Review limit reached

@OneFineStarstuff, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 58 minutes and 55 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 986e5dc8-b29d-44d9-976b-2bd80746c757

📥 Commits

Reviewing files that changed from the base of the PR and between f457e3b and 95498ad.

📒 Files selected for processing (16)

• Makefile
• REGULATOR_READY_AGI_ASI_TECHNICAL_REPORT_2026_2030.md
• governance_blueprint/annex_iv_technical_documentation_template.json
• governance_blueprint/artifact_manifest.json
• governance_blueprint/civilizational_compute_governance_framework.yaml
• governance_blueprint/compliance_profile_2026.json
• governance_blueprint/opa/release_gate.rego
• governance_blueprint/opa/systemic_risk_guardrails.rego
• governance_blueprint/rollout_plan_2026_2030.yaml
• governance_blueprint/validation/README.md
• governance_blueprint/validation/generate_artifact_manifest.py
• governance_blueprint/validation/run_validation_suite.py
• governance_blueprint/validation/selftest_generate_artifact_manifest.py
• governance_blueprint/validation/selftest_run_validation_suite.py
• governance_blueprint/validation/selftest_validate_artifacts.py
• governance_blueprint/validation/validate_artifacts.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/create-agi/asi-governance-blueprint-for-finance

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[difflens]

View changes in DiffLens

[secure-code-warrior-for-github]

Micro-Learning Topic: Path traversal (Detected by phrase)

Matched on "path traversal"

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
• OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

[penify-dev]

Failed to generate code suggestions for PR

[codacy-production]

Not up to standards ⛔

🔴 Issues 1 high · 18 medium · 81 minor

Alerts:
⚠ 100 issues (≤ 0 issues of at least minor severity)

Results:
100 new issues

Category	Results
BestPractice	1 medium 4 minor
Documentation	6 minor
Security	12 medium 2 minor 1 high
CodeStyle	66 minor
Complexity	5 medium 3 minor

View in Codacy

🟢 Metrics 176 complexity · 9 duplication

Metric	Results
Complexity	176
Duplication	9

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[sourcery-ai]

Hey - I've found 5 security issues, and left some high level feedback:

Security issues:

• Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
• Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
• Detected subprocess function 'run' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'. (link)
• Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
• Detected subprocess function 'run' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'. (link)

General comments:

• The selftest discovery logic is duplicated and slightly diverging between generate_artifact_manifest._default_files() and run_validation_suite._selftest_scripts(); consider centralizing this into a shared helper to keep the git/glob semantics and path-safety checks consistent over time.
• In validate_artifacts.run_checks, the key name "artifact_manifest.schema" is used to run validate_manifest_schema() against artifact_manifest.json; renaming this key to match the actual file being validated would make suite output clearer and reduce confusion when interpreting failures.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The selftest discovery logic is duplicated and slightly diverging between `generate_artifact_manifest._default_files()` and `run_validation_suite._selftest_scripts()`; consider centralizing this into a shared helper to keep the git/glob semantics and path-safety checks consistent over time.
- In `validate_artifacts.run_checks`, the key name `"artifact_manifest.schema"` is used to run `validate_manifest_schema()` against `artifact_manifest.json`; renaming this key to match the actual file being validated would make suite output clearer and reduce confusion when interpreting failures.

## Individual Comments

### Comment 1
<location path="governance_blueprint/validation/run_validation_suite.py" line_range="26" />
<code_context>
    completed = subprocess.run(cmd, cwd=ROOT, env=env)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

### Comment 2
<location path="governance_blueprint/validation/run_validation_suite.py" line_range="178" />
<code_context>
                completed = subprocess.run(cmd, cwd=ROOT, stdout=out, env=env)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

### Comment 3
<location path="governance_blueprint/validation/run_validation_suite.py" line_range="178" />
<code_context>
                completed = subprocess.run(cmd, cwd=ROOT, stdout=out, env=env)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-tainted-env-args):** Detected subprocess function 'run' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'.

*Source: opengrep*
</issue_to_address>

### Comment 4
<location path="governance_blueprint/validation/validate_artifacts.py" line_range="324-329" />
<code_context>
            proc = subprocess.run(
                [opa_bin, "parse", str(target)],
                capture_output=True,
                text=True,
                timeout=20,
            )
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

### Comment 5
<location path="governance_blueprint/validation/validate_artifacts.py" line_range="325" />
<code_context>
                [opa_bin, "parse", str(target)],
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-tainted-env-args):** Detected subprocess function 'run' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 95498ad816

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[netlify]

❌ Deploy Preview for onefinestarstuff failed.

Name	Link
🔨 Latest commit	95498ad
🔍 Latest deploy log	https://app.netlify.com/projects/onefinestarstuff/deploys/6a1d50024f464c00089e42c7