Add governance artifact validation suite, schemas, Rego policies and CI

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -47,14 +47,14 @@ body:
       label: Steps to Reproduce
       description: How can we reproduce the bug?
       placeholder: |
-        Example: 
+        Example:
         1. Go to "Upload"
         2. Click on "Select File"
         3. Choose a large file (over 100MB)
         4. Click "Upload"
         5. See error
       value: |
-        1. 
+        1.
     validations:
       required: true
 

.github/workflows/cmake-single-platform.yml

@@ -4,9 +4,9 @@
 
 on:
   push:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
 
 env:
   # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
@@ -20,7 +20,7 @@
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v4
 
     - name: Configure CMake
       # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
@@ -36,4 +36,3 @@
       # Execute tests defined by the CMake configuration.
       # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail
       run: ctest -C ${{env.BUILD_TYPE}}
-

.github/workflows/datadog-synthetics.yml

@@ -15,24 +15,22 @@
 
 on:
   push:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v2
 
     # Run Synthetic tests within your GitHub workflow.
     # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
     - name: Run Datadog Synthetic tests
       uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0
       with:
         api_key: ${{secrets.DD_API_KEY}}
         app_key: ${{secrets.DD_APP_KEY}}
         test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy
-
-

.github/workflows/go-ossf-slsa3-publish.yml

@@ -23,11 +23,11 @@
   # ========================================================================================================================================
   #     Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
   #       See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
   #=========================================================================================================================================
   build:
     permissions:
       id-token: write # To sign.
       contents: write # To upload release assets.
       actions: read   # To read workflow path.
     uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0
     with:
@@ -35,4 +35,3 @@
       # =============================================================================================================
       #     Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
       # =============================================================================================================
-

.github/workflows/governance-artifacts-ci.yml

@@ -1,13 +1,30 @@
+name: governance-artifacts-ci
+
+on:
+  push:
+    paths:
+      - 'docs/schemas/**'
+      - 'docs/reports/ENTERPRISE_CIVILIZATIONAL_AGI_ASI_BLUEPRINT_2026_2030.md'
+      - '.github/workflows/governance-artifacts-ci.yml'
+      - 'Makefile'
+      - '.yamllint'
+  pull_request:
+    paths:
+      - 'docs/schemas/**'
+      - 'docs/reports/ENTERPRISE_CIVILIZATIONAL_AGI_ASI_BLUEPRINT_2026_2030.md'
+      - '.github/workflows/governance-artifacts-ci.yml'
+      - 'Makefile'
+      - '.yamllint'
 name: Governance Artifacts CI
 
 on:
   pull_request:
     paths:
       - 'ENTERPRISE_AGI_ASI_GOVERNANCE_BLUEPRINT_2026_2030.md'
       - 'governance_blueprint/**'
       - '.github/workflows/governance-artifacts-ci.yml'
   push:
     branches: [ main, master ]
     paths:
       - 'ENTERPRISE_AGI_ASI_GOVERNANCE_BLUEPRINT_2026_2030.md'
       - 'governance_blueprint/**'
@@ -16,12 +33,59 @@
 jobs:
   validate-governance-artifacts:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      PYTHONUNBUFFERED: '1'
     timeout-minutes: 10
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: docs/schemas/requirements-governance.txt
+
+      - name: Install Python deps (pinned)
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r docs/schemas/requirements-governance.txt
+
+      - name: Validate governance YAML/JSON artifacts
+        run: make governance-validate
+
+      - name: Setup OPA (pinned)
+        uses: open-policy-agent/setup-opa@v2
+        with:
+          version: v1.15.2
+
+      - name: Rego format and tests
+        run: make governance-policy-test
+
+      - name: Validator and evidence bundle unit tests
+        run: make governance-validator-test
+
+      - name: Build evidence manifest
+        run: make governance-evidence-manifest
+
+      - name: Verify evidence manifest integrity
+        run: make governance-evidence-verify
+
+      - name: Validate evidence manifest schema
+        run: make governance-evidence-schema
+
+      - name: Generate machine-readable validation report
+        run: make governance-report
+
+      - name: Validate run report schema
+        run: make governance-report-schema
+
+      - name: Check generated artifacts are up to date
+        run: make governance-check-generated
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
@@ -38,7 +102,9 @@
       - name: Upload validation report
         uses: actions/upload-artifact@v4
         with:
+          name: governance-validation-report
+          path: docs/schemas/validation_run_report.json
           name: governance-validation-reports
           path: |
             governance-artifact-validation-report.json
             governance-validation-suite-report.json

