feat(UGI+KACG+GAF): Unified Governance Index, Kafka ACL Governance Engine, AGI/ASI Governance Architectures#50
Open
OneFineStarstuff wants to merge 5 commits intomainfrom
Open
feat(UGI+KACG+GAF): Unified Governance Index, Kafka ACL Governance Engine, AGI/ASI Governance Architectures#50OneFineStarstuff wants to merge 5 commits intomainfrom
OneFineStarstuff wants to merge 5 commits intomainfrom
Conversation
… — 7-domain implementation reference New deliverables for GAF-GSIFI-WP-017: ## Markdown Report (docs/reports/AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.md) - 740+ lines comprehensive implementation reference covering 7 governance domains - Domain 1: 6-layer enterprise governance (accountability, policy, risk, data, dev/deploy, monitoring) - Domain 2: 8 regulatory frameworks (EU AI Act, NIST AI RMF, ISO 42001, OECD, GDPR, FCRA/ECOA, SR 11-7, UK AISI) - Domain 3: 5 reference architectures (EAIP, Sentinel, HA-RAG, WorkflowAI, CCaaS) + 7-layer trust stack - Domain 4: 15 global governance components (GACRA, GASO, GFMCF, GAICS, GAIVS, GACP, GATI, GACMO, FTEWS, GAI-SOC, GAIGA, GACRLS, GFCO, GAID, GASCF) - Domain 5: Financial services (SR 11-7, FCRA/ECOA, credit scoring, fair lending DI tests) - Domain 6: AGI safety (10-stage evolution, CRP v2.1, 8 crisis simulations, MVAGS, trust-by-design) - Domain 7: Master blueprint (Sentinel architecture, ARL 1-7, 30/60/90-day rollout, 8-week plan) ## Server.js Data Object + 56 API Endpoints - GOVERNANCE_ARCHITECTURES_FRAMEWORKS object (747 lines) with full 7-domain data model - 56 RESTful endpoints under /api/governance-architectures-frameworks/* - Total server.js: 11,870 lines ## Interactive HTML Dashboard - rag-agentic-dashboard/public/governance-architectures-frameworks.html - Real-time API-driven dashboard with all 7 domains visualized ## Machine-Readable Artifacts - JSON Schema: governance-architecture.schema.json, compute-registry.schema.json - OpenAPI 3.1: gaf-openapi.yaml (56 endpoint specification) - OPA Rego: fair_lending_disparate_impact.rego, agent_governance_depths.rego - CSV: global-governance-components.csv, agi-readiness-assessment.csv, rollout-30-60-90.csv ## Key Metrics - 336 OPA rules | 1,024 Sentinel rules | 1.8M daily evals | 12,200 RPC/s @ 99.98% - ARS 58.2 (14 dimensions) | HA-RAG F1 92.1% | DI >= 0.80 all protected classes - $68.4M investment | NPV $118.6M | IRR 42.3% | Payback 2.1yr Regression: 82/82 endpoints PASS, 0 failures
|
The files' contents are under analysis for test generation. |
|
Review these changes at https://app.gitnotebooks.com/OneFineStarstuff/OneFineStarstuff.github.io/pull/50 |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Sorry @OneFineStarstuff, your pull request is larger than the review limit of 150000 diff characters
![gstraccini[bot]](https://avatars.githubusercontent.com/in/480132?s=60&v=4){kind=small}
📝 WalkthroughWalkthroughAdds a large set of AI governance artifacts: Kafka ACL matrix and authorizer, multiple OPA/Rego policies (DEPTHS, GDPR, NIST, ISO42001, EU AI Act, Basel III, fair lending), schemas (JSON/Avro/OpenAPI), templates/workflows/CLI, dashboards, and documentation. Changes
Sequence DiagramssequenceDiagram
participant Client as Kafka Client
participant Broker as Kafka Broker
participant OPA as OPA (kafka.authz)
participant ACL as data.kafka.acl_matrix
participant BreakGlass as BreakGlass Service
Client->>Broker: Produce/Consume request
Broker->>OPA: Evaluate(request.action, principal, resource)
OPA->>ACL: Lookup topic config (produce/consume, exclusiveWrite, transactional)
ACL-->>OPA: Topic config
OPA->>BreakGlass: Check break-glass status for principal
alt Break-glass active & approved
BreakGlass-->>OPA: Approved (expiry, dual approvers)
OPA-->>Broker: ALLOW
else
OPA->>OPA: Enforce exclusiveWrite, denies, cluster/schema admin checks
alt principal matches ACL & rules satisfied
OPA-->>Broker: ALLOW
else
OPA-->>Broker: DENY
end
end
sequenceDiagram
participant Deployer as Deployment System
participant DepthsPolicy as OPA (agent_governance.depths)
participant AgentRegistry as Agent Registry
participant ControlsDB as Controls DB
Deployer->>DepthsPolicy: Validate agent deployment (input.agent)
DepthsPolicy->>AgentRegistry: Fetch agent metadata (DEPTHS, autonomy, system_access)
AgentRegistry-->>DepthsPolicy: Agent metadata
DepthsPolicy->>ControlsDB: Retrieve required controls for level
alt L5 self-multiplying
DepthsPolicy->>DepthsPolicy: Enforce no Tier-0 write access invariant
alt Tier-0 write present
DepthsPolicy-->>Deployer: DENY
end
end
alt Missing required controls (kill-switch/sidecar/audit/board approval)
DepthsPolicy-->>Deployer: DENY with messages
else
DepthsPolicy-->>Deployer: ALLOW
end
sequenceDiagram
participant Model as AI Model
participant ComplianceSvc as Governance Service (OPA)
participant BaselPolicy as BaselIII Policy
participant FairLend as FairLending Policy
participant EvidenceStore as WORM S3
Model->>ComplianceSvc: Submit model metadata/tests
ComplianceSvc->>BaselPolicy: Evaluate basel_iii_compliant(input)
BaselPolicy-->>ComplianceSvc: Result + violations
ComplianceSvc->>FairLend: Evaluate disparate impact tests
FairLend-->>ComplianceSvc: PASS/WARN/DENY + messages
ComplianceSvc->>EvidenceStore: Persist signed evidence bundle
EvidenceStore-->>ComplianceSvc: Evidence ID + signature
ComplianceSvc-->>Model: Return governance decision + evidence ID
Estimated code review effort🎯 5 (Critical) | ⏱️ ~120 minutes Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
View changes in DiffLens |
Contributor
|
Failed to generate code suggestions for PR |
Not up to standards ⛔🔴 Issues
|
| Category | Results |
|---|---|
| BestPractice | 10 minor |
| CodeStyle | 90 minor |
🟢 Metrics 50 complexity · 4 duplication
Metric Results Complexity 50 Duplication 4
TIP This summary will be updated as you push new changes. Give us feedback
|
View changes in DiffLens |
❌ Deploy Preview for onefinestarstuff failed.
|
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ca192a35f2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
+18
to
+19
| paths: | ||
| /metadata: |
There was a problem hiding this comment.
The OpenAPI artifact is incomplete relative to the routes added in rag-agentic-dashboard/server.js: I checked the GAF route block and found 57 app.get('/api/governance-architectures-frameworks...') handlers, while artifacts/schemas/gaf-openapi.yaml only defines 43 path entries under paths (missing endpoints like /data-infrastructure, /monitoring, and /blueprint/global-compute). Because this file is positioned as the machine-readable contract, client generation and contract testing from the spec will silently miss live endpoints and drift from the server implementation.
Useful? React with 👍 / 👎.
Micro-Learning Topic: Cross-site scripting (Detected by phrase)Matched on "xSs"Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try a challenge in Secure Code WarriorHelpful references
Micro-Learning Topic: External entity injection (Detected by phrase)Matched on "XxE"An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. Try a challenge in Secure Code WarriorHelpful references
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 15
Note
Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.
🟡 Minor comments (8)
artifacts/schemas/governance-event.avsc-5-5 (1)
5-5:⚠️ Potential issue | 🟡 MinorFix initiative code typo in schema documentation.
Line 5 references
KACG-GSIFI-WP-017, while this PR is scoped toGAF-GSIFI-WP-017. This can break audit traceability between artifacts and work package IDs.Proposed fix
- "doc": "KACG-GSIFI-WP-017: Core governance event schema for Kafka ACL Governance & Continuous Compliance Engine. All AI governance telemetry flows through this schema. Registered in Confluent Schema Registry with BACKWARD_TRANSITIVE compatibility.", + "doc": "GAF-GSIFI-WP-017: Core governance event schema for Kafka ACL Governance & Continuous Compliance Engine. All AI governance telemetry flows through this schema. Registered in Confluent Schema Registry with BACKWARD_TRANSITIVE compatibility.",🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@artifacts/schemas/governance-event.avsc` at line 5, The schema's "doc" field contains the wrong initiative code (KACG-GSIFI-WP-017) which should be GAF-GSIFI-WP-017; update the "doc" string in governance-event.avsc to replace KACG-GSIFI-WP-017 with GAF-GSIFI-WP-017 so the documentation matches the PR/work package ID and preserves audit traceability (edit the "doc" field in the top-level record definition).artifacts/schemas/governance-event.avsc-114-117 (1)
114-117:⚠️ Potential issue | 🟡 MinorJurisdiction examples conflict with stated ISO format.
Line 116 says ISO 3166-1 alpha-2, but examples include
UKandEU. For strict ISO alpha-2,GBshould be used for the United Kingdom; mixing non-ISO tokens will create inconsistent downstream filtering/aggregation.Proposed doc correction
- "doc": "ISO 3166-1 alpha-2 jurisdiction code (e.g., US, EU, UK, SG)" + "doc": "ISO 3166-1 alpha-2 jurisdiction code (e.g., US, GB, SG)"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@artifacts/schemas/governance-event.avsc` around lines 114 - 117, The "jurisdiction" Avro field doc claims ISO 3166-1 alpha-2 codes but lists non-strict examples; update the doc string for the "jurisdiction" field to use only valid ISO alpha-2 examples (e.g., replace "UK" with "GB" and remove "EU" or note reserved codes if intentionally allowed) so downstream filtering/aggregation uses consistent ISO codes.docs/reports/AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.md-7-9 (1)
7-9:⚠️ Potential issue | 🟡 MinorThe API count is internally inconsistent.
Line 9 says “72 API endpoints”, Appendix B enumerates 56, and
artifacts/schemas/gaf-openapi.yamlcurrently defines 43 operations. Please reconcile the number before publishing.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/reports/AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.md` around lines 7 - 9, The "72 API endpoints" metric is inconsistent with Appendix B (56) and artifacts/schemas/gaf-openapi.yaml (43); reconcile by verifying the actual implemented OpenAPI operations in gaf-openapi.yaml (count operations/paths), update Appendix B to match that canonical source or add the missing endpoint definitions to gaf-openapi.yaml if the doc is correct, and then update the Key Metrics line in AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.md to the verified number; ensure all three sources (the Key Metrics text, Appendix B, and artifacts/schemas/gaf-openapi.yaml) match and commit the aligned value.artifacts/policies/agent_governance_depths.rego-69-77 (1)
69-77:⚠️ Potential issue | 🟡 MinorFix the GASCF violation text.
This rule only fires for
L4andL5, but the message says “Level 3+”. Update the text or extend the requirement toL3as well.Suggested fix
- "CERTIFICATION VIOLATION: Agent '%s' (DEPTHS %s) requires GASCF certification (Level 3+) before deployment.", + "CERTIFICATION VIOLATION: Agent '%s' (DEPTHS %s) requires GASCF certification (Level 4+) before deployment.",🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@artifacts/policies/agent_governance_depths.rego` around lines 69 - 77, The DENY rule (deny contains msg) currently reports "Level 3+" though it only triggers when depths_levels[level].requires_gascf is true for L4 and L5; update the sprintf message to correctly refer to "DEPTHS L4+" or "Level 4+" (e.g., change the substring "Level 3+" to "Level 4+") so the error text matches the actual condition, leaving the rest of the rule (level, depths_levels, requires_gascf, input.agent.gascf_certified) unchanged.artifacts/schemas/governance-architecture.schema.json-83-95 (1)
83-95:⚠️ Potential issue | 🟡 MinorRequire at least one regulatory mapping.
regulatoryAlignmentis top-level required, but it can still be[]. That lets an “aligned” architecture document validate with no framework coverage at all.Suggested fix
"regulatoryAlignment": { "type": "array", + "minItems": 1, "items": {🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@artifacts/schemas/governance-architecture.schema.json` around lines 83 - 95, The schema allows an empty regulatoryAlignment array; enforce at least one mapping by adding "minItems": 1 to the regulatoryAlignment array definition so it cannot be [] (keep the existing "items" object and its required properties such as framework and jurisdiction intact).rag-agentic-dashboard/public/governance-architectures-frameworks.html-184-184 (1)
184-184:⚠️ Potential issue | 🟡 MinorMissing error handling for individual fetch failures.
The
gaf()helper doesn't checkresponse.okbefore parsing JSON. A 4xx/5xx response would still attempt.json(), potentially throwing a confusing parse error instead of a clear HTTP error.🛠️ Proposed fix: Add response status check
-async function gaf(path) { const r = await fetch(`${API}${path}`); return r.json(); } +async function gaf(path) { + const r = await fetch(`${API}${path}`); + if (!r.ok) throw new Error(`API error: ${r.status} ${r.statusText}`); + return r.json(); +}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@rag-agentic-dashboard/public/governance-architectures-frameworks.html` at line 184, The gaf() helper currently calls response.json() without checking response.ok; update the async function gaf(path) to await fetch, then check r.ok and if false throw an Error containing the HTTP status and statusText (or response text) so callers get a clear HTTP error instead of a JSON parse failure; only call r.json() when r.ok is true and consider wrapping the json parse in a try/catch to surface parsing errors with context.rag-agentic-dashboard/public/kafka-acl-governance.html-269-271 (1)
269-271:⚠️ Potential issue | 🟡 MinorError handling should provide user feedback.
Same issue as the other dashboard — errors are only logged to console, leaving "Loading..." placeholders visible indefinitely.
🛠️ Proposed fix
- } catch(e) { console.error('Dashboard load error:', e); } + } catch(e) { + console.error('Dashboard load error:', e); + document.querySelectorAll('.loading').forEach(el => { + el.innerHTML = 'Failed to load. <a href="javascript:location.reload()">Retry</a>'; + }); + }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@rag-agentic-dashboard/public/kafka-acl-governance.html` around lines 269 - 271, The init() function currently swallows errors by only calling console.error in its catch(e) block; update that catch to both log the error and present clear user feedback by replacing any "Loading..." placeholders with an error message and stopping further UI loading. Specifically, inside the catch(e) of init(), keep console.error(e) but also select the DOM element(s) that show loading (e.g., document.getElementById('loading') or document.querySelectorAll('.loading-placeholder')) and set their textContent/innerHTML to a user-friendly message (e.g., "Failed to load dashboard: <brief action>"). Optionally add a retry button or visible class toggle (e.g., remove 'loading' class or add 'error' class) so the user can retry; ensure the code references init() and the catch(e) block when you make the change.rag-agentic-dashboard/public/governance-architectures-frameworks.html-325-326 (1)
325-326:⚠️ Potential issue | 🟡 MinorError handling only logs to console; users see stale "Loading..." text.
When an error occurs, the catch block logs to console but leaves all placeholders showing "Loading..." indefinitely. Users have no indication that data failed to load.
🛠️ Proposed fix: Show user-facing error state
- } catch (e) { console.error('Dashboard load error:', e); } + } catch (e) { + console.error('Dashboard load error:', e); + document.querySelectorAll('.loading').forEach(el => { + el.textContent = 'Failed to load data. Please refresh the page.'; + el.style.color = 'var(--danger)'; + }); + } }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@rag-agentic-dashboard/public/governance-architectures-frameworks.html` around lines 325 - 326, The catch block that currently does console.error('Dashboard load error:', e) must also update the UI to show a user-facing error state instead of leaving "Loading..." placeholders; in the catch (e) handler (the block logging 'Dashboard load error'), set a visible error message and stop any loading spinners or replace loading placeholders (e.g., update innerText/innerHTML of the dashboard container or call an existing renderError/renderDashboardError function) and include a brief friendly message plus optional retry action so users know data failed to load.
🧹 Nitpick comments (6)
artifacts/policies/kafka_acl_governance.rego (2)
8-8: Directory structure doesn't match package namespace (Regal hint).The file is at
artifacts/policies/kafka_acl_governance.regobut declarespackage kafka.authz. Regal recommends mirroring the package in the directory structure (e.g.,policies/kafka/authz.rego). This is a style preference that aids discoverability but isn't functionally required.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@artifacts/policies/kafka_acl_governance.rego` at line 8, The file declares package kafka.authz but its path artifacts/policies/kafka_acl_governance.rego does not mirror that namespace; either move this file into a directory structure matching the package (e.g., policies/kafka/authz.rego) or update the package declaration to match the current path; locate the package line "package kafka.authz" and apply the chosen fix so package namespace and file path are consistent for discoverability.
106-110: Break-glass rule has redundant time check.Rule K-008 checks
time.now_ns() < data.break_glass.expiry_nsat the rule level, butis_break_glass_active()already validates session status. Consider whether the global expiry check is intentional (cluster-wide break-glass timeout) or should be per-session in the helper.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@artifacts/policies/kafka_acl_governance.rego` around lines 106 - 110, The allow rule combines a per-session helper and a separate global expiry check creating redundancy: either remove the global time.now_ns() < data.break_glass.expiry_ns check from the allow rule and rely on is_break_glass_active(input.requestContext.principal.name) to validate session expiry, or consolidate the global timeout into the helper (e.g., update is_break_glass_active to also check data.break_glass.expiry_ns against time.now_ns()) so the expiry logic lives in one place; update the allow rule (K-008) accordingly to reference only the appropriate check.rag-agentic-dashboard/public/kafka-acl-governance.html (1)
173-268: API calls could be parallelized for faster load.Multiple independent API calls (
/dashboard,/compliance-engine/pipeline,/worm-storage,/auditor) are made sequentially. UsingPromise.all()would improve load performance.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@rag-agentic-dashboard/public/kafka-acl-governance.html` around lines 173 - 268, The init() function currently awaits load('/dashboard'), then sequentially awaits load('/compliance-engine/pipeline'), load('/worm-storage') and load('/auditor'); parallelize these independent calls by invoking them together with Promise.all (e.g. Promise.all([load('/dashboard'), load('/compliance-engine/pipeline'), load('/worm-storage'), load('/auditor')]) and destructuring the results into d, pipeline, worm, auditor) so DOM updates that consume those responses remain the same; keep the existing try/catch and ensure any downstream uses still reference the destructured variables.rag-agentic-dashboard/public/governance-architectures-frameworks.html (1)
182-206: Parallel API calls would improve dashboard load time.The
init()function makes many sequential API calls (e.g.,/kpis,/domains,/governance-layers, etc.). Since these are independent, fetching them in parallel usingPromise.all()would significantly reduce total load time.♻️ Example parallelization for initial fetches
async function init() { try { - // KPIs - const kpis = await gaf('/kpis'); - document.getElementById('kpiBar').innerHTML = kpis.slice(0, 8).map(k => - `<div class="kpi"><div class="val">${k.current}</div><div class="lbl">${k.name}</div></div>` - ).join(''); - - // Domains - const domains = await gaf('/domains'); + // Parallel fetch for independent data + const [kpis, domains, layerData, risk, regData, isoData, archData, trustData, gcData, flData, earlData, evoData, arlData, weekData, invData, riskData, rolloutData] = await Promise.all([ + gaf('/kpis'), + gaf('/domains'), + gaf('/governance-layers'), + gaf('/risk-management'), + gaf('/regulatory/frameworks'), + gaf('/regulatory/iso42001'), + gaf('/architectures'), + gaf('/trust-stack'), + gaf('/global-governance/components'), + gaf('/financial-services/fair-lending'), + gaf('/financial-services/earl'), + gaf('/agi-safety/evolution'), + gaf('/blueprint/agi-readiness'), + gaf('/blueprint/8-week-plan'), + gaf('/investment'), + gaf('/investment/risks'), + gaf('/blueprint/rollout') + ]); + + // Then render all sections...🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@rag-agentic-dashboard/public/governance-architectures-frameworks.html` around lines 182 - 206, The init() function currently calls gaf() sequentially for independent endpoints (e.g., '/kpis', '/domains', '/governance-layers', etc.), slowing page load; refactor init() to fire these independent fetches in parallel with Promise.all (or Promise.allSettled) by creating an array of gaf() calls for each endpoint, await the combined promise, then destructure the responses into variables (kpis, domains, governanceLayers, ...) and proceed to update the DOM; preserve error handling around the combined await and handle individual failures gracefully (fallback UI or skips) so a single failed fetch doesn't break the whole init flow.docs/reports/KAFKA_ACL_GOVERNANCE_COMPLIANCE_ENGINE.md (1)
75-126: Consider adding language specifier to ASCII diagram code blocks.Static analysis flagged this code block (and others at lines 157, 362, 403, 446, 689) as missing a language specifier. For ASCII art diagrams, you can use
```textor```plaintextto satisfy linters while preserving readability.📝 Example fix
-``` +```text ┌─────────────────────────────────────────────────────────────────────────┐ │ AI GOVERNANCE EVENT PRODUCERS │🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/reports/KAFKA_ACL_GOVERNANCE_COMPLIANCE_ENGINE.md` around lines 75 - 126, The ASCII diagram code fences in KAFKA_ACL_GOVERNANCE_COMPLIANCE_ENGINE.md are missing a language specifier; update the opening triple-backtick for the shown Kafka ASCII art block (and the other flagged ASCII blocks) to use a plain text specifier (e.g., change ``` to ```text or ```plaintext) so linters accept them while preserving the diagram; search for the ASCII diagram blocks (the large box diagram and the additional blocks flagged in the review) and replace their opening fences accordingly.artifacts/templates/kafka-governance-terraform.json (1)
1-145: Consider pinning provider versions more precisely.Module specifications reference providers like
"Mongey/kafka"and"aws"without version constraints. While the top-levelterraformVersionis specified, pinning provider versions in module specs (e.g.,"~> 0.7"for Mongey/kafka as shown in the documentation) would improve reproducibility.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@artifacts/templates/kafka-governance-terraform.json` around lines 1 - 145, The modules list references providers like "Mongey/kafka" and "aws" without version constraints (see module ids/names such as M1 kafka-cluster, M2 kafka-acl-governance, M3 schema-registry, M4 worm-s3-storage, M5 compliance-engine, M6 opa-engine, M7 monitoring-stack, M8 evidence-signing); update each module's provider declaration to pin provider versions (e.g., add explicit version constraints for Mongey/kafka and aws per module, such as using the recommended "~> 0.7" style for Mongey/kafka and an appropriate aws constraint) so module specs include reproducible provider versions.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@artifacts/policies/agent_governance_depths.rego`:
- Around line 15-22: The current depths_levels map allows lookups to return
undefined for unknown depth_level or autonomy strings, causing malformed inputs
like depth_level:"L6" or observed_autonomy:"delegated_batch" to bypass deny
rules; update the policy to perform explicit validation: add a rule that checks
depth_level exists in depths_levels (e.g., using depths_levels[depth_level]) and
that observed_autonomy is a member of the allowed autonomy set (e.g.,
["none","suggestion","approved_actions","independent_in_scope","self_directed_in_domain","spawn_sub_agents"]);
if either check fails, emit a deny/validation_error for the request (rather than
falling through), and update any places that use depths_levels or
observed_autonomy lookups to rely on these validators before using attributes
like max_autonomy or requires_kill_switch.
