From b843a05f43f0f8cd32f47618b0f4f353ef5b1b6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=F0=9D=90=8E=F0=9D=90=A7=F0=9D=90=9E=20=F0=9D=90=85?= =?UTF-8?q?=F0=9D=90=A2=F0=9D=90=A7=F0=9D=90=9E=20=F0=9D=90=92=F0=9D=90=AD?= =?UTF-8?q?=F0=9D=90=9A=F0=9D=90=AB=F0=9D=90=AC=F0=9D=90=AD=F0=9D=90=AE?= =?UTF-8?q?=F0=9D=90=9F=F0=9D=90=9F?= Date: Mon, 1 Jun 2026 16:04:54 +0630 Subject: [PATCH 1/2] Derive dummy artifact hash in manifest-generator selftests --- .gitignore | 2 + ...I_GOVERNANCE_MASTER_REFERENCE_2026_2035.md | 279 ++++++++++++++++++ Makefile | 10 +- governance_blueprint/artifact_manifest.json | 17 +- .../regulatory_playbook_mapping_2026_2035.csv | 18 ++ governance_blueprint/roadmap_2026_2035.yaml | 55 ++++ governance_blueprint/validation/README.md | 44 +++ .../validation/generate_artifact_manifest.py | 11 +- .../validation/run_validation_suite.py | 1 + .../selftest_generate_artifact_manifest.py | 132 +++++++++ .../selftest_run_validation_suite.py | 41 +++ .../validation/selftest_validate_artifacts.py | 122 ++++++++ .../validation/validate_artifacts.py | 118 ++++++++ 13 files changed, 839 insertions(+), 11 deletions(-) create mode 100644 ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md create mode 100644 governance_blueprint/regulatory_playbook_mapping_2026_2035.csv create mode 100644 governance_blueprint/roadmap_2026_2035.yaml create mode 100644 governance_blueprint/validation/selftest_generate_artifact_manifest.py diff --git a/.gitignore b/.gitignore index a819196..ad66079 100644 --- a/.gitignore +++ b/.gitignore @@ -40,3 +40,5 @@ __pycache__/ # Governance test artifacts artifacts/test-results/ +governance-artifact-validation-report.json +governance-validation-suite-report.json diff --git a/ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md b/ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md new file mode 100644 index 0000000..2c6497b --- /dev/null +++ b/ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md 
@@ -0,0 +1,279 @@ +# Enterprise AGI/ASI Governance Implementation Roadmap & Master Reference (2026–2035) + +## Document Intent +This reference is a regulator-ready implementation blueprint for Fortune 500, Global 2000, and G‑SIFIs implementing high-impact AGI/ASI capabilities between **2026 and 2035**. + +It is designed to be directly operationalized through policy-as-code, formal specification, supervisory evidence pipelines, and cross-jurisdiction control mapping. + +> **Important**: This document is an implementation reference, not legal advice. Local counsel and supervisory guidance should validate jurisdiction-specific obligations. + +--- + +## 1) Reference Architecture and Stack Baseline + +### 1.1 Stack Components (Normative Baseline) +- **Sentinel AI Governance Stack v2.4**: policy decision, runtime enforcement, evidence signing, control orchestration. +- **WorkflowAI Pro**: workflow orchestration, human-in-the-loop gates, delegation constraints. +- **G-Stack**: governance data plane, risk analytics, dossier assembly. +- **SIP v2.4**: regulator interface protocol (APIs, schema contracts, signed supervisory exchange). + +### 1.2 Five-Zone Control Topology +1. **Fiduciary Zone**: board-level approvals, risk appetite, accountability (SMCR-like named owners). +2. **Policy Zone**: machine-enforced policies (OPA/Rego), change control, exception governance. +3. **Verification Zone**: TLA+ invariants, conformance tests, release gates. +4. **Runtime Zone**: Omni-Sentinel containment, ASAs, intervention automations. +5. **Supervisory Zone**: regulator APIs, OSCAL bundles, ARRE/VAR evidence delivery. + +### 1.3 Mandatory Cross-Cutting Controls +- Cryptographic evidence immutability. +- Segregation of duty: model builders cannot unilaterally alter runtime policy. +- Deny-by-default on high-impact autonomous actions. +- Jurisdiction-aware localization for controls, logging, and retention. 
+ +--- + +## 2) Phased Roadmap (2026–2030) + Extension (2031–2035) + +## Phase 0 — Foundation (Q3 2026 to Q4 2026) +**Target**: Establish governance constitution and inventory completeness. + +**Must-Ship Artifacts** +- AI constitution and fiduciary governance charter. +- Enterprise model/agent inventory with impact tiering (T0–T4). +- Control baseline profile combining NIST AI RMF, ISO/IEC 42001, SR 11-7 principles. + +**Exit Criteria** +- >95% model inventory coverage. +- 100% T0/T1 systems mapped to named control owners. + +## Phase 1 — Policy/Specification Industrialization (2027) +**Target**: Convert policy narratives into executable controls and verified invariants. + +**Must-Ship Artifacts** +- Rego policy packs by jurisdiction and risk tier. +- TLA+ specifications for critical agent workflows. +- Annex IV-ready dossier templates with machine-fillable fields. + +**Exit Criteria** +- 100% T0/T1 deployments gated by policy checks. +- Spec-to-policy traceability map complete for all critical paths. + +## Phase 2 — Runtime Containment and Perpetual Assurance (2028) +**Target**: Operate AGI containment and SOC-grade monitoring at enterprise scale. + +**Must-Ship Artifacts** +- Omni-Sentinel containment rings in enforce mode. +- GAI-SOC telemetry fabric with signed event lineage. +- Red Dawn simulation program (quarterly). + +**Exit Criteria** +- MTTC for critical governance breach < 90s. +- 24/7 telemetry for all T0/T1 systems. + +## Phase 3 — Prudential Stress Regime (2029) +**Target**: Basel-style AI stress testing integrated with risk appetite and buffers. + +**Must-Ship Artifacts** +- G‑SRI methodology and scorecards. +- BBOM perpetual assurance dashboard. +- Annual supervisory stress package and board response protocol. + +**Exit Criteria** +- Stress program cycles completed within 30 business days. +- No unremediated critical findings past quarter close. 
+ +## Phase 4 — Supervisory Interoperability (2030) +**Target**: API-first supervision and cross-border evidence portability. + +**Must-Ship Artifacts** +- SIP v2.4 regulator APIs (evidence, incidents, stress, policy). +- OSCAL exports with ARRE + VAR packages. +- zk-SNARK compliance proof delivery for privacy-preserving attestations. + +**Exit Criteria** +- >95% recurring supervisory requests fulfilled via API. +- Manual dossier assembly reduced below 5% of volume. + +## 2031–2035 Extension +- 2031–2032: dynamic risk budgets + automated guardrail retuning under formal constraints. +- 2033: shared utility model for systemic incident intelligence. +- 2034: coordinated multi-regulator simulation sandboxes. +- 2035: near-real-time cross-border prudential AI supervision. + +--- + +## 3) AGI/ASI Technical Governance Architecture + +### 3.1 Omni-Sentinel Containment +- **Ring 0**: compute and execution kernel constraints. +- **Ring 1**: runtime policy enforcement for tool use and capability exposure. +- **Ring 2**: workflow-level dual control and transaction gates. +- **Ring 3**: enterprise blast-radius limits (DLP/fraud/legal escalation). + +### 3.2 AGI Containment Labs +- Air-gapped adversarial simulation clusters. +- Digital twins for critical finance/operations pathways. +- Reproducible red-team corpora and scenario registries. + +### 3.3 GAI-SOC +- Canonical telemetry schema: prompt lineage, policy decision, tool effect, intervention state. +- Correlation for autonomy drift, collusion indicators, and policy evasion attempts. +- Signed intervention trail for post-incident supervisory replay. + +### 3.4 Red Dawn Simulations +- Quarterly severe-but-plausible exercises across cyber/model/operational axes. +- Mandatory after-action governance remediation, tracked to closure SLAs. + +### 3.5 Autonomous Supervisory Agents (ASAs) +- **Compliance ASA**: statutory and policy constraint checks. +- **Risk ASA**: dynamic risk throttles and exposure caps. 
+- **Fiduciary ASA**: customer impact safeguards and outcome fairness checks. + +All ASAs are subordinate to human-ratified constitutional policy with immutable priority ordering. + +--- + +## 4) Formal Verification and Policy-as-Code Conformance + +### 4.1 TLA+ Verification Objectives +Critical invariants include: +1. No irreversible external actuation without approved path. +2. No unauthorized privilege transition across rings. +3. No bypass of human checkpoint for designated high-impact actions. + +### 4.2 OPA/Rego Enforcement Objectives +- Jurisdiction-aware modules with deterministic reason codes. +- Deny-by-default for missing evidence or missing approvals. +- Explicit exception handling with expiry and owner attribution. + +### 4.3 CI/CD Gate (Required) +1. TLA+ lint/model-check pass. +2. Rego unit + scenario test pass. +3. Spec-vs-runtime conformance test pass. +4. Artifact signing and evidence registration. +5. Change approval by independent control owner. + +### 4.4 Conformance Chain +`spec hash -> policy hash -> build attestation -> deploy attestation -> runtime decision hash -> dossier evidence` + +--- + +## 5) Basel-Style AI Stress Testing (G‑SRI + BBOM) + +### 5.1 G-SRI Components +- Interconnectedness. +- Substitutability. +- Complexity and autonomy depth. +- Cross-border spillover potential. +- Concentration across providers and compute. + +### 5.2 Required Scenario Families +- Multi-agent collusion and strategic manipulation. +- Safety classifier false-negative spike during crisis load. +- Policy engine latency and cascading gate failures. +- Compute region outage with policy-localization mismatch. + +### 5.3 BBOM Perpetual Assurance +- Continuous behavior indicators with threshold-triggered escalation ladders. +- Board and regulator reporting cadence fed from signed telemetry and stress outputs. 
+ +--- + +## 6) Regulator-Grade Dossier Factory (OSCAL + ARRE + VAR) + +### 6.1 ARRE (AI Risk & Resilience Evidence) +Minimum sections: +- Governance and accountability. +- Lifecycle controls and test evidence. +- Runtime containment and incidents. +- Stress results and residual risk. +- Remediation commitments and closure status. + +### 6.2 VAR (Validation Attestation Record) +Minimum sections: +- Independent validation opinion. +- Scope and coverage statement. +- Limitations/exceptions. +- Time-bound mitigation commitments. + +### 6.3 OSCAL Annexes +- Component definitions, control implementations, assessment results, and plans of action. +- Mappable references to Annex IV technical documentation fields. + +--- + +## 7) Privacy-Preserving Supervisory Assurance (zk-SNARKs) + +Use zk proofs to demonstrate compliance without disclosing sensitive model internals or customer data. + +Required proof families: +- Threshold compliance at decision time. +- Policy version conformance by jurisdiction. +- Containment response within mandated SLA. + +--- + +## 8) Regulator-Facing APIs and Dashboards (SIP v2.4) + +### 8.1 APIs +- **Evidence API**: signed artifacts and lineage proofs. +- **Incident API**: timeline, impact, containment, remediation. +- **Stress API**: scenario catalog, outputs, trend deltas. +- **Policy API**: active rules, versions, exceptions. + +### 8.2 Dashboard Requirements +- Jurisdictional heatmaps. +- Early warning indicators and breach forecasts. +- Drill-through from KPI to signed raw evidence. + +--- + +## 9) Regulatory Mapping Playbooks (Control Objectives) + +### EU AI Act (Annex IV, Articles 48, 71, 72) +- Annex IV dossier completeness and traceability automation. +- Supervisory cooperation and incident escalation integration. +- Penalty-exposure readiness workflow with legal/compliance triage. + +### NIST AI RMF 1.0 / AI 600-1 +- GOVERN-MAP-MEASURE-MANAGE mapped to executable control objectives. 
+- Sector profile overlays and periodic maturity re-baselining. + +### ISO/IEC 42001 AIMS +- Management system alignment across policy, competence, operation, evaluation, improvement. + +### MAS FEAT + MAS AI Guidelines +- Fairness/transparency/accountability gates embedded in product lifecycle. + +### Basel III/IV, SR 11-7, SR 26-2 +- Model risk governance, validation independence, issue governance discipline. + +### DORA, NIS2, FCA, UK SMCR/Consumer Duty +- Operational resilience, third-party risk, accountability regime mapping, customer outcome controls. + +### HKMA Fintech 2030 + ICGC Compute Governance +- Cross-border compute attestation and concentration-risk reporting. + +--- + +## 10) Implementation Checklist (First 180 Days) + +1. Appoint named AI accountable executives and control owners. +2. Stand up governance PMO and change approval board. +3. Onboard T0/T1 systems to containment + telemetry. +4. Deploy initial Rego packs and CI/CD gate. +5. Formalize top-10 TLA+ invariants for critical workflows. +6. Execute first Red Dawn simulation and close findings. +7. Produce first Annex IV/OSCAL ARRE+VAR packet. +8. Publish first G‑SRI baseline and BBOM dashboard. + +--- + +## 11) Quantitative KPI Targets +- Policy decision latency P95 < 50ms. +- Unauthorized critical autonomous actions = 0 per quarter. +- Spec-to-runtime conformance > 99.5%. +- T0/T1 pre-deployment verification coverage = 100%. +- Severe incident containment SLA adherence > 99%. +- On-demand supervisory packet generation < 72 hours. + diff --git a/Makefile b/Makefile index aba1401..46adde6 100644 --- a/Makefile +++ b/Makefile 
@@ -65,7 +65,7 @@ governance-validate-json-check: python3 -c 'import json; p=json.load(open("/tmp/governance_validation.json", "r", encoding="utf-8")); assert p.get("status")=="passed", f"Validator JSON status not passed: {p}"; print("Validator JSON status is passed.")' governance-check: governance-test governance-validate governance-validate-json-check -.PHONY: governance-setup governance-deps-check governance-lint governance-validate governance-artifact-inventory governance-policy-test governance-validator-test governance-evidence-manifest governance-evidence-verify governance-evidence-schema governance-report governance-report-schema governance-check-generated +.PHONY: governance-setup governance-deps-check governance-lint governance-schema-validate governance-artifact-inventory governance-policy-test governance-validator-test governance-evidence-manifest governance-evidence-verify governance-evidence-schema governance-report governance-report-schema governance-check-generated governance-setup: python -m pip install -r docs/schemas/requirements-governance.txt @@ -77,7 +77,7 @@ governance-lint: yamllint -c .yamllint docs/schemas/agi_asi_governance_profile_2026_2030.yaml python -m json.tool docs/schemas/compliance_control_mapping.json > /dev/null -governance-validate: governance-deps-check governance-lint +governance-schema-validate: governance-deps-check governance-lint python docs/schemas/governance_artifacts_validation.py governance-artifact-inventory: 
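Review bot: The context line `governance-check: governance-test governance-validate governance-validate-json-check` still names `governance-validate` as a prerequisite, while this hunk drops that name from the `.PHONY` list and the next hunk renames the rule to `governance-schema-validate`. If no other `governance-validate` rule exists above these hunks (not visible here), `governance-check` now fails on a missing target. If one does exist, it is only phony if it is declared so elsewhere, and a file of that name in the tree would make the validation step be skipped silently. Either keep the old name in the list next to the new one, `.PHONY: ... governance-validate governance-schema-validate ...`, or point `governance-check` at the target that is meant to run.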
@@ -119,7 +119,7 @@ governance-check-generated: python docs/schemas/check_generated_artifacts.py PYTHON ?= python3 -.PHONY: gov-manifest gov-manifest-check gov-validate gov-validate-json gov-lint gov-dashboard-check gov-selftest gov-suite gov-suite-json gov-suite-report gov-suite-ci gov-clean +.PHONY: gov-manifest gov-manifest-check gov-validate gov-validate-json gov-lint gov-dashboard-check gov-selftest gov-selftest-discover gov-suite gov-suite-json gov-suite-report gov-suite-ci gov-clean gov-manifest: $(PYTHON) governance_blueprint/validation/generate_artifact_manifest.py @@ -141,8 +141,12 @@ gov-dashboard-check: gov-selftest: $(PYTHON) governance_blueprint/validation/selftest_validate_artifacts.py + $(PYTHON) governance_blueprint/validation/selftest_generate_artifact_manifest.py $(PYTHON) governance_blueprint/validation/selftest_run_validation_suite.py +gov-selftest-discover: + $(PYTHON) -m unittest discover -s governance_blueprint/validation -p "selftest_*.py" + gov-suite: $(PYTHON) governance_blueprint/validation/run_validation_suite.py diff --git a/governance_blueprint/artifact_manifest.json b/governance_blueprint/artifact_manifest.json index 4b68145..d728ac4 100644 --- a/governance_blueprint/artifact_manifest.json +++ b/governance_blueprint/artifact_manifest.json 
@@ -1,17 +1,20 @@ { "package": "enterprise_agi_asi_governance_blueprint", - "version": "1.3.1", - "generated_utc": "2026-04-27T06:11:04Z", + "version": "1.4.0", + "generated_utc": "2026-05-06T09:06:00Z", "artifacts": { "control_mapping_matrix.csv": "8af4170e62e6aec3c12f3f554d29fe31e6c59c196cd9b3e1590f1238597ce228", "evidence_event_schema.json": "7c84f8fce1cefeff08308a2763c086eb4ede05881881cd53c484e879df04196a", "opa/release_gate.rego": "bd117bddd2c77a0fd5cc4741aa6805b6f1f711d2baa5732ca037ea4db7b60c43", "roadmap_2026_2030.yaml": "35132b486b360d91ceab94e7949278c755a28dbab0cccf64e0b3a776d7dab485", - "validation/validate_artifacts.py": "0908bb44ecf2b209861fb3fe0259bad2b652d94b1f6c50c45592b074f52848e0", - "validation/selftest_validate_artifacts.py": "50414aa4ecf39166268d76ab0363ad2ec9ac32cde6b27ae5c631764fd7bce29b", - "validation/generate_artifact_manifest.py": "654479289df4a57ab58288adcbb5c9e23861f3b3a6e4d524b8214bb8c992d060", - "validation/run_validation_suite.py": "4c7038c4d3da1d6fb3f4c43bddd5b2237856b90bd568a17d03a1d16cfc904781", - "validation/selftest_run_validation_suite.py": "2f987933769c0530eaa7ad51a0454781e8bd90bb700c120219dae5a96645adbe", + "roadmap_2026_2035.yaml": "d0dea65b7a4e6a6b58a84e032ca676db5785e581227c0b78e218b287bc4987d0", + "regulatory_playbook_mapping_2026_2035.csv": "4b7fe3dd0ba9d7371d1e7df30c9611f0cf346bc9f9680def62f144b575f9605d", + "validation/validate_artifacts.py": "1c87eecb899b4b5ce98a0ae88d45146ab9b5dfb7842f4e0b0f11fdea13bf212d", + "validation/selftest_validate_artifacts.py": "7fb6f397bb8247d9c9668e4dc3e28bced027fcb75e99cbdf69109581f2c0f60f", + "validation/selftest_generate_artifact_manifest.py": "5ee98a79e65473870addf150c38d84424e3fb2091d0c925d1fee04940e7e10c5", + "validation/generate_artifact_manifest.py": "3305d6a4b18f1e8d15a580dbbaf45e9d4110ecd948f1a7a3085ecb83295f6c5d", + "validation/run_validation_suite.py": "b7147dae309723216a23078689c910e76bc6fa3934fb0c4516be1ff9239d2edc", + "validation/selftest_run_validation_suite.py": 
"58618918af699ec6f7e2358fd6932d5d3b85ce5efc0187e6c9e69d4d8520fd5a", "validation/lint_python_sources.py": "52b36b1427679624fd9778dc93cb7b318b4c882930e78c0947a37d5185dafae9", "validation/validate_dashboard_links.py": "e854e2c61ac6e31f880fce8e28c6ed95856d13a85fdfdbcf124df74925b1461a" } diff --git a/governance_blueprint/regulatory_playbook_mapping_2026_2035.csv b/governance_blueprint/regulatory_playbook_mapping_2026_2035.csv new file mode 100644 index 0000000..a2911f1 --- /dev/null +++ b/governance_blueprint/regulatory_playbook_mapping_2026_2035.csv 
@@ -0,0 +1,18 @@ +framework,obligation,control_family,evidence_artifact,automation_mechanism +EU AI Act Annex IV,technical documentation completeness,dossier_factory,arre_var_bundle,oscal_export_pipeline +EU AI Act Article 48,oversight and quality management,human_oversight_and_qms,oversight_logs,sip_supervisory_endpoint +EU AI Act Articles 71-72,supervisory cooperation and enforcement readiness,incident_and_penalty_workflow,incident_casepack,incident_api +NIST AI RMF 1.0,GOVERN MAP MEASURE MANAGE operationalization,policy_and_metrics,control_kpi_dashboard,rego_policy_pack +NIST AI 600-1,implementation profile and assurance cadence,sector_profile_controls,profile_attestation,spec_policy_trace_map +ISO IEC 42001 AIMS,management system conformance,aims_management_controls,aims_review_pack,continuous_assurance_pipeline +MAS FEAT,fairness ethics accountability transparency,fairness_and_fiduciary_controls,model_outcome_assessment,lifecycle_gates +Basel III IV,model risk and prudential discipline,prudential_model_risk,stress_pack_and_validation,g_sri_bbom_engine +SR 11-7,model inventory and independent validation,model_risk_governance,validation_attestation,var_records +SR 26-2,supervisory expectations for risk governance,enterprise_risk_governance,board_risk_pack,risk_committee_reporting +DORA,operational resilience and ICT risk,operational_resilience,operational_resilience_register,resilience_dashboard +NIS2,cybersecurity governance and reporting,cyber_governance,cyber_incident_bundle,gai_soc_correlation +FCA requirements,consumer and conduct risk controls,conduct_and_governance,conduct_outcome_review,policy_exception_workflow +UK SMCR,senior manager accountability,named_accountability,smcr_responsibility_map,approval_workflow +UK Consumer Duty,good customer outcomes,fiduciary_outcomes,consumer_outcome_assessment,fiduciary_asa_rules +HKMA Fintech 2030,fintech risk governance and innovation controls,fintech_governance,hkma_readiness_packet,regulator_api_profile +ICGC 
compute governance,compute concentration and cross-border controls,compute_governance,compute_attestation_bundle,zk_proof_attestations diff --git a/governance_blueprint/roadmap_2026_2035.yaml b/governance_blueprint/roadmap_2026_2035.yaml new file mode 100644 index 0000000..cd5730a --- /dev/null +++ b/governance_blueprint/roadmap_2026_2035.yaml @@ -0,0 +1,55 @@ +program: enterprise_agi_asi_governance +version: 1.0 +horizon: + start: 2026-07-01 + end: 2035-12-31 +segments: + - name: phase_0_foundation + period: 2026-Q3_to_2026-Q4 + objectives: + - establish_ai_constitution + - complete_model_agent_inventory + exit_criteria: + model_inventory_coverage_pct: 95 + t0_t1_named_owners_pct: 100 + - name: phase_1_policy_spec_industrialization + period: 2027 + objectives: + - convert_controls_to_rego + - verify_critical_workflows_with_tla + exit_criteria: + t0_t1_policy_gate_coverage_pct: 100 + critical_traceability_complete: true + - name: phase_2_containment_perpetual_assurance + period: 2028 + objectives: + - enforce_omni_sentinel_rings + - operate_gai_soc_24x7 + exit_criteria: + critical_breach_mttc_seconds_max: 90 + t0_t1_telemetry_coverage_pct: 100 + - name: phase_3_prudential_stress + period: 2029 + objectives: + - operationalize_g_sri + - run_annual_basel_style_stress_program + exit_criteria: + stress_pack_completion_business_days_max: 30 + unresolved_critical_findings: 0 + - name: phase_4_supervisory_interoperability + period: 2030 + objectives: + - deliver_sip_v2_4_apis + - automate_arre_var_oscal_delivery + exit_criteria: + supervisory_requests_via_api_pct: 95 + manual_dossier_assembly_pct_max: 5 +extension: + - period: 2031-2032 + objective: dynamic_risk_budgeting_with_formal_constraints + - period: 2033 + objective: shared_systemic_incident_intelligence_utility + - period: 2034 + objective: coordinated_multiregulator_simulation_sandboxes + - period: 2035 + objective: near_real_time_cross_border_prudential_supervision 
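Review bot: Several scalars in the new `roadmap_2026_2035.yaml` are left for the loader to type: `version: 1.0` is read as a float, and `period: 2027` (and the `2033`, `2034`, `2035` periods under `extension`) as integers, while `period: 2026-Q3_to_2026-Q4` and `period: 2031-2032` are strings. A consumer that parses the file therefore gets mixed types for the same key, and a later `version: 1.10` would be read as the float 1.1. Quoting these keeps them stable, e.g. `version: "1.0"` and `period: "2027"`. The unquoted `start: 2026-07-01` and `end: 2035-12-31` are also typed as dates by YAML 1.1 loaders, but the README lists those exact strings as required tokens, so quoting them would need the validator's token list changed in the same commit.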
diff --git a/governance_blueprint/validation/README.md b/governance_blueprint/validation/README.md index 4211ac2..113f70d 100644 --- a/governance_blueprint/validation/README.md +++ b/governance_blueprint/validation/README.md @@ -16,9 +16,24 @@ Run validator self-tests (stdlib `unittest`): ```bash python3 governance_blueprint/validation/selftest_validate_artifacts.py +python3 governance_blueprint/validation/selftest_generate_artifact_manifest.py python3 governance_blueprint/validation/selftest_run_validation_suite.py ``` +Equivalent convenience target: + +```bash +make gov-selftest +``` + +Discover/run all validator selftests via unittest pattern: + +```bash +make gov-selftest-discover +``` + +Note: default `python -m unittest discover` uses pattern `test*.py`; this repo's validator tests use `selftest_*.py`, so pass `-p "selftest_*.py"` (or use the Make target above). + Run full suite (manifest check + validator + lint + dashboard check + self-tests): ```bash @@ -31,6 +46,10 @@ Optional full suite execution report (includes per-step statuses and embedded va python3 governance_blueprint/validation/run_validation_suite.py --json-report governance-artifact-validation-report.json --suite-report governance-validation-suite-report.json ``` +The generated report files are intentionally git-ignored: +- `governance-artifact-validation-report.json` +- `governance-validation-suite-report.json` + Quiet mode (less log noise in local scripts): ```bash 
@@ -69,9 +88,23 @@ python3 governance_blueprint/validation/generate_artifact_manifest.py --check What the validator checks: - Required headers and non-empty values in `control_mapping_matrix.csv`. +- Required headers and minimum row count in `regulatory_playbook_mapping_2026_2035.csv`. +- Required baseline framework coverage in `regulatory_playbook_mapping_2026_2035.csv` (case-insensitive match), including: + - `EU AI Act Annex IV` + - `NIST AI RMF 1.0` + - `ISO IEC 42001 AIMS` + - `Basel III IV` + - `UK SMCR` + - `ICGC compute governance` - Required top-level fields and property definitions in `evidence_event_schema.json`. - Structural expectations in `opa/release_gate.rego` (baseline block + tiered `allow` rules). - Required roadmap tokens and indentation sanity in `roadmap_2026_2030.yaml`. +- Required segment names/order and extension markers in `roadmap_2026_2035.yaml`. +- Required semantic roadmap tokens in `roadmap_2026_2035.yaml` for horizon and target thresholds: + - `start: 2026-07-01`, `end: 2035-12-31` + - `critical_breach_mttc_seconds_max: 90` + - `supervisory_requests_via_api_pct: 95` + - `manual_dossier_assembly_pct_max: 5` - SHA-256 integrity verification using `artifact_manifest.json`. - Python syntax compile checks across `governance_blueprint/validation/*.py`. - Dashboard navigation link checks between whitepaper and blueprint pages. @@ -112,6 +145,12 @@ make gov-suite-ci make gov-clean ``` +Docs/schemas validation target (repo root): + +```bash +make governance-schema-validate +``` + Note: The suite runner invokes scripts via the active Python interpreter (`sys.executable`) to avoid PATH/interpreter drift across local/CI environments. 
@@ -124,6 +163,11 @@ Exit code conventions (run_validation_suite.py): - `3`: validator JSON output was malformed when `--json-report` was requested. +Manifest package/version note: +- `governance_blueprint/artifact_manifest.json` is generated by `generate_artifact_manifest.py`. +- Current package metadata version is `1.4.0`, which includes 2026–2035 roadmap and regulatory mapping artifacts. + + `make gov-suite-ci` runs the suite in quiet report mode, matching the CI workflow command line. diff --git a/governance_blueprint/validation/generate_artifact_manifest.py b/governance_blueprint/validation/generate_artifact_manifest.py index 4de8864..8cfea5b 100644 --- a/governance_blueprint/validation/generate_artifact_manifest.py +++ b/governance_blueprint/validation/generate_artifact_manifest.py @@ -17,8 +17,11 @@ "evidence_event_schema.json", "opa/release_gate.rego", "roadmap_2026_2030.yaml", + "roadmap_2026_2035.yaml", + "regulatory_playbook_mapping_2026_2035.csv", "validation/validate_artifacts.py", "validation/selftest_validate_artifacts.py", + "validation/selftest_generate_artifact_manifest.py", "validation/generate_artifact_manifest.py", "validation/run_validation_suite.py", "validation/selftest_run_validation_suite.py", @@ -59,7 +62,7 @@ def build_manifest(*, preserve_timestamp: bool = True) -> dict: return { "package": "enterprise_agi_asi_governance_blueprint", - "version": "1.3.1", + "version": "1.4.0", "generated_utc": generated_utc, "artifacts": artifacts, } 
@@ -81,6 +84,12 @@ def main() -> int: return 1 current_obj = json.loads(MANIFEST_PATH.read_text(encoding="utf-8")) expected_obj = build_manifest(preserve_timestamp=True) + if current_obj.get("package") != expected_obj.get("package"): + print("artifact_manifest.json has mismatched package metadata") + return 1 + if current_obj.get("version") != expected_obj.get("version"): + print("artifact_manifest.json has mismatched version metadata") + return 1 current_artifacts = current_obj.get("artifacts", {}) expected_artifacts = expected_obj.get("artifacts", {}) if current_artifacts != expected_artifacts: diff --git a/governance_blueprint/validation/run_validation_suite.py b/governance_blueprint/validation/run_validation_suite.py index 5e75b62..e105026 100644 --- a/governance_blueprint/validation/run_validation_suite.py +++ b/governance_blueprint/validation/run_validation_suite.py @@ -45,6 +45,7 @@ def build_steps(*, json_report: bool, skip_selftest: bool) -> list[list[str]]: if not skip_selftest: steps.append([sys.executable, "governance_blueprint/validation/selftest_validate_artifacts.py"]) + steps.append([sys.executable, "governance_blueprint/validation/selftest_generate_artifact_manifest.py"]) steps.append([sys.executable, "governance_blueprint/validation/selftest_run_validation_suite.py"]) return steps diff --git a/governance_blueprint/validation/selftest_generate_artifact_manifest.py b/governance_blueprint/validation/selftest_generate_artifact_manifest.py new file mode 100644 index 0000000..5683f65 --- /dev/null +++ b/governance_blueprint/validation/selftest_generate_artifact_manifest.py 
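Review bot: The `--check` path in `main()` compares the committed manifest only with `build_manifest(preserve_timestamp=True)`, that is, with hashes recomputed from the same working tree, and `DEFAULT_FILES` now also lists the generator and its selftests. This detects drift between files and manifest, but not a change that updates an artifact and the manifest together, so the README's "SHA-256 integrity verification" should not be read as tamper evidence. A comment above the new metadata checks would make that explicit, e.g. `# --check detects drift only; tamper evidence needs a signature or a digest pinned outside this repository`. The two new failure messages would also be easier to triage if they printed both values, e.g. `print(f"artifact_manifest.json version {current_obj.get('version')!r} != expected {expected_obj.get('version')!r}")`. The body of `main()` starts and ends outside this hunk.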
@@ -0,0 +1,132 @@
+#!/usr/bin/env python3
+"""Unit tests for generate_artifact_manifest.py behavior."""
+
+from __future__ import annotations
+
+import hashlib
+import importlib.util
+import json
+import sys
+import tempfile
+import unittest
+from contextlib import redirect_stdout
+import io
+from pathlib import Path
+from unittest.mock import patch
+
+DUMMY_CONTENT = "x"
+DUMMY_HASH = hashlib.sha256(DUMMY_CONTENT.encode("utf-8")).hexdigest()
+
+MODULE_PATH = Path(__file__).with_name("generate_artifact_manifest.py")
+spec = importlib.util.spec_from_file_location("generate_artifact_manifest", MODULE_PATH)
+gm = importlib.util.module_from_spec(spec)
+assert spec and spec.loader
+spec.loader.exec_module(gm)
+
+
+class GenerateManifestTests(unittest.TestCase):
+ def _run_check_with_manifest(self, manifest_payload: dict) -> int:
+ with tempfile.TemporaryDirectory() as tmp:
+ tmp_path = Path(tmp)
+ artifacts_dir = tmp_path / "governance_blueprint"
+ artifacts_dir.mkdir(parents=True, exist_ok=True)
+ dummy = artifacts_dir / "dummy.txt"
+ dummy.write_text(DUMMY_CONTENT, encoding="utf-8")
+ manifest_path = tmp_path / "artifact_manifest.json"
+ manifest_path.write_text(json.dumps(manifest_payload), encoding="utf-8")
+
+ old_artifacts = gm.ARTIFACTS
+ old_manifest_path = gm.MANIFEST_PATH
+ old_default_files = gm.DEFAULT_FILES
+ gm.MANIFEST_PATH = manifest_path
+ gm.ARTIFACTS = artifacts_dir
+ gm.DEFAULT_FILES = ["dummy.txt"]
+ try:
+ with patch.object(sys, "argv", ["generate_artifact_manifest.py", "--check"]):
+ with redirect_stdout(io.StringIO()):
+ return gm.main()
+ finally:
+ gm.ARTIFACTS = old_artifacts
+ gm.MANIFEST_PATH = old_manifest_path
+ gm.DEFAULT_FILES = old_default_files
+
+ def test_build_manifest_has_expected_metadata(self) -> None:
+ manifest = gm.build_manifest(preserve_timestamp=True)
+ self.assertEqual(manifest["package"], "enterprise_agi_asi_governance_blueprint")
+ self.assertEqual(manifest["version"], "1.4.0")
+ self.assertIn("artifacts", manifest)
+
+ def test_check_fails_on_version_mismatch(self) -> None:
+ rc = self._run_check_with_manifest(
+ {
+ "package": "enterprise_agi_asi_governance_blueprint",
+ "version": "0.0.0",
+ "generated_utc": "2026-01-01T00:00:00Z",
+ "artifacts": {"dummy.txt": DUMMY_HASH},
+ }
+ )
+ self.assertEqual(rc, 1)
+
+ def test_check_fails_on_package_mismatch(self) -> None:
+ rc = self._run_check_with_manifest(
+ {
+ "package": "wrong_package_name",
+ "version": "1.4.0",
+ "generated_utc": "2026-01-01T00:00:00Z",
+ "artifacts": {"dummy.txt": DUMMY_HASH},
+ }
+ )
+ self.assertEqual(rc, 1)
+
+ def test_check_passes_with_matching_metadata(self) -> None:
+ rc = self._run_check_with_manifest(
+ {
+ "package": "enterprise_agi_asi_governance_blueprint",
+ "version": "1.4.0",
+ "generated_utc": "2026-01-01T00:00:00Z",
+ "artifacts": {"dummy.txt": DUMMY_HASH},
+ }
+ )
+ self.assertEqual(rc, 0)
+
+ def test_stamp_now_writes_fresh_timestamp(self) -> None:
+ with tempfile.TemporaryDirectory() as tmp:
+ tmp_path = Path(tmp)
+ artifacts_dir = tmp_path / "governance_blueprint"
+ artifacts_dir.mkdir(parents=True, exist_ok=True)
+ (artifacts_dir / "dummy.txt").write_text(DUMMY_CONTENT, encoding="utf-8")
+ manifest_path = artifacts_dir / "artifact_manifest.json"
+ manifest_path.write_text(
+ json.dumps(
+ {
+ "package": "enterprise_agi_asi_governance_blueprint",
+ "version": "1.4.0",
+ "generated_utc": "2000-01-01T00:00:00Z",
+ "artifacts": {},
+ }
+ ),
+ encoding="utf-8",
+ )
+
+ old_artifacts = gm.ARTIFACTS
+ old_manifest_path = gm.MANIFEST_PATH
+ old_default_files = gm.DEFAULT_FILES
+ gm.ARTIFACTS = artifacts_dir
+ gm.MANIFEST_PATH = manifest_path
+ gm.DEFAULT_FILES = ["dummy.txt"]
+ try:
+ with patch.object(sys, "argv", ["generate_artifact_manifest.py", "--stamp-now"]):
+ with redirect_stdout(io.StringIO()):
+ rc = gm.main()
+ self.assertEqual(rc, 0)
+ generated = json.loads(manifest_path.read_text(encoding="utf-8"))
+ self.assertNotEqual(generated["generated_utc"], "2000-01-01T00:00:00Z")
+ self.assertRegex(generated["generated_utc"], r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
+ finally:
+ gm.ARTIFACTS = old_artifacts
+ gm.MANIFEST_PATH = old_manifest_path
+ gm.DEFAULT_FILES = old_default_files
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/governance_blueprint/validation/selftest_run_validation_suite.py b/governance_blueprint/validation/selftest_run_validation_suite.py
index b244522..4dd43c9 100644
--- a/governance_blueprint/validation/selftest_run_validation_suite.py
+++ b/governance_blueprint/validation/selftest_run_validation_suite.py
@@ -29,6 +29,7 @@ def test_build_steps_without_json_report(self) -> None:
 [sys.executable, "governance_blueprint/validation/lint_python_sources.py"],
 [sys.executable, "governance_blueprint/validation/validate_dashboard_links.py"],
 [sys.executable, "governance_blueprint/validation/selftest_validate_artifacts.py"],
+ [sys.executable, "governance_blueprint/validation/selftest_generate_artifact_manifest.py"],
 [sys.executable, "governance_blueprint/validation/selftest_run_validation_suite.py"],
 ]
 self.assertEqual(steps, expected)
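Review bot: None of the `--check` tests in `selftest_generate_artifact_manifest.py` feeds a wrong digest: `test_check_fails_on_version_mismatch`, `test_check_fails_on_package_mismatch` and `test_check_passes_with_matching_metadata` all pass `DUMMY_HASH`, so only the metadata comparison is exercised. Assuming `--check` is what compares recorded SHA-256 values against the files (the generator is not shown in this hunk), a regression that dropped that comparison would leave this suite green. A fourth case that keeps package and version valid and records a digest that cannot match should expect return code 1; it belongs next to the other `_run_check_with_manifest` callers.

```python
    def test_check_fails_on_artifact_hash_mismatch(self) -> None:
        rc = self._run_check_with_manifest(
            {
                "package": "enterprise_agi_asi_governance_blueprint",
                "version": "1.4.0",
                "generated_utc": "2026-01-01T00:00:00Z",
                # Constructed digest that cannot equal sha256(DUMMY_CONTENT).
                "artifacts": {"dummy.txt": "0" * 64},
            }
        )
        self.assertEqual(rc, 1)
```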
@@ -43,6 +44,46 @@ def test_build_steps_with_json_and_skip_selftest(self) -> None:
 ]
 self.assertEqual(steps, expected)
+ def test_build_steps_without_json_and_skip_selftest_has_no_selftests(self) -> None:
+ steps = rs.build_steps(json_report=False, skip_selftest=True)
+ self.assertTrue(all("selftest_" not in cmd[1] for cmd in steps))
+ self.assertEqual(
+ steps,
+ [
+ [sys.executable, "governance_blueprint/validation/generate_artifact_manifest.py", "--check"],
+ [sys.executable, "governance_blueprint/validation/validate_artifacts.py"],
+ [sys.executable, "governance_blueprint/validation/lint_python_sources.py"],
+ [sys.executable, "governance_blueprint/validation/validate_dashboard_links.py"],
+ ],
+ )
+
+ def test_build_steps_with_selftests_includes_all_three_modules(self) -> None:
+ steps = rs.build_steps(json_report=False, skip_selftest=False)
+ selftest_steps = [cmd[1] for cmd in steps if "selftest_" in cmd[1]]
+ self.assertEqual(
+ selftest_steps,
+ [
+ "governance_blueprint/validation/selftest_validate_artifacts.py",
+ "governance_blueprint/validation/selftest_generate_artifact_manifest.py",
+ "governance_blueprint/validation/selftest_run_validation_suite.py",
+ ],
+ )
+
+ def test_build_steps_with_json_and_selftests_uses_json_validator(self) -> None:
+ steps = rs.build_steps(json_report=True, skip_selftest=False)
+ self.assertEqual(
+ steps[1],
+ [sys.executable, "governance_blueprint/validation/validate_artifacts.py", "--json"],
+ )
+ self.assertEqual(
+ [cmd[1] for cmd in steps if "selftest_" in cmd[1]],
+ [
+ "governance_blueprint/validation/selftest_validate_artifacts.py",
+ "governance_blueprint/validation/selftest_generate_artifact_manifest.py",
+ "governance_blueprint/validation/selftest_run_validation_suite.py",
+ ],
+ )
+
 def test_suite_writes_json_report_path(self) -> None:
 with tempfile.TemporaryDirectory() as tmp:
 report = Path(tmp) / "report.json"
diff --git a/governance_blueprint/validation/selftest_validate_artifacts.py b/governance_blueprint/validation/selftest_validate_artifacts.py
index e0ed58f..f0d368f 100644
--- a/governance_blueprint/validation/selftest_validate_artifacts.py
+++ b/governance_blueprint/validation/selftest_validate_artifacts.py
@@ -24,10 +24,16 @@ def setUp(self) -> None:
 self.artifacts = self.tmp_path / "governance_blueprint"
 self._seed_valid_artifacts()
 self.original_artifacts = va.ARTIFACTS
+ self.original_root = va.ROOT
+ self.original_master_reference = va.MASTER_REFERENCE_DOC
 va.ARTIFACTS = self.artifacts
+ va.ROOT = self.tmp_path
+ va.MASTER_REFERENCE_DOC = self.tmp_path / "ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md"
 def tearDown(self) -> None:
 va.ARTIFACTS = self.original_artifacts
+ va.ROOT = self.original_root
+ va.MASTER_REFERENCE_DOC = self.original_master_reference
 self.tmp.cleanup()
 def _write(self, path: Path, text: str) -> None:
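Review bot: Each module global overridden in `setUp` has to be undone by a matching line in `tearDown`, and this hunk adds two more such pairs (`va.ROOT`, `va.MASTER_REFERENCE_DOC`); a missed restore would leave a deleted temp path in the validator module for later tests. Registering the override and its undo in one place removes that risk: `p = patch.object(va, "ROOT", self.tmp_path); p.start(); self.addCleanup(p.stop)`, assuming `unittest.mock.patch` is imported in this file (not visible here). The same hand-written save/restore appears twice in `selftest_generate_artifact_manifest.py`, in `_run_check_with_manifest` and `test_stamp_now_writes_fresh_timestamp`. `setUp` starts above this hunk.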
@@ -99,6 +105,42 @@ def _seed_valid_artifacts(self) -> None:
 " - two\n"
 " - three\n",
 )
+ self._write(
+ self.artifacts / "roadmap_2026_2035.yaml",
+ "program: p\n"
+ "version: 1\n"
+ "horizon:\n"
+ " start: 2026-07-01\n"
+ " end: 2035-12-31\n"
+ "segments:\n"
+ " - name: phase_0_foundation\n"
+ " - name: phase_1_policy_spec_industrialization\n"
+ " - name: phase_2_containment_perpetual_assurance\n"
+ " exit_criteria:\n"
+ " critical_breach_mttc_seconds_max: 90\n"
+ " - name: phase_3_prudential_stress\n"
+ " - name: phase_4_supervisory_interoperability\n"
+ " exit_criteria:\n"
+ " supervisory_requests_via_api_pct: 95\n"
+ " manual_dossier_assembly_pct_max: 5\n"
+ "extension:\n"
+ " - period: 2035\n",
+ )
+ self._write(
+ self.artifacts / "regulatory_playbook_mapping_2026_2035.csv",
+ "framework,obligation,control_family,evidence_artifact,automation_mechanism\n"
+ "EU AI Act Annex IV,B,C,D,E\nNIST AI RMF 1.0,C,D,E,F\nISO IEC 42001 AIMS,D,E,F,G\n"
+ "Basel III IV,E,F,G,H\nUK SMCR,F,G,H,I\nICGC compute governance,G,H,I,J\n"
+ "DORA,H,I,J,K\nNIS2,I,J,K,L\nHKMA Fintech 2030,J,K,L,M\nMAS FEAT,K,L,M,N\n",
+ )
+ self._write(
+ self.tmp_path / "ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md",
+ "# Enterprise AGI/ASI Governance Implementation Roadmap & Master Reference (2026–2035)\n"
+ "## 2) Phased Roadmap (2026–2030) + Extension (2031–2035)\n"
+ "## 4) Formal Verification and Policy-as-Code Conformance\n"
+ "## 9) Regulatory Mapping Playbooks (Control Objectives)\n"
+ "## 11) Quantitative KPI Targets\n",
+ )
 # Generate manifest hashes for seeded files.
 hash_targets = [
@@ -106,6 +148,8 @@ def _seed_valid_artifacts(self) -> None:
 "evidence_event_schema.json",
 "opa/release_gate.rego",
 "roadmap_2026_2030.yaml",
+ "roadmap_2026_2035.yaml",
+ "regulatory_playbook_mapping_2026_2035.csv",
 ]
 manifest = {
 "package": "test",
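Review bot: The master reference markdown seeded in the previous hunk is not added to `hash_targets` in the `@@ -106,6 +148,8 @@` hunk, so this fixture never exercises a digest check on that document. Whether the real manifest pins it is not visible here; if it does not, the five heading patterns in `validate_master_reference_markdown` are the only guard, and the body of the document can change without any validator reporting it. Either confirm the manifest covers it or state the exclusion next to the list, for example `# master reference lives under ROOT and is validated by headings only`. `_seed_valid_artifacts` starts and ends outside these hunks.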
@@ -123,8 +167,86 @@ def test_all_validators_pass_for_good_assets(self) -> None:
 self.assertEqual(va.validate_json_schema(), [])
 self.assertEqual(va.validate_rego(), [])
 self.assertEqual(va.validate_yaml_shape(), [])
+ self.assertEqual(va.validate_roadmap_2035_shape(), [])
+ self.assertEqual(va.validate_regulatory_mapping_csv(), [])
+ self.assertEqual(va.validate_master_reference_markdown(), [])
 self.assertEqual(va.validate_manifest_hashes(), [])
+ def test_master_reference_fails_when_section_missing(self) -> None:
+ (self.tmp_path / "ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md").write_text(
+ "# Enterprise AGI/ASI Governance Implementation Roadmap & Master Reference (2026–2035)\n",
+ encoding="utf-8",
+ )
+ errors = va.validate_master_reference_markdown()
+ self.assertTrue(any("missing required section:" in e for e in errors))
+
+ def test_2035_roadmap_shape_fails_when_phase_missing(self) -> None:
+ (self.artifacts / "roadmap_2026_2035.yaml").write_text(
+ "program: p\nhorizon: h\nsegments:\n - name: phase_0_foundation\nextension:\n - period: 2035\n",
+ encoding="utf-8",
+ )
+ errors = va.validate_roadmap_2035_shape()
+ self.assertTrue(any("segment order mismatch" in e for e in errors))
+
+ def test_2035_roadmap_shape_fails_when_semantic_token_missing(self) -> None:
+ (self.artifacts / "roadmap_2026_2035.yaml").write_text(
+ "program: p\nversion: 1\nhorizon:\n start: 2026-07-01\nsegments:\n"
+ " - name: phase_0_foundation\n"
+ " - name: phase_1_policy_spec_industrialization\n"
+ " - name: phase_2_containment_perpetual_assurance\n"
+ " - name: phase_3_prudential_stress\n"
+ " - name: phase_4_supervisory_interoperability\n"
+ "extension:\n - period: 2035\n",
+ encoding="utf-8",
+ )
+ errors = va.validate_roadmap_2035_shape()
+ self.assertTrue(any("missing required semantic token" in e for e in errors))
+
+ def test_2035_roadmap_shape_fails_on_duplicate_segments(self) -> None:
+ (self.artifacts / "roadmap_2026_2035.yaml").write_text(
+ "program: p\nversion: 1\nhorizon:\n start: 2026-07-01\n end: 2035-12-31\nsegments:\n"
+ " - name: phase_0_foundation\n"
+ " - name: phase_1_policy_spec_industrialization\n"
+ " - name: phase_2_containment_perpetual_assurance\n"
+ " - name: phase_2_containment_perpetual_assurance\n"
+ " - name: phase_4_supervisory_interoperability\n"
+ " exit_criteria:\n"
+ " supervisory_requests_via_api_pct: 95\n"
+ " manual_dossier_assembly_pct_max: 5\n"
+ "extension:\n - period: 2035\n"
+ "critical_breach_mttc_seconds_max: 90\n",
+ encoding="utf-8",
+ )
+ errors = va.validate_roadmap_2035_shape()
+ self.assertTrue(any("duplicate segment names" in e for e in errors))
+
+ def test_regulatory_mapping_csv_fails_on_missing_column(self) -> None:
+ (self.artifacts / "regulatory_playbook_mapping_2026_2035.csv").write_text(
+ "framework,obligation,control_family,evidence_artifact\nA,B,C,D\n",
+ encoding="utf-8",
+ )
+ errors = va.validate_regulatory_mapping_csv()
+ self.assertTrue(any("missing required headers" in e for e in errors))
+
+ def test_regulatory_mapping_csv_fails_when_required_frameworks_missing(self) -> None:
+ (self.artifacts / "regulatory_playbook_mapping_2026_2035.csv").write_text(
+ "framework,obligation,control_family,evidence_artifact,automation_mechanism\n"
+ "Only One,A,B,C,D\n",
+ encoding="utf-8",
+ )
+ errors = va.validate_regulatory_mapping_csv()
+ self.assertTrue(any("missing required framework mappings" in e for e in errors))
+
+ def test_regulatory_mapping_csv_framework_match_is_case_insensitive(self) -> None:
+ (self.artifacts / "regulatory_playbook_mapping_2026_2035.csv").write_text(
+ "framework,obligation,control_family,evidence_artifact,automation_mechanism\n"
+ "eu ai act annex iv,A,B,C,D\nnist ai rmf 1.0,B,C,D,E\niso iec 42001 aims,C,D,E,F\n"
+ "basel iii iv,D,E,F,G\nuk smcr,E,F,G,H\nicgc compute governance,F,G,H,I\n"
+ "dora,G,H,I,J\nnis2,H,I,J,K\nhkma fintech 2030,I,J,K,L\nmas feat,J,K,L,M\n",
+ encoding="utf-8",
+ )
+ self.assertEqual(va.validate_regulatory_mapping_csv(), [])
+
 def test_schema_missing_model_id_fails(self) -> None:
 schema_path = self.artifacts / "evidence_event_schema.json"
 schema = json.loads(schema_path.read_text(encoding="utf-8"))
diff --git a/governance_blueprint/validation/validate_artifacts.py b/governance_blueprint/validation/validate_artifacts.py
index 76436cd..d3d3843 100644
--- a/governance_blueprint/validation/validate_artifacts.py
+++ b/governance_blueprint/validation/validate_artifacts.py
@@ -16,6 +16,7 @@
 ROOT = Path(__file__).resolve().parents[2]
 ARTIFACTS = ROOT / "governance_blueprint"
+MASTER_REFERENCE_DOC = ROOT / "ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md"
 def validate_csv() -> list[str]:
@@ -152,6 +153,120 @@ def validate_yaml_shape() -> list[str]:
 return errors
+def validate_roadmap_2035_shape() -> list[str]:
+ errors: list[str] = []
+ path = ARTIFACTS / "roadmap_2026_2035.yaml"
+ text = path.read_text(encoding="utf-8")
+
+ required_tokens = [
+ "program:",
+ "horizon:",
+ "segments:",
+ "phase_0_foundation",
+ "phase_4_supervisory_interoperability",
+ "extension:",
+ "period: 2035",
+ ]
+ for token in required_tokens:
+ if token not in text:
+ errors.append(f"YAML 2035 roadmap missing expected token: {token}")
+
+ segment_names = re.findall(r"^\s*-\s+name:\s*([a-zA-Z0-9_]+)\s*$", text, flags=re.MULTILINE)
+ expected = [
+ "phase_0_foundation",
+ "phase_1_policy_spec_industrialization",
+ "phase_2_containment_perpetual_assurance",
+ "phase_3_prudential_stress",
+ "phase_4_supervisory_interoperability",
+ ]
+ if segment_names[:5] != expected:
+ errors.append(f"YAML 2035 roadmap segment order mismatch: expected {expected}, got {segment_names[:5]}")
+ if len(segment_names) != len(set(segment_names)):
+ errors.append("YAML 2035 roadmap contains duplicate segment names.")
+
+ # Lightweight semantic checks to ensure horizon and key thresholds are present.
+ semantic_tokens = [
+ "start: 2026-07-01",
+ "end: 2035-12-31",
+ "critical_breach_mttc_seconds_max: 90",
+ "supervisory_requests_via_api_pct: 95",
+ "manual_dossier_assembly_pct_max: 5",
+ ]
+ for token in semantic_tokens:
+ if token not in text:
+ errors.append(f"YAML 2035 roadmap missing required semantic token: {token}")
+
+ return errors
+
+
+def validate_regulatory_mapping_csv() -> list[str]:
+ errors: list[str] = []
+ path = ARTIFACTS / "regulatory_playbook_mapping_2026_2035.csv"
+ required_headers = {
+ "framework",
+ "obligation",
+ "control_family",
+ "evidence_artifact",
+ "automation_mechanism",
+ }
+
+ with path.open(newline="", encoding="utf-8") as f:
+ reader = csv.DictReader(f)
+ if reader.fieldnames is None:
+ return ["Regulatory playbook CSV has no header row."]
+
+ missing = required_headers.difference(reader.fieldnames)
+ if missing:
+ errors.append(f"Regulatory playbook CSV missing required headers: {sorted(missing)}")
+
+ rows = list(reader)
+ if len(rows) < 10:
+ errors.append("Regulatory playbook CSV must contain at least 10 mappings.")
+ seen_frameworks: set[str] = set()
+ for i, row in enumerate(rows, start=2):
+ for key in required_headers:
+ if not (row.get(key) or "").strip():
+ errors.append(f"Regulatory playbook CSV row {i} has empty '{key}'.")
+ framework = (row.get("framework") or "").strip()
+ if framework:
+ seen_frameworks.add(framework)
+
+ expected_frameworks = {
+ "eu ai act annex iv",
+ "nist ai rmf 1.0",
+ "iso iec 42001 aims",
+ "basel iii iv",
+ "uk smcr",
+ "icgc compute governance",
+ }
+ normalized_seen = {value.casefold() for value in seen_frameworks}
+ missing_frameworks = sorted(expected_frameworks.difference(normalized_seen))
+ if missing_frameworks:
+ errors.append(
+ f"Regulatory playbook CSV missing required framework mappings: {missing_frameworks}"
+ )
+ return errors
+
+
+def validate_master_reference_markdown() -> list[str]:
+ errors: list[str] = []
+ if not MASTER_REFERENCE_DOC.exists():
+ return [f"Master reference document not found: {MASTER_REFERENCE_DOC.name}"]
+
+ text = MASTER_REFERENCE_DOC.read_text(encoding="utf-8")
+ required_patterns = {
+ "document title (2026–2035 scope)": r"^#\s+Enterprise AGI/ASI Governance Implementation Roadmap.*2035\)\s*$",
+ "phase roadmap section": r"^##\s+2\)\s+Phased Roadmap.*2031.?2035.*$",
+ "formal verification section": r"^##\s+4\)\s+Formal Verification and Policy-as-Code Conformance\s*$",
+ "regulatory mapping section": r"^##\s+9\)\s+Regulatory Mapping Playbooks.*$",
+ "KPI targets section": r"^##\s+11\)\s+Quantitative KPI Targets\s*$",
+ }
+ for label, pattern in required_patterns.items():
+ if not re.search(pattern, text, flags=re.MULTILINE):
+ errors.append(f"Master reference missing required section: {label}")
+ return errors
+
+
 def validate_manifest_hashes() -> list[str]:
 errors: list[str] = []
 manifest_path = ARTIFACTS / "artifact_manifest.json"
@@ -184,6 +299,9 @@ def run_checks() -> dict[str, list[str]]:
 "evidence_event_schema.json": validate_json_schema,
 "opa/release_gate.rego": validate_rego,
 "roadmap_2026_2030.yaml": validate_yaml_shape,
+ "roadmap_2026_2035.yaml": validate_roadmap_2035_shape,
+ "regulatory_playbook_mapping_2026_2035.csv": validate_regulatory_mapping_csv,
+ "ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md": validate_master_reference_markdown,
 "artifact_manifest.json": validate_manifest_hashes,
 }
From 6986a09af7e5cfe5bdd136de37ee643c4b2f5931 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 1 Jun 2026 09:37:23 +0000
Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci
---
 ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md b/ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md
index 2c6497b..aa84b5b 100644
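Review bot: The threshold checks in `validate_roadmap_2035_shape` use substring membership (`if token not in text`), so `critical_breach_mttc_seconds_max: 900` or `manual_dossier_assembly_pct_max: 50` still satisfies the `semantic_tokens` loop, as does a token that appears only in a comment or outside its segment. For a gate meant to hold containment and supervisory limits fixed, a loosened value should fail validation. Matching each token as a whole line closes the numeric-suffix and comment cases: `if not re.search(rf"^\s*{re.escape(token)}\s*$", text, flags=re.MULTILINE):` in place of `if token not in text:` in that loop. A fixture with `critical_breach_mttc_seconds_max: 900` in `selftest_validate_artifacts.py` would pin the behaviour; the duplicate-segments fixture there already places this key at the top level of the YAML and still passes the token check.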
--- a/ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md
+++ b/ENTERPRISE_AGI_ASI_GOVERNANCE_MASTER_REFERENCE_2026_2035.md
@@ -276,4 +276,3 @@ Required proof families:
 - T0/T1 pre-deployment verification coverage = 100%.
 - Severe incident containment SLA adherence > 99%.
 - On-demand supervisory packet generation < 72 hours.
-