.github/workflows/octopusdeploy.yml

@@ -1,5 +1,5 @@
 # This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by separate terms of service, 
+# They are provided by a third-party and are governed by separate terms of service,
 # privacy policy, and support documentation.
 #
 # This workflow will build and publish a Docker container which is then deployed through Octopus Deploy.
@@ -12,13 +12,13 @@
 #
 # To configure this workflow:
 #
-# 1. Decide where you are going to host your image. 
+# 1. Decide where you are going to host your image.
 #    This template uses the GitHub Registry for simplicity but if required you can update the relevant DOCKER_REGISTRY variables below.
 #
-# 2. Create and configure an OIDC credential for a service account in Octopus. 
+# 2. Create and configure an OIDC credential for a service account in Octopus.
 #    This allows for passwordless authentication to your Octopus instance through a trust relationship configured between Octopus, GitHub and your GitHub Repository.
-#    https://octopus.com/docs/octopus-rest-api/openid-connect/github-actions 
-#  
+#    https://octopus.com/docs/octopus-rest-api/openid-connect/github-actions
+#
 # 3. Configure your Octopus project details below:
 #      OCTOPUS_URL: update to your Octopus Instance Url
 #      OCTOPUS_SERVICE_ACCOUNT: update to your service account Id
@@ -42,16 +42,16 @@
       packages: write
       contents: read
     env:
-      DOCKER_REGISTRY: ghcr.io                                # TODO: Update to your docker registry uri 
+      DOCKER_REGISTRY: ghcr.io                                # TODO: Update to your docker registry uri
       DOCKER_REGISTRY_USERNAME: ${{ github.actor }}           # TODO: Update to your docker registry username
       DOCKER_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}   # TODO: Update to your docker registry password
     outputs:
       image_tag: ${{ steps.meta.outputs.version }}
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       - name: Log in to the Container registry
         uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
@@ -64,7 +64,7 @@
         id: meta
         uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
         with:
-          images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }} 
+          images: ${{ env.DOCKER_REGISTRY }}/${{ github.repository }}
           tags: type=semver,pattern={{version}},value=v1.0.0-{{sha}}
 
       - name: Build and push Docker image
@@ -74,13 +74,13 @@
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}      
+          labels: ${{ steps.meta.outputs.labels }}
   deploy:
     name: Deploy
     permissions:
       id-token: write
     runs-on: ubuntu-latest
     needs: [ build ]
     env:
       OCTOPUS_URL: 'https://your-octopus-url'             # TODO: update to your Octopus Instance url
       OCTOPUS_SERVICE_ACCOUNT: 'your-service-account-id'  # TODO: update to your service account Id
@@ -89,22 +89,22 @@
       OCTOPUS_ENVIRONMENT: 'your-environment'             # TODO: update to the name of the environment to recieve the first deployment
 
     steps:
-      - name: Login to Octopus Deploy 
+      - name: Login to Octopus Deploy
         uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629  #v1.0.2
-        with: 
+        with:
           server: '${{ env.OCTOPUS_URL }}'
           service_account_id: '${{ env.OCTOPUS_SERVICE_ACCOUNT }}'
 
       - name: Create Release
         id: create_release
         uses: OctopusDeploy/create-release-action@fea7e7b45c38c021b6bc5a14bd7eaa2ed5269214 #v3.2.2
         with:
           project: '${{ env.OCTOPUS_PROJECT }}'
           space: '${{ env.OCTOPUS_SPACE }}'
           packages: '*:${{ needs.build.outputs.image_tag }}'
 