In `@artifacts/policies/basel_iii_model_risk.rego`:
- Around line 148-181: The composite predicate basel_iii_compliant and the
violations set currently only reference a subset of controls (BAS-004, BAS-005,
BAS-006, BAS-011, BAS-014); update basel_iii_compliant to require all control
predicates (e.g., include predicates corresponding to BAS-001, BAS-002, BAS-003,
BAS-007, BAS-008, BAS-009, BAS-010, BAS-012, BAS-013, BAS-015 in addition to
model_registered, model_risk_classified, model_documentation_complete,
independent_validation_complete, monitoring_active) and extend the violations
rules to emit messages for each missing control; alternatively, create a single
canonical list of expected control predicates and iterate over it to both
compute basel_iii_compliant (all true) and generate violations[msg] for any
control predicate that is false, referencing the existing basel_iii_compliant
and violations symbols to locate where to make the changes.
- Around line 90-95: The rule pii_handling_compliant currently forces
input.data.pii_detected == true, preventing non-PII models from being compliant;
change the logic so models without PII are treated compliant by allowing
pii_handling_compliant when input.data.pii_detected == false, and only enforce
input.data.pii_encrypted == true and input.data.consent_verified == true when
input.data.pii_detected == true (i.e., implement an OR: either no PII detected
OR (PII detected AND encrypted AND consent verified)); update the rule
referencing pii_handling_compliant, input.data.pii_detected,
input.data.pii_encrypted, and input.data.consent_verified accordingly.
In `@artifacts/policies/fair_lending_disparate_impact.rego`:
- Around line 33-84: The DI deny/warn rules are not scoped to credit-scoring
models and thus fire for any input with di_tests; modify the top DENY rule and
both WARN rules to require input.model_type == "credit_scoring" (same guard used
in the other deny rules that reference input.model_type), i.e., add the
condition input.model_type == "credit_scoring" to the rules that reference
input.di_tests/test.disparate_impact (the first deny block and the two warn
blocks) so findings only apply to credit-scoring models.
In `@artifacts/policies/kafka_acl_governance.rego`:
- Around line 168-191: The policy defines deny rules (deny, e.g., RULE
K-011/K-012/K-013) but the final decision only exposes allow so denies never
take effect; update the final authorization decision to combine denies and
allows (e.g., introduce a top-level authorize rule such as
data.kafka.authz.authorize that returns deny if any deny rules apply, otherwise
returns allow), or modify the existing allow rule to require not deny (e.g.,
ensure allow checks include not deny), and update callers to query
data.kafka.authz.authorize (or rename the combined decision back to allow) so
blocked principals (and kill-switch/evidence constraints) are enforced;
reference policy symbols deny, allow, authorize and is_break_glass_active when
making the change.
- Around line 136-157: The policy references missing external data documents
(data.kafka.consumer_groups, data.kafka.transactional_ids,
data.kafka.blocked_principals, data.kafka.governance_principals,
data.kafka.cluster_admins, data.kafka.schema_admins, data.break_glass.sessions,
data.break_glass.expiry_ns) causing runtime failures; either provision these
documents in the bundle (e.g., add JSON/YAML files under artifacts/data with the
expected shapes) or make the Rego rules defensive by guarding lookups (e.g.,
check data.kafka != null and data.kafka.consumer_groups != null before
iterating) and supply safe defaults (empty maps/arrays) so rules like
valid_consumer_group, valid_transaction_principal, blocked_principal,
is_governance_principal and any rules referencing cluster_admins/schema_admins
or break_glass fields do not error when the external data is absent.
In `@artifacts/schemas/compute-registry.schema.json`:
- Around line 7-8: The JSON schema's "required" array is missing the fields
"interconnect" and "ai_training_pct" even though those properties exist; update
the schema by adding "interconnect" and "ai_training_pct" to the "required"
array so the validator enforces them (update the "required" array that currently
lists facility_id, operator, jurisdiction, total_flops, gpu_type, gpu_count,
power_mw, pue, frontier_model_training, safety_cert_level, last_audit_date,
reporting_cadence to also include "interconnect" and "ai_training_pct"); ensure
any other occurrences of the same "required" list in this file (lines around the
second occurrence mentioned) are updated likewise.
In `@artifacts/schemas/evidence-bundle-manifest.schema.json`:
- Line 7: The manifest currently allows omitting evidenceFiles while
evidenceCount can be >0; update the JSON Schema by adding "evidenceFiles" to the
top-level "required" array so the property is mandatory, and add a schema-level
conditional to validate consistency with "evidenceCount" (e.g., an if/then that
when "evidenceCount" > 0 requires "evidenceFiles" to have minItems: 1 and
ideally an additional check that evidenceFiles.length equals evidenceCount) so
the manifest is independently complete and consistent; apply the same change to
the corresponding schema block referenced around lines 151-163.
- Around line 75-99: The schema forces previousBundleHash to always be present
which breaks genesis bundles; update the hashChain definition so
previousBundleHash is not mandatory and can be null for the first bundle.
Specifically, remove "previousBundleHash" from the hashChain "required" array
(or replace that array entry) and change the previousBundleHash property to
accept either a SHA-256 hex string or null (e.g., using anyOf with {type:
"string", pattern: "^[a-f0-9]{64}$"} and {type: "null"}) so genesis manifests
validate without a fake hash; refer to the hashChain object and the
previousBundleHash property in the schema.
In `@artifacts/schemas/gaf-openapi.yaml`:
- Around line 14-16: The OpenAPI servers.url
("/api/governance-architectures-frameworks") does not match the backend route
pattern ("/api/n/*") referenced by the frontend call to
governance-architectures-frameworks.html; either update the spec or the server
route so all three align. Fix by changing the OpenAPI servers entry
(servers.url) to the actual backend base path or modify the backend route
handler that registers "/api/n/*" to use
"/api/governance-architectures-frameworks" (and ensure the frontend call matches
that same base path). Verify the route string
"/api/governance-architectures-frameworks" is used consistently in the OpenAPI
servers.url, the backend route registration, and the frontend call.
- Around line 18-439: The OpenAPI paths list is missing 13 routes referenced in
Appendix B; add entries for the missing endpoints (e.g. /data-infrastructure,
/dev-deploy, /dev-deploy/gates, /monitoring, /trust-stack/model-registry,
/trust-stack/cicd-gates, /global-governance/compute-registry,
/global-governance/sentinel-integration, /financial-services/earl,
/blueprint/global-compute and the three rollout detail routes) by creating
corresponding GET operations with sensible operationId names (e.g.
getDataInfrastructure, getDevDeploy, getDevDeployGates, getMonitoring,
getModelRegistry, getCICDGates, getComputeRegistry, getSentinelIntegration,
getEARL, getGlobalCompute, getRolloutDetailX), appropriate tags (matching their
domains like Domain 3, Domain 4, Domain 5, Domain 7 or Investment & Risk), brief
summary strings, and a '200' response with a description (and JSON schema refs
where applicable); consult Appendix B
(docs/reports/AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.md:837-895) to copy
exact route names, summaries and response schemas to ensure parity with the
documented 56 routes.
- Around line 80-439: Many GET operations (e.g., operationId
getGovernanceLayers, getAccountability, getPolicyInfrastructure, getOPAGroups,
getRiskManagement, getARS, getRegulatory, getArchitectures, getArchitectureById,
getTrustStack, getGlobalGovernance, getICGC, getGlobalComponents,
getFinancialServices, getSR117, getCreditScoring, getFairLending, getAGISafety,
getEvolution, getCRP, getCrisisSimulations, getMVAGS, getTrustByDesign,
getBlueprint, getSentinel, getAGIReadiness, getRollout, get8WeekPlan,
getInvestment, getRiskRegister, getMetrics, getSummary, getDashboard,
getArtifacts) only have descriptions for 200 responses and lack response bodies;
update each 200 response to include a content/application/json schema ($ref) to
the appropriate component schema (create component schemas if missing) so
codegen and contract validation can use concrete payload contracts — map each
operationId to a clear component like GovernanceLayers, Accountability,
PolicyInfrastructure, OPAGroups, RiskManagement, ARS, Regulatory,
RegulatoryFrameworks, EUAIAct, NIST, ISO42001, Obligations, Architectures,
Architecture (for getArchitectureById), TrustStack, GlobalGovernance, ICGC,
GlobalComponents, FinancialServices, SR117, CreditScoring, FairLending,
AGISafety, Evolution, CRP, CrisisSimulations, MVAGS, TrustByDesign, Blueprint,
Sentinel, AGIReadiness, RolloutPlan (8WeekPlan), InvestmentProfile,
RiskRegister, Metrics, Summary, DashboardPayload, ArtifactsCatalog and reference
them under responses.'200'.content.'application/json'.schema.$ref.
In `@artifacts/schemas/governance-event.avsc`:
- Around line 108-112: The schema currently exposes a raw user identifier via
the "userId" field; change this to a pseudonymous subject field (e.g., rename
"userId" to "subjectKey") and update its docstring to require a non-reversible
pseudonymous value (hashed ID with controlled salt rotation or synthetic subject
key) instead of plain PII, keep the type as ["null","string"] with default null,
and ensure any downstream producers/consumers use the hashed/pseudonymous value
rather than direct user identifiers.
In `@rag-agentic-dashboard/public/governance-architectures-frameworks.html`:
- Around line 204-206: The rendered KPI/dashboard templates currently inject API
strings directly into innerHTML (e.g.,
document.getElementById('kpiBar').innerHTML with k.current and k.name), creating
an XSS risk; fix it by introducing a small HTML-escaping utility (escapeHtml)
and apply it to all interpolated API fields (k.name, k.current, d.name, f.name,
etc.) or, preferably, build DOM nodes and set their textContent instead of using
innerHTML; update all template constructions that render API data to use the
sanitizer or DOM creation approach so no raw API strings are inserted unescaped.
In `@rag-agentic-dashboard/public/kafka-acl-governance.html`:
- Around line 164-171: The load() helper and inline HTML rendering are unsafe:
update load() (the function named load and the API constant API) to check the
fetch response (use response.ok or status) and throw or return a clear error for
non-2xx responses before calling response.json(); remove or sanitize direct
innerHTML usage and apply an HTML-escaping helper (e.g., escapeHtml) to any
user/API-derived values used inside template literals in badge() and all other
render templates or, better, set textContent or create DOM nodes instead of
assigning innerHTML to eliminate XSS vectors.
---
Minor comments:
In `@artifacts/policies/agent_governance_depths.rego`:
- Around line 69-77: The DENY rule (deny contains msg) currently reports "Level
3+" though it only triggers when depths_levels[level].requires_gascf is true for
L4 and L5; update the sprintf message to correctly refer to "DEPTHS L4+" or
"Level 4+" (e.g., change the substring "Level 3+" to "Level 4+") so the error
text matches the actual condition, leaving the rest of the rule (level,
depths_levels, requires_gascf, input.agent.gascf_certified) unchanged.
In `@artifacts/schemas/governance-architecture.schema.json`:
- Around line 83-95: The schema allows an empty regulatoryAlignment array;
enforce at least one mapping by adding "minItems": 1 to the regulatoryAlignment
array definition so it cannot be [] (keep the existing "items" object and its
required properties such as framework and jurisdiction intact).
In `@artifacts/schemas/governance-event.avsc`:
- Line 5: The schema's "doc" field contains the wrong initiative code
(KACG-GSIFI-WP-017) which should be GAF-GSIFI-WP-017; update the "doc" string in
governance-event.avsc to replace KACG-GSIFI-WP-017 with GAF-GSIFI-WP-017 so the
documentation matches the PR/work package ID and preserves audit traceability
(edit the "doc" field in the top-level record definition).
- Around line 114-117: The "jurisdiction" Avro field doc claims ISO 3166-1
alpha-2 codes but lists non-strict examples; update the doc string for the
"jurisdiction" field to use only valid ISO alpha-2 examples (e.g., replace "UK"
with "GB" and remove "EU" or note reserved codes if intentionally allowed) so
downstream filtering/aggregation uses consistent ISO codes.
In `@docs/reports/AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.md`:
- Around line 7-9: The "72 API endpoints" metric is inconsistent with Appendix B
(56) and artifacts/schemas/gaf-openapi.yaml (43); reconcile by verifying the
actual implemented OpenAPI operations in gaf-openapi.yaml (count
operations/paths), update Appendix B to match that canonical source or add the
missing endpoint definitions to gaf-openapi.yaml if the doc is correct, and then
update the Key Metrics line in AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.md to
the verified number; ensure all three sources (the Key Metrics text, Appendix B,
and artifacts/schemas/gaf-openapi.yaml) match and commit the aligned value.
In `@rag-agentic-dashboard/public/governance-architectures-frameworks.html`:
- Line 184: The gaf() helper currently calls response.json() without checking
response.ok; update the async function gaf(path) to await fetch, then check r.ok
and if false throw an Error containing the HTTP status and statusText (or
response text) so callers get a clear HTTP error instead of a JSON parse
failure; only call r.json() when r.ok is true and consider wrapping the json
parse in a try/catch to surface parsing errors with context.
- Around line 325-326: The catch block that currently does
console.error('Dashboard load error:', e) must also update the UI to show a
user-facing error state instead of leaving "Loading..." placeholders; in the
catch (e) handler (the block logging 'Dashboard load error'), set a visible
error message and stop any loading spinners or replace loading placeholders
(e.g., update innerText/innerHTML of the dashboard container or call an existing
renderError/renderDashboardError function) and include a brief friendly message
plus optional retry action so users know data failed to load.
In `@rag-agentic-dashboard/public/kafka-acl-governance.html`:
- Around line 269-271: The init() function currently swallows errors by only
calling console.error in its catch(e) block; update that catch to both log the
error and present clear user feedback by replacing any "Loading..." placeholders
with an error message and stopping further UI loading. Specifically, inside the
catch(e) of init(), keep console.error(e) but also select the DOM element(s)
that show loading (e.g., document.getElementById('loading') or
document.querySelectorAll('.loading-placeholder')) and set their
textContent/innerHTML to a user-friendly message (e.g., "Failed to load
dashboard: <brief action>"). Optionally add a retry button or visible class
toggle (e.g., remove 'loading' class or add 'error' class) so the user can
retry; ensure the code references init() and the catch(e) block when you make
the change.
---
Nitpick comments:
In `@artifacts/policies/kafka_acl_governance.rego`:
- Line 8: The file declares package kafka.authz but its path
artifacts/policies/kafka_acl_governance.rego does not mirror that namespace;
either move this file into a directory structure matching the package (e.g.,
policies/kafka/authz.rego) or update the package declaration to match the
current path; locate the package line "package kafka.authz" and apply the chosen
fix so package namespace and file path are consistent for discoverability.
- Around line 106-110: The allow rule combines a per-session helper and a
separate global expiry check creating redundancy: either remove the global
time.now_ns() < data.break_glass.expiry_ns check from the allow rule and rely on
is_break_glass_active(input.requestContext.principal.name) to validate session
expiry, or consolidate the global timeout into the helper (e.g., update
is_break_glass_active to also check data.break_glass.expiry_ns against
time.now_ns()) so the expiry logic lives in one place; update the allow rule
(K-008) accordingly to reference only the appropriate check.
In `@artifacts/templates/kafka-governance-terraform.json`:
- Around line 1-145: The modules list references providers like "Mongey/kafka"
and "aws" without version constraints (see module ids/names such as M1
kafka-cluster, M2 kafka-acl-governance, M3 schema-registry, M4 worm-s3-storage,
M5 compliance-engine, M6 opa-engine, M7 monitoring-stack, M8 evidence-signing);
update each module's provider declaration to pin provider versions (e.g., add
explicit version constraints for Mongey/kafka and aws per module, such as using
the recommended "~> 0.7" style for Mongey/kafka and an appropriate aws
constraint) so module specs include reproducible provider versions.
In `@docs/reports/KAFKA_ACL_GOVERNANCE_COMPLIANCE_ENGINE.md`:
- Around line 75-126: The ASCII diagram code fences in
KAFKA_ACL_GOVERNANCE_COMPLIANCE_ENGINE.md are missing a language specifier;
update the opening triple-backtick for the shown Kafka ASCII art block (and the
other flagged ASCII blocks) to use a plain text specifier (e.g., change ``` to
```text or ```plaintext) so linters accept them while preserving the diagram;
search for the ASCII diagram blocks (the large box diagram and the additional
blocks flagged in the review) and replace their opening fences accordingly.
In `@rag-agentic-dashboard/public/governance-architectures-frameworks.html`:
- Around line 182-206: The init() function currently calls gaf() sequentially
for independent endpoints (e.g., '/kpis', '/domains', '/governance-layers',
etc.), slowing page load; refactor init() to fire these independent fetches in
parallel with Promise.all (or Promise.allSettled) by creating an array of gaf()
calls for each endpoint, await the combined promise, then destructure the
responses into variables (kpis, domains, governanceLayers, ...) and proceed to
update the DOM; preserve error handling around the combined await and handle
individual failures gracefully (fallback UI or skips) so a single failed fetch
doesn't break the whole init flow.
