Add AGI/ASI governance artifacts, validation rules, and tests (Sentinel v2.4, 2026–2035 roadmap)#141
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
The files' contents are under analysis for test generation. |
Changed Files
|
|
Review these changes at https://app.gitnotebooks.com/OneFineStarstuff/OneFineStarstuff.github.io/pull/141 |
Reviewer's GuideExtends the artifact validation pipeline and manifest to cover new 2026–2035 AGI/ASI governance assets (reference architecture, roadmap, OSCAL catalog, Rego gate, TLA+, Circom, templates, CSV mappings), adding structured validators and tests so the CLI and checksum manifest robustly enforce schema, content, and semantic requirements for these long-horizon governance artifacts. Sequence diagram for extended AGI/ASI artifact validation in run_validationsequenceDiagram
actor User
participant ValidateArtifactsCLI
participant ValidatorModule
User->>ValidateArtifactsCLI: run_validation()
ValidateArtifactsCLI->>ValidatorModule: validate_control_catalog()
ValidateArtifactsCLI->>ValidatorModule: validate_roadmap()
ValidateArtifactsCLI->>ValidatorModule: validate_report_template()
ValidateArtifactsCLI->>ValidatorModule: validate_extended_artifacts()
alt 2026_2035_extended_artifacts
ValidatorModule->>ValidatorModule: validate_extended_markdown_report()
ValidatorModule->>ValidatorModule: validate_roadmap(min_year=2026, max_year=2035)
ValidatorModule->>ValidatorModule: validate_regulatory_mapping_csv()
ValidatorModule->>ValidatorModule: validate_oscal_catalog()
ValidatorModule->>ValidatorModule: validate_rego_policy()
ValidatorModule->>ValidatorModule: validate_tla_spec()
ValidatorModule->>ValidatorModule: validate_circom_circuit()
ValidatorModule->>ValidatorModule: validate_gc_ir_event()
ValidatorModule->>ValidatorModule: validate_extended_report_template()
end
ValidateArtifactsCLI-->>User: validation result including extended_2026_2035_artifacts
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
View changes in DiffLens |
1 similar comment
|
View changes in DiffLens |
|
|
Overall Grade |
Security Reliability Complexity Hygiene |
Code Review Summary
| Analyzer | Status | Updated (UTC) | Details |
|---|---|---|---|
| Python | Jul 6, 2026 8:35a.m. | Review ↗ | |
| JavaScript | Jul 6, 2026 8:35a.m. | Review ↗ | |
| Shell | Jul 6, 2026 8:35a.m. | Review ↗ |
Important
AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.
There was a problem hiding this comment.
Hey - I've found 1 security issue, and left some high level feedback:
Security issues:
- The native Python
xmllibrary is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends usingdefusedxml. (link)
General comments:
- The roadmap validator’s conditional use of
"outcomes" if max_year > 2030 else "objectives"makes the schema logic implicit and tied to the horizon; consider making phase schema explicit (e.g., a mode flag or separate validator) instead of relying onmax_yearto choose required keys. - Several of the new validators (Rego, TLA+, Circom, extended markdown) rely on brittle substring/snippet checks that will break with minor formatting changes; consider normalizing/structuring the inputs (e.g., simple parsing, tokenization, or regex-based checks) so they validate semantics rather than exact text fragments.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The roadmap validator’s conditional use of `"outcomes" if max_year > 2030 else "objectives"` makes the schema logic implicit and tied to the horizon; consider making phase schema explicit (e.g., a mode flag or separate validator) instead of relying on `max_year` to choose required keys.
- Several of the new validators (Rego, TLA+, Circom, extended markdown) rely on brittle substring/snippet checks that will break with minor formatting changes; consider normalizing/structuring the inputs (e.g., simple parsing, tokenization, or regex-based checks) so they validate semantics rather than exact text fragments.
## Individual Comments
### Comment 1
<location path="artifacts/validate_artifacts.py" line_range="239" />
<code_context>
tree = ET.parse(path)
</code_context>
<issue_to_address>
**security (python.lang.security.use-defused-xml-parse):** The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service. Do not use this library to parse untrusted input. Instead the Python documentation recommends using `defusedxml`.
```suggestion
tree = defusedxml.etree.ElementTree.parse(path)
```
*Source: opengrep*
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
📝 WalkthroughWalkthroughThis PR adds a set of 2026–2035 AGI/ASI governance artifacts: a reference architecture document, a roadmap YAML, an OSCAL control catalog, a Rego release-gate policy, a TLA+ containment spec, a Circom circuit, JSON/XML templates, updated manifests/README, and extended validator logic with corresponding unit tests. ChangesExtended AGI/ASI Governance Artifacts and Validation
Estimated code review effort: 4 (Complex) | ~60 minutes Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
⚔️ Resolve merge conflicts
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Not up to standards ⛔🔴 Issues
|
| Category | Results |
|---|---|
| BestPractice | 4 minor |
| Documentation | 17 minor |
| Security | 2 high |
| CodeStyle | 60 minor |
| Complexity | 3 medium 3 minor |
🟢 Metrics 6 complexity · 2 duplication
Metric Results Complexity 6 Duplication 2
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
|
View changes in DiffLens |
There was a problem hiding this comment.
