Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
588 changes: 588 additions & 0 deletions docs/reports/DAILY_GIEN_DOSSIER_2026-07-10.md

Large diffs are not rendered by default.

10 changes: 9 additions & 1 deletion governance_artifacts/RUNNABLE_ASSURANCE.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ the master reference documents assert that a control "holds," the artifacts here
bash governance_artifacts/run_runnable_assurance.sh
```

Runs all eleven checks below and fails fast on any error.
Runs all nineteen checks below and fails fast on any error.

## What is proven, and against which control

Expand All @@ -34,6 +34,14 @@ Runs all eleven checks below and fails fast on any error.
| 9 | PQC WORM audit log — real CRYSTALS-Dilithium (ML-DSA-65) signatures + tamper-evident hash chain + S3 Object Lock retention | Python (`dilithium-py`) + pytest | `cry-02` | DORA, EU AI Act Art. 12 logging |
| 10 | OmegaActual contract hardening — both contracts compile (0 warnings); 7 logic tests prove original exploitable & hardened blocks SEC-01..06 | solc 0.8.26 + pytest | `con-07` settlement | EU AI Act Art. 14, DORA |
| 11 | Governance artifact schema validation | Python validator | manifest/schema integrity | OSCAL, evidence logging (EU AI Act Art. 12) |
| 12 | OSCAL catalog conformance — every control's `tla-spec` / `rego-policy` / `circuit` / `simulator` prop resolves to a real in-repo artifact; every regime `#href` resolves to a back-matter anchor (no dangling references); `feasibility-tier ∈ {A,B,C,D}`; `freshness-sla` is a valid ISO-8601 duration (43 cross-reference checks, falsifiable) | Python (`oscal_conformance.py`) + pytest | all `con-*`, `cry-*`, `env-*`, `rte-*` | OSCAL 1.1.2 compliance-as-code integrity (EU AI Act Annex IV, NIST AI RMF, DORA, Basel, SR 11-7) |
| 13 | Annex IV dossier auto-assembly — builds an OSCAL-native 8-section (A–H) EU AI Act technical-documentation dossier from the conformant catalog + live assurance evidence; refuses to run on a non-conformant catalog or unknown control id; never marks a section SATISFIED without a green runnable check | Python (`generate_annex_iv_dossier.py`) + pytest | all controls → Annex IV §A–H | EU AI Act Annex IV technical documentation (auto-assembled deliverable) |
| 14 | DORA ICT-risk register auto-assembly — builds a 5-pillar (P1–P5) DORA register from the same catalog + live evidence; reports P4/P5 as honest coverage gaps; same refusal/honesty guarantees | Python (`generate_dora_ict_register.py`) + pytest | `env-*`, `cry-02`, `con-04/07` → DORA pillars | DORA (Reg. (EU) 2022/2554) ICT-risk register (auto-assembled deliverable) |
| 15 | NIST AI RMF profile crosswalk auto-assembly — builds a 4-function (GOVERN/MAP/MEASURE/MANAGE) crosswalk with per-function coverage analysis from the same catalog + live evidence; same refusal/honesty guarantees | Python (`generate_nist_rmf_crosswalk.py`) + pytest | all controls → NIST AI RMF functions | NIST AI RMF 1.0 coverage crosswalk (auto-assembled deliverable) |
| 16 | Verified distribution-bundle packaging — collects all three regulator deliverables (6 artifacts) into a `dist/` bundle and emits a `MANIFEST.json` with **two** digests per artifact and per bundle: a **`bundle_sha256`** (byte-exact provenance fingerprint of this build — changes each run with the `generated_at` timestamp) and a **`content_digest`** (timestamp-normalized — **stable/reproducible** across regenerations for a given catalog + evidence state). Both recompute from the sorted per-artifact digests; refuses to package on any catalog-conformance failure; reports coverage gaps (DORA P4/P5), never inflates them | Python (`package_distribution_bundle.py`) + pytest | all deliverables → one auditable bundle | Regulator-facing distribution package (assembly-integrity + reproducibility, not a certification) |