In `@rag-agentic-dashboard/public/kafka-acl-governance.html`:
- Around line 173-268: The init() function currently awaits load('/dashboard'),
then sequentially awaits load('/compliance-engine/pipeline'),
load('/worm-storage') and load('/auditor'); parallelize these independent calls
by invoking them together with Promise.all (e.g.
Promise.all([load('/dashboard'), load('/compliance-engine/pipeline'),
load('/worm-storage'), load('/auditor')]) and destructuring the results into d,
pipeline, worm, auditor) so DOM updates that consume those responses remain the
same; keep the existing try/catch and ensure any downstream uses still reference
the destructured variables.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 5fd36bf5-2939-4630-bc83-13d449186b83
⛔ Files ignored due to path filters (5)
artifacts/data/agi-readiness-assessment.csvis excluded by!**/*.csvartifacts/data/global-governance-components.csvis excluded by!**/*.csvartifacts/data/kafka-compliance-controls.csvis excluded by!**/*.csvartifacts/data/kafka-governance-timeline.csvis excluded by!**/*.csvartifacts/data/rollout-30-60-90.csvis excluded by!**/*.csv
📒 Files selected for processing (16)
artifacts/data/kafka-acl-matrix.jsonartifacts/policies/agent_governance_depths.regoartifacts/policies/basel_iii_model_risk.regoartifacts/policies/fair_lending_disparate_impact.regoartifacts/policies/kafka_acl_governance.regoartifacts/schemas/compute-registry.schema.jsonartifacts/schemas/evidence-bundle-manifest.schema.jsonartifacts/schemas/gaf-openapi.yamlartifacts/schemas/governance-architecture.schema.jsonartifacts/schemas/governance-event.avscartifacts/templates/kafka-governance-terraform.jsondocs/reports/AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.mddocs/reports/KAFKA_ACL_GOVERNANCE_COMPLIANCE_ENGINE.mdrag-agentic-dashboard/public/governance-architectures-frameworks.htmlrag-agentic-dashboard/public/kafka-acl-governance.htmlrag-agentic-dashboard/server.js
Comment on lines
+15
to
+22
| depths_levels := { | ||
| "L0": {"name": "Tool", "max_autonomy": "none", "requires_kill_switch": false, "requires_board_approval": false, "requires_behavioral_sidecar": false, "requires_gascf": false}, | ||
| "L1": {"name": "Assistant", "max_autonomy": "suggestion", "requires_kill_switch": true, "requires_board_approval": false, "requires_behavioral_sidecar": false, "requires_gascf": false}, | ||
| "L2": {"name": "Executor", "max_autonomy": "approved_actions", "requires_kill_switch": true, "requires_board_approval": false, "requires_behavioral_sidecar": false, "requires_gascf": false}, | ||
| "L3": {"name": "Collaborator", "max_autonomy": "independent_in_scope", "requires_kill_switch": true, "requires_board_approval": false, "requires_behavioral_sidecar": true, "requires_gascf": false}, | ||
| "L4": {"name": "Depths-class", "max_autonomy": "self_directed_in_domain", "requires_kill_switch": true, "requires_board_approval": true, "requires_behavioral_sidecar": true, "requires_gascf": true}, | ||
| "L5": {"name": "Self-multiplying", "max_autonomy": "spawn_sub_agents", "requires_kill_switch": true, "requires_board_approval": true, "requires_behavioral_sidecar": true, "requires_gascf": true} | ||
| } |
There was a problem hiding this comment.
Reject unsupported DEPTHS and autonomy values instead of failing open.
Every lookup here becomes undefined for an unrecognized string, so malformed inputs like depth_level: "L6" or observed_autonomy: "delegated_batch" bypass the deny rules instead of being rejected.
Suggested fix
+deny contains msg if {
+ valid_depth_levels := {"L0", "L1", "L2", "L3", "L4", "L5"}
+ not valid_depth_levels[input.agent.depth_level]
+ msg := sprintf(
+ "CONFIG VIOLATION: Agent '%s' has unsupported DEPTHS level '%s'.",
+ [input.agent.agent_id, input.agent.depth_level]
+ )
+}
+
+deny contains msg if {
+ valid_autonomy_levels := {"none", "suggestion", "approved_actions", "independent_in_scope", "self_directed_in_domain", "spawn_sub_agents"}
+ not valid_autonomy_levels[input.agent.observed_autonomy]
+ msg := sprintf(
+ "CONFIG VIOLATION: Agent '%s' has unsupported observed autonomy '%s'.",
+ [input.agent.agent_id, input.agent.observed_autonomy]
+ )
+}Also applies to: 36-120, 123-132
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/agent_governance_depths.rego` around lines 15 - 22, The
current depths_levels map allows lookups to return undefined for unknown
depth_level or autonomy strings, causing malformed inputs like depth_level:"L6"
or observed_autonomy:"delegated_batch" to bypass deny rules; update the policy
to perform explicit validation: add a rule that checks depth_level exists in
depths_levels (e.g., using depths_levels[depth_level]) and that
observed_autonomy is a member of the allowed autonomy set (e.g.,
["none","suggestion","approved_actions","independent_in_scope","self_directed_in_domain","spawn_sub_agents"]);
if either check fails, emit a deny/validation_error for the request (rather than
falling through), and update any places that use depths_levels or
observed_autonomy lookups to rely on these validators before using attributes
like max_autonomy or requires_kill_switch.
Comment on lines
+90
to
+95
| # BAS-010: PII handling must comply with data governance policy | ||
| pii_handling_compliant if { | ||
| input.data.pii_detected == true | ||
| input.data.pii_encrypted == true | ||
| input.data.consent_verified == true | ||
| } |
There was a problem hiding this comment.
Treat non-PII models as compliant for BAS-010.
pii_handling_compliant currently requires input.data.pii_detected == true, so models that do not process PII can never satisfy this rule. This should only enforce encryption and consent when PII is actually present.
Suggested fix
pii_handling_compliant if {
+ not input.data.pii_detected == true
+}
+
+pii_handling_compliant if {
input.data.pii_detected == true
input.data.pii_encrypted == true
input.data.consent_verified == true
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| # BAS-010: PII handling must comply with data governance policy | |
| pii_handling_compliant if { | |
| input.data.pii_detected == true | |
| input.data.pii_encrypted == true | |
| input.data.consent_verified == true | |
| } | |
| # BAS-010: PII handling must comply with data governance policy | |
| pii_handling_compliant if { | |
| not input.data.pii_detected == true | |
| } | |
| pii_handling_compliant if { | |
| input.data.pii_detected == true | |
| input.data.pii_encrypted == true | |
| input.data.consent_verified == true | |
| } |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/basel_iii_model_risk.rego` around lines 90 - 95, The rule
pii_handling_compliant currently forces input.data.pii_detected == true,
preventing non-PII models from being compliant; change the logic so models
without PII are treated compliant by allowing pii_handling_compliant when
input.data.pii_detected == false, and only enforce input.data.pii_encrypted ==
true and input.data.consent_verified == true when input.data.pii_detected ==
true (i.e., implement an OR: either no PII detected OR (PII detected AND
encrypted AND consent verified)); update the rule referencing
pii_handling_compliant, input.data.pii_detected, input.data.pii_encrypted, and
input.data.consent_verified accordingly.
Comment on lines
+148
to
+181
| # Overall Basel III compliance (all CRE sections) | ||
| basel_iii_compliant if { | ||
| model_registered | ||
| model_risk_classified | ||
| model_documentation_complete | ||
| independent_validation_complete | ||
| monitoring_active | ||
| } | ||
|
|
||
| # Compliance violations list | ||
| violations[msg] { | ||
| not model_registered | ||
| msg := "BAS-004: Model not registered in inventory (CRE 30.3)" | ||
| } | ||
|
|
||
| violations[msg] { | ||
| not model_risk_classified | ||
| msg := "BAS-005: Model risk classification missing (CRE 30.3)" | ||
| } | ||
|
|
||
| violations[msg] { | ||
| not model_documentation_complete | ||
| msg := "BAS-006: Model documentation incomplete (CRE 30.3)" | ||
| } | ||
|
|
||
| violations[msg] { | ||
| not independent_validation_complete | ||
| msg := "BAS-011: Independent validation not complete (CRE 35)" | ||
| } | ||
|
|
||
| violations[msg] { | ||
| not monitoring_active | ||
| msg := "BAS-014: Continuous monitoring not active (CRE 36)" | ||
| } |
There was a problem hiding this comment.
The composite output ignores most of the implemented controls.
basel_iii_compliant and violations only use BAS-004, BAS-005, BAS-006, BAS-011, and BAS-014. If callers rely on those exported results, failures in BAS-001, BAS-002, BAS-003, BAS-007, BAS-008, BAS-009, BAS-010, BAS-012, BAS-013, and BAS-015 never affect the decision.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/basel_iii_model_risk.rego` around lines 148 - 181, The
composite predicate basel_iii_compliant and the violations set currently only
reference a subset of controls (BAS-004, BAS-005, BAS-006, BAS-011, BAS-014);
update basel_iii_compliant to require all control predicates (e.g., include
predicates corresponding to BAS-001, BAS-002, BAS-003, BAS-007, BAS-008,
BAS-009, BAS-010, BAS-012, BAS-013, BAS-015 in addition to model_registered,
model_risk_classified, model_documentation_complete,
independent_validation_complete, monitoring_active) and extend the violations
rules to emit messages for each missing control; alternatively, create a single
canonical list of expected control predicates and iterate over it to both
compute basel_iii_compliant (all true) and generate violations[msg] for any
control predicate that is false, referencing the existing basel_iii_compliant
and violations symbols to locate where to make the changes.
Comment on lines
+33
to
+84
| # DENY: Model fails disparate impact test for any protected class | ||
| deny contains msg if { | ||
| some test in input.di_tests | ||
| test.disparate_impact < di_threshold | ||
| msg := sprintf( | ||
| "FCRA/ECOA VIOLATION: Model '%s' fails DI test for protected class '%s' — DI %.3f < threshold %.2f. Adverse action notice required per FCRA ss. 615.", | ||
| [input.model_id, test.protected_class, test.disparate_impact, di_threshold] | ||
| ) | ||
| } | ||
|
|
||
| # DENY: No DI test results provided for a credit scoring model | ||
| deny contains msg if { | ||
| input.model_type == "credit_scoring" | ||
| not input.di_tests | ||
| msg := sprintf( | ||
| "ECOA VIOLATION: Credit scoring model '%s' has no disparate impact test results. DI testing is mandatory per ECOA Reg B and EU AI Act Art. 10(2)(f).", | ||
| [input.model_id] | ||
| ) | ||
| } | ||
|
|
||
| # DENY: Missing protected class in DI tests | ||
| deny contains msg if { | ||
| input.model_type == "credit_scoring" | ||
| some pc in protected_classes | ||
| not class_tested(pc) | ||
| msg := sprintf( | ||
| "ECOA VIOLATION: Model '%s' missing DI test for protected class '%s'. All protected classes must be tested.", | ||
| [input.model_id, pc] | ||
| ) | ||
| } | ||
|
|
||
| # WARN: Model approaches DI threshold (within 5% of minimum) | ||
| warn contains msg if { | ||
| some test in input.di_tests | ||
| test.disparate_impact >= di_threshold | ||
| test.disparate_impact < (di_threshold + 0.05) | ||
| msg := sprintf( | ||
| "DI WARNING: Model '%s' protected class '%s' — DI %.3f is within 5%% of threshold. Recommend remediation.", | ||
| [input.model_id, test.protected_class, test.disparate_impact] | ||
| ) | ||
| } | ||
|
|
||
| # WARN: Model below enhanced threshold (post-2027 target) | ||
| warn contains msg if { | ||
| some test in input.di_tests | ||
| test.disparate_impact >= di_threshold | ||
| test.disparate_impact < enhanced_di_threshold | ||
| msg := sprintf( | ||
| "ENHANCED DI: Model '%s' class '%s' — DI %.3f meets minimum but below enhanced target %.2f (Q4 2027 target).", | ||
| [input.model_id, test.protected_class, test.disparate_impact, enhanced_di_threshold] | ||
| ) | ||
| } |
There was a problem hiding this comment.
Scope these DI findings to credit-scoring models.
The file description and the other deny rules make this policy credit-scoring-specific, but the threshold deny and warn rules are unscoped. Any other model carrying di_tests will get FCRA/ECOA findings even when those obligations are out of scope.
Suggested fix
deny contains msg if {
+ input.model_type == "credit_scoring"
some test in input.di_tests
test.disparate_impact < di_threshold
msg := sprintf(
@@
warn contains msg if {
+ input.model_type == "credit_scoring"
some test in input.di_tests
test.disparate_impact >= di_threshold
test.disparate_impact < (di_threshold + 0.05)
@@
warn contains msg if {
+ input.model_type == "credit_scoring"
some test in input.di_tests
test.disparate_impact >= di_threshold
test.disparate_impact < enhanced_di_threshold🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/fair_lending_disparate_impact.rego` around lines 33 - 84,
The DI deny/warn rules are not scoped to credit-scoring models and thus fire for
any input with di_tests; modify the top DENY rule and both WARN rules to require
input.model_type == "credit_scoring" (same guard used in the other deny rules
that reference input.model_type), i.e., add the condition input.model_type ==
"credit_scoring" to the rules that reference
input.di_tests/test.disparate_impact (the first deny block and the two warn
blocks) so findings only apply to credit-scoring models.
Comment on lines
+136
to
+157
| valid_consumer_group(principal, topic) if { | ||
| group := data.kafka.consumer_groups[principal] | ||
| group.topics[_] == topic | ||
| group.status == "ACTIVE" | ||
| } | ||
|
|
||
| # Validate transactional principal | ||
| valid_transaction_principal(principal, topic) if { | ||
| tx := data.kafka.transactional_ids[principal] | ||
| tx.allowed_topics[_] == topic | ||
| tx.status == "ACTIVE" | ||
| } | ||
|
|
||
| # Check principal not in block list | ||
| blocked_principal(principal) if { | ||
| data.kafka.blocked_principals[_] == principal | ||
| } | ||
|
|
||
| # Check if principal is a governance service | ||
| is_governance_principal(principal) if { | ||
| data.kafka.governance_principals[_] == principal | ||
| } |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Search for additional data files that might provide the missing data documents
echo "Searching for data files providing consumer_groups, transactional_ids, etc..."
fd -e json -e yaml . artifacts/ | xargs grep -l -E "(consumer_groups|transactional_ids|blocked_principals|cluster_admins|schema_admins|governance_principals|break_glass)" 2>/dev/null || echo "No matching data files found"
echo ""
echo "Checking if these are documented as external data requirements..."
rg -i "consumer_groups|transactional_ids|blocked_principals" docs/ --type md -C 2Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 2049
🏁 Script executed:
# First, let's look at the structure of the artifacts directory
find artifacts/ -type f \( -name "*.json" -o -name "*.yaml" -o -name "*.yml" -o -name "*.rego" \) | head -20Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 704
🏁 Script executed:
# Read the policy file to confirm all data document references
cat -n artifacts/policies/kafka_acl_governance.rego | head -200Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 9392
🏁 Script executed:
# Check if kafka-acl-matrix.json exists
find artifacts/ -name "*kafka-acl*" -o -name "*acl-matrix*"Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 123
🏁 Script executed:
# Examine the kafka-governance-terraform.json file to see if it provides data documents
cat artifacts/templates/kafka-governance-terraform.json | head -100Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 4865
🏁 Script executed:
# Check the content of kafka-acl-matrix.json to see what data it actually provides
head -50 artifacts/data/kafka-acl-matrix.jsonRepository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 2702
🏁 Script executed:
# Search for any OPA policy bundles or data loading configuration
find artifacts/ -name "*bundle*" -o -name "*data*" -o -name "*manifest*" | grep -E "\.(json|yaml|yml)$"Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 141
🏁 Script executed:
# Look for any imports or external data references in the policy files
rg "import|include" artifacts/policies/ -A 2Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 1279
🏁 Script executed:
# Check if there are any other .rego files that might define or provide data
rg "data\." artifacts/policies/ | grep -v "input\." | sort -uRepository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 1164
🏁 Script executed:
# Final check: search for any OPA data bundle files or external data loading configuration
find artifacts/ -type f \( -name "*.opa" -o -name "*bundle*" -o -name "*data*" \)
rg "data\.kafka\.(consumer_groups|cluster_admins|schema_admins|blocked_principals|governance_principals|transactional_ids)" artifacts/ || echo "No data definitions found"Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 966
🏁 Script executed:
# Check if there's any dynamic data provisioning or external references documented
rg -i "break_glass|consumer.group|transactional" artifacts/ --type json --type yaml 2>/dev/null | head -20Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 2154
Policy requires external data documents not provided in this PR.
The policy references multiple data documents that are not included:
data.kafka.consumer_groups(lines 98, 99, 137)data.kafka.transactional_ids(line 144)data.kafka.blocked_principals(line 151)data.kafka.governance_principals(line 156)data.kafka.cluster_admins(line 117)data.kafka.schema_admins(line 128)data.break_glass.sessionsanddata.break_glass.expiry_ns(lines 109, 161)
Only artifacts/data/kafka-acl-matrix.json provides data.kafka.acl_matrix. Rules K-002, K-003, K-006, K-007, K-008, K-009, K-010, K-011, K-012, and K-013 will fail at runtime when attempting to access the missing data documents. These data sources must be provisioned through OPA policy bundles, external APIs, or configuration that should be included in this PR or documented as external requirements.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/kafka_acl_governance.rego` around lines 136 - 157, The
policy references missing external data documents (data.kafka.consumer_groups,
data.kafka.transactional_ids, data.kafka.blocked_principals,
data.kafka.governance_principals, data.kafka.cluster_admins,
data.kafka.schema_admins, data.break_glass.sessions, data.break_glass.expiry_ns)
causing runtime failures; either provision these documents in the bundle (e.g.,
add JSON/YAML files under artifacts/data with the expected shapes) or make the
Rego rules defensive by guarding lookups (e.g., check data.kafka != null and
data.kafka.consumer_groups != null before iterating) and supply safe defaults
(empty maps/arrays) so rules like valid_consumer_group,
valid_transaction_principal, blocked_principal, is_governance_principal and any
rules referencing cluster_admins/schema_admins or break_glass fields do not
error when the external data is absent.
