
Add Enterprise AGI/ASI governance blueprint, machine-readable artifacts, validator, and CI enforcement #62

Merged
OneFineStarstuff merged 2 commits into main from codex/create-ai-governance-implementation-blueprint on Apr 27, 2026

Conversation

OneFineStarstuff (Owner) commented Apr 27, 2026

Motivation

  • Provide a regulator-ready, implementation-oriented Enterprise AGI/ASI governance blueprint in both human- and machine-readable form for supervisory evidence readiness.
  • Prevent documentation drift by shipping artifact integrity checks, automated static validation, and local pre-commit enforcement.
  • Integrate validation into CI so PRs and pushes that touch governance artifacts are blocked until checks pass.
  • Surface the blueprint in the project dashboard for discoverability and operator guidance.

Description

  • Added the master human-facing blueprint ENTERPRISE_AGI_ASI_GOVERNANCE_BLUEPRINT_2026_2030.md and a dashboard page rag-agentic-dashboard/public/enterprise-agi-asi-governance-blueprint.html, plus a link from whitepaper-suite.html.
  • Introduced machine-readable artifacts under governance_blueprint/: control_mapping_matrix.csv, evidence_event_schema.json, opa/release_gate.rego, roadmap_2026_2030.yaml, and artifact_manifest.json.
  • Implemented a dependency-light validation suite in governance_blueprint/validation/ including validate_artifacts.py, manifest generator generate_artifact_manifest.py, lint script lint_python_sources.py, dashboard link checker, a suite runner run_validation_suite.py, and stdlib unittest self-tests.
  • Added developer ergonomics and automation: Makefile targets for common validation flows, .pre-commit-config.yaml hook for local checks, and a GitHub Actions workflow .github/workflows/governance-artifacts-ci.yml that runs the suite and uploads JSON reports.

Testing

  • Executed the validation suite unit tests python3 governance_blueprint/validation/selftest_validate_artifacts.py and python3 governance_blueprint/validation/selftest_run_validation_suite.py, which passed.
  • Ran the full suite via the suite runner (run_validation_suite.py) in CI-style mode (quiet + JSON report) which exercised generate_artifact_manifest.py --check, validate_artifacts.py --json, lint_python_sources.py, and validate_dashboard_links.py, and produced governance-artifact-validation-report.json and governance-validation-suite-report.json successfully.
  • Lint/compile checks for validation Python sources were included and executed as part of the suite and succeeded.

Codex Task

Summary by Sourcery

Add a regulator-focused Enterprise AGI/ASI governance blueprint with associated machine-readable artifacts and integrate automated validation into local workflows and CI.

Enhancements:

  • Add machine-readable governance artifacts (control mapping matrix, evidence schema, OPA release gate policy, and roadmap) plus a manifest for integrity tracking.
  • Provide a centralized validation suite with artifact checks, dashboard link validation, and stdlib-based self-tests, along with Makefile targets and pre-commit hooks for developer ergonomics.

Build:

  • Add Makefile targets to generate/check the governance artifact manifest and run validation suites and reports.

CI:

  • Introduce a dedicated GitHub Actions workflow to run the governance validation suite on relevant pushes/PRs and upload JSON reports.

Documentation:

  • Introduce a comprehensive Enterprise AGI/ASI governance blueprint document and expose it via a new dashboard page linked from the whitepaper suite.

Tests:

  • Add unittest-based self-tests for the governance artifact validator and validation suite runner to ensure correctness of the CI enforcement tooling.

Summary by CodeRabbit

  • New Features

    • Added Enterprise AGI/ASI Governance Blueprint—comprehensive documentation with multi-phase 2026-2030 roadmap, control frameworks, role definitions, and risk tiering
    • Added automated governance artifact validation system for compliance and integrity verification
    • Added governance framework overview dashboard pages
    • Added CI/CD validation to enforce governance artifact checks on pull requests
  • Documentation

    • Added governance validation system documentation with CLI usage guide and validation reference

sourcery-ai Bot commented Apr 27, 2026

Reviewer's Guide

Introduces an Enterprise AGI/ASI governance blueprint with both human- and machine-readable artifacts, plus a lightweight Python validation/CI pipeline and dashboard integration to keep those artifacts consistent and regulator-ready.

Sequence diagram for CI governance artifacts validation workflow

sequenceDiagram
  actor Dev
  participant GitHub
  participant Actions as GitHub_Actions
  participant Job as validate-governance-artifacts_job
  participant Suite as run_validation_suite_py
  participant GenManifest as generate_artifact_manifest_py
  participant Validator as validate_artifacts_py
  participant Lint as lint_python_sources_py
  participant DashLinks as validate_dashboard_links_py
  participant SelfVA as selftest_validate_artifacts_py
  participant SelfSuite as selftest_run_validation_suite_py
  participant Reports as JSON_reports

  Dev->>GitHub: Open PR or push touching governance_blueprint/* or blueprint MD
  GitHub-->>Actions: Trigger workflow governance-artifacts-ci_yml
  Actions->>Job: Start validate-governance-artifacts
  Job->>Suite: python3 run_validation_suite.py --quiet --json-report validator.json --suite-report suite.json

  Suite->>GenManifest: generate_artifact_manifest.py --check
  GenManifest-->>Suite: Returncode (0 if manifest up to date)

  alt manifest check fails
    GenManifest-->>Suite: Non-zero returncode
    Suite-->>Job: Exit with failure code
    Job-->>Actions: Mark job failed
    Actions-->>Dev: PR status failed (manifest out of date)
  else manifest check passes
    Suite->>Validator: validate_artifacts.py --json > validator.json
    Validator-->>Suite: Returncode 0 or error
    Suite->>Reports: Write validator.json

    Suite->>Lint: lint_python_sources.py
    Lint-->>Suite: Returncode

    Suite->>DashLinks: validate_dashboard_links.py
    DashLinks-->>Suite: Returncode

    Suite->>SelfVA: selftest_validate_artifacts.py
    SelfVA-->>Suite: Returncode

    Suite->>SelfSuite: selftest_run_validation_suite.py
    SelfSuite-->>Suite: Returncode

    Suite->>Reports: Write suite.json aggregate report
    Suite-->>Job: Final exit code (first non-zero or 0)
    Job-->>Actions: Upload validator.json and suite.json
    Actions-->>Dev: CI result on PR (pass/fail)
  end

Class diagram for governance blueprint validation and manifest tooling

classDiagram
  class ValidateArtifacts {
    +ROOT : Path
    +ARTIFACTS : Path
    +validate_csv() list~str~
    +validate_json_schema() list~str~
    +validate_rego() list~str~
    +validate_yaml_shape() list~str~
    +validate_manifest_hashes() list~str~
    +run_checks() dict~str, list~str~
    +main() int
  }

  class GenerateArtifactManifest {
    +ROOT : Path
    +ARTIFACTS : Path
    +MANIFEST_PATH : Path
    +DEFAULT_FILES : list~str~
    +sha256_of(path Path) str
    +build_manifest(preserve_timestamp bool) dict
    +main() int
  }

  class RunValidationSuite {
    +ROOT : Path
    +MALFORMED_VALIDATOR_JSON_RC : int
    +_run(cmd list~str~, quiet bool) int
    +build_steps(json_report bool, skip_selftest bool) list~list~str~~
    +_write_suite_report(path Path, step_results list~dict~, validator_report dict) void
    +main() int
  }

  class LintPythonSources {
    +ROOT : Path
    +VALIDATION_DIR : Path
    +main() int
  }

  class ValidateDashboardLinks {
    +ROOT : Path
    +PUBLIC : Path
    +WHITEPAPER : Path
    +BLUEPRINT : Path
    +main() int
  }

  class SelftestValidateArtifacts {
    +ValidateArtifactsTests
    +setUp() void
    +tearDown() void
    +test_all_validators_pass_for_good_assets() void
    +test_schema_missing_model_id_fails() void
    +test_rego_missing_blocks_fails() void
    +test_manifest_hash_mismatch_fails() void
    +test_yaml_shape_fails_when_insufficient_workstreams() void
  }

  class SelftestRunValidationSuite {
    +RunValidationSuiteTests
    +test_build_steps_without_json_report() void
    +test_build_steps_with_json_and_skip_selftest() void
    +test_suite_writes_json_report_path() void
    +test_suite_writes_suite_report() void
    +test_failure_writes_suite_report_with_failed_step() void
    +test_malformed_validator_json_fails() void
    +test_no_fail_fast_runs_all_steps() void
  }

  class HTML_files

  RunValidationSuite --> GenerateArtifactManifest : invokes
  RunValidationSuite --> ValidateArtifacts : invokes
  RunValidationSuite --> LintPythonSources : invokes
  RunValidationSuite --> ValidateDashboardLinks : invokes
  RunValidationSuite --> SelftestValidateArtifacts : runs tests
  RunValidationSuite --> SelftestRunValidationSuite : runs tests

  GenerateArtifactManifest --> ValidateArtifacts : manifest used for hash checks
  ValidateDashboardLinks --> HTML_files : reads

File-Level Changes

Change | Details | Files

Add human-facing Enterprise AGI/ASI governance blueprint and surface it in the dashboard UI.
  • Created a comprehensive markdown blueprint describing 2026–2030 AGI/ASI governance operating model, controls, and artifacts.
  • Added a dedicated dashboard HTML page summarizing the blueprint contents and operational commands.
  • Linked the new blueprint page from the whitepaper suite cards and ensured navigation back to the dashboard and suite.
  Files:
    ENTERPRISE_AGI_ASI_GOVERNANCE_BLUEPRINT_2026_2030.md
    rag-agentic-dashboard/public/enterprise-agi-asi-governance-blueprint.html
    rag-agentic-dashboard/public/whitepaper-suite.html

Introduce machine-readable governance artifacts and a roadmap to support compliance-as-code and evidence pipelines.
  • Defined a control mapping matrix CSV with governance control families and anchors.
  • Specified a JSON schema for evidence events used in Kafka/WORM pipelines.
  • Authored an OPA release gate policy encoding risk-tiered release requirements.
  • Added a 2026–2030 YAML roadmap describing phases, objectives, and exit criteria.
  • Generated an artifact manifest JSON with SHA-256 hashes for governance artifacts.
  Files:
    governance_blueprint/control_mapping_matrix.csv
    governance_blueprint/evidence_event_schema.json
    governance_blueprint/opa/release_gate.rego
    governance_blueprint/roadmap_2026_2030.yaml
    governance_blueprint/artifact_manifest.json

Add a dependency-light Python validation suite (plus self-tests) for governance artifacts and dashboard links.
  • Implemented a validator script that checks CSV, JSON schema, Rego, YAML shape, and manifest hash integrity with optional JSON output.
  • Added self-test modules using stdlib unittest to exercise validator behavior and the suite runner logic under success and failure scenarios.
  • Provided a suite runner that orchestrates all checks, emits validator and suite JSON reports, supports quiet mode and fail-fast control, and encodes a special return code for malformed JSON.
  • Implemented a Python source linter that compiles validation scripts to catch syntax errors.
  • Added a dashboard link validator ensuring the whitepaper suite links to the blueprint page and that the blueprint page has backlinks.
  Files:
    governance_blueprint/validation/validate_artifacts.py
    governance_blueprint/validation/selftest_validate_artifacts.py
    governance_blueprint/validation/selftest_run_validation_suite.py
    governance_blueprint/validation/run_validation_suite.py
    governance_blueprint/validation/lint_python_sources.py
    governance_blueprint/validation/validate_dashboard_links.py

Wire validation into local developer workflows via Make targets and pre-commit.
  • Added Makefile targets to run manifest generation/check, artifact validation, linting, dashboard checks, self-tests, and suite runs (including JSON/report variants and CI-mode).
  • Configured a local pre-commit hook that runs the validation suite in quiet, fast mode on changes touching governance artifacts or the blueprint markdown.
  Files:
    Makefile
    .pre-commit-config.yaml

Enforce governance artifact validation in CI and publish reports.
  • Added a GitHub Actions workflow that runs on PRs and pushes affecting governance artifacts or the blueprint markdown, sets up Python 3.11, executes the validation suite, and uploads JSON reports as artifacts.
  • Ensured CI uses the same suite entrypoint and flags as local tooling for consistent behavior.
  Files:
    .github/workflows/governance-artifacts-ci.yml


coderabbitai Bot (Contributor) commented Apr 27, 2026

📝 Walkthrough

This pull request introduces a comprehensive enterprise AGI/ASI governance framework comprising machine-readable artifacts, policy definitions, and a Python-based validation suite with CI/CD integration. The changes include a master governance blueprint document, structured artifact schemas, OPA release policies, automated validators with self-tests, and dashboard documentation pages.

Changes

Cohort / File(s) | Summary

Governance Blueprint & Documentation
  Files: ENTERPRISE_AGI_ASI_GOVERNANCE_BLUEPRINT_2026_2030.md, governance_blueprint/roadmap_2026_2030.yaml, rag-agentic-dashboard/public/enterprise-agi-asi-governance-blueprint.html, rag-agentic-dashboard/public/whitepaper-suite.html
  Summary: Master governance blueprint defining three-lines-of-defense structure, risk tiers, role definitions, compliance-as-code architecture, and phased 2026–2030 implementation roadmap. Includes regulator engagement workflows, control principles, and AGI/ASI safety frameworks. Dashboard pages provide overview and cross-linking to whitepaper suite.

Machine-Readable Governance Artifacts
  Files: governance_blueprint/evidence_event_schema.json, governance_blueprint/artifact_manifest.json, governance_blueprint/opa/release_gate.rego
  Summary: Structured artifact definitions: JSON Schema for governance evidence events with required fields and type constraints; manifest file with SHA-256 hash integrity checks; OPA/Rego policy module (aigov.release) implementing risk-tier-based release gates with baseline and escalated approval requirements.

Validation Suite Core
  Files: governance_blueprint/validation/validate_artifacts.py, governance_blueprint/validation/validate_dashboard_links.py, governance_blueprint/validation/generate_artifact_manifest.py, governance_blueprint/validation/lint_python_sources.py
  Summary: Independent validators for CSV headers/values, JSON schema structure, Rego policy tokens/blocks, YAML shape/indentation, manifest hash integrity, Python syntax, and dashboard link connectivity. Each validator outputs human-readable or JSON reports.

Validation Suite Orchestration & Testing
  Files: governance_blueprint/validation/run_validation_suite.py, governance_blueprint/validation/selftest_run_validation_suite.py, governance_blueprint/validation/selftest_validate_artifacts.py, governance_blueprint/validation/README.md
  Summary: Orchestration script (run_validation_suite.py) sequentially executes validators with configurable JSON/suite reporting, fail-fast control, and command echoing. Self-test suites validate orchestration logic, validator outputs, error handling, and artifact seeding via temporary directories. Comprehensive README documents CLI usage, validation responsibilities, and CI integration points.

CI/CD & Build Configuration
  Files: .github/workflows/governance-artifacts-ci.yml, .pre-commit-config.yaml, Makefile
  Summary: GitHub Actions workflow for governance artifact validation on PRs/pushes; pre-commit hook configuration for local governance validation; Makefile targets (gov-*) standardizing manifest generation, artifact validation, linting, self-testing, suite runs (plain/JSON/CI modes), and cleanup.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Suggested labels

documentation, enhancement, Review effort [1-5]: 5

Suggested reviewers

  • gstraccini
  • reviewabot

Poem

🐰 Ah, what splendid governance we weave!
With blueprints, schemas, and Rego decrees,
Three lines of defense from the risk-tiered tree,
CI gates and validators dance with such ease—
AGI safety now wears regulator sleeves!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 2.78% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The pull request title comprehensively and accurately describes the primary change: introducing an enterprise AGI/ASI governance blueprint alongside machine-readable artifacts, a validator suite, and CI enforcement.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


sourcery-ai Bot left a review comment

New security issues found

Three comment threads on governance_blueprint/validation/run_validation_suite.py
sourcery-ai Bot left a comment

Hey - I've found 3 security issues, 5 other issues, and left some high level feedback:

Security issues:

  • Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
  • Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
  • Detected subprocess function 'run' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'. (link)

General comments:

  • The governance validation workflow and pre-commit hook are only triggered on the markdown and governance_blueprint/** paths, but validate_dashboard_links.py depends on the dashboard HTML files; consider extending the CI paths filters and pre-commit files pattern to include the relevant rag-agentic-dashboard/public/*.html files so link regressions are caught when those pages change.
  • Several validation scripts (e.g., validate_artifacts.py and validate_dashboard_links.py) assume their target files exist and will raise if they are missing; it would be more robust to add existence checks with clear error messages to avoid unhandled exceptions when artifacts are renamed or removed.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The governance validation workflow and pre-commit hook are only triggered on the markdown and `governance_blueprint/**` paths, but `validate_dashboard_links.py` depends on the dashboard HTML files; consider extending the CI `paths` filters and pre-commit `files` pattern to include the relevant `rag-agentic-dashboard/public/*.html` files so link regressions are caught when those pages change.
- Several validation scripts (e.g., `validate_artifacts.py` and `validate_dashboard_links.py`) assume their target files exist and will raise if they are missing; it would be more robust to add existence checks with clear error messages to avoid unhandled exceptions when artifacts are renamed or removed.

## Individual Comments

### Comment 1
<location path="governance_blueprint/validation/validate_artifacts.py" line_range="23" />
<code_context>
+
+def validate_csv() -> list[str]:
+    errors: list[str] = []
+    path = ARTIFACTS / "control_mapping_matrix.csv"
+    required_headers = {
+        "control_family",
</code_context>
<issue_to_address>
**issue:** Handle missing or unreadable CSV with a controlled error instead of raising an uncaught exception.

If `control_mapping_matrix.csv` is missing or unreadable, `open()` will raise and terminate the validator instead of producing a structured error. Wrap the file access in a try/except (`FileNotFoundError`, `OSError`) and add a clear message to `errors` so failures are reported consistently by this check.
</issue_to_address>

### Comment 2
<location path="governance_blueprint/validation/validate_artifacts.py" line_range="161-162" />
<code_context>
+    if not manifest_path.exists():
+        return ["artifact_manifest.json not found."]
+
+    with manifest_path.open(encoding="utf-8") as f:
+        manifest = json.load(f)
+
+    artifacts = manifest.get("artifacts")
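Review bot: the `manifest.get("artifacts")` on the last line assumes the decoded document is an object; if the file parses but is a JSON array or scalar, this raises `AttributeError` instead of reporting a validation error. Alongside catching `json.JSONDecodeError` around `json.load(f)`, check `isinstance(manifest, dict)` and `isinstance(artifacts, dict)` and return a message such as `"artifact_manifest.json must be an object with an 'artifacts' mapping."`; also verify each recorded value is a 64-character hex string before comparing it with the recomputed SHA-256, so a truncated or hand-edited manifest fails the check rather than crashing it.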
</code_context>
<issue_to_address>
**issue (bug_risk):** Guard against malformed `artifact_manifest.json` rather than allowing `json.load` to raise.

If the file exists but contains invalid JSON, `json.load` will raise and skip your normal error-reporting flow. Consider catching `json.JSONDecodeError` and appending a clear message (e.g., "artifact_manifest.json is malformed JSON") so CI fails gracefully instead of crashing.
</issue_to_address>

### Comment 3
<location path="governance_blueprint/validation/generate_artifact_manifest.py" line_range="47-49" />
<code_context>
+
+def build_manifest(*, preserve_timestamp: bool = True) -> dict:
+    artifacts: dict[str, str] = {}
+    for rel in DEFAULT_FILES:
+        p = ARTIFACTS / rel
+        artifacts[rel] = sha256_of(p)
+
+    generated_utc = _existing_generated_utc() if preserve_timestamp else None
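Review bot: `_existing_generated_utc()` on the last line runs regardless of how the missing-file question in the loop is settled, and if it reads the current `artifact_manifest.json` to recover the timestamp it has the same exposure as the validator: a missing or malformed manifest would surface as a traceback from the generator rather than a clear message. Make the timestamp lookup return `None` on `FileNotFoundError` and `json.JSONDecodeError` so `--check` can report that the manifest is absent or unreadable and must be regenerated.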
</code_context>
<issue_to_address>
**issue:** Surface missing files in the manifest generation step with a clear message instead of an uncaught error.

If a path in `DEFAULT_FILES` is missing, `sha256_of(p)` will raise when reading the file and produce a generic traceback. Consider checking `p.exists()` and either failing with a clear, actionable error (e.g., naming the missing artifact) or explicitly skipping optional files, per your intended behavior.
</issue_to_address>

### Comment 4
<location path=".github/workflows/governance-artifacts-ci.yml" line_range="33-36" />
<code_context>
+      - name: Run governance validation suite
+        run: python3 governance_blueprint/validation/run_validation_suite.py --quiet --json-report governance-artifact-validation-report.json --suite-report governance-validation-suite-report.json
+
+      - name: Show validation report
+        run: |
+          cat governance-artifact-validation-report.json
+          cat governance-validation-suite-report.json
+
+      - name: Upload validation report
</code_context>
<issue_to_address>
**suggestion:** Guard `cat` calls so the report step does not fail with missing files when the suite itself fails early.

If `run_validation_suite.py` exits before writing one or both JSON files, these `cat` commands will fail with "No such file or directory" and can hide the original error. Consider guarding them, e.g. `if [ -f ... ]; then cat ...; fi`, so the step only prints reports that exist and doesn’t add noisy failures on early exits.

```suggestion
      - name: Show validation report
        run: |
          [ -f governance-artifact-validation-report.json ] && cat governance-artifact-validation-report.json
          [ -f governance-validation-suite-report.json ] && cat governance-validation-suite-report.json
```
</issue_to_address>

### Comment 5
<location path="governance_blueprint/validation/run_validation_suite.py" line_range="64" />
<code_context>
+    }
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--check", action="store_true", help="Fail if manifest is out of date.")
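Review bot: the quoted context (`--check`, help text "Fail if manifest is out of date.") is the argument parser of the manifest generator, not `run_validation_suite.py` as the location states, so the refactoring below cannot be matched to these lines; locate `main()` in `run_validation_suite.py` directly. The refactor itself is reasonable, but `_handle_step_result` returns a `should_stop` flag that the proposed `main()` discards (`first_failure_rc, _ = ...`) before an unconditional `return rc`, so the helper's second return value is dead code; either drop it or let `main()` act on it.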
</code_context>
<issue_to_address>
**issue (complexity):** Consider refactoring `main()` to delegate JSON-report handling and failure logic to helper functions so its control flow is flatter and less duplicated.

You can reduce the branching and duplication in `main()` by:

1. Moving the JSON-report special handling into `_run_step`.
2. Centralizing fail-fast / first-failure logic in a helper.
3. Making `main()` mostly orchestration.

This keeps all behavior but flattens the control flow.

### 1. Extract a unified step runner

Unify normal and `--json` runs:

```python
def _run_step(
    cmd: list[str],
    *,
    quiet: bool,
    json_report_path: Path | None,
) -> tuple[int, dict | None]:
    """Run a single step, optionally capturing validator JSON.

    Returns (rc, validator_payload_if_any).
    """
    if json_report_path is not None and cmd[-1] == "--json":
        json_report_path.parent.mkdir(parents=True, exist_ok=True)
        with json_report_path.open("w", encoding="utf-8") as out:
            completed = subprocess.run(cmd, cwd=ROOT, stdout=out)
        rc = completed.returncode
        validator_payload = None
        if rc == 0:
            try:
                validator_payload = json.loads(json_report_path.read_text(encoding="utf-8"))
            except json.JSONDecodeError:
                rc = MALFORMED_VALIDATOR_JSON_RC
                print("Validator JSON report is malformed.")
        return rc, validator_payload

    rc = _run(cmd, quiet=quiet)
    return rc, None
```

Then `main()`’s loop no longer branches on `cmd[-1]`.

### 2. Centralize failure handling

Factor the repeated “first failure + fail-fast + suite-report” logic:

```python
def _handle_step_result(
    *,
    rc: int,
    first_failure_rc: int,
    step_results: list[dict],
    suite_report_path: Path | None,
    validator_payload: dict | None,
) -> tuple[int, bool]:
    """Update first_failure_rc and optionally write suite report.

    Returns (new_first_failure_rc, should_stop).
    """
    if rc == 0:
        return first_failure_rc, False

    if first_failure_rc == 0:
        first_failure_rc = rc

    if suite_report_path is not None:
        _write_suite_report(suite_report_path, step_results, validator_payload)

    return first_failure_rc, True
```

### 3. Simplify `main()` loop using the helpers

Putting it together (keeps existing behavior):

```python
def main() -> int:
    # ... argparse as before ...

    steps = build_steps(json_report=bool(args.json_report), skip_selftest=args.skip_selftest)
    step_results: list[dict] = []
    validator_payload: dict | None = None
    first_failure_rc = 0

    json_report_path = Path(args.json_report) if args.json_report else None
    suite_report_path = Path(args.suite_report) if args.suite_report else None

    for cmd in steps:
        step_name = Path(cmd[1]).name if len(cmd) > 1 else "unknown"

        rc, maybe_validator_payload = _run_step(
            cmd,
            quiet=args.quiet,
            json_report_path=json_report_path,
        )
        if maybe_validator_payload is not None:
            validator_payload = maybe_validator_payload

        step_results.append({"name": step_name, "command": cmd, "returncode": rc})

        if rc != 0 and not args.no_fail_fast:
            first_failure_rc, _ = _handle_step_result(
                rc=rc,
                first_failure_rc=first_failure_rc,
                step_results=step_results,
                suite_report_path=suite_report_path,
                validator_payload=validator_payload,
            )
            return rc

        if rc != 0 and first_failure_rc == 0:
            first_failure_rc = rc

    if first_failure_rc != 0:
        if suite_report_path is not None:
            _write_suite_report(suite_report_path, step_results, validator_payload)
        return first_failure_rc

    if not args.quiet:
        print("Governance validation suite passed.")
    if suite_report_path is not None:
        _write_suite_report(suite_report_path, step_results, validator_payload)
    return 0
```

This removes the duplicated in-loop failure blocks and the inline JSON-special-case branch, while preserving all existing flags and semantics.
</issue_to_address>

### Comment 6
<location path="governance_blueprint/validation/run_validation_suite.py" line_range="23" />
<code_context>
    completed = subprocess.run(cmd, cwd=ROOT)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

### Comment 7
<location path="governance_blueprint/validation/run_validation_suite.py" line_range="107" />
<code_context>
                completed = subprocess.run(cmd, cwd=ROOT, stdout=out)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

*Source: opengrep*
</issue_to_address>

### Comment 8
<location path="governance_blueprint/validation/run_validation_suite.py" line_range="107" />
<code_context>
                completed = subprocess.run(cmd, cwd=ROOT, stdout=out)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-tainted-env-args):** Detected subprocess function 'run' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.quote()'.

*Source: opengrep*
</issue_to_address>

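The three opengrep findings above all point at the same call shape, `subprocess.run(cmd, cwd=ROOT)`, and ask for an audit of where `cmd` comes from. The following is an added example, not code from the PR or from Sourcery/opengrep, of how to make that audit trivially answerable: every argv is built from a closed allowlist, checked again immediately before `subprocess.run`, and never passed through a shell. `ROOT`, `VALIDATION_DIR`, the step table and the flag allowlist are assumptions that mirror the PR's layout rather than its actual `build_steps()`.

```python
"""Static-argv step runner for a validation suite.

Added example, not the PR's code. Shows the pattern that resolves the
"subprocess.run without a static string" audit: argv lists only, built
from a closed allowlist, re-validated before execution, shell=False.
ROOT, VALIDATION_DIR, ALLOWED_STEPS and ALLOWED_FLAGS are assumptions.
"""
from __future__ import annotations

import subprocess
import sys
from pathlib import Path

# Assumed layout (mirrors the PR; point ROOT at the real repository root).
ROOT = Path(__file__).resolve().parent
VALIDATION_DIR = ROOT / "governance_blueprint" / "validation"

# Closed allowlist: step name -> (script, fixed flags). Nothing outside this
# table can reach subprocess.run, so every argv is static by construction.
ALLOWED_STEPS: dict[str, tuple[str, ...]] = {
    "lint": ("lint_python_sources.py",),
    "validate": ("validate_artifacts.py", "--json"),
    "manifest": ("generate_artifact_manifest.py", "--check"),
    "dashboard": ("validate_dashboard_links.py",),
}
ALLOWED_FLAGS = frozenset({"--json", "--check"})


def build_command(step: str, validation_dir: Path = VALIDATION_DIR) -> list[str]:
    """Return the argv list for an allowlisted step; unknown steps are refused."""
    try:
        script, *flags = ALLOWED_STEPS[step]
    except KeyError:
        raise ValueError(f"unknown validation step: {step!r}") from None
    return [sys.executable, str(validation_dir / script), *flags]


def is_static_command(cmd: list[str], validation_dir: Path = VALIDATION_DIR) -> bool:
    """Defence in depth right before subprocess.run: the interpreter must be
    the one we run under, the script must sit directly inside validation_dir
    (resolve() normalises any '..' components), and every flag must be known."""
    if len(cmd) < 2 or cmd[0] != sys.executable:
        return False
    script = Path(cmd[1])
    if script.suffix != ".py" or script.resolve().parent != validation_dir.resolve():
        return False
    return all(flag in ALLOWED_FLAGS for flag in cmd[2:])


def run_step(cmd: list[str], cwd: Path = ROOT) -> int:
    """Run one step. shell=False: the list goes to execve as-is, so shell
    metacharacters inside any element are data, never commands."""
    if not is_static_command(cmd):
        raise ValueError(f"refusing to run non-allowlisted command: {cmd}")
    completed = subprocess.run(cmd, cwd=cwd, shell=False, check=False)
    return completed.returncode


def argv_is_passed_literally() -> bool:
    """Why the list form is not injectable: an argument that looks like shell
    syntax arrives in the child process unchanged. Runs the current
    interpreter as the child, so this works offline."""
    probe = "--json; echo not-a-command"  # constructed sample argument
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", probe],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout.strip() == probe


if __name__ == "__main__":
    for name in ALLOWED_STEPS:
        print(name, "->", build_command(name))
    print("argv passed literally:", argv_is_passed_literally())
```

The audit question then reduces to reviewing `ALLOWED_STEPS`: if a future change lets a CLI flag or environment variable flow into `cmd`, `is_static_command` rejects it at run time instead of relying on a code reviewer to notice.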

@codacy-production


Not up to standards ⛔

🟢 Issues: 0 new issues

🟢 Metrics: 122 complexity · 4 duplication

| Metric | Result |
| --- | --- |
| Complexity | 122 |
| Duplication | 4 |


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4ee52488ea



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 6

🧹 Nitpick comments (8)
governance_blueprint/evidence_event_schema.json (1)

17-17: event_id description claims UUID but the schema doesn't enforce it.

The description states "UUID for immutable event identity" yet the schema only requires type: "string", so any string passes validation. If UUID is part of the contract, add format: "uuid" (or a regex pattern) so consumers can rely on it.

♻️ Proposed change
-    "event_id": { "type": "string", "description": "UUID for immutable event identity." },
+    "event_id": {
+      "type": "string",
+      "format": "uuid",
+      "description": "UUID for immutable event identity."
+    },

Note: JSON Schema 2020-12 treats format as annotation by default; pair with a validator running in assertion mode, or use a pattern if you need guaranteed enforcement.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@governance_blueprint/evidence_event_schema.json` at line 17, The event_id
property in evidence_event_schema.json is declared as "type": "string" but the
description claims it's a UUID; update the schema for the "event_id" property to
require a UUID by adding "format": "uuid" and, if strict enforcement is needed
regardless of validator mode, add a UUID regex "pattern" as well so consumers
can rely on UUID validation.
governance_blueprint/validation/lint_python_sources.py (1)

15-19: Optional: avoid creating __pycache__/.pyc side effects during lint.

py_compile.compile(str(path), doraise=True) writes a .pyc to __pycache__ as a side effect. For a lint-only check, you can suppress this by directing the bytecode to a throwaway path:

♻️ Proposed change
-import py_compile
-from pathlib import Path
+import os
+import py_compile
+from pathlib import Path
@@
-    for path in sorted(VALIDATION_DIR.glob("*.py")):
-        try:
-            py_compile.compile(str(path), doraise=True)
-        except py_compile.PyCompileError as exc:
-            failures.append(f"{path}: {exc.msg}")
+    for path in sorted(VALIDATION_DIR.glob("*.py")):
+        try:
+            py_compile.compile(str(path), cfile=os.devnull, doraise=True)
+        except py_compile.PyCompileError as exc:
+            failures.append(f"{path}: {exc.msg}")
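Review bot: `cfile=os.devnull` in the `+` line is not a quiet no-op: `py_compile.compile` writes the bytecode through `importlib._bootstrap_external._write_atomic`, which first creates a temporary sibling file next to `cfile` (`/dev/null.<id>` on Linux) and then renames it over the target, so a non-root CI runner gets a `PermissionError` from the lint step instead of a clean syntax check. For a syntax-only lint, compile the source in memory instead, e.g. `compile(path.read_text(encoding="utf-8"), str(path), "exec")` inside `try`/`except SyntaxError as exc:`, which produces no bytecode file at all and keeps the `failures.append(f"{path}: ...")` shape unchanged.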
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@governance_blueprint/validation/lint_python_sources.py` around lines 15 - 19,
The current py_compile.compile(str(path), doraise=True) call creates .pyc files
in __pycache__; change it to direct bytecode to a throwaway file by passing an
explicit cfile argument (e.g., create a temporary file via
tempfile.NamedTemporaryFile or use os.devnull where appropriate) and use
py_compile.compile(str(path), cfile=temp_path, doraise=True), then remove/close
the temp file so no .pyc or __pycache__ are left behind; update the loop that
iterates VALIDATION_DIR.glob("*.py") and the exception handling that appends to
failures to use this temporary cfile approach.
.pre-commit-config.yaml (1)

9-9: files regex misses dashboard HTML targets covered by the suite.

run_validation_suite.py invokes validate_dashboard_links.py, which inspects rag-agentic-dashboard/public/whitepaper-suite.html and rag-agentic-dashboard/public/enterprise-agi-asi-governance-blueprint.html. With the current regex, edits to those HTML files won't trigger the pre-commit hook, so a broken cross-link would only be caught in CI.

♻️ Proposed change
-        files: '^(governance_blueprint/|ENTERPRISE_AGI_ASI_GOVERNANCE_BLUEPRINT_2026_2030\.md)'
+        files: '^(governance_blueprint/|ENTERPRISE_AGI_ASI_GOVERNANCE_BLUEPRINT_2026_2030\.md|rag-agentic-dashboard/public/(whitepaper-suite|enterprise-agi-asi-governance-blueprint)\.html)'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.pre-commit-config.yaml at line 9, The current .pre-commit-config.yaml
`files` regex only matches governance_blueprint/ and the markdown
ENTERPRISE_AGI_ASI_GOVERNANCE_BLUEPRINT_2026_2030.md, so edits to the dashboard
HTML files won't trigger the hook; update the `files` regex to also match the
two dashboard HTML targets inspected by validate_dashboard_links.py
(rag-agentic-dashboard/public/whitepaper-suite.html and
rag-agentic-dashboard/public/enterprise-agi-asi-governance-blueprint.html) or
use a broader pattern to include rag-agentic-dashboard/public/*.html so
run_validation_suite.py -> validate_dashboard_links.py runs on edits to those
HTML files.
Makefile (1)

42-43: Optional: simplify gov-clean inline Python.

The expr and expr idiom for conditional execution and the throwaway list-comprehension for side effects work but are hard to read. A missing_ok=True unlink (Python 3.8+) avoids the existence check entirely, and a plain for loop expresses intent more clearly.

♻️ Proposed simplification
 gov-clean:
-	$(PYTHON) -c "from pathlib import Path; import shutil; report=Path('governance-artifact-validation-report.json'); suite=Path('governance-validation-suite-report.json'); report.exists() and report.unlink(); suite.exists() and suite.unlink(); [shutil.rmtree(p) for p in Path('governance_blueprint/validation').rglob('__pycache__') if p.is_dir()]"
+	$(PYTHON) -c "from pathlib import Path; import shutil; \
+	  Path('governance-artifact-validation-report.json').unlink(missing_ok=True); \
+	  Path('governance-validation-suite-report.json').unlink(missing_ok=True); \
+	  [shutil.rmtree(p) for p in Path('governance_blueprint/validation').rglob('__pycache__') if p.is_dir()]"
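Review bot: the `+` lines keep the `[shutil.rmtree(p) for p in ...]` side-effect comprehension that the comment itself calls hard to read; inside a `-c` one-liner that is unavoidable, because a `for` statement cannot follow `;` on the same logical line, so either accept the comprehension or move the cleanup into a small script under `governance_blueprint/validation/` (name to be chosen) and invoke it from the recipe. The `\` continuations inside the double-quoted `-c` string are joined by the shell before Python sees them, so the indentation on the continued lines becomes harmless whitespace between statements; a one-line comment above the recipe saying so will stop a future reader from "fixing" it.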
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 42 - 43, The gov-clean Makefile target uses terse
Python idioms that hurt readability; update the inline Python in the gov-clean
recipe (the Python one-liner currently handling report/suite unlink and rglob
cleanup) to call Path.unlink(missing_ok=True) instead of the existence checks
and to replace the list-comprehension side-effect with an explicit for loop that
iterates over Path('governance_blueprint/validation').rglob('__pycache__') and
calls shutil.rmtree on each directory if p.is_dir(), keeping imports (Path,
shutil) and behavior identical but clearer.
governance_blueprint/validation/validate_artifacts.py (2)

105-107: Make allow block count tolerant of whitespace.

text.count("allow {") requires exactly one space before {. Reformatting (allow{, allow {, or trailing spaces) would silently report fewer blocks even when the policy is structurally correct. A regex avoids this fragility.

♻️ Proposed refactor
-    allow_count = text.count("allow {")
+    allow_count = len(re.findall(r"^\s*allow\s*\{", text, flags=re.MULTILINE))
     if allow_count < 3:
         errors.append("Rego policy must define at least three allow blocks.")
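Review bot: `^\s*allow\s*\{` in the `+` line fixes the whitespace fragility but still ties the count to the pre-1.0 rule syntax; OPA 1.0 makes the `if` keyword mandatory, so a policy migrated to `allow if {` would report zero blocks and fail the gate for the wrong reason. `r"^\s*allow(\s+if)?\s*\{"` covers both forms, `re.MULTILINE` is already right for the `^` anchor, and `re` is already imported in this module (the workstreams check below uses `re.findall`).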
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@governance_blueprint/validation/validate_artifacts.py` around lines 105 -
107, The current count uses text.count("allow {") which fails for differing
whitespace; update the logic that sets allow_count (and the subsequent error
append) to use a regex search that matches the word "allow" followed by any
amount of whitespace and a "{" (for example via re.findall or re.finditer with a
pattern like r'\ballow\s*{', using re.MULTILINE if needed) so the count is
robust to "allow{", "allow  {", or leading/trailing spaces before the brace;
keep the existing error message and variable names (allow_count, errors.append)
unchanged except for how allow_count is computed.

143-145: Workstream count check falls back to the whole file when the marker is missing.

text.split("workstreams:")[-1] returns the full file when workstreams: is absent. The missing-token error is already raised earlier, but the regex then scans phase content and may produce a confusing secondary error. Guarding the split keeps the error report focused.

♻️ Proposed refactor
-    workstream_entries = re.findall(r"^\s*-\s+([a-zA-Z0-9_]+)\s*$", text.split("workstreams:")[-1], flags=re.MULTILINE)
-    if len(workstream_entries) < 3:
-        errors.append("YAML roadmap must define at least 3 workstreams.")
+    if "workstreams:" in text:
+        workstreams_section = text.split("workstreams:", 1)[1]
+        workstream_entries = re.findall(r"^\s*-\s+([a-zA-Z0-9_]+)\s*$", workstreams_section, flags=re.MULTILINE)
+        if len(workstream_entries) < 3:
+            errors.append("YAML roadmap must define at least 3 workstreams.")
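Review bot: `text.split("workstreams:", 1)[1]` in the `+` line silently changes which section is scanned: the original `[-1]` took everything after the last occurrence of the marker, the new code takes everything after the first. Both are equivalent only while the marker appears exactly once. Since the regex `^\s*-\s+([a-zA-Z0-9_]+)\s*$` then counts every bare list item until end of file, including entries under any later top-level key, consider cutting the section at the next unindented `key:` line so the count reflects the `workstreams` block alone and the error message stays trustworthy.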
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@governance_blueprint/validation/validate_artifacts.py` around lines 143 -
145, The workstream count check runs the regex against
text.split("workstreams:")[-1], which falls back to the whole file when the
"workstreams:" marker is missing and can produce a misleading error; update the
logic around workstream_entries to first verify the marker exists (e.g., check
"workstreams:" in text or use text.split("workstreams:", 1) and ensure you got
two parts) and only run the re.findall/count check when the marker is
present—otherwise leave workstream_entries empty or skip appending the "must
define at least 3 workstreams" error so the earlier missing-token error remains
the primary report (refer to the workstream_entries variable, the errors list,
and the text value in this function).
governance_blueprint/validation/run_validation_suite.py (2)

100-123: Validator step identified by fragile cmd[-1] == "--json" and bypasses --quiet echo behavior.

Two minor issues in the special-cased validator block:

  1. The validator step is detected positionally via cmd[-1] == "--json". Today only one step ends with --json, but anyone extending build_steps() with another --json flag would silently be routed through this stdout-capture path. Identifying by script name (e.g. Path(cmd[1]).name == "validate_artifacts.py") is more robust and self-documenting.
  2. Unlike _run(), this branch never echoes "$ <cmd>" regardless of --quiet. So when running non-quiet, the validator step is the only one that doesn't appear in the console transcript — confusing when reading CI logs.
♻️ Proposed adjustment
-        if args.json_report and cmd[-1] == "--json":
+        if args.json_report and step_name == "validate_artifacts.py" and "--json" in cmd:
+            if not args.quiet:
+                print("$", " ".join(cmd), f"> {args.json_report}")
             report_path = Path(args.json_report)
             report_path.parent.mkdir(parents=True, exist_ok=True)
             with report_path.open("w", encoding="utf-8") as out:
                 completed = subprocess.run(cmd, cwd=ROOT, stdout=out)
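Review bot: `step_name` in the `+` condition is not assigned anywhere in the shown context; the hunk only works once the loop computes it (for example `step_name = Path(cmd[1]).name`, as in the Comment 5 refactor above), otherwise replacing `cmd[-1] == "--json"` trades a fragile check for a `NameError`. The `> {args.json_report}` suffix in the echoed line is display only: the capture is done by `stdout=out` with no shell involved, which deserves a short comment so nobody later turns the echo into a real redirection with `shell=True`.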
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@governance_blueprint/validation/run_validation_suite.py` around lines 100 -
123, Detect the validator step by its script name rather than by the last flag
and restore the same echo behavior as _run(): inside the loop over steps,
replace the positional check cmd[-1] == "--json" with a check that
Path(cmd[1]).name == "validate_artifacts.py" (or the actual validator script
name used in build_steps()), and before running the subprocess (when not
args.quiet) print the command string the same way _run() does so the validator
step appears in the console transcript; preserve the existing JSON-report
handling (args.json_report), return-code logic, and calls to
_write_suite_report/step_results/first_failure_rc unchanged.

95-144: Consolidate the four _write_suite_report call sites with a single try/finally.

_write_suite_report is invoked from four places (lines 121, 132, 137, 143) with the same arguments. Wrapping the loop in try/finally (or pulling the writes into a single post-loop block) eliminates the duplication and makes it harder to forget the report write on a future control-flow change. Also addresses the Complex Method static analysis hint on main().

♻️ Sketch
-    for cmd in steps:
-        ...
-                if not args.no_fail_fast:
-                    if args.suite_report:
-                        _write_suite_report(Path(args.suite_report), step_results, validator_payload)
-                    return rc
-            continue
-        ...
-                if not args.no_fail_fast:
-                    if args.suite_report:
-                        _write_suite_report(Path(args.suite_report), step_results, validator_payload)
-                    return rc
-
-    if first_failure_rc != 0:
-        if args.suite_report:
-            _write_suite_report(Path(args.suite_report), step_results, validator_payload)
-        return first_failure_rc
-
-    if not args.quiet:
-        print("Governance validation suite passed.")
-    if args.suite_report:
-        _write_suite_report(Path(args.suite_report), step_results, validator_payload)
-    return 0
+    try:
+        for cmd in steps:
+            ...
+            if rc != 0:
+                if first_failure_rc == 0:
+                    first_failure_rc = rc
+                if not args.no_fail_fast:
+                    return rc
+        if first_failure_rc == 0 and not args.quiet:
+            print("Governance validation suite passed.")
+        return first_failure_rc
+    finally:
+        if args.suite_report:
+            _write_suite_report(Path(args.suite_report), step_results, validator_payload)
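Review bot: the `finally` block runs on every exit path, so `step_results` and `validator_payload` must already be bound before `try:` (the `+` lines do not show their initialisation) or a `NameError` from the report writer will mask the real return code. Two further consequences are worth a comment in the code: an exception raised inside `_write_suite_report` (an unwritable `--suite-report` path, say) replaces the `return rc` value with a traceback, and an unexpected exception or `KeyboardInterrupt` mid-loop now writes a report that looks complete but only lists the steps that ran; recording an explicit aborted marker in that case keeps the suite report honest for CI consumers.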
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@governance_blueprint/validation/run_validation_suite.py` around lines 95 -
144, The code currently calls _write_suite_report in four places; refactor by
wrapping the main for loop (the loop over steps built by build_steps) and
subsequent exit logic in a try/finally so that if args.suite_report is set you
call _write_suite_report(Path(args.suite_report), step_results,
validator_payload) exactly once in the finally block; keep existing behavior for
setting first_failure_rc and returning early from the loop (returns should still
happen inside the try), but remove the duplicated _write_suite_report calls at
the sites that currently invoke it (references: _write_suite_report,
step_results, validator_payload, first_failure_rc, args.suite_report, and the
for loop over steps).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/governance-artifacts-ci.yml:
- Around line 33-44: Add the GitHub Actions conditional so both the "Show
validation report" and "Upload validation report" steps always run even if prior
steps fail: update the steps named "Show validation report" and "Upload
validation report" to include if: always(); and for "Upload validation report"
also add if-no-files-found: warn (or error) to make missing-report situations
explicit so governance-artifact-validation-report.json and
governance-validation-suite-report.json are printed and uploaded on failures.

In `@governance_blueprint/validation/generate_artifact_manifest.py`:
- Around line 78-90: The --check branch currently calls
json.loads(MANIFEST_PATH.read_text(...)) directly and will raise an unhandled
JSONDecodeError on a malformed artifact_manifest.json; wrap that json.loads call
(used when args.check is true) in a try/except JSONDecodeError similar to the
_existing_generated_utc helper, log/print a clear message like
"artifact_manifest.json is malformed; please regenerate" and return 1 on error
so CI sees a clean actionable failure; keep the rest of the artifacts comparison
logic (current_obj, expected_obj, current_artifacts, expected_artifacts)
unchanged.

In `@governance_blueprint/validation/run_validation_suite.py`:
- Around line 109-114: When json.loads(report_path.read_text(...)) raises
JSONDecodeError, change handling so the malformed validator report file is not
left as a stale artifact: set rc = MALFORMED_VALIDATOR_JSON_RC, write the
diagnostic to stderr (use sys.stderr or similar) instead of stdout, and remove
or rename the file at args.json_report (report_path) to indicate it is malformed
(e.g., delete report_path or rename to report_path.with_suffix('.malformed')) so
downstream consumers and --suite-report.validator_report do not see an
unparseable file; update the block around report_path,
MALFORMED_VALIDATOR_JSON_RC, and args.json_report accordingly.

In `@governance_blueprint/validation/validate_artifacts.py`:
- Line 37: Each validator (e.g., validate_csv) must not open files without
checking existence; add a guard at the start of each validate_* function to
detect missing artifact paths and append a structured error entry to the
per-artifact results instead of allowing FileNotFoundError to propagate.
Specifically, in validate_csv and the other validators referenced
(validate_json, validate_yaml, validate_*), check path.exists() (or
path.is_file()) before calling path.open(...); if missing, push an error message
into the same results list/structure the function returns (preserving the {ok,
results} JSON contract) and return early, otherwise proceed to open and validate
the file as before.

In `@rag-agentic-dashboard/public/enterprise-agi-asi-governance-blueprint.html`:
- Around line 66-71: The operational commands list is missing several
CI/pre-commit tools; update the HTML snippet that renders the "Operational
commands" card to include the additional script entries run_validation_suite.py,
validate_dashboard_links.py, and lint_python_sources.py (in addition to the
existing validate_artifacts.py, selftest_validate_artifacts.py, and
generate_artifact_manifest.py --check) so the dashboard reflects the real
toolchain invoked by .github/workflows/governance-artifacts-ci.yml; simply add
three new <p><code>...</code></p> lines for each script name in the same card
block so they appear alongside the existing commands.

In `@rag-agentic-dashboard/public/whitepaper-suite.html`:
- Around line 165-177: The fifth report card has no top gradient because the
stylesheet only defines .report-card::before gradients for
.report-card:nth-child(1) through :nth-child(4); add a matching gradient rule
for .report-card:nth-child(5)::before that supplies the same 4px stripe
background (use the same gradient style/palette as the other nth-child rules) so
the new MREF-F500-WP-013 card renders the colored header bar consistently with
the other .report-card elements.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 074fe84e-1f89-43bd-8917-fa006582e779

📥 Commits

Reviewing files that changed from the base of the PR and between af23df0 and 4ee5248.

⛔ Files ignored due to path filters (1)
  • governance_blueprint/control_mapping_matrix.csv is excluded by !**/*.csv
📒 Files selected for processing (18)
  • .github/workflows/governance-artifacts-ci.yml
  • .pre-commit-config.yaml
  • ENTERPRISE_AGI_ASI_GOVERNANCE_BLUEPRINT_2026_2030.md
  • Makefile
  • governance_blueprint/artifact_manifest.json
  • governance_blueprint/evidence_event_schema.json
  • governance_blueprint/opa/release_gate.rego
  • governance_blueprint/roadmap_2026_2030.yaml
  • governance_blueprint/validation/README.md
  • governance_blueprint/validation/generate_artifact_manifest.py
  • governance_blueprint/validation/lint_python_sources.py
  • governance_blueprint/validation/run_validation_suite.py
  • governance_blueprint/validation/selftest_run_validation_suite.py
  • governance_blueprint/validation/selftest_validate_artifacts.py
  • governance_blueprint/validation/validate_artifacts.py
  • governance_blueprint/validation/validate_dashboard_links.py
  • rag-agentic-dashboard/public/enterprise-agi-asi-governance-blueprint.html
  • rag-agentic-dashboard/public/whitepaper-suite.html

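The `event_id` nitpick above is the one with evidence-integrity consequences: every downstream consumer keys immutability on that identifier, and JSON Schema 2020-12 treats `format: "uuid"` as an annotation unless the validator runs in assertion mode. The following is an added example, not code from the PR, of a stdlib-only consumer-side check that enforces the canonical RFC 4122 text form, and of why `uuid.UUID()` alone is not a substitute for it. The sample identifiers are constructed; the real `evidence_event_schema.json` is assumed to have further required fields that this check does not cover.

```python
"""Consumer-side UUID enforcement for evidence events (stdlib only).

Added example, not the PR's code. The canonical pattern below is also the
string to use as the schema's "pattern" for event_id when guaranteed
enforcement is needed regardless of validator mode.
"""
from __future__ import annotations

import re
import uuid

# Canonical RFC 4122 text form: 8-4-4-4-12 hex digits, hyphenated.
# Usable verbatim as the JSON Schema "pattern" for event_id.
UUID_PATTERN = (
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
_UUID_RE = re.compile(UUID_PATTERN)


def is_canonical_uuid(value: object) -> bool:
    """Strict check: only the hyphenated canonical string form passes."""
    return isinstance(value, str) and _UUID_RE.fullmatch(value) is not None


def lenient_uuid_accepts(value: object) -> bool:
    """What uuid.UUID() alone would accept. It also takes '{...}', 'urn:uuid:'
    prefixes and 32 bare hex digits, so it is too loose to stand in for a
    schema 'format: uuid' / 'pattern' check on the wire representation."""
    try:
        uuid.UUID(value)  # type: ignore[arg-type]
    except (ValueError, AttributeError, TypeError):
        return False
    return True


def fresh_event_id() -> str:
    """Producer side: a random v4 UUID, already in canonical form."""
    return str(uuid.uuid4())


def check_event(event: dict) -> list[str]:
    """Return contract violations for one evidence event; [] means accepted.
    Only event_id is checked here (assumption: extend with the schema's other
    required fields when wiring this into a real consumer)."""
    errors: list[str] = []
    event_id = event.get("event_id")
    if event_id is None:
        errors.append("event_id missing")
    elif not is_canonical_uuid(event_id):
        errors.append(f"event_id is not a canonical UUID: {event_id!r}")
    return errors


if __name__ == "__main__":
    # Constructed samples: canonical, brace-wrapped, and bare hex.
    for sample in (
        "123e4567-e89b-12d3-a456-426614174000",
        "{123e4567-e89b-12d3-a456-426614174000}",
        "123e4567e89b12d3a456426614174000",
    ):
        print(f"{sample!r}: strict={is_canonical_uuid(sample)} "
              f"lenient={lenient_uuid_accepts(sample)}")
    print(check_event({"event_id": fresh_event_id()}))
```

The brace-wrapped and bare-hex forms are the practical reason to pair `format: "uuid"` with a `pattern`: a producer that emits them will pass any check built on `uuid.UUID()` and then break the first consumer that compares event identifiers as strings.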
@secure-code-warrior-for-github


Micro-Learning Topic: External entity injection (Detected by phrase)

Matched on "xXE"


An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.



@OneFineStarstuff OneFineStarstuff merged commit d32ee78 into main Apr 27, 2026
24 of 89 checks passed
@netlify

netlify Bot commented Apr 27, 2026


Deploy Preview for onefinestarstuff failed.

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 4ee5248 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/onefinestarstuff/deploys/69ef00d4c7274100083ae4f7 |

@penify-dev

penify-dev Bot commented Apr 27, 2026


Failed to generate code suggestions for PR