Reviewed with a risk-prioritized focus on executable validation and policy logic.
Blocking feedback
- Required evidence is declared but not enforced by the gate decision, so releases can still pass with missing
bbom_current/owner_attestedevidence — artifacts/policies/sentinel_ai_release_gate_v24.rego#L7-L77
Non-blocking feedback (1)
- The failing Guardrails secret alert appears to be a false positive on deterministic checksum values in the manifest — artifacts/artifact-manifest-v1.json#L1-L21.
Consider allowlisting this manifest path/pattern in that scanner so real secret findings stay high-signal.
If you want me to apply fixes, reply with the item numbers (for example: please fix 1).
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (6)
artifacts/enterprise-agi-asi-governance-reference-architecture-2026-2035.md (1)
1-7: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
<title>/<abstract>/<content>tags will likely be stripped by GitHub's markdown renderer.GitHub's HTML sanitizer for GFM only allows tags reachable via Markdown syntax (headings, lists, tables, etc.) plus a small extra allowlist; arbitrary tags like
<title>,<abstract>, and<content>are generally stripped when rendered. Since this pattern mirrors the existingenterprise-civilizational-agi-asi-blueprint-2026-2030.mdconvention (presumably required for the validator's tag-based parsing), this is likely an accepted tradeoff rather than a new defect, but worth confirming the rendered document still reads acceptably on GitHub.artifacts/validate_artifacts.py (1)
304-368: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winExtract the repeated "read text or raise ValidationError" preamble.
validate_extended_markdown_report,validate_rego_policy,validate_tla_spec, andvalidate_circom_circuitall duplicate the same read +FileNotFoundErrorhandling (also flagged by the duplication check). A small helper removes the repetition.♻️ Proposed helper
def read_required_text(path: Path) -> str: try: return path.read_text(encoding="utf-8") except FileNotFoundError as exc: raise ValidationError(f"required artifact file missing: {display_artifact_path(path)}") from excThen each validator becomes e.g.
text = read_required_text(path).🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@artifacts/validate_artifacts.py` around lines 304 - 368, The validators duplicate the same “read text or raise ValidationError” preamble, so extract that logic into a shared helper and reuse it. Add a small function like read_required_text(path) that handles Path.read_text and FileNotFoundError with the existing ValidationError message, then update validate_rego_policy, validate_tla_spec, validate_circom_circuit, and validate_extended_markdown_report to call it instead of repeating the try/except block.Source: Linters/SAST tools
artifacts/circuits/g_sri_systemic_risk.circom (1)
34-36: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueRedundant public signals: outputs duplicate already-public inputs.
publicPolicyVersion/publicEvidenceCommitmentare just pass-throughs ofpolicyVersion/evidenceCommitment, which are already declared public oncomponent main(line 64). This doubles the exposed public signals for the same two values without adding information.Also applies to: 60-61, 64-64
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@artifacts/circuits/g_sri_systemic_risk.circom` around lines 34 - 36, The circuit exposes redundant public outputs: publicPolicyVersion and publicEvidenceCommitment duplicate values that are already public inputs on component main. Remove these extra output signals from g_sri_systemic_risk.circom and keep the public exposure only on the existing policyVersion and evidenceCommitment inputs, updating the main wiring so the circuit still behaves correctly without duplicating public signals.artifacts/oscal/sentinel-ai-control-catalog-oscal.json (1)
26-26: 🗄️ Data Integrity & Integration | 🔵 Trivial | ⚡ Quick winConsider repeated
maps-toprops instead of semicolon-joined values.Each
maps-toprop packs multiple framework identifiers into a single delimited string (e.g."EU-AI-Act;NIST-AI-RMF-GOVERN;ISO-IEC-42001;FCA-SMCR"). Standard OSCAL consumers expect one value perprop; repeating{"name": "maps-to", "value": "..."}for each framework would be more directly machine-consumable by regulator/enterprise OSCAL tooling, better matching this PR's stated goal.♻️ Example refactor for SG-01
"props": [ - {"name": "maps-to", "value": "EU-AI-Act;NIST-AI-RMF-GOVERN;ISO-IEC-42001;FCA-SMCR"}, + {"name": "maps-to", "value": "EU-AI-Act"}, + {"name": "maps-to", "value": "NIST-AI-RMF-GOVERN"}, + {"name": "maps-to", "value": "ISO-IEC-42001"}, + {"name": "maps-to", "value": "FCA-SMCR"}, {"name": "cadence", "value": "quarterly"} ],Also applies to: 37-37, 54-54, 65-65, 82-82, 93-93
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@artifacts/oscal/sentinel-ai-control-catalog-oscal.json` at line 26, The OSCAL `maps-to` props are using semicolon-delimited multi-framework strings instead of one value per prop, which makes them harder for standard consumers to parse. Update the affected prop entries in `sentinel-ai-control-catalog-oscal.json` so each framework identifier is emitted as its own `{"name": "maps-to", "value": "..."}` entry, and apply the same pattern to all similar occurrences referenced by the comment.artifacts/policies/sentinel_ai_release_gate_v24.rego (1)
1-1: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueDirectory layout doesn't mirror the package path.