Comment on lines
+18
to
+439
| paths: | ||
| /metadata: | ||
| get: | ||
| summary: Document metadata and scope | ||
| operationId: getMetadata | ||
| tags: [Overview] | ||
| responses: | ||
| '200': | ||
| description: Document metadata | ||
| content: | ||
| application/json: | ||
| schema: | ||
| $ref: '#/components/schemas/Metadata' | ||
|
|
||
| /kpis: | ||
| get: | ||
| summary: Key performance indicators | ||
| operationId: getKPIs | ||
| tags: [Overview] | ||
| responses: | ||
| '200': | ||
| description: Array of KPI objects | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: array | ||
| items: | ||
| $ref: '#/components/schemas/KPI' | ||
|
|
||
| /domains: | ||
| get: | ||
| summary: All 7 governance domains summary | ||
| operationId: getDomains | ||
| tags: [Overview] | ||
| responses: | ||
| '200': | ||
| description: Domain summaries | ||
| content: | ||
| application/json: | ||
| schema: | ||
| type: array | ||
| items: | ||
| $ref: '#/components/schemas/DomainSummary' | ||
|
|
||
| /domains/{id}: | ||
| get: | ||
| summary: Individual domain detail | ||
| operationId: getDomainById | ||
| tags: [Overview] | ||
| parameters: | ||
| - name: id | ||
| in: path | ||
| required: true | ||
| schema: | ||
| type: string | ||
| enum: [D1, D2, D3, D4, D5, D6, D7] | ||
| responses: | ||
| '200': | ||
| description: Domain detail | ||
| '404': | ||
| description: Domain not found | ||
|
|
||
| /governance-layers: | ||
| get: | ||
| summary: 6-layer governance architecture | ||
| operationId: getGovernanceLayers | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: Governance layers | ||
|
|
||
| /accountability: | ||
| get: | ||
| summary: Accountability roles and RACI matrix | ||
| operationId: getAccountability | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: Roles and RACI | ||
|
|
||
| /policy-infrastructure: | ||
| get: | ||
| summary: OPA + Sentinel policy infrastructure | ||
| operationId: getPolicyInfrastructure | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: Policy infrastructure details | ||
|
|
||
| /policy-infrastructure/opa-groups: | ||
| get: | ||
| summary: 12 OPA policy group details | ||
| operationId: getOPAGroups | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: OPA policy groups | ||
|
|
||
| /risk-management: | ||
| get: | ||
| summary: 14-dimension risk taxonomy | ||
| operationId: getRiskManagement | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: Risk taxonomy and ARS | ||
|
|
||
| /risk-management/ars: | ||
| get: | ||
| summary: Current ARS score and breakdown | ||
| operationId: getARS | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: ARS details | ||
|
|
||
| /regulatory: | ||
| get: | ||
| summary: Multi-regime regulatory summary | ||
| operationId: getRegulatory | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: Regulatory overview | ||
|
|
||
| /regulatory/frameworks: | ||
| get: | ||
| summary: 8 regulatory frameworks detail | ||
| operationId: getRegulatoryFrameworks | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: Framework details | ||
|
|
||
| /regulatory/eu-ai-act: | ||
| get: | ||
| summary: EU AI Act implementation timeline | ||
| operationId: getEUAIAct | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: EU AI Act timeline | ||
|
|
||
| /regulatory/nist: | ||
| get: | ||
| summary: NIST AI RMF function mapping | ||
| operationId: getNIST | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: NIST mapping | ||
|
|
||
| /regulatory/iso42001: | ||
| get: | ||
| summary: ISO/IEC 42001 AIMS roadmap | ||
| operationId: getISO42001 | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: ISO 42001 roadmap | ||
|
|
||
| /regulatory/obligations: | ||
| get: | ||
| summary: Cross-regime obligation mapping | ||
| operationId: getObligations | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: Obligation mapping | ||
|
|
||
| /architectures: | ||
| get: | ||
| summary: 5 reference architecture summaries | ||
| operationId: getArchitectures | ||
| tags: [Domain 3 - Architectures] | ||
| responses: | ||
| '200': | ||
| description: Architecture list | ||
|
|
||
| /architectures/{id}: | ||
| get: | ||
| summary: Individual architecture detail | ||
| operationId: getArchitectureById | ||
| tags: [Domain 3 - Architectures] | ||
| parameters: | ||
| - name: id | ||
| in: path | ||
| required: true | ||
| schema: | ||
| type: string | ||
| enum: [ARCH-1, ARCH-2, ARCH-3, ARCH-4, ARCH-5] | ||
| responses: | ||
| '200': | ||
| description: Architecture detail | ||
| '404': | ||
| description: Architecture not found | ||
|
|
||
| /trust-stack: | ||
| get: | ||
| summary: 7-layer trust and compliance stack | ||
| operationId: getTrustStack | ||
| tags: [Domain 3 - Architectures] | ||
| responses: | ||
| '200': | ||
| description: Trust stack layers | ||
|
|
||
| /global-governance: | ||
| get: | ||
| summary: Global governance overview | ||
| operationId: getGlobalGovernance | ||
| tags: [Domain 4 - Global Governance] | ||
| responses: | ||
| '200': | ||
| description: Global governance overview | ||
|
|
||
| /global-governance/icgc: | ||
| get: | ||
| summary: ICGC structure and charter | ||
| operationId: getICGC | ||
| tags: [Domain 4 - Global Governance] | ||
| responses: | ||
| '200': | ||
| description: ICGC details | ||
|
|
||
| /global-governance/components: | ||
| get: | ||
| summary: 15 global governance components | ||
| operationId: getGlobalComponents | ||
| tags: [Domain 4 - Global Governance] | ||
| responses: | ||
| '200': | ||
| description: Global components | ||
|
|
||
| /financial-services: | ||
| get: | ||
| summary: Financial services governance overview | ||
| operationId: getFinancialServices | ||
| tags: [Domain 5 - Financial Services] | ||
| responses: | ||
| '200': | ||
| description: Financial services overview | ||
|
|
||
| /financial-services/sr117: | ||
| get: | ||
| summary: SR 11-7 model risk framework | ||
| operationId: getSR117 | ||
| tags: [Domain 5 - Financial Services] | ||
| responses: | ||
| '200': | ||
| description: SR 11-7 framework | ||
|
|
||
| /financial-services/credit-scoring: | ||
| get: | ||
| summary: Credit scoring AI governance | ||
| operationId: getCreditScoring | ||
| tags: [Domain 5 - Financial Services] | ||
| responses: | ||
| '200': | ||
| description: Credit scoring governance | ||
|
|
||
| /financial-services/fair-lending: | ||
| get: | ||
| summary: Fair lending DI compliance | ||
| operationId: getFairLending | ||
| tags: [Domain 5 - Financial Services] | ||
| responses: | ||
| '200': | ||
| description: Fair lending tests | ||
|
|
||
| /agi-safety: | ||
| get: | ||
| summary: AGI safety overview | ||
| operationId: getAGISafety | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: AGI safety summary | ||
|
|
||
| /agi-safety/evolution: | ||
| get: | ||
| summary: 10-stage AI evolution model | ||
| operationId: getEvolution | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: Evolution stages | ||
|
|
||
| /agi-safety/crp: | ||
| get: | ||
| summary: Cognitive Resonance Protocol v2.1 | ||
| operationId: getCRP | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: CRP details | ||
|
|
||
| /agi-safety/crisis-simulations: | ||
| get: | ||
| summary: Crisis simulation program (8 scenarios) | ||
| operationId: getCrisisSimulations | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: Crisis simulations | ||
|
|
||
| /agi-safety/mvags: | ||
| get: | ||
| summary: Minimum Viable AI Governance Stack | ||
| operationId: getMVAGS | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: MVAGS components | ||
|
|
||
| /agi-safety/trust-by-design: | ||
| get: | ||
| summary: 10 Trust-by-Design principles | ||
| operationId: getTrustByDesign | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: Trust principles | ||
|
|
||
| /blueprint: | ||
| get: | ||
| summary: Master blueprint overview | ||
| operationId: getBlueprint | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: Blueprint overview | ||
|
|
||
| /blueprint/sentinel: | ||
| get: | ||
| summary: Sentinel platform architecture | ||
| operationId: getSentinel | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: Sentinel architecture | ||
|
|
||
| /blueprint/agi-readiness: | ||
| get: | ||
| summary: AGI readiness layers (ARL 1-7) | ||
| operationId: getAGIReadiness | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: ARL layers | ||
|
|
||
| /blueprint/rollout: | ||
| get: | ||
| summary: 30/60/90-day rollout plan | ||
| operationId: getRollout | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: Full rollout plan | ||
|
|
||
| /blueprint/8-week-plan: | ||
| get: | ||
| summary: 8-week technical implementation plan | ||
| operationId: get8WeekPlan | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: 8-week plan | ||
|
|
||
| /investment: | ||
| get: | ||
| summary: Investment and financial summary | ||
| operationId: getInvestment | ||
| tags: [Investment & Risk] | ||
| responses: | ||
| '200': | ||
| description: Investment profile | ||
|
|
||
| /investment/risks: | ||
| get: | ||
| summary: Risk register (12 entries) | ||
| operationId: getRiskRegister | ||
| tags: [Investment & Risk] | ||
| responses: | ||
| '200': | ||
| description: Risk register | ||
|
|
||
| /metrics: | ||
| get: | ||
| summary: Consolidated metrics dashboard | ||
| operationId: getMetrics | ||
| tags: [Overview] | ||
| responses: | ||
| '200': | ||
| description: Key metrics | ||
|
|
||
| /summary: | ||
| get: | ||
| summary: Executive summary with all KPIs | ||
| operationId: getSummary | ||
| tags: [Overview] | ||
| responses: | ||
| '200': | ||
| description: Executive summary | ||
|
|
||
| /dashboard: | ||
| get: | ||
| summary: Full dashboard data payload | ||
| operationId: getDashboard | ||
| tags: [Overview] | ||
| responses: | ||
| '200': | ||
| description: Dashboard payload | ||
|
|
||
| /artifacts: | ||
| get: | ||
| summary: Machine-readable artifact catalog | ||
| operationId: getArtifacts | ||
| tags: [Artifacts] | ||
| responses: | ||
| '200': | ||
| description: Artifact catalog | ||
|
|
There was a problem hiding this comment.
Thirteen documented routes are missing from paths.
Appendix B in docs/reports/AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.md:837-895 lists 56 routes, but this file only defines 43. Missing routes include /data-infrastructure, /dev-deploy, /dev-deploy/gates, /monitoring, /trust-stack/model-registry, /trust-stack/cicd-gates, /global-governance/compute-registry, /global-governance/sentinel-integration, /financial-services/earl, /blueprint/global-compute, and the three rollout detail routes.
🧰 Tools
🪛 Checkov (3.2.510)
[medium] 43-48: Ensure that arrays have a maximum number of items
(CKV_OPENAPI_21)
🪛 GitHub Check: Codacy Static Code Analysis
[warning] 43-43: artifacts/schemas/gaf-openapi.yaml#L43
Ensure that arrays have a maximum number of items
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/schemas/gaf-openapi.yaml` around lines 18 - 439, The OpenAPI paths
list is missing 13 routes referenced in Appendix B; add entries for the missing
endpoints (e.g. /data-infrastructure, /dev-deploy, /dev-deploy/gates,
/monitoring, /trust-stack/model-registry, /trust-stack/cicd-gates,
/global-governance/compute-registry, /global-governance/sentinel-integration,
/financial-services/earl, /blueprint/global-compute and the three rollout detail
routes) by creating corresponding GET operations with sensible operationId names
(e.g. getDataInfrastructure, getDevDeploy, getDevDeployGates, getMonitoring,
getModelRegistry, getCICDGates, getComputeRegistry, getSentinelIntegration,
getEARL, getGlobalCompute, getRolloutDetailX), appropriate tags (matching their
domains like Domain 3, Domain 4, Domain 5, Domain 7 or Investment & Risk), brief
summary strings, and a '200' response with a description (and JSON schema refs
where applicable); consult Appendix B
(docs/reports/AGI_ASI_GOVERNANCE_ARCHITECTURES_FRAMEWORKS.md:837-895) to copy
exact route names, summaries and response schemas to ensure parity with the
documented 56 routes.
Comment on lines
+80
to
+439
| /governance-layers: | ||
| get: | ||
| summary: 6-layer governance architecture | ||
| operationId: getGovernanceLayers | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: Governance layers | ||
|
|
||
| /accountability: | ||
| get: | ||
| summary: Accountability roles and RACI matrix | ||
| operationId: getAccountability | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: Roles and RACI | ||
|
|
||
| /policy-infrastructure: | ||
| get: | ||
| summary: OPA + Sentinel policy infrastructure | ||
| operationId: getPolicyInfrastructure | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: Policy infrastructure details | ||
|
|
||
| /policy-infrastructure/opa-groups: | ||
| get: | ||
| summary: 12 OPA policy group details | ||
| operationId: getOPAGroups | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: OPA policy groups | ||
|
|
||
| /risk-management: | ||
| get: | ||
| summary: 14-dimension risk taxonomy | ||
| operationId: getRiskManagement | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: Risk taxonomy and ARS | ||
|
|
||
| /risk-management/ars: | ||
| get: | ||
| summary: Current ARS score and breakdown | ||
| operationId: getARS | ||
| tags: [Domain 1 - Enterprise Governance] | ||
| responses: | ||
| '200': | ||
| description: ARS details | ||
|
|
||
| /regulatory: | ||
| get: | ||
| summary: Multi-regime regulatory summary | ||
| operationId: getRegulatory | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: Regulatory overview | ||
|
|
||
| /regulatory/frameworks: | ||
| get: | ||
| summary: 8 regulatory frameworks detail | ||
| operationId: getRegulatoryFrameworks | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: Framework details | ||
|
|
||
| /regulatory/eu-ai-act: | ||
| get: | ||
| summary: EU AI Act implementation timeline | ||
| operationId: getEUAIAct | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: EU AI Act timeline | ||
|
|
||
| /regulatory/nist: | ||
| get: | ||
| summary: NIST AI RMF function mapping | ||
| operationId: getNIST | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: NIST mapping | ||
|
|
||
| /regulatory/iso42001: | ||
| get: | ||
| summary: ISO/IEC 42001 AIMS roadmap | ||
| operationId: getISO42001 | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: ISO 42001 roadmap | ||
|
|
||
| /regulatory/obligations: | ||
| get: | ||
| summary: Cross-regime obligation mapping | ||
| operationId: getObligations | ||
| tags: [Domain 2 - Regulatory] | ||
| responses: | ||
| '200': | ||
| description: Obligation mapping | ||
|
|
||
| /architectures: | ||
| get: | ||
| summary: 5 reference architecture summaries | ||
| operationId: getArchitectures | ||
| tags: [Domain 3 - Architectures] | ||
| responses: | ||
| '200': | ||
| description: Architecture list | ||
|
|
||
| /architectures/{id}: | ||
| get: | ||
| summary: Individual architecture detail | ||
| operationId: getArchitectureById | ||
| tags: [Domain 3 - Architectures] | ||
| parameters: | ||
| - name: id | ||
| in: path | ||
| required: true | ||
| schema: | ||
| type: string | ||
| enum: [ARCH-1, ARCH-2, ARCH-3, ARCH-4, ARCH-5] | ||
| responses: | ||
| '200': | ||
| description: Architecture detail | ||
| '404': | ||
| description: Architecture not found | ||
|
|
||
| /trust-stack: | ||
| get: | ||
| summary: 7-layer trust and compliance stack | ||
| operationId: getTrustStack | ||
| tags: [Domain 3 - Architectures] | ||
| responses: | ||
| '200': | ||
| description: Trust stack layers | ||
|
|
||
| /global-governance: | ||
| get: | ||
| summary: Global governance overview | ||
| operationId: getGlobalGovernance | ||
| tags: [Domain 4 - Global Governance] | ||
| responses: | ||
| '200': | ||
| description: Global governance overview | ||
|
|
||
| /global-governance/icgc: | ||
| get: | ||
| summary: ICGC structure and charter | ||
| operationId: getICGC | ||
| tags: [Domain 4 - Global Governance] | ||
| responses: | ||
| '200': | ||
| description: ICGC details | ||
|
|
||
| /global-governance/components: | ||
| get: | ||
| summary: 15 global governance components | ||
| operationId: getGlobalComponents | ||
| tags: [Domain 4 - Global Governance] | ||
| responses: | ||
| '200': | ||
| description: Global components | ||
|
|
||
| /financial-services: | ||
| get: | ||
| summary: Financial services governance overview | ||
| operationId: getFinancialServices | ||
| tags: [Domain 5 - Financial Services] | ||
| responses: | ||
| '200': | ||
| description: Financial services overview | ||
|
|
||
| /financial-services/sr117: | ||
| get: | ||
| summary: SR 11-7 model risk framework | ||
| operationId: getSR117 | ||
| tags: [Domain 5 - Financial Services] | ||
| responses: | ||
| '200': | ||
| description: SR 11-7 framework | ||
|
|
||
| /financial-services/credit-scoring: | ||
| get: | ||
| summary: Credit scoring AI governance | ||
| operationId: getCreditScoring | ||
| tags: [Domain 5 - Financial Services] | ||
| responses: | ||
| '200': | ||
| description: Credit scoring governance | ||
|
|
||
| /financial-services/fair-lending: | ||
| get: | ||
| summary: Fair lending DI compliance | ||
| operationId: getFairLending | ||
| tags: [Domain 5 - Financial Services] | ||
| responses: | ||
| '200': | ||
| description: Fair lending tests | ||
|
|
||
| /agi-safety: | ||
| get: | ||
| summary: AGI safety overview | ||
| operationId: getAGISafety | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: AGI safety summary | ||
|
|
||
| /agi-safety/evolution: | ||
| get: | ||
| summary: 10-stage AI evolution model | ||
| operationId: getEvolution | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: Evolution stages | ||
|
|
||
| /agi-safety/crp: | ||
| get: | ||
| summary: Cognitive Resonance Protocol v2.1 | ||
| operationId: getCRP | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: CRP details | ||
|
|
||
| /agi-safety/crisis-simulations: | ||
| get: | ||
| summary: Crisis simulation program (8 scenarios) | ||
| operationId: getCrisisSimulations | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: Crisis simulations | ||
|
|
||
| /agi-safety/mvags: | ||
| get: | ||
| summary: Minimum Viable AI Governance Stack | ||
| operationId: getMVAGS | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: MVAGS components | ||
|
|
||
| /agi-safety/trust-by-design: | ||
| get: | ||
| summary: 10 Trust-by-Design principles | ||
| operationId: getTrustByDesign | ||
| tags: [Domain 6 - AGI Safety] | ||
| responses: | ||
| '200': | ||
| description: Trust principles | ||
|
|
||
| /blueprint: | ||
| get: | ||
| summary: Master blueprint overview | ||
| operationId: getBlueprint | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: Blueprint overview | ||
|
|
||
| /blueprint/sentinel: | ||
| get: | ||
| summary: Sentinel platform architecture | ||
| operationId: getSentinel | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: Sentinel architecture | ||
|
|
||
| /blueprint/agi-readiness: | ||
| get: | ||
| summary: AGI readiness layers (ARL 1-7) | ||
| operationId: getAGIReadiness | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: ARL layers | ||
|
|
||
| /blueprint/rollout: | ||
| get: | ||
| summary: 30/60/90-day rollout plan | ||
| operationId: getRollout | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: Full rollout plan | ||
|
|
||
| /blueprint/8-week-plan: | ||
| get: | ||
| summary: 8-week technical implementation plan | ||
| operationId: get8WeekPlan | ||
| tags: [Domain 7 - Blueprint] | ||
| responses: | ||
| '200': | ||
| description: 8-week plan | ||
|
|
||
| /investment: | ||
| get: | ||
| summary: Investment and financial summary | ||
| operationId: getInvestment | ||
| tags: [Investment & Risk] | ||
| responses: | ||
| '200': | ||
| description: Investment profile | ||
|
|
||
| /investment/risks: | ||
| get: | ||
| summary: Risk register (12 entries) | ||
| operationId: getRiskRegister | ||
| tags: [Investment & Risk] | ||
| responses: | ||
| '200': | ||
| description: Risk register | ||
|
|
||
| /metrics: | ||
| get: | ||
| summary: Consolidated metrics dashboard | ||
| operationId: getMetrics | ||
| tags: [Overview] | ||
| responses: | ||
| '200': | ||
| description: Key metrics | ||
|
|
||
| /summary: | ||
| get: | ||
| summary: Executive summary with all KPIs | ||
| operationId: getSummary | ||
| tags: [Overview] | ||
| responses: | ||
| '200': | ||
| description: Executive summary | ||
|
|
||
| /dashboard: | ||
| get: | ||
| summary: Full dashboard data payload | ||
| operationId: getDashboard | ||
| tags: [Overview] | ||
| responses: | ||
| '200': | ||
| description: Dashboard payload | ||
|
|
||
| /artifacts: | ||
| get: | ||
| summary: Machine-readable artifact catalog | ||
| operationId: getArtifacts | ||
| tags: [Artifacts] | ||
| responses: | ||
| '200': | ||
| description: Artifact catalog | ||
|
|
There was a problem hiding this comment.
Most detail endpoints still do not describe a response body.
Only Metadata, KPI, and DomainSummary have concrete response schemas. The rest of the 200 responses stop at a description, so codegen and contract validation have no usable payload contract for most detail endpoints.
Also applies to: 440-485
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/schemas/gaf-openapi.yaml` around lines 80 - 439, Many GET
operations (e.g., operationId getGovernanceLayers, getAccountability,
getPolicyInfrastructure, getOPAGroups, getRiskManagement, getARS, getRegulatory,
getArchitectures, getArchitectureById, getTrustStack, getGlobalGovernance,
getICGC, getGlobalComponents, getFinancialServices, getSR117, getCreditScoring,
getFairLending, getAGISafety, getEvolution, getCRP, getCrisisSimulations,
getMVAGS, getTrustByDesign, getBlueprint, getSentinel, getAGIReadiness,
getRollout, get8WeekPlan, getInvestment, getRiskRegister, getMetrics,
getSummary, getDashboard, getArtifacts) only have descriptions for 200 responses
and lack response bodies; update each 200 response to include a
content/application/json schema ($ref) to the appropriate component schema
(create component schemas if missing) so codegen and contract validation can use
concrete payload contracts — map each operationId to a clear component like
GovernanceLayers, Accountability, PolicyInfrastructure, OPAGroups,
RiskManagement, ARS, Regulatory, RegulatoryFrameworks, EUAIAct, NIST, ISO42001,
Obligations, Architectures, Architecture (for getArchitectureById), TrustStack,
GlobalGovernance, ICGC, GlobalComponents, FinancialServices, SR117,
CreditScoring, FairLending, AGISafety, Evolution, CRP, CrisisSimulations, MVAGS,
TrustByDesign, Blueprint, Sentinel, AGIReadiness, RolloutPlan (8WeekPlan),
InvestmentProfile, RiskRegister, Metrics, Summary, DashboardPayload,
ArtifactsCatalog and reference them under
responses.'200'.content.'application/json'.schema.$ref.
