Merge pull request #1 from Keon-Systems/phase5-keon-sdk-v1

feat(sdk): phase5 - src/ layout restructure and v1.0.0 release prep

Author: m0r6aN

.gitignore

@@ -0,0 +1,43 @@
+# Python
+__pycache__/
+*.py[cod]
+*.pyo
+*.pyd
+.Python
+*.egg
+*.egg-info/
+dist/
+build/
+wheels/
+*.whl
+.eggs/
+
+# Virtual environments
+.venv/
+venv/
+env/
+ENV/
+
+# Testing
+.pytest_cache/
+.mypy_cache/
+.coverage
+coverage.xml
+htmlcov/
+.tox/
+nosetests.xml
+*.log
+
+# Environment
+.env
+.env.*
+!.env.example
+
+# IDE
+.vscode/
+.idea/
+*.iml
+
+# OS
+.DS_Store
+Thumbs.db

RELEASE.md

@@ -0,0 +1,87 @@
+# Keon SDK Python — Release Notes
+## v1.0.0 — 2026-02-22
+
+---
+
+## What Shipped
+
+### `subjectHash` Required on `DecideRequest` (Phase 5)
+`DecideRequest` now requires `subjectHash` (alias: `subjectHash`):
+
+```python
+DecideRequest(
+    correlationId="t:my-tenant|c:<uuidv7>",
+    tenantId="my-tenant",
+    actorId="agent-1",
+    action="EXECUTE_WORKFLOW",
+    resourceType="workflow",
+    resourceId="wf-123",
+    subjectHash="<sha256 hex of canonical subject payload>",
+)
+```
+
+**Empty or absent `subjectHash` → `ValidationError` at construction.** Fail-closed by design.
+
+`subjectHash` MUST be the SHA-256 hex digest of the canonical (JCS) subject payload being governed. This binds the policy decision to the specific content being authorized.
+
+### Schema Drift Tripwire Updated
+`_DECIDE_FIELDS_HASH` updated from `6a8c75b57593cd19` → `5c7ae3e6d532d49a`.
+
+Any future unapproved change to `DecideRequest` required fields will trip CI.
+
+---
+
+## Previously Shipped (Sealed at v1.0.0)
+
+- **KEON-SDK-SENTINEL-1a**: `correlationId` required; malformed → rejected; `tenantId` + `actorId` mandatory
+- **KEON-SDK-SENTINEL-1b**: `DecisionReceipt` schema strict; `receiptId` pattern `^dr-<uuidv7>`
+- **KEON-SDK-SENTINEL-1c**: Timeout → `NetworkError` (fail-closed); gateway never allows on failure
+
+---
+
+## Breaking Changes
+
+| Change | Required Action |
+|--------|----------------|
+| `subjectHash` now required on `DecideRequest` | Compute SHA-256 of canonical subject content and pass as `subjectHash` |
+
+**All callers that construct `DecideRequest` must be updated.** Missing `subjectHash` will raise `ValidationError` at runtime.
+
+---
+
+## Computing `subjectHash`
+
+```python
+import hashlib, json
+
+def compute_subject_hash(payload: dict) -> str:
+    """JCS canonical hash of the subject payload."""
+    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
+    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()
+```
+
+---
+
+## Known Limitations
+
+- `subjectHash` validation is structural only (non-empty string). Hash format (hex, length) is not enforced at SDK level — Keon Runtime validates the binding server-side.
+
+---
+
+## Verify Quickly
+
+```bash
+pytest tests/test_keon_sentinels.py -q -m sentinel
+```
+
+Expected: all sentinels green including new `subjectHash` tests.
+
+---
+
+## Tags
+
+| Tag | Commit |
+|-----|--------|
+| `keon-sdk-python-v1.0.0` | `3e20e01` |
+| `keon-sdk-python-v1.0.0-rc1` | `3e20e01` |
+| `keon-sdk-sentinels-v1.0.0` | sealed prior |

playwright.config.ts

@@ -0,0 +1,82 @@
+/**
+ * Playwright configuration — ForgePilot Canonical Test Doctrine v1.0.0
+ *
+ * Projects:
+ *  forgepilot-e2e   → tests/e2e/forgepilot/  (full user-journey E2E)
+ *  site-smoke       → tests/e2e/site/         (keon.systems smoke + link integrity)
+ *  component        → tests/component/         (UI unit / truthfulness / obs)
+ *
+ * Run targets:
+ *  npx playwright test --project=forgepilot-e2e
+ *  npx playwright test --project=site-smoke
+ *  npx playwright test --project=component
+ */
+
+import { defineConfig, devices } from '@playwright/test'
+
+const BASE_URL = process.env['BASE_URL'] ?? 'http://localhost:3000'
+const SITE_URL = process.env['SITE_URL'] ?? 'https://keon.systems'
+
+export default defineConfig({
+  testDir: './tests',
+  /* Only pick up .spec.ts files — never collide with Python tests/test_*.py */
+  testMatch: '**/*.spec.ts',
+  fullyParallel: true,
+  forbidOnly: !!process.env['CI'],
+  retries: process.env['CI'] ? 2 : 0,
+  workers: process.env['CI'] ? 2 : undefined,
+  timeout: 30_000,
+  expect: { timeout: 8_000 },
+
+  reporter: [
+    ['list'],
+    ['html', { outputFolder: 'playwright-report', open: 'never' }],
+    ['json', { outputFile: 'playwright-report/results.json' }],
+  ],
+
+  use: {
+    baseURL: BASE_URL,
+    trace: 'on-first-retry',
+    screenshot: 'only-on-failure',
+    video: 'retain-on-failure',
+  },
+
+  projects: [
+    {
+      name: 'forgepilot-e2e',
+      testDir: './tests/e2e/forgepilot',
+      use: {
+        ...devices['Desktop Chrome'],
+        baseURL: BASE_URL,
+      },
+    },
+    {
+      name: 'site-smoke',
+      testDir: './tests/e2e/site',
+      use: {
+        ...devices['Desktop Chrome'],
+        baseURL: SITE_URL,
+      },
+    },
+    {
+      name: 'component',
+      testDir: './tests/component',
+      use: {
+        ...devices['Desktop Chrome'],
+        baseURL: BASE_URL,
+      },
+    },
+  ],
+
+  /* Start Next.js dev server for local runs against forgepilot-e2e and component */
+  webServer: {
+    command: 'npm run dev',
+    url: BASE_URL,
+    reuseExistingServer: !process.env['CI'],
+    timeout: 120_000,
+    env: {
+      NODE_ENV: 'test',
+    },
+  },
+})
+