| 17 | Recipient-side bundle verification — a **standalone** verifier (`verify_distribution_bundle.py`, stdlib-only; deliberately does NOT import the packager — digest rules independently re-implemented) re-checks a received `dist/` bundle: per-artifact byte + timestamp-normalized digests, both bundle-level digest recomputations, digest distinctness, and **manifest-vs-content consistency** (unit counts / coverage gaps / conformance recomputed from the bundled deliverable JSONs — a manifest that inflates SATISFIED or hides a gap FAILS). The packager's `--sign` emits a detached **ML-DSA-65 (FIPS 204)** `MANIFEST.sig.json`; the suite verifies it in strict `--require-signature` mode. Tamper negatives proven by tests (artifact edit, forged manifest claims, single-byte manifest change) | Python (`verify_distribution_bundle.py`) + `dilithium-py` + pytest | all deliverables → independently verifiable received bundle | Recipient/regulator-side integrity check (proves assembly integrity + signer key continuity, not identity without an out-of-band fingerprint comparison) |
| 18 | Evidence freshness-SLA gate — the catalogs declare per-control `freshness-sla` props (e.g. `env-01` attestation evidence ≤ PT5M old, `cry-05` zk proof ≤ P3M); until now check C3 validated only the *format*. `check_evidence_freshness.py --run` re-executes every control's mapped assurance check (the same single-source-of-truth `CONTROL_EVIDENCE` map the deliverable generators use) and records **when** each piece of evidence was produced in a digest-protected ledger (`oscal/generated/evidence_freshness_ledger.json`); `--audit` then enforces each declared SLA against those instants (stated conversion: 1M=30d, 1Y=365d; compound `P1D/P90D` enforces the first period). STALE / FAILED / NOT-RECORDED / FUTURE-DATED / tampered-ledger → gate FAILS; organisational-evidence controls (`env-02`) are disclosed `NOT-RUNNABLE`, never counted fresh. Tamper/staleness negatives proven by 7 pytest checks | Python (`check_evidence_freshness.py`) + pytest | all runnable controls' `freshness-sla` props | Evidence-recency enforcement (EU AI Act Art. 12 record-keeping, DORA ICT monitoring; the ledger digest detects casual edits, is not a signature — pair with checks 16/17 for signed provenance) |
| 19 | Multi-jurisdiction override consistency + Sentinel Governance Index v6.0 — `MultiJurisdictionOverride.tla` models concurrent supervisory overrides from multiple jurisdictions ({EU, US, SG}) over the severity lattice NORMAL < RESTRICT < HALT and TLC-checks four safety invariants: **`MultiJurisdictionOverrideConsistency`** (effective posture ALWAYS equals the most restrictive active override — the constitutional *Lex Severior* rule; a violation is either an override bypass or unauditable over-enforcement), `NoUnilateralWeakening` (no single jurisdiction can lower the posture while another's override is active), `HaltReleaseAudited` (HALT→NORMAL requires a `unanimous_release` record in the append-only override log — silent de-escalation impossible) and `LogWellFormed`. 2,523 distinct states, 0 errors; mutation-tested (a unilateral-release bug is caught by TLC immediately). Then `validate_governance_index.py` proves the **Sentinel Governance Index v6.0** is truthful: exactly 24 artifacts SGI-01..SGI-24, every path exists, no duplicates, GIES modules valid, every tier-A artifact names invariants + a resolvable suite step, and every TLA invariant named in the index is defined in its module (8 falsifiable IDX checks) | TLA+/TLC + Python (`validate_governance_index.py`) | multi-jurisdiction supervisory override chain; SGI v6.0 (24 artifacts) | Supervisory-college override discipline (EU AI Act Art. 65–68 market surveillance, DORA oversight colleges, cross-border coordination); index integrity is the constitutional table of contents for the GIES |

### Companion reviews & plan (this iteration)

Expand Down
Loading
Loading