Comment on lines
+108
to
+112
| "name": "userId", | ||
| "type": ["null", "string"], | ||
| "default": null, | ||
| "doc": "User identifier (if human-initiated event)" | ||
| }, |
There was a problem hiding this comment.
Avoid raw user identifiers in telemetry payloads.
Line 111 allows direct userId capture in a cross-domain governance event stream. This increases PII exposure and retention risk; prefer a pseudonymous subject key (or hashed ID with controlled salt rotation) for default schema fields.
Proposed schema hardening
{
- "name": "userId",
+ "name": "userRef",
"type": ["null", "string"],
"default": null,
- "doc": "User identifier (if human-initiated event)"
+ "doc": "Pseudonymous user reference (if human-initiated event); do not store raw PII identifiers"
},📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| "name": "userId", | |
| "type": ["null", "string"], | |
| "default": null, | |
| "doc": "User identifier (if human-initiated event)" | |
| }, | |
| "name": "userRef", | |
| "type": ["null", "string"], | |
| "default": null, | |
| "doc": "Pseudonymous user reference (if human-initiated event); do not store raw PII identifiers" | |
| }, |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/schemas/governance-event.avsc` around lines 108 - 112, The schema
currently exposes a raw user identifier via the "userId" field; change this to a
pseudonymous subject field (e.g., rename "userId" to "subjectKey") and update
its docstring to require a non-reversible pseudonymous value (hashed ID with
controlled salt rotation or synthetic subject key) instead of plain PII, keep
the type as ["null","string"] with default null, and ensure any downstream
producers/consumers use the hashed/pseudonymous value rather than direct user
identifiers.
Comment on lines
+204
to
+206
| document.getElementById('kpiBar').innerHTML = kpis.slice(0, 8).map(k => | ||
| `<div class="kpi"><div class="val">${k.current}</div><div class="lbl">${k.name}</div></div>` | ||
| ).join(''); |
There was a problem hiding this comment.
Potential XSS risk when rendering API data via innerHTML.
The code inserts API response data directly into the DOM using innerHTML without sanitization. If the API returns malicious content (e.g., <script> tags or event handlers in string fields like k.name, d.name, f.name, etc.), this could lead to XSS attacks.
Consider escaping HTML entities or using textContent where possible.
🛡️ Proposed fix: Add HTML escaping utility
+function escapeHtml(str) {
+ const div = document.createElement('div');
+ div.textContent = str;
+ return div.innerHTML;
+}
+
async function init() {
try {
// KPIs
const kpis = await gaf('/kpis');
document.getElementById('kpiBar').innerHTML = kpis.slice(0, 8).map(k =>
- `<div class="kpi"><div class="val">${k.current}</div><div class="lbl">${k.name}</div></div>`
+ `<div class="kpi"><div class="val">${escapeHtml(k.current)}</div><div class="lbl">${escapeHtml(k.name)}</div></div>`
).join('');Apply similar escaping to all other template literals that render API data.
Also applies to: 210-212, 216-218, 229-231, 253-255, 259-261, 307-309
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@rag-agentic-dashboard/public/governance-architectures-frameworks.html` around
lines 204 - 206, The rendered KPI/dashboard templates currently inject API
strings directly into innerHTML (e.g.,
document.getElementById('kpiBar').innerHTML with k.current and k.name), creating
an XSS risk; fix it by introducing a small HTML-escaping utility (escapeHtml)
and apply it to all interpolated API fields (k.name, k.current, d.name, f.name,
etc.) or, preferably, build DOM nodes and set their textContent instead of using
innerHTML; update all template constructions that render API data to use the
sanitizer or DOM creation approach so no raw API strings are inserted unescaped.
Comment on lines
+164
to
+171
| <script> | ||
| const API = '/api/kafka-acl-governance'; | ||
| async function load(path) { const r = await fetch(API + path); return r.json(); } | ||
|
|
||
| function badge(status) { | ||
| const cls = status === 'EXCEEDING' ? 'green' : status === 'MEETING' ? 'blue' : status === 'ACTIVE' ? 'green' : status === 'HIGH' ? 'red' : status === 'MEDIUM' ? 'amber' : status === 'LOW' ? 'green' : status === 'MITIGATING' ? 'amber' : 'blue'; | ||
| return `<span class="badge badge-${cls}">${status}</span>`; | ||
| } |
There was a problem hiding this comment.
Same fetch helper and XSS concerns as the other dashboard.
The load() helper lacks response status checking, and innerHTML usage throughout risks XSS if API data contains malicious content. The same fixes recommended for governance-architectures-frameworks.html apply here.
🛡️ Proposed fix
-async function load(path) { const r = await fetch(API + path); return r.json(); }
+async function load(path) {
+ const r = await fetch(API + path);
+ if (!r.ok) throw new Error(`API error: ${r.status}`);
+ return r.json();
+}
+
+function escapeHtml(str) {
+ if (str == null) return '';
+ const div = document.createElement('div');
+ div.textContent = String(str);
+ return div.innerHTML;
+}Then apply escapeHtml() to all user-facing data rendered via template literals.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| <script> | |
| const API = '/api/kafka-acl-governance'; | |
| async function load(path) { const r = await fetch(API + path); return r.json(); } | |
| function badge(status) { | |
| const cls = status === 'EXCEEDING' ? 'green' : status === 'MEETING' ? 'blue' : status === 'ACTIVE' ? 'green' : status === 'HIGH' ? 'red' : status === 'MEDIUM' ? 'amber' : status === 'LOW' ? 'green' : status === 'MITIGATING' ? 'amber' : 'blue'; | |
| return `<span class="badge badge-${cls}">${status}</span>`; | |
| } | |
| <script> | |
| const API = '/api/kafka-acl-governance'; | |
| async function load(path) { | |
| const r = await fetch(API + path); | |
| if (!r.ok) throw new Error(`API error: ${r.status}`); | |
| return r.json(); | |
| } | |
| function escapeHtml(str) { | |
| if (str == null) return ''; | |
| const div = document.createElement('div'); | |
| div.textContent = String(str); | |
| return div.innerHTML; | |
| } | |
| function badge(status) { | |
| const cls = status === 'EXCEEDING' ? 'green' : status === 'MEETING' ? 'blue' : status === 'ACTIVE' ? 'green' : status === 'HIGH' ? 'red' : status === 'MEDIUM' ? 'amber' : status === 'LOW' ? 'green' : status === 'MITIGATING' ? 'amber' : 'blue'; | |
| return `<span class="badge badge-${cls}">${status}</span>`; | |
| } |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@rag-agentic-dashboard/public/kafka-acl-governance.html` around lines 164 -
171, The load() helper and inline HTML rendering are unsafe: update load() (the
function named load and the API constant API) to check the fetch response (use
response.ok or status) and throw or return a clear error for non-2xx responses
before calling response.json(); remove or sanitize direct innerHTML usage and
apply an HTML-escaping helper (e.g., escapeHtml) to any user/API-derived values
used inside template literals in badge() and all other render templates or,
better, set textContent or create DOM nodes instead of assigning innerHTML to
eliminate XSS vectors.
Micro-Learning Topic: Missing global error handler (Detected by phrase)Matched on "Missing error handling"ASP.NET applications should not set the 'customError' mode to "off" without providing a global error handler, otherwise they may leak exception information. Try a challenge in Secure Code Warrior |
… + AGI/ASI Governance Architectures
Two major governance deliverables for G-SIFI institutions:
=== KACG-GSIFI-WP-017: Kafka ACL Governance & Continuous Compliance Engine ===
Production-grade Kafka ACL governance with cryptographic evidence signing,
WORM S3 archival, OPA policy-as-code, and auditor workflows.
New in this commit:
- 62 API endpoints under /api/kafka-acl-governance/*
- 1,353-line technical report (docs/reports/KAFKA_ACL_GOVERNANCE_COMPLIANCE_ENGINE.md)
- Interactive dashboard (kafka-acl-governance.html)
- 20 machine-readable artifacts:
* 8 OPA Rego policies (214 total rules) covering:
- Kafka ACL (34 rules), Basel III (28), EU AI Act Kafka (28),
- NIST AI RMF (38), ISO 42001 AIMS (32), GDPR (26),
- SR 11-7, Fair Lending/FCRA/ECOA
* OpenAPI 3.1 specification (kacg-openapi.yaml)
* WORM evidence storage JSON Schema
* Avro governance event schema
* Evidence bundle manifest schema
* Kafka ACL matrix (12 topics, JSON)
* Compliance controls CSV, timeline CSV, evidence bundles CSV
* Terraform IaC config (8 modules, 144 resources)
* GitHub Actions 5-gate CI/CD governance workflow
* Governance verification CLI (verify/sign/chain/retention/audit)
* Drift detection config (6 detectors: TF/Kafka/OPA/WORM/Schema/mTLS)
=== GAF-GSIFI-WP-017: AGI/ASI Governance Architectures & Frameworks ===
Comprehensive 7-domain implementation reference for enterprise through
civilizational-scale AI governance (2026-2030).
- 56 API endpoints under /api/governance-architectures-frameworks/*
- Interactive dashboard, OpenAPI spec, and supporting schemas
Regulatory Alignment: EU AI Act, NIST AI RMF, ISO/IEC 42001, Basel III,
SR 11-7, GDPR, FCRA/ECOA, OECD AI Principles
Regression: 82/82 KACG endpoints PASS, all prior endpoints verified
…rstuff/OneFineStarstuff.github.io into genspark_ai_developer
|
View changes in DiffLens |
genspark-ai-developer
bot
changed the title
|
View changes in DiffLens |
1 similar comment
|
View changes in DiffLens |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8fd6b04468
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
+359
to
+361
| --terraform-plan terraform/governance.tfplan \ | ||
| --opa-results evidence/opa-results.json \ | ||
| --security-scan evidence/security-scan.json \ |
There was a problem hiding this comment.
Gate 5 invokes generate-evidence-bundle.py with --terraform-plan terraform/governance.tfplan, --opa-results evidence/opa-results.json, and --security-scan evidence/security-scan.json, but this workflow never creates/downloads those files in this job (and jobs run on isolated runners). As written, the evidence-generation step will hit file-not-found and block the pipeline before signing/deploy; add artifact upload/download (or regenerate inputs in Gate 5) so these paths are guaranteed to exist.
Useful? React with 👍 / 👎.
Comment on lines
+104
to
+107
| type: object | ||
| properties: | ||
| kpis: | ||
| type: array |
There was a problem hiding this comment.
The OpenAPI spec defines /kpis as an object containing a kpis array, but the implemented route returns a bare array (res.json(KACG.kpis) in server.js). This contract mismatch will break generated clients/validators that deserialize according to the published schema; update the schema (or the handler) so both sides use the same top-level shape.
Useful? React with 👍 / 👎.
Comment on lines
+263
to
+264
| if prev_hash and bundle.get("previousBundleHash"): | ||
| if bundle["previousBundleHash"] != prev_hash: |
There was a problem hiding this comment.
In chain verification, hash linkage is only checked when previousBundleHash is present, so any non-initial bundle can omit that field and still pass with chain_continuity reported as PASS. Because this tool is supposed to detect gaps/tampering in evidence history, a missing previous-hash reference after the first bundle should be a failure, not silently accepted.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Actionable comments posted: 17
🧹 Nitpick comments (1)
artifacts/policies/nist_ai_rmf_govern.rego (1)
1-8: Package path does not mirror directory structure.The package is declared as
compliance.nist_ai_rmfbut the file resides atartifacts/policies/. Per OPA conventions flagged by Regal, the directory structure should mirror the package namespace (e.g.,compliance/nist_ai_rmf/govern.rego).This is a linting/organizational concern that affects bundle management and policy discovery in larger OPA deployments.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@artifacts/policies/nist_ai_rmf_govern.rego` around lines 1 - 8, The package declaration "package compliance.nist_ai_rmf" in artifacts/policies/nist_ai_rmf_govern.rego does not mirror the file path; either move this file into a directory tree matching the package (e.g., create directories compliance/nist_ai_rmf/ and rename/move the file to compliance/nist_ai_rmf/govern.rego) or change the package declaration to reflect the current location; ensure the package name and directory structure are consistent so OPA/Regal bundle discovery finds the policy.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@artifacts/policies/eu_ai_act_kafka_enforcement.rego`:
- Around line 289-293: The rule kafka_acl_enforcement currently only checks
boolean flags in input.kafkaConfig; update it to also verify the actual ACL
state by asserting entries exist in the ACL matrix (data.kafka.acl_matrix) for
each governed topic: keep the existing flag checks
(input.kafkaConfig.aclEnforcementEnabled, opaAuthorizerDeployed, defaultDeny)
and add a predicate that iterates over the governed topics (e.g., for each topic
in data.kafka.acl_matrix) and ensures required produce/consume ACL entries exist
(matching the canonical model used in
artifacts/policies/kafka_acl_governance.rego), failing kafka_acl_enforcement
when any governed topic lacks the expected ACL entries.
- Line 9: The package declaration "package compliance.eu_ai_act.kafka" does not
match the file's repository location; fix by making the package and file
location consistent: either move the Rego file into a directory hierarchy that
matches the package (compliance/eu_ai_act/kafka/) so the package declaration
remains "package compliance.eu_ai_act.kafka", or change the package line to
reflect the file's current location (adjust the package name to the directory
namespace used in your repo). Ensure the package token "package
compliance.eu_ai_act.kafka" is updated or the file relocated so Regal idiomatic
package-to-directory conventions are satisfied.
- Around line 271-285: The rule kafka_governance_topics currently checks a
hardcoded 7-topic set against input.kafkaTopics causing false passes; instead
derive the required topic names from the canonical list in
artifacts/data/kafka-acl-matrix.json and use that set for validation. Update the
rule to load the canonical ACL matrix (e.g., data["kafka-acl-matrix"] or similar
data ref) to produce required_topics, then iterate every t in required_topics
and assert some topic in input.kafkaTopics with topic.name == t; ensure
kafka_governance_topics uses that dynamically derived set so missing topics like
ai.agent.telemetry, ai.model.promotions, ai.consent.changes,
ai.erasure.requests, and ai.sentinel.evaluations are caught.
In `@artifacts/policies/gdpr_ai_data_protection.rego`:
- Around line 17-22: The art_5_1a_lawful_processing rule currently requires
processing.transparencyNotice == true but art_13_transparency treats
transparencyNotice as an object, causing valid Art.13 payloads to fail; update
art_5_1a_lawful_processing to accept either a boolean true or an object shape by
replacing the strict equality check with a presence/shape test (e.g., require
processing.transparencyNotice to be defined and either equals true or is an
object with the expected nested fields), and similarly adjust the other rule(s)
referenced around lines 72-80 to use presence/shape checks instead of == true so
both boolean and structured transparencyNotice representations are supported;
reference the art_5_1a_lawful_processing and art_13_transparency rule names when
making the change.
- Around line 208-218: The gdpr_compliance_summary object is hard-coded and
drifts from the module; replace it with a computed summary built from the actual
predicates/metadata: compute totalRules using count of the rule set (e.g.,
totalRules := count({r | <predicate identifying each boolean check>})), compute
kafkaSpecificRules similarly by filtering rules that mention Kafka or
kafka/topic metadata, derive erasureTopicEnabled and consentTopicEnabled by
checking whether any rule or metadata references the erasure or consent topics
(e.g., erasureTopicEnabled := count({r | rule_has_topic(r, "erasure")}) > 0),
and populate articlesTargeted and piiDetectionThreshold from the actual metadata
fields on rules; update the gdpr_compliance_summary binding to use these
computed values (refer to gdpr_compliance_summary, totalRules,
erasureTopicEnabled, consentTopicEnabled and any helpers like rule_has_topic or
the rule predicate names) so the summary always reflects the module state.
In `@artifacts/policies/iso42001_aims_governance.rego`:
- Around line 319-328: The exported certification_readiness object is hardcoded;
replace the constants with derived values: compute totalClauses,
totalAnnexControls, totalRules, and kafkaSpecificRules by counting the
respective clause/annex/rule predicate sets used elsewhere in this rego, and set
evidenceStorageVerification and wormCompliance by evaluating the corresponding
predicates (e.g., evidence_storage_verified/1 or worm_compliance_verified) or
boolean expressions that reflect actual policy results; update
certification_readiness to construct its fields from these computed counts and
predicate outcomes instead of the current literal values so the summary always
reflects real evaluation results.
- Around line 262-271: The rule annex_a_6_1_3_access_controls is only reading
self-attested booleans from input.aiSystem.accessControls and must either be
bound to the authoritative Kafka governance state or be renamed to a posture
attestation; update the rule to consult the canonical Kafka governance structure
used by artifacts/policies/kafka_acl_governance.rego (e.g., check a canonical
symbol such as data.kafka.aclMatrix or the exported predicate from
kafka_acl_governance.rego like kafka_acl_enforced/0) instead of just
acl.kafkaAclEnabled, acl.opaAuthorizerDeployed, acl.spiffeIdentity,
acl.breakGlassProtocol and acl.auditTrailEnabled, or alternatively rename
annex_a_6_1_3_access_controls (and its documentation) to indicate it is a
self-attestation check rather than enforcement verification.
In `@artifacts/policies/nist_ai_rmf_govern.rego`:
- Around line 10-11: The policy uses the Rego `every` keyword but the imports
only include `future.keywords.in` and `future.keywords.if`, causing runtime
failure; add an import for the `every` future keyword (e.g., import
future.keywords.every) alongside the existing imports so the `every` construct
used later in the file is recognized by OPA.
- Around line 379-387: The summary object nist_compliance_summary is wrong:
totalRules is hardcoded to 38 and MEASURE/MANAGE scores are missing. Add the
same counting logic used for GOVERN and MAP to compute measure_pass_count,
measure_total, manage_pass_count, and manage_total (mirror the existing GOV/MAP
counters), include measureScore and manageScore fields in
nist_compliance_summary using sprintf like the others, and set totalRules to 34
so the summary reflects the actual rule counts; ensure you use the existing
symbols govern_pass_count, govern_total, map_pass_count, map_total, and the
newly created measure_pass_count, measure_total, manage_pass_count, manage_total
when constructing the summary.
In `@artifacts/schemas/kacg-openapi.yaml`:
- Around line 1-1383: The OpenAPI document is missing components.securitySchemes
and security requirements so all endpoints are effectively public; add a
components.securitySchemes entry (e.g., bearerAuth or oauth2) and then apply a
global security requirement (security: [{ bearerAuth: [] }]) at the root of the
document, and explicitly mark truly public operations with operation-level
overrides security: [] (for example operationId: getDashboard, getSummary,
getArtifacts and any other dashboard/read-only endpoints). Update protected
operation objects (e.g., getFullReference, getMetadata, getCluster,
getAclGovernance, getOpaFramework, etc.) to inherit the global security or add
operation-level security arrays where needed so generated clients and gateways
will require authentication.
In `@artifacts/schemas/worm-evidence-storage.schema.json`:
- Around line 251-299: The ACL item schemas for readAccess, writeAccess, and
auditAccess allow empty objects because none of the properties are required;
update the item schemas for "readAccess" (require "role" and "scope" and
"mfaRequired" as appropriate), "writeAccess" (require "role" and "appendOnly"
and "sourceValidation", and keep appendOnly as const true), and "auditAccess"
(require "role" and "accessType" and "sessionDurationMinutes" or
"requiresApproval" as applicable) by adding a "required" array for each item
object so malformed/omitted fields like role, appendOnly, sourceValidation, and
accessType are rejected by validation.
