
feat(#263): WallGuard collaboration and delegation admission gate — gate module, extended fixtures, Makefile target#302

Open
mdheller wants to merge 15 commits into main from feat/wallguard-delegation-admission-gate

Conversation

@mdheller


Summary

  • tools/wallguard_collaboration_gate.py: Runtime gate module applying WallGuard invariants. Consumes wall context from Agent Registry and policy decisions from Policy Fabric — does not implement policy authority locally. Three invariant paths: cross-wall (deny before payload exposure), missing wall context (fail closed), contaminated session (deny/quarantine, never admit).
  • tools/validate_wallguard_collaboration_gate.py: Validator driving tests/fixtures/wallguard-runtime/ against the existing WallGuardCollaborationAdmissionReceipt schema. 6/6 pass (2 valid, 4 reject).
  • tests/fixtures/wallguard-runtime/: New fixture set — valid.same-wall-tool-grant.json, valid.same-wall-subagent-delegation.json, reject.cross-wall-subagent-delegation.json, reject.cross-wall-tool-grant.json, reject.contaminated-session.json, reject.missing-wall-context-tool-grant.json
  • Makefile: validate-wallguard-collaboration-gate wired into .PHONY and validate: aggregate

Gate invariants enforced:

  • Same-wall: admitted only when admission_decision=admit and wall_decision_outcome=allow
  • Cross-wall: denied before payload; same_wall_allowed reason code rejected
  • Missing wall context: fail-closed required, admitted=false enforced
  • Contaminated session: admitted=false enforced; outcome must be deny/quarantine/escalate

No dependency on cascade, presidio, OrchestraOS, or noncanonical code.

Closes #263.

Test plan

  • make validate-wallguard-collaboration-gate passes (2 valid + 4 reject)
  • reject.contaminated-session.json rejected (contaminated + admitted=true)
  • reject.cross-wall-subagent-delegation.json rejected (cross-wall admitted=true)
  • reject.cross-wall-tool-grant.json rejected (cross-wall admitted=true)
  • reject.missing-wall-context-tool-grant.json rejected (unknown wall + admitted=true)
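The four invariants in the description, worked as an added example that is not the PR's tools/wallguard_collaboration_gate.py or validator: a gate that consumes a wall context and a policy decision (field names assumed, not the repo's schema), only touches the payload on the same-wall admit path, plus the receipt checks the four reject fixtures exercise.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed shapes standing in for what Agent Registry (wall context) and
# Policy Fabric (decision) hand to the gate; names are assumptions.
@dataclass(frozen=True)
class WallContext:
    caller_wall: Optional[str]        # None = registry returned no wall
    target_wall: Optional[str]
    session_contaminated: bool = False

@dataclass(frozen=True)
class PolicyDecision:
    admission_decision: str           # "admit" or "deny"
    wall_decision_outcome: str        # "allow", "deny", "quarantine", "escalate"

@dataclass(frozen=True)
class AdmissionReceipt:
    admitted: bool
    wall_decision_outcome: str
    reason_code: str
    payload_exposed: bool

def admit(ctx: WallContext, decision: PolicyDecision,
          load_payload: Callable[[], bytes]) -> AdmissionReceipt:
    """Gate side: no policy authority here, only invariant enforcement.
    The payload loader is invoked solely on the same-wall admit path."""
    if ctx.session_contaminated:                  # never admit; quarantine
        return AdmissionReceipt(False, "quarantine", "contaminated_session", False)
    if ctx.caller_wall is None or ctx.target_wall is None:   # fail closed
        return AdmissionReceipt(False, "deny", "missing_wall_context", False)
    if ctx.caller_wall != ctx.target_wall:        # cross-wall: deny before payload
        return AdmissionReceipt(False, "deny", "cross_wall", False)
    if (decision.admission_decision, decision.wall_decision_outcome) != ("admit", "allow"):
        return AdmissionReceipt(False, decision.wall_decision_outcome, "policy_not_allow", False)
    load_payload()                                # both authorities agreed
    return AdmissionReceipt(True, "allow", "same_wall_allowed", True)

def receipt_violations(ctx: WallContext, r: AdmissionReceipt) -> List[str]:
    """Validator side: an empty list means the receipt honours the invariants."""
    problems = []
    missing = ctx.caller_wall is None or ctx.target_wall is None
    cross = not missing and ctx.caller_wall != ctx.target_wall
    if ctx.session_contaminated and (
            r.admitted or r.wall_decision_outcome not in {"deny", "quarantine", "escalate"}):
        problems.append("contaminated session: admitted or outcome not deny/quarantine/escalate")
    if missing and r.admitted:
        problems.append("missing wall context must fail closed (admitted=false)")
    if cross and (r.admitted or r.payload_exposed or r.reason_code == "same_wall_allowed"):
        problems.append("cross-wall: admitted, payload exposed, or same_wall_allowed reason")
    if r.admitted and r.wall_decision_outcome != "allow":
        problems.append("admitted=true requires wall_decision_outcome=allow")
    return problems
```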

mdheller added 15 commits June 11, 2026 20:43
…del civic architecture (#154)

- CivicStackRunCapsule schema: run_id, actor_ref, oql_plan_id, artifact_manifest_id,
  policy_decision_id, tool_grants, action_dispatch_records, oql_plan_acceptance,
  oac_compiler_invocation, subagent_delegations, attestation_events, rationalgrl_trace,
  hellgraph_evidence_refs, delivery_excellence_signal_ref, provenance_refs, timestamps
- RationalGRL trace: goals_addressed (goal/softgoal), tasks_executed, dependencies_blocked
  with defeater_reason on blocked tasks and denied goals
- OQL plan acceptance with OQL-to-agent-task mappings
- OAC compiler invocation with artifact emission refs
- Policy gates: deny outcome enforces empty tool_grants + all dispatches blocked;
  blocked dispatches require defeater_reason; oac failure forbids artifact_emission_refs
- 2 valid fixtures (allow + deny/policy-blocked) + 3 reject fixtures
- validate-civic-stack-runtime-evidence wired into Makefile aggregate validate target
- Upstream anchors: ontogenesis#80, #81, policy-fabric#72, sociosphere#323, delivery-excellence#28
…sational services (#149)

- ConversationalActionEvidence schema: binds conversation session/turn to AgentPlane
  execution artifact — action_type (8-value enum), policy_decision_ref, execution_artifact_ref,
  replay_linkage (eligible/verified/divergence_detected/scope), hellgraph_evidence_refs
- ConversationalReplayRecord schema: replay artifact for conversational triggers — status
  (completed/failed/diverged/pending), replay_scope (turn/session/execution_artifact),
  divergence_record (conditional required when status=diverged) with divergence_type
  and resolution_status enums, non_claims required
- Policy gates: approval_denial forces deny/escalate outcome; replay_divergence_detected
  requires replay_divergence_ref; diverged status requires divergence_record
- 4 valid fixtures (trigger-execution, approval-denial, replay-completed, replay-diverged)
  + 2 reject fixtures
- validate-conversational-evidence wired into Makefile aggregate validate target
…cybernetic oversteer controls (#136)

- docs/doctrine/tensegrity-runtime-contract.md: compression members (agent/tool/service/model/repo/host)
  vs tension members (policy/identity/provenance/tests/signatures/audits/ledgers/capability_grants/replay/revocation)
  and five tensegrity invariants: policy always required, closed chain, revocation dissolves immediately,
  replay seals the loop, oversteer is a governance obligation
- docs/specs/agent-action-tension-members-v0.md: tension member obligations matrix by action type;
  structural rules (policy always required, replay for mutation actions, audit for blocked/intervention,
  revocation path at R2+, provenance must include upstream anchor)
- docs/specs/capability-radius-v0.md: R0 observe-local through R5 deployment-host-mutation;
  radius/tool-grant contract; rapid_radius_escalation oversteer indicator
- docs/specs/cybernetic-oversteer-v0.md: 10 oversteer indicators with tension member under strain mapping;
  detection contract (HellGraph emission, delivery_excellence degraded, escalate elevation, RationalGRL softgoal);
  oversteer vs. error distinction
- examples/tensegrity/agent-action-tension-members.example.json: full tension member declaration for R3 write
- examples/reachability/agent-capability-radius.example.json: R3 actor profile with conditional R4 gate
- examples/governance/oversteer-indicators.example.json: policy_flip_flops + repeated_failed_validations
  simultaneous firing → escalate elevation + delivery excellence degraded signal
…with replay semantics (#134)

- ConceptToArtifactLineageReceipt schema: concept_kind (10-value enum: term/definition/geometry_relation/
  projection_relation/scenario/prototype/artifact/commons_impact_claim/dymaxion_metric_claim/cross_reference),
  source_anchor (type/confidence/assumptions), geometry_projection with mandatory distortion_assumptions,
  artifact_linkage with lineage_chain_refs, commons_impact with evidence_basis enum,
  dymaxion_metric with required assumptions
- extraction_mode 4-value enum: deterministic_extraction → exact replay; model_assisted → near_equivalent;
  human_review → indicative_only; non_replayable_interpretive_judgment → not_replayable
- Policy gates: non_replayable mode forces is_replayable=false + non_replayable_reason required;
  distortion_assumptions and dymaxion_metric.assumptions must be non-empty; asserted_without_evidence
  commons claims cannot be peer_reviewed; non_claims required on all receipts
- 3 valid fixtures: Dymaxion artifact lineage (model_assisted), geodesic projection claim (human_review),
  interpretive judgment (non_replayable) + 2 reject fixtures
- validate-concept-to-artifact-lineage wired into Makefile aggregate validate target
- Integration targets: ontogenesis#61, gaia-world-model#21, sherlock-search#42, sociosphere#291
…ecution artifacts (#119)

- ModelRoutingLaneDecisionReceipt schema: run_ref, chain_stage (planning/execution/verification/
  reflection/synthesis), task_class (8 values), requested_lane, selected_lane (5 lanes: no_model through pro),
  lane_decision_outcome (lane_selected/downgraded/escalated/denied/deferred), cost_class, prompt_evidence_policy
  (hash_only default — raw prompts never stored), context_tool_posture, verification_mode
- High-end/pro conditional: selected_lane=high_end or pro requires escalation_receipt_ref +
  de_escalation_required_after_stage (schema conditional allOf)
- Policy gates: denied outcome must de-escalate to no_model; verification stage must not use
  model_primary; high-end without escalation_receipt → denied; no raw prompts enforced
- 4 valid fixtures: standard lane_selected, escalated high_end with receipt+de-escalation, verification
  no_model mechanical_tools_only, denied high_end without escalation de-escalated to no_model
- 2 reject fixtures
- validate-model-routing-lane-receipts wired into Makefile aggregate validate target
- Consumers: model-router (AgentExecutionModelRoutingPolicy), guardrail-fabric integration
- SHIRGovernedChainJob schema: job_type const (shir.governed_chain.v0.1), 4 required inputs
  (input_ref, schema_ref, ontology_profile_ref, out_ref), policy_mode (advisory/fail_closed/review_required),
  relation_strategy (default relation_node), all 4 stages (rdf_to_shir/shir_to_pyg/semantic_leakage/chain_receipt),
  full artifact manifest (11 artifact refs), 8 failure modes
- job_status conditional: requires_review/failed_closed require failure_mode + policy_outcome
- Policy gates: fail_closed + semantic_leakage_blocking → failed_closed; completed requires chain_receipt
  completed; shir_to_pyg completed requires projection_loss_report_ref
- 2 valid fixtures: clean TopoLVM run (allowed) + leakage review_required (semantic_leakage_blocking)
- 2 reject fixtures: wrong job_type const, requires_review without failure_mode
- validate-shir-governed-chain-job wired into Makefile aggregate validate target
- Non-goals enforced: no tensor materialization, no GNN training, no ontology promotion, no PyTorch/PyG/DGL
- Upstream: mlops-ts-suite#36-39, #45, #46
…r device orchestration (#111)

- DeviceActuationBoundaryReceipt schema: 14 action_class values (phone/home/browser/shell/device_generic
  + 8 high-risk: lock/alarm/camera/vehicle/payment/identity_token/health_relevant/os_mutation/irreversible_deletion),
  capability_class (low_risk/medium_risk/high_risk), 6 proposal_status values
  (proposed/denied/approved/executed/rolled_back/failed)
- Conditional: high_risk + approved/executed requires approval_ref + approval_authority_ref
- Policy gates: high-risk action_class forces capability_class=high_risk; denied requires denial_reason;
  rolled_back requires rollback_artifact_ref; high_risk proposed must not have policy_outcome=allow
  (no bypass from proposal to approval without explicit approval step)
- 3 valid fixtures: low-risk browser (executed/allow), high-risk payment (denied), high-risk lock (approved+executed with approval refs)
- 2 reject fixtures
- validate-device-actuation-boundary wired into Makefile
- Non-goals enforced: no direct ecosystem integration, no NL-to-actuation bypass path
…Plane evidence and replay (#109)

- ReasoningRunEvidenceReceipt schema: seals SourceOS ReasoningReceipt/ReplayPlan import into
  AgentPlane evidence lifecycle — run_id, sourceos_receipt_ref, replay_class (4 values: exact/
  best-effort/evidence-only/non-replayable-side-effect preserved from ReasoningReplayPlan),
  safe_trace_posture (mode const=operational-trace-only, raw_private_reasoning const=not-collected),
  benchmark_passed (required for promotion), hellgraph_evidence_refs
- Invariants enforced: raw_private_reasoning=not-collected (const); operational-trace-only mode;
  benchmark_passed=false blocks reasoning_status=completed
- Authority boundaries preserved: cognition loop in Superconscious, schemas in sourceos-spec,
  evidence sealing and replay here in AgentPlane
- 2 valid fixtures: deterministic M1 receipt (exact replay, m1-smoke), best-effort replay
- 2 reject fixtures: raw_private_reasoning=collected (const violation), wrong kind
- validate-reasoning-run-evidence wired into Makefile
- Existing validate-superconscious-reasoning-import (import_superconscious_reasoning.py) unaffected
…106)

- GraphAwareWorkOrder schema: work_order_type (code_fix/documentation_update/policy_review/
  pr_impact_review), RepoGraphContext (repo, commit_ref, changed_paths, affected_node_ids,
  affected_edge_ids, source_anchor_refs, required_tests/docs/policies, provenance_receipt_refs,
  policy_status, prophet_understand_artifact_ref, graph_artifact_staleness)
- scope_warnings: missing_graph_artifact/stale_graph_artifact/unknown_affected_nodes/edges — stale
  or missing graph requires explicit warning rather than silent failure
- CitationRequirements: must_cite_affected_nodes/edges/source_anchors,
  architectural_impact_claim_requires_graph_evidence (when true, output must cite graph evidence)
- Policy gates: stale/missing staleness requires scope_warning; architectural impact claim with
  missing/unknown graph requires scope_warnings
- 2 valid fixtures: code_fix with full graph context, pr_impact_review with stale graph + warnings
- 1 reject fixture
- validate-graph-aware-work-orders wired into Makefile
- Non-goals enforced: AgentPlane does not own graph generation; graph facts ≠ mutation authority
- OrgGovWorkOrderEvidenceBridge schema: work_order_id + workroom_id carried into all evidence artifacts,
  actor_ref/role_ref/authority_ref, policy_decision_ref, ExecutionLifecycle (bundle_validation/
  placement/run/replay with status enums), output_hash (sha256 pattern), review_status, reversal_ref,
  score_ref, canonical_fields vs imported_fields registry
- lifecycle.run.status: completed/failed/stand_in/pending (stand_in for fixture/dogfood runs)
- Policy gates: completed run requires run_artifact_ref; replay_verified=true requires
  replay_artifact_ref; output_hash validated as sha256 pattern
- 2 valid fixtures: GitHub issue → full lifecycle dogfood run (approved), stand_in run (evidence-only replay)
- 1 reject fixture
- validate-orggov-work-order-evidence-bridge wired into Makefile
- Non-goals enforced: AgentPlane is not the product UX or policy authority; no secrets or raw prompts stored
…e access (#90)

- SubstrateTrustGate schema: substrate_type (7 values: local_state/memory_lane/repo_index/policy_state/
  repair_lane/quarantine_lane/secure_lane), report_ref to SourceOS State Integrity Report, diagnosis_status
  (healthy/degraded/stale/repairing/unsafe/unknown), lane_status, report_freshness (current/stale/expired/missing),
  replay_lag_acceptable, heartbeat_fresh, migration_complete, repair_complete, attestation_required,
  secure_lane_redaction_required, gate_decision (allow/allow_degraded/deny/fail_closed)
- Conditional: gate_decision=allow_degraded requires degraded_mode_authorization_ref
- Policy gates: unsafe/unknown diagnosis forces fail_closed/deny; expired/missing freshness forces
  fail_closed/deny; allow_degraded requires explicit policy authorization ref; attestation_required
  with allow/allow_degraded requires attestation_ref; secure_lane with redaction_required blocks allow
- 3 valid fixtures: healthy memory allow, degraded repo allow_degraded (with authorization), unsafe secure fail_closed
- 2 reject fixtures
- validate-substrate-trust-gates wired into Makefile
…nd GuardrailReplayArtifact (#92)

- HumanOverrideArtifact schema: 6 override_types (ci_waiver/protected_branch_write/critical_deny_override/
  stop_gate_waiver/quarantine_release/replay_skip), required authority_ref (no anonymous overrides),
  override_reason (minLength:1, must not be empty), scope_constraints, expires_at, audit_ref
- GuardrailReplayArtifact schema: guardrail-fabric PolicyDecisionArtifact replay — replay_class (4 values),
  replay_status (completed/failed/diverged/pending), divergence_record conditional (required when diverged,
  4 divergence_types: policy_change/data_drift/guardrail_version_change/output_mismatch)
- Policy gates: override_reason must not be empty; authority_ref required; diverged requires divergence_record
- 2 valid fixtures: CI waiver override (with scope constraints + audit), guardrail replay completed
- 2 reject fixtures: empty override_reason, replay diverged without divergence_record
- validate-workcell-stop-gates wired into Makefile
- Non-goals enforced: AgentPlane consumes guardrail-fabric decisions; no policy logic implemented here
- Existing validate-guarded-workcell-artifact and validate-stop-gate-evaluator unaffected
…ator

RollbackRestoreRequest v0.1: requires rollback_boundary_ref, admission_ref,
active authority_state, safe_root-scoped restore_target_paths, before_digest.
RollbackRestoreReceipt v0.1: completed restores must carry before/after digests
both verified. Validator enforces authority-state gate, path-escape detection,
and digest-verification completeness. 1 valid + 6 reject fixtures; Makefile
target validate-rollback-restore wired. Docs in docs/specs/rollback-restore-v0.md.
…n, control signals, scheduling

AgenticRuntimeState v0.1 schema: 14-state node lifecycle (created through reconciled),
8 control signal types (durable + idempotent with idempotency_key), 9 join strategies
(quorum/human-selected/risk-approved subset etc.), 4 fanout strategies (parallel_bounded
requires concurrency_limit), 10 scheduling triggers (cron through human_approval_event).
Conditionals enforce: quarantined/waiting_for_human requires control_signal; retry_scheduled
requires retry_policy; join_resolved/fanout_launched/scheduling_trigger_fired require
respective sub-artifacts. 6 valid + 7 reject fixtures; validator + Makefile target wired.
Docs in docs/specs/agentic-runtime-semantics-v0.md.
…ed fixtures, Makefile target

wallguard_collaboration_gate.py: consume-not-implement gate applying wall context
from Agent Registry + policy decisions from Policy Fabric. Invariants: cross-wall
denies before payload exposure, missing wall context fails closed, contaminated
session never admitted. validate_wallguard_collaboration_gate.py: drives
wallguard-runtime/ fixtures (2 valid: same-wall tool_grant + subagent_delegation;
4 reject: cross-wall delegation, cross-wall tool_grant, contaminated session,
missing-context tool_grant). Makefile target validate-wallguard-collaboration-gate
wired into .PHONY + validate: aggregate.

Development

Successfully merging this pull request may close these issues.

WallGuard runtime collaboration and delegation admission gate