Regal flags that
package sentinel.release.v24conventionally expects a matching directory structure (e.g.policies/sentinel/release/v24/...).🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@artifacts/policies/sentinel_ai_release_gate_v24.rego` at line 1, The package declaration in the Rego policy does not match the conventional directory layout expected by Regal. Update the location of the policy file or the package name around package sentinel.release.v24 so the directory structure mirrors the package path (for example, a sentinel/release/v24 hierarchy under policies), keeping the package and path aligned.Source: Linters/SAST tools
artifacts/roadmap-2026-2035.yaml (1)
12-12: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winInconsistent
windowdate-range formats across phases.Four different formats are used for
window:2026-Q2_to_2026-Q4, a bare year (2027), and hyphenated year ranges (2031-2032,2033-2035). Since the validator is stated to add "roadmap date-range support through 2035," a single consistent format (e.g., alwaysstart_date..end_dateor ISO quarter notation) would make automated parsing far less error-prone.Also applies to: 20-20, 50-50, 57-57
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@artifacts/roadmap-2026-2035.yaml` at line 12, The roadmap phases use inconsistent window formats, so update the `window` fields in the roadmap YAML to use one standardized date-range format everywhere. Review the phase entries referenced by the roadmap schema/validator and normalize all `window` values (including the ones for `2026-Q2_to_2026-Q4`, `2027`, `2031-2032`, and `2033-2035`) to the same parseable convention so the validator and downstream automation can handle them consistently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@artifacts/circuits/g_sri_systemic_risk.circom`:
- Around line 26-49: The weighted sum in GSRIWeightedSum only range-checks
scores[i], so weights[i] can remain unconstrained and distort accum[n] and
inBand. Add an explicit bound check for each weights[i] in the same loop, using
Range100() if weights are percentage-like or the appropriate intended
constraint, and ensure the check is enforced before products[i] is computed.
In `@artifacts/policies/sentinel_ai_release_gate_v24.rego`:
- Around line 7-14: The evidence reporting logic in
sentinel_ai_release_gate_v24.rego is drifting from the actual gate checks, since
required_evidence/evidence_status reads input.evidence while the deny predicates
use separate input.annex_iv_complete, input.model_validation.status,
input.containment.*, and input.zk.last_verified fields. Update the policy so
evidence_status is derived from the same helper predicates used by deny, or
refactor deny to read from input.evidence directly, with shared symbols like
required_evidence, evidence_status, model_validation_approved, and
zk_proof_verified serving as the single source of truth.
In `@artifacts/tla/OmniSentinelContainment.tla`:
- Around line 105-108: The NoPrivilegedSelfModification invariant is currently
vacuous because Next never allows policyVersion, credentialVersion, or
boundaryVersion to change. Update the OmniSentinelContainment model by adding a
concrete unauthorized self-modification action and include it in Next, then
adjust PrivilegedState/related actions so the invariant can actually be violated
by a bad actor and meaningfully test containment. Use the existing symbols
NoPrivilegedSelfModification, Next, and PrivilegedState to place the change.
In `@artifacts/validate_artifacts.py`:
- Around line 298-301: The required-header validation in validate_artifacts.py
is calling strip() on row[header] without handling missing CSV fields, so short
rows can raise an AttributeError instead of ValidationError. Update the row
validation loop in the CSV parsing logic to treat None values as empty strings
before checking emptiness, so the existing ValidationError path is triggered
consistently for malformed rows. Use the row/required_headers check in the
current validation block as the fix point.
---
Nitpick comments:
In `@artifacts/circuits/g_sri_systemic_risk.circom`:
- Around line 34-36: The circuit exposes redundant public outputs:
publicPolicyVersion and publicEvidenceCommitment duplicate values that are
already public inputs on component main. Remove these extra output signals from
g_sri_systemic_risk.circom and keep the public exposure only on the existing
policyVersion and evidenceCommitment inputs, updating the main wiring so the
circuit still behaves correctly without duplicating public signals.