- Around line 70-90: The replication object can validate with enabled=true while
missing critical fields; add a JSON Schema conditional on the replication
object: include an "if" that checks {"properties": {"enabled": {"const": true}}}
and a corresponding "then" that sets "required": ["destinationRegion",
"destinationBucket", "replicateObjectLock"] so when replication.enabled is true
those three fields must be present (note: keep the existing properties and the
replicateObjectLock const:true but make it required in the then block).
- Around line 14-28: The schema currently advertises multiple providers via the
"provider" enum but only models AWS/S3 fields (bucket, region, objectLockMode,
algorithm/kmsKeyId) and leaves aws:kms semantics underconstrained; update the
JSON Schema to add provider-specific conditional branches using "if": {
"properties": { "provider": { "const": "AWS_S3" } } } / "then": { ... } and
analogous "if/then" blocks for "AZURE_IMMUTABLE" and "GCS_RETENTION" so each
branch requires and documents the correct fields and enums (e.g., AWS branch
requires "bucket", "region", enforces S3 naming "pattern", and makes "kmsKeyId"
required when "algorithm" is "aws:kms"; Azure branch requires Azure-specific
fields and names; GCS branch requires GCS-specific fields and names). Ensure
common top-level "provider" enum remains, move provider-specific descriptions
into their respective "then" blocks, and add a nested conditional in the AWS
branch to require "kmsKeyId" when "algorithm" == "aws:kms" to enforce KMS ARN
semantics.
In `@artifacts/templates/governance-verify-cli.py`:
- Around line 100-115: The CLI currently enforces a hardcoded required_fields
list (required_fields) that expects top-level docRef and timestamp in bundle and
causes false failures; replace this with schema-driven validation by loading
artifacts/schemas/evidence-bundle-manifest.schema.json and using its "required"
array (or jsonschema.validate) to determine missing fields for bundle, then
update the result["checks"] entry ("required_fields") accordingly; also remove
any parallel checks or serialization that assume top-level docRef/timestamp
(e.g., places that set audit_report fields to None) so they follow the schema
(notably the duplicate check at the other section referenced).
- Around line 290-335: The verify_retention function is currently only echoing
hardcoded policy metadata and never reads bundle_path; update verify_retention
to open and parse the evidence bundle at bundle_path, validate the bundle exists
and extract its retention/creation/expiry fields (e.g., timestamps or
retention_days) and compute the actual retention age in days, then compare that
value against a single authoritative policy table (do not duplicate
retention_policies—import or load the canonical mapping used by the
system/schema, mapping schema keys like SR_11_7/GDPR_ART_30 to the internal
keys), and for each policy (use the function verify_retention, variable
retention_policies/policies) set each check's status to PASS or FAIL with a
clear detail message and adjust result["status"] to FAIL if any required
retention is not met; also handle missing bundle or missing timestamps as FAIL
with appropriate error details in result["checks"].
- Around line 216-287: verify_chain currently hashes the file path and only
looks for a top-level previousBundleHash (and skips missing links), and it
ignores start_date/end_date; update verify_chain to (1) compute the hash of the
bundle contents (e.g., pass the file bytes or the loaded bundle dict into
compute_sha256) instead of compute_sha256(str(bundle_path)), (2) read the link
from the nested path hashChain.previousBundleHash (fall back to
bundle.get("previousBundleHash") only if schema allows) and treat a missing
previous link when prev_hash exists as a gap (mark FAIL and append to
result["gaps"]), and (3) apply start_date/end_date by parsing each bundle's
timestamp (e.g., bundle["manifest"]["createdAt"] or the schema field that
records creation time) and skip bundles outside the range before verifying
continuity; adjust references to verify_chain, compute_sha256, bundles,
previousBundleHash, hashChain.previousBundleHash, start_date, and end_date
accordingly.
- Around line 145-213: The verify_signature function currently treats any
well-formed JSON or any non-JSON file as a valid signature; change it to fail
closed by actually using bundle_path and public_key_path to perform Ed25519
verification (or return FAIL if public_key_path is missing or verification
cannot be performed). Specifically, in verify_signature: require public_key_path
to be provided, read bundle bytes from bundle_path, read signature from
signature_path (if JSON expect algorithm == "Ed25519" and base64-encoded
"signature", otherwise treat raw bytes), load the public key (Ed25519PublicKey
from cryptography) from public_key_path and call
public_key.verify(signature_bytes, bundle_bytes); on any exception set
result["status"]="FAIL" and add a failing "cryptographic_verification" check
with the exception detail, only mark PASS when verify succeeds. Use function
names/keys verify_signature, signature_structure, and cryptographic_verification
to locate and update logic.
---
Nitpick comments:
In `@artifacts/policies/nist_ai_rmf_govern.rego`:
- Around line 1-8: The package declaration "package compliance.nist_ai_rmf" in
artifacts/policies/nist_ai_rmf_govern.rego does not mirror the file path; either
move this file into a directory tree matching the package (e.g., create
directories compliance/nist_ai_rmf/ and rename/move the file to
compliance/nist_ai_rmf/govern.rego) or change the package declaration to reflect
the current location; ensure the package name and directory structure are
consistent so OPA/Regal bundle discovery finds the policy.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: aadc0681-6553-4291-b6d0-86f679439566
⛔ Files ignored due to path filters (1)
artifacts/data/kafka-evidence-bundles.csvis excluded by!**/*.csv
📒 Files selected for processing (11)
artifacts/policies/eu_ai_act_kafka_enforcement.regoartifacts/policies/gdpr_ai_data_protection.regoartifacts/policies/iso42001_aims_governance.regoartifacts/policies/nist_ai_rmf_govern.regoartifacts/schemas/kacg-openapi.yamlartifacts/schemas/worm-evidence-storage.schema.jsonartifacts/templates/drift-detection-config.jsonartifacts/templates/github-actions-governance.yamlartifacts/templates/governance-verify-cli.pyrag-agentic-dashboard/public/kafka-acl-governance.htmlrag-agentic-dashboard/server.js
✅ Files skipped from review due to trivial changes (2)
- artifacts/templates/drift-detection-config.json
- artifacts/templates/github-actions-governance.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- rag-agentic-dashboard/public/kafka-acl-governance.html
| # Framework: EU AI Act (Regulation (EU) 2024/1689) | ||
| # Last Updated: 2026-04-03 | ||
|
|
||
| package compliance.eu_ai_act.kafka |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
fd -e rego | while read -r f; do
pkg=$(rg -n '^package ' "$f" | head -n1 | sed -E 's/^[0-9]+:package //')
[[ -z "${pkg}" ]] && continue
pkg_path=$(echo "$pkg" | tr '.' '/')
if [[ "$f" != *"$pkg_path"* ]]; then
echo "MISMATCH: $f -> package $pkg (expected path to include: $pkg_path)"
fi
doneRepository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 1493
Resolve package-to-directory mismatch to align with Regal idiomatic standards.
The file path artifacts/policies/eu_ai_act_kafka_enforcement.rego does not match the declared package compliance.eu_ai_act.kafka. Either rename the file to match the package structure (e.g., place it under a compliance/eu_ai_act/kafka/ directory) or adjust the package declaration to match the file location.
🧰 Tools
🪛 Regal (0.39.0)
[error] 9-9: Directory structure should mirror package
(idiomatic)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/eu_ai_act_kafka_enforcement.rego` at line 9, The package
declaration "package compliance.eu_ai_act.kafka" does not match the file's
repository location; fix by making the package and file location consistent:
either move the Rego file into a directory hierarchy that matches the package
(compliance/eu_ai_act/kafka/) so the package declaration remains "package
compliance.eu_ai_act.kafka", or change the package line to reflect the file's
current location (adjust the package name to the directory namespace used in
your repo). Ensure the package token "package compliance.eu_ai_act.kafka" is
updated or the file relocated so Regal idiomatic package-to-directory
conventions are satisfied.
Comment on lines
+271
to
+285
| kafka_governance_topics if { | ||
| topics := input.kafkaTopics | ||
| required_topics := { | ||
| "ai.inference.events", | ||
| "ai.training.events", | ||
| "ai.governance.decisions", | ||
| "ai.bias.alerts", | ||
| "ai.drift.detections", | ||
| "ai.killswitch.events", | ||
| "ai.compliance.evidence" | ||
| } | ||
| every t in required_topics { | ||
| some topic in topics | ||
| topic.name == t | ||
| } |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python - <<'PY'
import json, re, pathlib
rego_path = pathlib.Path("artifacts/policies/eu_ai_act_kafka_enforcement.rego")
matrix_path = pathlib.Path("artifacts/data/kafka-acl-matrix.json")
rego = rego_path.read_text()
block = re.search(r"required_topics\s*:=\s*\{([^}]*)\}", rego, re.S)
hardcoded = set(re.findall(r'"(ai\.[^"]+)"', block.group(1) if block else ""))
matrix = json.loads(matrix_path.read_text())
canonical = set(matrix.get("topics", {}).keys())
print("Hardcoded topic count:", len(hardcoded))
print("Canonical topic count:", len(canonical))
print("Missing from policy:", sorted(canonical - hardcoded))
print("Extra in policy:", sorted(hardcoded - canonical))
PYRepository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 296
kafka_governance_topics is incomplete versus canonical topic inventory.
Line 273 hardcodes 7 topics, but artifacts/data/kafka-acl-matrix.json defines 12 canonical governance topics. This allows false compliance passes when critical topics (ai.agent.telemetry, ai.model.promotions, ai.consent.changes, ai.erasure.requests, ai.sentinel.evaluations) are missing.
🔧 Proposed fix (derive required topics from canonical ACL matrix)
kafka_governance_topics if {
- topics := input.kafkaTopics
- required_topics := {
- "ai.inference.events",
- "ai.training.events",
- "ai.governance.decisions",
- "ai.bias.alerts",
- "ai.drift.detections",
- "ai.killswitch.events",
- "ai.compliance.evidence"
- }
+ topics := {t.name | some t in input.kafkaTopics}
+ required_topics := {t | data.kafka.acl_matrix[t]}
every t in required_topics {
- some topic in topics
- topic.name == t
+ t in topics
}
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| kafka_governance_topics if { | |
| topics := input.kafkaTopics | |
| required_topics := { | |
| "ai.inference.events", | |
| "ai.training.events", | |
| "ai.governance.decisions", | |
| "ai.bias.alerts", | |
| "ai.drift.detections", | |
| "ai.killswitch.events", | |
| "ai.compliance.evidence" | |
| } | |
| every t in required_topics { | |
| some topic in topics | |
| topic.name == t | |
| } | |
| kafka_governance_topics if { | |
| topics := {t.name | some t in input.kafkaTopics} | |
| required_topics := {t | data.kafka.acl_matrix[t]} | |
| every t in required_topics { | |
| t in topics | |
| } | |
| } |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/eu_ai_act_kafka_enforcement.rego` around lines 271 - 285,
The rule kafka_governance_topics currently checks a hardcoded 7-topic set
against input.kafkaTopics causing false passes; instead derive the required
topic names from the canonical list in artifacts/data/kafka-acl-matrix.json and
use that set for validation. Update the rule to load the canonical ACL matrix
(e.g., data["kafka-acl-matrix"] or similar data ref) to produce required_topics,
then iterate every t in required_topics and assert some topic in
input.kafkaTopics with topic.name == t; ensure kafka_governance_topics uses that
dynamically derived set so missing topics like ai.agent.telemetry,
ai.model.promotions, ai.consent.changes, ai.erasure.requests, and
ai.sentinel.evaluations are caught.
Comment on lines
+289
to
+293
| kafka_acl_enforcement if { | ||
| input.kafkaConfig.aclEnforcementEnabled == true | ||
| input.kafkaConfig.opaAuthorizerDeployed == true | ||
| input.kafkaConfig.defaultDeny == true | ||
| } |
There was a problem hiding this comment.
kafka_acl_enforcement checks flags, not enforceable ACL state.
Lines 289-293 validate only booleans in input.kafkaConfig. They do not assert that produce/consume ACLs actually exist for governed topics (the canonical model used in artifacts/policies/kafka_acl_governance.rego is data.kafka.acl_matrix[topic]). This can mark an empty ACL matrix as compliant.
🔧 Proposed fix (assert ACL entries exist for each required topic)
kafka_acl_enforcement if {
input.kafkaConfig.aclEnforcementEnabled == true
input.kafkaConfig.opaAuthorizerDeployed == true
input.kafkaConfig.defaultDeny == true
+ required_topics := {t | data.kafka.acl_matrix[t]}
+ every t in required_topics {
+ count(data.kafka.acl_matrix[t].produce) > 0
+ count(data.kafka.acl_matrix[t].consume) > 0
+ }
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| kafka_acl_enforcement if { | |
| input.kafkaConfig.aclEnforcementEnabled == true | |
| input.kafkaConfig.opaAuthorizerDeployed == true | |
| input.kafkaConfig.defaultDeny == true | |
| } | |
| kafka_acl_enforcement if { | |
| input.kafkaConfig.aclEnforcementEnabled == true | |
| input.kafkaConfig.opaAuthorizerDeployed == true | |
| input.kafkaConfig.defaultDeny == true | |
| required_topics := {t | data.kafka.acl_matrix[t]} | |
| every t in required_topics { | |
| count(data.kafka.acl_matrix[t].produce) > 0 | |
| count(data.kafka.acl_matrix[t].consume) > 0 | |
| } | |
| } |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/eu_ai_act_kafka_enforcement.rego` around lines 289 - 293,
The rule kafka_acl_enforcement currently only checks boolean flags in
input.kafkaConfig; update it to also verify the actual ACL state by asserting
entries exist in the ACL matrix (data.kafka.acl_matrix) for each governed topic:
keep the existing flag checks (input.kafkaConfig.aclEnforcementEnabled,
opaAuthorizerDeployed, defaultDeny) and add a predicate that iterates over the
governed topics (e.g., for each topic in data.kafka.acl_matrix) and ensures
required produce/consume ACL entries exist (matching the canonical model used in
artifacts/policies/kafka_acl_governance.rego), failing kafka_acl_enforcement
when any governed topic lacks the expected ACL entries.
Comment on lines
+17
to
+22
| art_5_1a_lawful_processing if { | ||
| processing := input.dataProcessing | ||
| processing.legalBasis in ["CONSENT", "CONTRACT", "LEGAL_OBLIGATION", "VITAL_INTERESTS", "PUBLIC_TASK", "LEGITIMATE_INTERESTS"] | ||
| processing.fairnessAssessed == true | ||
| processing.transparencyNotice == true | ||
| } |
There was a problem hiding this comment.
transparencyNotice cannot satisfy both rules in its current shape.
art_5_1a_lawful_processing expects input.dataProcessing.transparencyNotice to be a boolean, but art_13_transparency treats the same field as an object with nested fields. A valid Art. 13 payload therefore makes Art. 5.1a fail. Use separate fields, or change the Art. 5.1a check to test presence/object shape instead of == true.
One simple fix
art_5_1a_lawful_processing if {
processing := input.dataProcessing
processing.legalBasis in ["CONSENT", "CONTRACT", "LEGAL_OBLIGATION", "VITAL_INTERESTS", "PUBLIC_TASK", "LEGITIMATE_INTERESTS"]
processing.fairnessAssessed == true
- processing.transparencyNotice == true
+ processing.transparencyNotice != null
}Also applies to: 72-80
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/gdpr_ai_data_protection.rego` around lines 17 - 22, The
art_5_1a_lawful_processing rule currently requires processing.transparencyNotice
== true but art_13_transparency treats transparencyNotice as an object, causing
valid Art.13 payloads to fail; update art_5_1a_lawful_processing to accept
either a boolean true or an object shape by replacing the strict equality check
with a presence/shape test (e.g., require processing.transparencyNotice to be
defined and either equals true or is an object with the expected nested fields),
and similarly adjust the other rule(s) referenced around lines 72-80 to use
presence/shape checks instead of == true so both boolean and structured
transparencyNotice representations are supported; reference the
art_5_1a_lawful_processing and art_13_transparency rule names when making the
change.
Comment on lines
+208
to
+218
| gdpr_compliance_summary := { | ||
| "framework": "GDPR (EU) 2016/679", | ||
| "docRef": "KACG-GSIFI-WP-017", | ||
| "totalRules": 26, | ||
| "kafkaSpecificRules": 5, | ||
| "articlesTargeted": ["5", "13", "14", "17", "22", "25", "30", "32", "35"], | ||
| "piiDetectionThreshold": 0.997, | ||
| "erasureTopicEnabled": true, | ||
| "consentTopicEnabled": true, | ||
| "wormRetentionYears": 5 | ||
| } |
There was a problem hiding this comment.
The GDPR summary is static and already drifted from the rules above.
erasureTopicEnabled and consentTopicEnabled are always true regardless of evaluation input, and totalRules is duplicated as 26 even though this module currently defines 20 boolean checks. Build this object from the actual predicates/metadata instead of hand-maintaining it.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/policies/gdpr_ai_data_protection.rego` around lines 208 - 218, The
gdpr_compliance_summary object is hard-coded and drifts from the module; replace
it with a computed summary built from the actual predicates/metadata: compute
totalRules using count of the rule set (e.g., totalRules := count({r |
<predicate identifying each boolean check>})), compute kafkaSpecificRules
similarly by filtering rules that mention Kafka or kafka/topic metadata, derive
erasureTopicEnabled and consentTopicEnabled by checking whether any rule or
metadata references the erasure or consent topics (e.g., erasureTopicEnabled :=
count({r | rule_has_topic(r, "erasure")}) > 0), and populate articlesTargeted
and piiDetectionThreshold from the actual metadata fields on rules; update the
gdpr_compliance_summary binding to use these computed values (refer to
gdpr_compliance_summary, totalRules, erasureTopicEnabled, consentTopicEnabled
and any helpers like rule_has_topic or the rule predicate names) so the summary
always reflects the module state.
Comment on lines
+251
to
+299
| "readAccess": { | ||
| "type": "array", | ||
| "description": "Roles with read access to evidence", | ||
| "items": { | ||
| "type": "object", | ||
| "properties": { | ||
| "role": { "type": "string" }, | ||
| "scope": { | ||
| "type": "string", | ||
| "enum": ["ALL", "OWN_TEAM", "SPECIFIC_REGULATION"] | ||
| }, | ||
| "mfaRequired": { "type": "boolean" } | ||
| } | ||
| } | ||
| }, | ||
| "writeAccess": { | ||
| "type": "array", | ||
| "description": "Roles with write access (append-only, no delete)", | ||
| "items": { | ||
| "type": "object", | ||
| "properties": { | ||
| "role": { "type": "string" }, | ||
| "appendOnly": { "type": "boolean", "const": true }, | ||
| "sourceValidation": { | ||
| "type": "string", | ||
| "description": "How the writer identity is validated", | ||
| "enum": ["SPIFFE_SVID", "OIDC_TOKEN", "MTLS_CERT"] | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "auditAccess": { | ||
| "type": "array", | ||
| "description": "Roles with audit/examination access", | ||
| "items": { | ||
| "type": "object", | ||
| "properties": { | ||
| "role": { "type": "string" }, | ||
| "accessType": { | ||
| "type": "string", | ||
| "enum": ["FULL_READ", "SUMMARY_ONLY", "FILTERED"] | ||
| }, | ||
| "requiresApproval": { "type": "boolean" }, | ||
| "sessionDurationMinutes": { | ||
| "type": "integer", | ||
| "maximum": 480 | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
ACL entries can currently be empty objects.
Each access array is required, but the item schemas never require their core fields. {} validates in readAccess, writeAccess, and auditAccess, and a writeAccess entry can omit both appendOnly and sourceValidation. If downstream code assumes these keys exist, the schema will miss malformed IAM configs until deploy time.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/schemas/worm-evidence-storage.schema.json` around lines 251 - 299,
The ACL item schemas for readAccess, writeAccess, and auditAccess allow empty
objects because none of the properties are required; update the item schemas for
"readAccess" (require "role" and "scope" and "mfaRequired" as appropriate),
"writeAccess" (require "role" and "appendOnly" and "sourceValidation", and keep
appendOnly as const true), and "auditAccess" (require "role" and "accessType"
and "sessionDurationMinutes" or "requiresApproval" as applicable) by adding a
"required" array for each item object so malformed/omitted fields like role,
appendOnly, sourceValidation, and accessType are rejected by validation.