       - name: Deploy Release
-        uses: OctopusDeploy/deploy-release-action@b10a606c903b0a5bce24102af9d066638ab429ac #v3.2.1 
+        uses: OctopusDeploy/deploy-release-action@b10a606c903b0a5bce24102af9d066638ab429ac #v3.2.1
         with:
           project: '${{ env.OCTOPUS_PROJECT }}'
           space: '${{ env.OCTOPUS_SPACE }}'

.pre-commit-config.yaml

@@ -1,4 +1,38 @@
 repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-yaml
+      - id: check-json
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.37.1
+    hooks:
+      - id: yamllint
+        args: ["-c", ".yamllint", "docs/schemas/agi_asi_governance_profile_2026_2030.yaml"]
+  - repo: local
+    hooks:
+      - id: governance-validate
+        name: governance-validate
+        entry: make governance-validate
+        language: system
+        pass_filenames: false
+      - id: governance-policy-test
+        name: governance-policy-test
+        entry: make governance-policy-test
+        language: system
+        pass_filenames: false
+      - id: governance-validator-test
+        name: governance-validator-test
+        entry: make governance-validator-test
+        language: system
+        pass_filenames: false
+      - id: governance-evidence-checks
+        name: governance-evidence-checks
+        entry: make governance-evidence-manifest && make governance-evidence-verify && make governance-evidence-schema && make governance-report-schema && make governance-check-generated
+        language: system
+        pass_filenames: false
   - repo: local
     hooks:
       - id: governance-validation-suite

.yamllint

@@ -0,0 +1,5 @@
+extends: default
+rules:
+  line-length: disable
+  document-start: disable
+  truthy: disable

ABSOLUTE_FINAL_STATUS.txt

@@ -465,8 +465,8 @@ Expected Outcome: $220.6M benefits, 745% ROI, regulatory leadership positioning
 CONCLUSION
 ================================================================================
 
-The Omni-Sentinel Global AI Governance Framework is PRODUCTION READY and 
-represents the most comprehensive AI governance architecture ever implemented 
+The Omni-Sentinel Global AI Governance Framework is PRODUCTION READY and
+represents the most comprehensive AI governance architecture ever implemented
 for a Global Systemically Important Financial Institution (G-SIFI).
 
 This framework delivers:
@@ -478,15 +478,15 @@ This framework delivers:
   - 3-tier human oversight with automation bias mitigation
   - 95%+ governance persistence at 12 months
 
-All technical work is COMPLETE. All files are COMMITTED. All documentation is 
+All technical work is COMPLETE. All files are COMMITTED. All documentation is
 READY. The framework is awaiting YOUR DEPLOYMENT ACTION.
 
-Your next immediate action: Download files from /home/user/webapp/ and deploy 
-using EXECUTIVE_ONE_PAGE_SUMMARY.md or QUICK_ACTION_GUIDE.md within the next 
+Your next immediate action: Download files from /home/user/webapp/ and deploy
+using EXECUTIVE_ONE_PAGE_SUMMARY.md or QUICK_ACTION_GUIDE.md within the next
 24 hours.
 
-This framework will transform AI governance from a compliance cost center into 
-a strategic business capability delivering measurable value and positioning 
+This framework will transform AI governance from a compliance cost center into
+a strategic business capability delivering measurable value and positioning
 the organization as a global leader in responsible AI deployment.
 
 ================================================================================

CITATION.cff

@@ -20,7 +20,7 @@ abstract: >-
   The AGI Pipeline is built to facilitate seamless integration and interaction
   between different AI modules, enabling the development of sophisticated AI
   applications. Key features of the pipeline include:
-  
+
   1. Natural Language Processing (NLP):
      - Utilizes the BART (Bidirectional and Auto-Regressive Transformers) model for text summarization and other NLP tasks.
      - Provides efficient and accurate text processing capabilities.