In `@artifacts/oscal/sentinel-ai-control-catalog-oscal.json`:
- Line 26: The OSCAL `maps-to` props are using semicolon-delimited
multi-framework strings instead of one value per prop, which makes them harder
for standard consumers to parse. Update the affected prop entries in
`sentinel-ai-control-catalog-oscal.json` so each framework identifier is emitted
as its own `{"name": "maps-to", "value": "..."}` entry, and apply the same
pattern to all similar occurrences referenced by the comment.
In `@artifacts/policies/sentinel_ai_release_gate_v24.rego`:
- Line 1: The package declaration in the Rego policy does not match the
conventional directory layout expected by Regal. Update the location of the
policy file or the package name around package sentinel.release.v24 so the
directory structure mirrors the package path (for example, a
sentinel/release/v24 hierarchy under policies), keeping the package and path
aligned.
In `@artifacts/roadmap-2026-2035.yaml`:
- Line 12: The roadmap phases use inconsistent window formats, so update the
`window` fields in the roadmap YAML to use one standardized date-range format
everywhere. Review the phase entries referenced by the roadmap schema/validator
and normalize all `window` values (including the ones for `2026-Q2_to_2026-Q4`,
`2027`, `2031-2032`, and `2033-2035`) to the same parseable convention so the
validator and downstream automation can handle them consistently.
In `@artifacts/validate_artifacts.py`:
- Around line 304-368: The validators duplicate the same “read text or raise
ValidationError” preamble, so extract that logic into a shared helper and reuse
it. Add a small function like read_required_text(path) that handles
Path.read_text and FileNotFoundError with the existing ValidationError message,
then update validate_rego_policy, validate_tla_spec, validate_circom_circuit,
and validate_extended_markdown_report to call it instead of repeating the
try/except block.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 06376665-c2db-4efc-bf14-fc6bfc48b196
⛔ Files ignored due to path filters (1)
artifacts/data/multi_jurisdiction_regulatory_mapping_2026_2035.csvis excluded by!**/*.csv
📒 Files selected for processing (13)
artifacts/README.mdartifacts/artifact-manifest-v1.jsonartifacts/circuits/g_sri_systemic_risk.circomartifacts/enterprise-agi-asi-governance-reference-architecture-2026-2035.mdartifacts/manifest-targets-v1.jsonartifacts/oscal/sentinel-ai-control-catalog-oscal.jsonartifacts/policies/sentinel_ai_release_gate_v24.regoartifacts/roadmap-2026-2035.yamlartifacts/templates/gc-ir-bridge-event.jsonartifacts/templates/regulator-technical-report-2035.xmlartifacts/tla/OmniSentinelContainment.tlaartifacts/validate_artifacts.pyunit_tests/test_artifacts_validation.py
❌ Deploy Preview for onefinestarstuff failed.
|
Motivation
Description
enterprise-agi-asi-governance-reference-architecture-2026-2035.md,roadmap-2026-2035.yaml,data/multi_jurisdiction_regulatory_mapping_2026_2035.csv,oscal/sentinel-ai-control-catalog-oscal.json,policies/sentinel_ai_release_gate_v24.rego,tla/OmniSentinelContainment.tla,circuits/g_sri_systemic_risk.circom,templates/gc-ir-bridge-event.json, andtemplates/regulator-technical-report-2035.xmland updatedartifacts/README.md,artifacts/manifest-targets-v1.json, andartifacts/artifact-manifest-v1.jsonwith new entries and updated timestamp.artifacts/validate_artifacts.pywith new checks and helpers for the 2026–2035 horizon, including: extended markdown report validation, extended XML report template checks, OSCAL catalog validation, regulatory mapping CSV validation, Rego policy snippet and delimiter checks, TLA+ spec checks, Circom circuit checks, GC-IR event schema validation, and roadmap date-range support up to 2035.unit_tests/test_artifacts_validation.pyto assert presence of the new manifest targets and to exercise the new validation code paths (validate_extended_artifacts,validate_oscal_catalog,validate_rego_policy,validate_tla_spec,validate_circom_circuit).Testing
python artifacts/validate_artifacts.py(normal and--jsonmodes) and the extended artifact validations, which completed successfully and report all checks passing.python artifacts/build_manifest.py --check, which passed in check mode.pytestcoveringunit_tests/test_artifacts_validation.py, and all tests including the newly added extended-artifact tests passed.Codex Task
Summary by Sourcery
Add 2026–2035 AGI/ASI governance artifacts and integrate them into the artifact validation pipeline and manifest coverage.
New Features:
Enhancements:
Tests:
Summary by CodeRabbit