Comment on lines
+100
to
+115
| # Check 3: Required fields | ||
| required_fields = ["bundleId", "docRef", "timestamp", "version"] | ||
| missing = [f for f in required_fields if f not in bundle] | ||
| if missing: | ||
| result["status"] = "FAIL" | ||
| result["checks"].append({ | ||
| "check": "required_fields", | ||
| "status": "FAIL", | ||
| "detail": f"Missing fields: {', '.join(missing)}" | ||
| }) | ||
| else: | ||
| result["checks"].append({ | ||
| "check": "required_fields", | ||
| "status": "PASS", | ||
| "detail": f"All {len(required_fields)} required fields present" | ||
| }) |
There was a problem hiding this comment.
The manifest contract here does not match the schema shipped in this PR.
artifacts/schemas/evidence-bundle-manifest.schema.json:75-100 stores chain metadata under hashChain and does not define top-level docRef or timestamp. Requiring those fields here will fail valid manifests, and audit_report later serializes the same absent fields as None. Use the manifest schema as the source of truth instead of maintaining a parallel field list in the CLI.
Also applies to: 365-369
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/templates/governance-verify-cli.py` around lines 100 - 115, The CLI
currently enforces a hardcoded required_fields list (required_fields) that
expects top-level docRef and timestamp in bundle and causes false failures;
replace this with schema-driven validation by loading
artifacts/schemas/evidence-bundle-manifest.schema.json and using its "required"
array (or jsonschema.validate) to determine missing fields for bundle, then
update the result["checks"] entry ("required_fields") accordingly; also remove
any parallel checks or serialization that assume top-level docRef/timestamp
(e.g., places that set audit_report fields to None) so they follow the schema
(notably the duplicate check at the other section referenced).
Comment on lines
+145
to
+213
| def verify_signature(bundle_path: str, signature_path: str, public_key_path: str = None) -> dict: | ||
| """ | ||
| Verify Ed25519 signature of evidence bundle. | ||
|
|
||
| In production, this uses the cryptography library with Ed25519. | ||
| For audit demonstrations, validates signature file structure. | ||
| """ | ||
| result = { | ||
| "status": "PASS", | ||
| "algorithm": "Ed25519", | ||
| "checks": [], | ||
| "timestamp": datetime.now(timezone.utc).isoformat() | ||
| } | ||
|
|
||
| # Check signature file exists | ||
| if not os.path.exists(signature_path): | ||
| result["status"] = "FAIL" | ||
| result["checks"].append({ | ||
| "check": "signature_file_exists", | ||
| "status": "FAIL", | ||
| "detail": f"Signature file not found: {signature_path}" | ||
| }) | ||
| return result | ||
|
|
||
| result["checks"].append({ | ||
| "check": "signature_file_exists", | ||
| "status": "PASS", | ||
| "detail": f"Signature file found: {signature_path}" | ||
| }) | ||
|
|
||
| # Validate signature structure | ||
| try: | ||
| with open(signature_path) as f: | ||
| sig_data = json.load(f) | ||
|
|
||
| sig_fields = ["algorithm", "signature", "signedAt", "keyId"] | ||
| missing = [f for f in sig_fields if f not in sig_data] | ||
| if missing: | ||
| result["status"] = "FAIL" | ||
| result["checks"].append({ | ||
| "check": "signature_structure", | ||
| "status": "FAIL", | ||
| "detail": f"Missing signature fields: {', '.join(missing)}" | ||
| }) | ||
| else: | ||
| result["checks"].append({ | ||
| "check": "signature_structure", | ||
| "status": "PASS", | ||
| "detail": f"Signature structure valid (keyId: {sig_data.get('keyId', 'unknown')})" | ||
| }) | ||
| except (json.JSONDecodeError, Exception) as e: | ||
| # Binary signature format (raw Ed25519) | ||
| result["checks"].append({ | ||
| "check": "signature_structure", | ||
| "status": "PASS", | ||
| "detail": "Binary Ed25519 signature format detected" | ||
| }) | ||
|
|
||
| # In production: verify using Ed25519 public key | ||
| # from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey | ||
| # public_key.verify(signature_bytes, bundle_bytes) | ||
|
|
||
| result["checks"].append({ | ||
| "check": "cryptographic_verification", | ||
| "status": "INFO", | ||
| "detail": "Ed25519 verification requires HSM-backed public key (production mode)" | ||
| }) | ||
|
|
||
| return result |
There was a problem hiding this comment.
verify-sig returns PASS without doing any cryptographic verification.
bundle_path and public_key_path are unused, any JSON file with four keys passes, and any non-JSON file is accepted as a “binary Ed25519 signature.” That means this command can exit 0 for arbitrary garbage. Fail closed until real signature verification is wired.
Minimal safe change
def verify_signature(bundle_path: str, signature_path: str, public_key_path: str = None) -> dict:
@@
result = {
- "status": "PASS",
+ "status": "FAIL",
"algorithm": "Ed25519",
"checks": [],
"timestamp": datetime.now(timezone.utc).isoformat()
}
@@
- result["checks"].append({
- "check": "cryptographic_verification",
- "status": "INFO",
- "detail": "Ed25519 verification requires HSM-backed public key (production mode)"
- })
+ result["checks"].append({
+ "check": "cryptographic_verification",
+ "status": "FAIL",
+ "detail": "Cryptographic verification is not implemented in this build"
+ })
return result🧰 Tools
🪛 GitHub Check: Precaution Basic
[warning] 178-178: PY009: Deserialization of Untrusted Data
Potential unsafe usage of 'json.load' that can allow instantiation of
arbitrary objects.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/templates/governance-verify-cli.py` around lines 145 - 213, The
verify_signature function currently treats any well-formed JSON or any non-JSON
file as a valid signature; change it to fail closed by actually using
bundle_path and public_key_path to perform Ed25519 verification (or return FAIL
if public_key_path is missing or verification cannot be performed).
Specifically, in verify_signature: require public_key_path to be provided, read
bundle bytes from bundle_path, read signature from signature_path (if JSON
expect algorithm == "Ed25519" and base64-encoded "signature", otherwise treat
raw bytes), load the public key (Ed25519PublicKey from cryptography) from
public_key_path and call public_key.verify(signature_bytes, bundle_bytes); on
any exception set result["status"]="FAIL" and add a failing
"cryptographic_verification" check with the exception detail, only mark PASS
when verify succeeds. Use function names/keys verify_signature,
signature_structure, and cryptographic_verification to locate and update logic.
There was a problem hiding this comment.
Micro-Learning Topic: Deserialization of untrusted data (Detected by phrase)
Matched on "Deserialization of Untrusted Data"
It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains
Try a challenge in Secure Code Warrior
Helpful references
- OWASP Deserialization Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing deserialization flaws in your applications.
- OWASP Deserialization of untrusted data - OWASP community page with comprehensive information about deserialization vulnerabilities, and links to various OWASP resources to help detect or prevent it.
- OWASP Top Ten 2017 A8: Insecure Deserialization - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
There was a problem hiding this comment.
Skipped: comment is from another GitHub bot.
Comment on lines
+216
to
+287
| def verify_chain(evidence_dir: str, start_date: str = None, end_date: str = None) -> dict: | ||
| """ | ||
| Verify Merkle-tree hash chain integrity across evidence bundles. | ||
|
|
||
| Validates: | ||
| 1. Chronological ordering of bundles | ||
| 2. Each bundle references the previous bundle's hash | ||
| 3. No gaps in the evidence chain | ||
| 4. Chain root hash is consistent | ||
| """ | ||
| result = { | ||
| "status": "PASS", | ||
| "chain_length": 0, | ||
| "gaps": [], | ||
| "checks": [], | ||
| "timestamp": datetime.now(timezone.utc).isoformat() | ||
| } | ||
|
|
||
| # Find all evidence bundles | ||
| evidence_path = Path(evidence_dir) | ||
| bundles = sorted(evidence_path.glob("KACG-EB-*.json")) | ||
|
|
||
| if not bundles: | ||
| result["status"] = "INFO" | ||
| result["checks"].append({ | ||
| "check": "chain_discovery", | ||
| "status": "INFO", | ||
| "detail": f"No evidence bundles found in {evidence_dir}" | ||
| }) | ||
| return result | ||
|
|
||
| result["chain_length"] = len(bundles) | ||
| result["checks"].append({ | ||
| "check": "chain_discovery", | ||
| "status": "PASS", | ||
| "detail": f"Found {len(bundles)} evidence bundles" | ||
| }) | ||
|
|
||
| # Verify chain continuity | ||
| prev_hash = None | ||
| for bundle_path in bundles: | ||
| try: | ||
| with open(bundle_path) as f: | ||
| bundle = json.load(f) | ||
|
|
||
| current_hash = compute_sha256(str(bundle_path)) | ||
|
|
||
| if prev_hash and bundle.get("previousBundleHash"): | ||
| if bundle["previousBundleHash"] != prev_hash: | ||
| result["status"] = "FAIL" | ||
| result["gaps"].append({ | ||
| "bundle": bundle_path.name, | ||
| "expected": prev_hash, | ||
| "found": bundle.get("previousBundleHash") | ||
| }) | ||
|
|
||
| prev_hash = current_hash | ||
| except Exception as e: | ||
| result["checks"].append({ | ||
| "check": "chain_link", | ||
| "status": "WARN", | ||
| "detail": f"Error reading {bundle_path.name}: {str(e)}" | ||
| }) | ||
|
|
||
| if not result["gaps"]: | ||
| result["checks"].append({ | ||
| "check": "chain_continuity", | ||
| "status": "PASS", | ||
| "detail": f"Evidence chain intact ({len(bundles)} bundles, no gaps)" | ||
| }) | ||
|
|
||
| return result |
There was a problem hiding this comment.
verify-chain can report PASS on a broken chain.
Per artifacts/schemas/evidence-bundle-manifest.schema.json:75-100, the link lives at hashChain.previousBundleHash, but this loop only checks a top-level previousBundleHash. Because the comparison is guarded by bundle.get("previousBundleHash"), missing links are silently skipped and the chain can still come back clean. start_date and end_date are also never applied, so filtered runs still scan the full directory.
🧰 Tools
🪛 GitHub Check: Precaution Basic
[warning] 259-259: PY009: Deserialization of Untrusted Data
Potential unsafe usage of 'json.load' that can allow instantiation of
arbitrary objects.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/templates/governance-verify-cli.py` around lines 216 - 287,
verify_chain currently hashes the file path and only looks for a top-level
previousBundleHash (and skips missing links), and it ignores
start_date/end_date; update verify_chain to (1) compute the hash of the bundle
contents (e.g., pass the file bytes or the loaded bundle dict into
compute_sha256) instead of compute_sha256(str(bundle_path)), (2) read the link
from the nested path hashChain.previousBundleHash (fall back to
bundle.get("previousBundleHash") only if schema allows) and treat a missing
previous link when prev_hash exists as a gap (mark FAIL and append to
result["gaps"]), and (3) apply start_date/end_date by parsing each bundle's
timestamp (e.g., bundle["manifest"]["createdAt"] or the schema field that
records creation time) and skip bundles outside the range before verifying
continuity; adjust references to verify_chain, compute_sha256, bundles,
previousBundleHash, hashChain.previousBundleHash, start_date, and end_date
accordingly.
There was a problem hiding this comment.
Micro-Learning Topic: Deserialization of untrusted data (Detected by phrase)
Matched on "Deserialization of Untrusted Data"
It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains
Try a challenge in Secure Code Warrior
Helpful references
- OWASP Deserialization Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing deserialization flaws in your applications.
- OWASP Deserialization of untrusted data - OWASP community page with comprehensive information about deserialization vulnerabilities, and links to various OWASP resources to help detect or prevent it.
- OWASP Top Ten 2017 A8: Insecure Deserialization - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
There was a problem hiding this comment.
Skipped: comment is from another GitHub bot.
Comment on lines
+290
to
+335
| def verify_retention(bundle_path: str, regulation: str = None) -> dict: | ||
| """ | ||
| Verify evidence bundle retention compliance. | ||
|
|
||
| Retention requirements: | ||
| - SR 11-7: 7 years (2,557 days) | ||
| - GDPR Art. 30: 5 years or until erasure | ||
| - EU AI Act Art. 12: system lifetime + 10 years | ||
| - Basel III: 7 years | ||
| - PRA SS1/23: 7 years | ||
| - MiFID II: 5 years | ||
| """ | ||
| retention_policies = { | ||
| "sr-11-7": {"years": 7, "days": 2557, "name": "SR 11-7"}, | ||
| "gdpr": {"years": 5, "days": 1826, "name": "GDPR Art. 30"}, | ||
| "eu-ai-act": {"years": 10, "days": 3652, "name": "EU AI Act Art. 12"}, | ||
| "basel-iii": {"years": 7, "days": 2557, "name": "Basel III"}, | ||
| "pra-ss1-23": {"years": 7, "days": 2557, "name": "PRA SS1/23"}, | ||
| "mifid-ii": {"years": 5, "days": 1826, "name": "MiFID II"} | ||
| } | ||
|
|
||
| result = { | ||
| "status": "PASS", | ||
| "regulations_checked": [], | ||
| "checks": [], | ||
| "timestamp": datetime.now(timezone.utc).isoformat() | ||
| } | ||
|
|
||
| if regulation: | ||
| policies = {regulation: retention_policies.get(regulation, retention_policies["sr-11-7"])} | ||
| else: | ||
| policies = retention_policies | ||
|
|
||
| for reg_key, policy in policies.items(): | ||
| result["regulations_checked"].append({ | ||
| "regulation": policy["name"], | ||
| "required_retention_days": policy["days"], | ||
| "required_retention_years": policy["years"] | ||
| }) | ||
| result["checks"].append({ | ||
| "check": f"retention_{reg_key}", | ||
| "status": "PASS", | ||
| "detail": f"{policy['name']}: {policy['years']}-year retention requirement acknowledged" | ||
| }) | ||
|
|
||
| return result |
There was a problem hiding this comment.
check-retention is only echoing policy metadata.
bundle_path is never read, so a missing bundle or an out-of-retention bundle still returns PASS. That makes the compliance result meaningless, and the hardcoded regulation keys already diverge from artifacts/schemas/worm-evidence-storage.schema.json (SR_11_7/GDPR_ART_30 vs sr-11-7/gdpr). Parse the bundle and compare it against one authoritative policy table instead of duplicating constants here.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@artifacts/templates/governance-verify-cli.py` around lines 290 - 335, The
verify_retention function is currently only echoing hardcoded policy metadata
and never reads bundle_path; update verify_retention to open and parse the
evidence bundle at bundle_path, validate the bundle exists and extract its
retention/creation/expiry fields (e.g., timestamps or retention_days) and
compute the actual retention age in days, then compare that value against a
single authoritative policy table (do not duplicate retention_policies—import or
load the canonical mapping used by the system/schema, mapping schema keys like
SR_11_7/GDPR_ART_30 to the internal keys), and for each policy (use the function
verify_retention, variable retention_policies/policies) set each check's status
to PASS or FAIL with a clear detail message and adjust result["status"] to FAIL
if any required retention is not met; also handle missing bundle or missing
timestamps as FAIL with appropriate error details in result["checks"].
…gine, AGI/ASI Governance Architectures UNIFIED GOVERNANCE INDEX (UGI): - governance-index.html: 10-section interactive dashboard unifying 8 governance pillars, 8 regulatory frameworks, 19 reports, 35 dashboards, 590+ API endpoints, 33+ artifacts - /api/governance-index/*: 12 endpoints including root, pillars, regulatory, artifacts, stats, regulatory-matrix, evidence-chain, evidence-verify (POST), cicd-pipeline, auditor-workflows, health, cross-links - Cross-module regulatory alignment matrix: 11 modules x 8 frameworks with FULL/PARTIAL/MAPPED coverage - Evidence-chain verification API: 8-stage pipeline, 12 evidence types, SHA-256 Merkle tree, Ed25519 - GitHub Actions CI/CD pipeline: 5 gates, 6 drift detectors, DORA Elite metrics - Auditor workflow automation: 3 modes (Self-Service, Guided Portal, Regulatory Examination) - New artifact: cross-module-regulatory-alignment.csv KAFKA ACL GOVERNANCE (KACG-GSIFI-WP-017): - 62 API endpoints under /api/kafka-acl-governance/* - 1,353-line technical report (KAFKA_ACL_GOVERNANCE_COMPLIANCE_ENGINE.md) - Interactive dashboard (kafka-acl-governance.html) - 20 machine-readable artifacts: 8 OPA Rego policies (214 rules), 4 schemas/specs, 4 CI/CD templates, 4 data assets - Regulatory alignment: EU AI Act, NIST AI RMF, ISO/IEC 42001, Basel III, SR 11-7, GDPR AGI/ASI GOVERNANCE ARCHITECTURES & FRAMEWORKS (GAF-GSIFI-WP-017): - 57 API endpoints under /api/governance-architectures-frameworks/* - 7-domain governance framework (Governance/Regulatory/Architectures/Global/Financial/Safety/Blueprint) - Interactive dashboard (governance-architectures-frameworks.html) - OpenAPI 3.1 spec (gaf-openapi.yaml) LEGACY MODULE FIXES: - 7 /metadata endpoint aliases for gsifi-governance, enterprise-strategy, unified-master-reference, agi-governance-unified, ai-governance, agi-governance, asi-preparedness - AGMB root endpoint (/api/agi-governance-master-blueprint) Regression: 198/198 endpoints passed (14 test categories, covering API, artifacts, dashboards, POST operations)
…rstuff/OneFineStarstuff.github.io into genspark_ai_developer
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
View changes in DiffLens |
genspark-ai-developer
bot
changed the title
|
View changes in DiffLens |
Not up to standards ⛔🔴 Issues
|
| Category | Results |
|---|---|
| Compatibility | 1 medium |
| UnusedCode | 1 medium 4 minor |
| BestPractice | 6 minor |
| Documentation | 1 minor |
| ErrorProne | 4 high |
| Security | 6 high |
| CodeStyle | 66 minor |
| Complexity | 5 minor 1 critical 5 medium |
🟢 Metrics 4 duplication
Metric Results Duplication 4
TIP This summary will be updated as you push new changes. Give us feedback
|
View changes in DiffLens |
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@rag-agentic-dashboard/public/governance-index.html`:
- Line 291: Update the anchor created in the template string that currently
reads `<a href="${r.path}" target="_blank">View</a>` to include rel="noopener
noreferrer" so external pages opened with target="_blank" cannot access
window.opener; locate the template literal that builds the report row (the
string containing `${r.ref}`, `${r.title}`, and `${r.path}`) and add the rel
attribute to the anchor element.
- Around line 359-376: The apiModules array currently contains hardcoded count
literals (apiModules, count field) which can become stale; replace the static
counts by fetching real endpoint metadata at build or runtime (e.g., implement a
getApiMetadata or fetchApiMetadata call) and map results to populate each
module's count field, using the original module.prefix to match endpoints and a
fallbackCount if the fetch fails; update any rendering logic to use the computed
count (e.g., computedCount or module.count after mapping) so displays always
reflect source-of-truth metrics with a graceful fallback.
- Around line 178-186: The async init() currently awaits fetchJSON(...) for
index, stats, reg, artifacts, matrix, evidence but when any fetch returns null
the UI leaves most sections stuck on "Loading..."; update init() to detect
null/failed responses from fetchJSON and populate per-section fallback/error
state objects (e.g., {error: true, message: 'Failed to load'} or minimal empty
arrays) for index, stats, reg, artifacts, and evidence, and set explicit flags
(e.g., indexError, statsError, regError, artifactsError, evidenceError) used by
the render logic so each component shows a concise error/fallback message or
empty-state instead of the loader; keep matrix behavior unchanged but ensure
render code checks these flags before deciding to show loaders.
- Around line 190-200: The metaBar innerHTML assignment injects unsanitized API
data (index.version, index.date, index.pillars, stats.*) and poses an XSS risk;
replace building raw HTML with safe DOM methods and escaping: create elements
via document.createElement, set text using textContent for values like
index.version/index.date and use a strict URL sanitizer/allowlist before
assigning any hrefs, or implement an escapeHtml utility to encode interpolation
values, then append those nodes to document.getElementById('metaBar') instead of
using innerHTML; update all similar template usages throughout the file to
follow the same pattern.