run_manifest.schema.json

@@ -0,0 +1,138 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://keon.systems/schemas/run_manifest.schema.json",
+  "title": "RunManifest",
+  "description": "Canonical evidence record emitted per test run. Schema v1.0.0.",
+  "type": "object",
+  "required": [
+    "schemaVersion",
+    "runId",
+    "timestamp",
+    "env",
+    "layer",
+    "suite",
+    "scenarioId",
+    "status",
+    "source",
+    "evidence"
+  ],
+  "properties": {
+    "schemaVersion": {
+      "type": "string",
+      "const": "1.0.0",
+      "description": "Schema version – always 1.0.0 for this revision."
+    },
+    "runId": {
+      "type": "string",
+      "description": "UUIDv4 uniquely identifying this run attempt.",
+      "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
+    },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO-8601 UTC timestamp of run start."
+    },
+    "env": {
+      "type": "string",
+      "enum": ["local", "ci", "staging", "production"],
+      "description": "Target environment under test."
+    },
+    "layer": {
+      "type": "string",
+      "description": "Architectural layer under test (e.g. forgepilot.ai, keon.systems)."
+    },
+    "suite": {
+      "type": "string",
+      "enum": ["smoke", "unit", "contract", "integration", "e2e", "chaos", "perf", "obs"],
+      "description": "Test suite tier."
+    },
+    "scenarioId": {
+      "type": "string",
+      "description": "Stable identifier for this test scenario (slug format).",
+      "pattern": "^[a-z0-9][a-z0-9-]*[a-z0-9]$"
+    },
+    "status": {
+      "type": "string",
+      "enum": ["pass", "fail", "skip", "abort"],
+      "description": "Terminal status of this run."
+    },
+    "durationMs": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Wall-clock duration of the run in milliseconds."
+    },
+    "source": {
+      "type": "object",
+      "required": ["file"],
+      "description": "Origin of the test.",
+      "properties": {
+        "file": { "type": "string", "description": "Source file path relative to repo root." },
+        "line": { "type": "integer", "minimum": 1 },
+        "commit": { "type": "string", "description": "Git commit SHA (short or full)." },
+        "branch": { "type": "string" },
+        "ci": { "type": "string", "description": "CI run URL or job ID if available." }
+      },
+      "additionalProperties": false
+    },
+    "assertions": {
+      "type": "array",
+      "description": "Canonical assertion IDs evaluated during this run.",
+      "items": {
+        "type": "object",
+        "required": ["id", "status"],
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "Canonical assertion ID e.g. INV-IDEMPOTENCY.",
+            "enum": [
+              "INV-IDEMPOTENCY",
+              "INV-DETERMINISM",
+              "INV-ISOLATION",
+              "INV-TRUTHFULNESS",
+              "INV-OBSERVABILITY",
+              "INV-RESILIENCE",
+              "INV-CONTRACT",
+              "INV-CORRELATION"
+            ]
+          },
+          "status": { "type": "string", "enum": ["pass", "fail", "skip"] },
+          "message": { "type": "string" }
+        },
+        "additionalProperties": false
+      }
+    },
+    "evidence": {
+      "type": "object",
+      "required": ["spoolDir"],
+      "description": "Evidence artifact locations.",
+      "properties": {
+        "spoolDir": {
+          "type": "string",
+          "description": "Local path to the spool directory containing artifacts."
+        },
+        "blobPrefix": {
+          "type": "string",
+          "description": "Azure Blob Storage path prefix for this run."
+        },
+        "traceUrl": { "type": "string", "format": "uri" },
+        "screenshotUrls": {
+          "type": "array",
+          "items": { "type": "string", "format": "uri" }
+        }
+      },
+      "additionalProperties": false
+    },
+    "tags": {
+      "type": "array",
+      "items": { "type": "string" },
+      "description": "Free-form tags for filtering."
+    },
+    "meta": {
+      "type": "object",
+      "description": "Arbitrary key-value metadata.",
+      "additionalProperties": { "type": "string" }
+    }
+  },
+  "additionalProperties": false
+}
+

keon_sdk/__init__.py src/__init__.pykeon_sdk/__init__.py renamed to src/__init__.py

@@ -53,6 +53,12 @@ class DecideRequest(BaseModel):
     action: str = Field(..., min_length=1)
     resource_type: str = Field(..., alias="resourceType", min_length=1)
     resource_id: str = Field(..., alias="resourceId", min_length=1)
+    subject_hash: str = Field(
+        ...,
+        alias="subjectHash",
+        min_length=1,
+        description="SHA-256 hex digest of the canonical subject payload (content being governed)",
+    )
     context: Optional[Dict[str, Any]] = None
 
     @field_validator("correlation_id")