- Around line 280-286: Replace the positional access index.pillars[6] with an
ID- or property-based lookup: locate the pillar using index.pillars.find(p =>
p.id === 'P7') or index.pillars.find(p => p.sentinelComponents'), assign it to a
local variable (e.g., pillar), guard for its existence, then use
pillar.sentinelComponents when building
document.getElementById('sentinelGrid').innerHTML (keep the existing
map/formatting logic). Ensure you remove the hardcoded [6] access and handle the
case where no matching pillar is found before writing to the DOM.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: b6c3b20f-9cb7-41e5-8d42-1d602902ee22
⛔ Files ignored due to path filters (1)
artifacts/data/cross-module-regulatory-alignment.csvis excluded by!**/*.csv
📒 Files selected for processing (2)
rag-agentic-dashboard/public/governance-index.htmlrag-agentic-dashboard/server.js
Comment on lines
+178
to
+186
| async function init() { | ||
| const [index, stats, reg, artifacts, matrix, evidence] = await Promise.all([ | ||
| fetchJSON('/api/governance-index'), | ||
| fetchJSON('/api/governance-index/stats'), | ||
| fetchJSON('/api/governance-index/regulatory'), | ||
| fetchJSON('/api/governance-index/artifacts'), | ||
| fetchJSON('/api/governance-index/regulatory-matrix'), | ||
| fetchJSON('/api/governance-index/evidence-chain') | ||
| ]); |
There was a problem hiding this comment.
Missing error-state rendering leaves several sections indefinitely “Loading...”.
At Lines 178-186, failed/empty fetches return null, but most sections only render on success and keep loader placeholders forever (except matrix). This degrades operator usability during outages.
🧯 Suggested fallback helper
async function init() {
+ const setFallback = (id, msg) => {
+ const el = document.getElementById(id);
+ if (el) el.innerHTML = `<div class="loading">${msg}</div>`;
+ };
const [index, stats, reg, artifacts, matrix, evidence] = await Promise.all([
fetchJSON('/api/governance-index'),
fetchJSON('/api/governance-index/stats'),
fetchJSON('/api/governance-index/regulatory'),
fetchJSON('/api/governance-index/artifacts'),
fetchJSON('/api/governance-index/regulatory-matrix'),
fetchJSON('/api/governance-index/evidence-chain')
]);
+ if (!stats) setFallback('kpiGrid', 'Statistics unavailable.');
+ if (!index?.pillars) setFallback('pillarsGrid', 'Pillars unavailable.');
+ if (!reg?.frameworks) setFallback('regulatoryCard', 'Regulatory data unavailable.');
+ if (!artifacts) setFallback('artifactGrid', 'Artifacts unavailable.');
+ if (!evidence) setFallback('evidenceGrid', 'Evidence chain unavailable.');📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| async function init() { | |
| const [index, stats, reg, artifacts, matrix, evidence] = await Promise.all([ | |
| fetchJSON('/api/governance-index'), | |
| fetchJSON('/api/governance-index/stats'), | |
| fetchJSON('/api/governance-index/regulatory'), | |
| fetchJSON('/api/governance-index/artifacts'), | |
| fetchJSON('/api/governance-index/regulatory-matrix'), | |
| fetchJSON('/api/governance-index/evidence-chain') | |
| ]); | |
| async function init() { | |
| const setFallback = (id, msg) => { | |
| const el = document.getElementById(id); | |
| if (el) el.innerHTML = `<div class="loading">${msg}</div>`; | |
| }; | |
| const [index, stats, reg, artifacts, matrix, evidence] = await Promise.all([ | |
| fetchJSON('/api/governance-index'), | |
| fetchJSON('/api/governance-index/stats'), | |
| fetchJSON('/api/governance-index/regulatory'), | |
| fetchJSON('/api/governance-index/artifacts'), | |
| fetchJSON('/api/governance-index/regulatory-matrix'), | |
| fetchJSON('/api/governance-index/evidence-chain') | |
| ]); | |
| if (!stats) setFallback('kpiGrid', 'Statistics unavailable.'); | |
| if (!index?.pillars) setFallback('pillarsGrid', 'Pillars unavailable.'); | |
| if (!reg?.frameworks) setFallback('regulatoryCard', 'Regulatory data unavailable.'); | |
| if (!artifacts) setFallback('artifactGrid', 'Artifacts unavailable.'); | |
| if (!evidence) setFallback('evidenceGrid', 'Evidence chain unavailable.'); |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@rag-agentic-dashboard/public/governance-index.html` around lines 178 - 186,
The async init() currently awaits fetchJSON(...) for index, stats, reg,
artifacts, matrix, evidence but when any fetch returns null the UI leaves most
sections stuck on "Loading..."; update init() to detect null/failed responses
from fetchJSON and populate per-section fallback/error state objects (e.g.,
{error: true, message: 'Failed to load'} or minimal empty arrays) for index,
stats, reg, artifacts, and evidence, and set explicit flags (e.g., indexError,
statsError, regError, artifactsError, evidenceError) used by the render logic so
each component shows a concise error/fallback message or empty-state instead of
the loader; keep matrix behavior unchanged but ensure render code checks these
flags before deciding to show loaders.
Comment on lines
+190
to
+200
| document.getElementById('metaBar').innerHTML = [ | ||
| `<span>Version <strong>${index.version}</strong></span>`, | ||
| `<span>Date <strong>${index.date}</strong></span>`, | ||
| `<span>Classification <strong>CONFIDENTIAL</strong></span>`, | ||
| `<span>Pillars <strong>${index.pillars?.length || 8}</strong></span>`, | ||
| `<span>Endpoints <strong>${stats?.totalEndpoints || '580+'}</strong></span>`, | ||
| `<span>OPA Rules <strong>${stats?.totalOpaRules || 280}</strong></span>`, | ||
| `<span>Sentinel <strong>${stats?.totalSentinelRules || 952}</strong></span>`, | ||
| `<span>Kafka Topics <strong>${stats?.kafkaTopics || 12}</strong></span>` | ||
| ].join(''); | ||
| } |
There was a problem hiding this comment.
Unsanitized API data is injected into innerHTML (XSS risk).
At Line 190, API fields are interpolated directly into HTML. The same pattern repeats through Lines 218-383. If any upstream field is compromised, this becomes script/HTML injection in a governance dashboard.
🔒 Suggested hardening (escape text + sanitize href before rendering)
+const ESCAPE_MAP = { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''' };
+const escapeHTML = (v) => String(v ?? '').replace(/[&<>"']/g, ch => ESCAPE_MAP[ch]);
+const safeHref = (raw) => {
+ try {
+ const u = new URL(String(raw ?? ''), window.location.origin);
+ if ((u.protocol === 'http:' || u.protocol === 'https:') && u.origin === window.location.origin) {
+ return `${u.pathname}${u.search}${u.hash}`;
+ }
+ } catch (_) {}
+ return '#';
+};
+
document.getElementById('metaBar').innerHTML = [
- `<span>Version <strong>${index.version}</strong></span>`,
+ `<span>Version <strong>${escapeHTML(index.version)}</strong></span>`,
...
].join('');Apply the same escaping/safe URL pattern anywhere external data is used in template strings.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@rag-agentic-dashboard/public/governance-index.html` around lines 190 - 200,
The metaBar innerHTML assignment injects unsanitized API data (index.version,
index.date, index.pillars, stats.*) and poses an XSS risk; replace building raw
HTML with safe DOM methods and escaping: create elements via
document.createElement, set text using textContent for values like
index.version/index.date and use a strict URL sanitizer/allowlist before
assigning any hrefs, or implement an escapeHtml utility to encode interpolation
values, then append those nodes to document.getElementById('metaBar') instead of
using innerHTML; update all similar template usages throughout the file to
follow the same pattern.
There was a problem hiding this comment.
Micro-Learning Topic: HTML injection (Detected by phrase)
Matched on "HTML injection"
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Try a challenge in Secure Code Warrior
Helpful references
- Prevent Cross-Site Scripting (XSS) in ASP.NET Core - A detailed Microsoft article on how to prevent cross-site scripting in ASP.NET Core.
- OWASP Cross Site Scripting (XSS) Software Attack - OWASP community page with comprehensive information about cross site scripting, and links to various OWASP resources to help detect or prevent it.
- OWASP Cross Site Scripting Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output encoding properly.
There was a problem hiding this comment.
Skipped: comment is from another GitHub bot.
Comment on lines
+280
to
+286
| if (index?.pillars?.[6]?.sentinelComponents) { | ||
| const sc = index.pillars[6].sentinelComponents; | ||
| document.getElementById('sentinelGrid').innerHTML = sc.components.map((c, i) => { | ||
| const [abbr, ...rest] = c.split(' - '); | ||
| return `<div class="sentinel-item"><div class="abbr">${abbr}</div><div class="desc">${rest.join(' - ')}</div></div>`; | ||
| }).join(''); | ||
| } |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
server_file="$(fd -t f '^server\.js$' | head -n1)"
echo "Using: ${server_file}"
echo "=== governance-index route payload ==="
rg -n --type=js -C20 "app.get\\('/api/governance-index'" "${server_file}"
echo "=== sentinelComponents occurrences ==="
rg -n --type=js -C5 "sentinelComponents|ICGC Sentinel|components\\s*:" "${server_file}"Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 150
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# List server.js to understand its structure
echo "=== backend/server.js exists and size ==="
ls -lh backend/server.js 2>/dev/null || echo "File not found"
# Find all app.get routes
echo "=== All GET routes in server.js ==="
rg -n "app\.get\(" backend/server.js | head -20
# Search for governance in server.js
echo "=== Governance-related content ==="
rg -n -i "governance" backend/server.js | head -20Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 336
🏁 Script executed:
#!/bin/bash
# Check governance-index.html to see what endpoint it's calling
echo "=== Governance-index.html fetch calls ==="
rg -n "fetch|xhr|axios|fetch.*governance\|governance.*fetch" rag-agentic-dashboard/public/governance-index.html | head -20
# Search for where sentinelComponents is defined anywhere in the codebase
echo "=== sentinelComponents anywhere in codebase ==="
rg -n "sentinelComponents" --type=js --type=htmlRepository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 914
🏁 Script executed:
#!/bin/bash
# Look at governance-index.html around line 280 for context on where data comes from
echo "=== Context in governance-index.html around line 280 ==="
sed -n '1,50p' rag-agentic-dashboard/public/governance-index.html | head -30
# Search for fetch or data loading in governance-index.html
echo "=== Data loading section in governance-index.html ==="
rg -n -B10 "sentinelGrid" rag-agentic-dashboard/public/governance-index.html | head -40Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 4096
🏁 Script executed:
#!/bin/bash
# Check the actual server.js in rag-agentic-dashboard
echo "=== /api/governance-index endpoint in rag-agentic-dashboard/server.js ==="
rg -n "app\.get.*governance-index" rag-agentic-dashboard/server.js
# Look at sentinelComponents definition context
echo "=== sentinelComponents definition context (line 12644) ==="
sed -n '12630,12660p' rag-agentic-dashboard/server.js
# Check the pillars structure to see if there's a fixed ordering
echo "=== Pillar structure and ordering ==="
rg -n "pillars.*=|pillars\s*:" rag-agentic-dashboard/server.js | head -30Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 5807
🏁 Script executed:
#!/bin/bash
# Find where the response object is built to understand structure
echo "=== Finding /api/governance-index response building ==="
rg -n -B30 "sentinelComponents" rag-agentic-dashboard/server.js | head -100
# Check if there's an ID or name-based lookup being used elsewhere
echo "=== Checking pillar access patterns in governance-index.html ==="
rg -n "pillars\[" rag-agentic-dashboard/public/governance-index.html | head -20Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 2626
🏁 Script executed:
#!/bin/bash
# Check the complete pillars array structure in the /api/governance-index response
echo "=== Full /api/governance-index response pillars array ==="
sed -n '12512,12750p' rag-agentic-dashboard/server.js | head -150
# Count the number of pillars
echo ""
echo "=== Counting pillars with id pattern P[0-9] ==="
sed -n '12506,12735p' rag-agentic-dashboard/server.js | grep -c "id: 'P[0-9]"Repository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 11377
🏁 Script executed:
#!/bin/bash
# Check if there are any other references to accessing pillars by index in the codebase
echo "=== Other pillar index accesses ==="
rg -n "pillars\[[0-9]\]" rag-agentic-dashboard/public/governance-index.html
# Check if sentinelComponents is only in P7 or if other pillars have it
echo ""
echo "=== Looking for sentinelComponents in full response ==="
rg -n "sentinelComponents" rag-agentic-dashboard/server.jsRepository: OneFineStarstuff/OneFineStarstuff.github.io
Length of output: 269
Replace hardcoded pillar index with ID-based lookup to avoid brittle positional coupling.
The code at line 280 uses index.pillars[6].sentinelComponents assuming fixed pillar ordering. While sentinelComponents currently exists in the P7 pillar (which is at index 6), relying on array position is fragile—any reordering of the pillars array will cause this section to fail silently.
Use index.pillars.find(p => p.id === 'P7') or index.pillars.find(p => p.sentinelComponents) instead to decouple from position.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@rag-agentic-dashboard/public/governance-index.html` around lines 280 - 286,
Replace the positional access index.pillars[6] with an ID- or property-based
lookup: locate the pillar using index.pillars.find(p => p.id === 'P7') or
index.pillars.find(p => p.sentinelComponents'), assign it to a local variable
(e.g., pillar), guard for its existence, then use pillar.sentinelComponents when
building document.getElementById('sentinelGrid').innerHTML (keep the existing
map/formatting logic). Ensure you remove the hardcoded [6] access and handle the
case where no matching pillar is found before writing to the DOM.
| // Reports | ||
| if (index?.reports) { | ||
| document.getElementById('reportsCard').innerHTML = index.reports.map(r => | ||
| `<div class="report-row"><span class="ref">${r.ref}</span><span class="title">${r.title}</span>${r.path ? `<a href="${r.path}" target="_blank">View</a>` : ''}</div>` |
There was a problem hiding this comment.
target="_blank" is missing rel="noopener noreferrer".
At Line 291, new-tab links can expose window.opener to the target page.
🛡️ Minimal fix
-`<div class="report-row"><span class="ref">${r.ref}</span><span class="title">${r.title}</span>${r.path ? `<a href="${r.path}" target="_blank">View</a>` : ''}</div>`
+`<div class="report-row"><span class="ref">${r.ref}</span><span class="title">${r.title}</span>${r.path ? `<a href="${r.path}" target="_blank" rel="noopener noreferrer">View</a>` : ''}</div>`📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| `<div class="report-row"><span class="ref">${r.ref}</span><span class="title">${r.title}</span>${r.path ? `<a href="${r.path}" target="_blank">View</a>` : ''}</div>` | |
| `<div class="report-row"><span class="ref">${r.ref}</span><span class="title">${r.title}</span>${r.path ? `<a href="${r.path}" target="_blank" rel="noopener noreferrer">View</a>` : ''}</div>` |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@rag-agentic-dashboard/public/governance-index.html` at line 291, Update the
anchor created in the template string that currently reads `<a href="${r.path}"
target="_blank">View</a>` to include rel="noopener noreferrer" so external pages
opened with target="_blank" cannot access window.opener; locate the template
literal that builds the report row (the string containing `${r.ref}`,
`${r.title}`, and `${r.path}`) and add the rel attribute to the anchor element.
Comment on lines
+359
to
+376
| const apiModules = [ | ||
| { module: 'Core Platform', prefix: '/api/state, /api/health, /api/agents', count: 5 }, | ||
| { module: 'Practitioner Master Reference', prefix: '/api/practitioner-master-reference/*', count: 50, docRef: 'PMREF-GSIFI-WP-015' }, | ||
| { module: 'AGI Governance Master Blueprint', prefix: '/api/agi-governance-master-blueprint/*', count: 39, docRef: 'AGMB-GSIFI-WP-016' }, | ||
| { module: 'Kafka ACL Governance', prefix: '/api/kafka-acl-governance/*', count: 54, docRef: 'KACG-GSIFI-WP-017' }, | ||
| { module: 'Governance Architectures & Frameworks', prefix: '/api/governance-architectures-frameworks/*', count: 57, docRef: 'GAF-GSIFI-WP-017' }, | ||
| { module: 'G-SIFI Regulatory Compliance', prefix: '/api/gsifi-governance/*', count: 22, docRef: 'COMP-REG-WP-006' }, | ||
| { module: 'Enterprise AI Strategy', prefix: '/api/enterprise-strategy/*', count: 32, docRef: 'STRAT-G2K-WP-012' }, | ||
| { module: 'Unified Master Reference', prefix: '/api/unified-master-reference/*', count: 28 }, | ||
| { module: 'AGI/ASI Governance Unified', prefix: '/api/agi-governance-unified/*', count: 26 }, | ||
| { module: 'AGI Governance Framework', prefix: '/api/agi-governance/*', count: 76 }, | ||
| { module: 'ASI Preparedness', prefix: '/api/asi-preparedness/*', count: 12, docRef: 'SAFE-AGI-WP-003' }, | ||
| { module: 'AI Governance Analysis', prefix: '/api/ai-governance/*', count: 10 }, | ||
| { module: 'Unified Governance Index', prefix: '/api/governance-index/*', count: 8 }, | ||
| { module: 'EAIP Protocol', prefix: '/api/eaip/*', count: 15 }, | ||
| { module: 'Veridical Reports', prefix: '/api/veridical-week*', count: '60+' }, | ||
| { module: 'CISO/Security', prefix: '/api/ciso-roadmap/*, /api/ciso-report/*', count: 20 } | ||
| ]; |
There was a problem hiding this comment.
Hardcoded endpoint counts can drift from source-of-truth governance metrics.
At Lines 359-376, module counts are static literals (e.g., Kafka ACL count). For compliance/audit views, stale counts are a data-integrity risk.
♻️ Suggested refactor (derive counts from API metadata with fallback)
+const moduleEndpointMap = new Map(
+ (index?.pillars ?? []).flatMap(p =>
+ (p.modules ?? []).map(m => [m.name, m.endpoints])
+ )
+);
const apiModules = [
- { module: 'Kafka ACL Governance', prefix: '/api/kafka-acl-governance/*', count: 54, docRef: 'KACG-GSIFI-WP-017' },
- { module: 'Governance Architectures & Frameworks', prefix: '/api/governance-architectures-frameworks/*', count: 57, docRef: 'GAF-GSIFI-WP-017' },
+ { module: 'Kafka ACL Governance', prefix: '/api/kafka-acl-governance/*', count: moduleEndpointMap.get('Kafka ACL Governance') ?? 54, docRef: 'KACG-GSIFI-WP-017' },
+ { module: 'Governance Architectures & Frameworks', prefix: '/api/governance-architectures-frameworks/*', count: moduleEndpointMap.get('Governance Architectures & Frameworks') ?? 57, docRef: 'GAF-GSIFI-WP-017' },
...
];🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@rag-agentic-dashboard/public/governance-index.html` around lines 359 - 376,
The apiModules array currently contains hardcoded count literals (apiModules,
count field) which can become stale; replace the static counts by fetching real
endpoint metadata at build or runtime (e.g., implement a getApiMetadata or
fetchApiMetadata call) and map results to populate each module's count field,
using the original module.prefix to match endpoints and a fallbackCount if the
fetch fails; update any rendering logic to use the computed count (e.g.,
computedCount or module.count after mapping) so displays always reflect
source-of-truth metrics with a graceful fallback.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Unified AI Governance Platform — Comprehensive Delivery
New: Unified Governance Index (UGI)
Master navigational index unifying all governance modules into a single interactive dashboard with 10 sections.
Dashboard:
governance-index.html— 10-section capstone dashboardAPI: 12 new endpoints under
/api/governance-index/*/api/governance-index/api/governance-index/pillars/api/governance-index/regulatory/api/governance-index/regulatory-matrix/api/governance-index/evidence-chainPOST /api/governance-index/evidence-verify/api/governance-index/cicd-pipeline/api/governance-index/auditor-workflows/api/governance-index/artifacts/api/governance-index/stats/api/governance-index/health/api/governance-index/cross-linksKafka ACL Governance (KACG-GSIFI-WP-017)
/api/kafka-acl-governance/*kafka-acl-governance.html)AGI/ASI Governance Architectures & Frameworks (GAF-GSIFI-WP-017)
/api/governance-architectures-frameworks/*governance-architectures-frameworks.html)gaf-openapi.yaml)Artifacts Delivered (33 total)
Legacy Fixes
/metadataendpoint aliases for all legacy modulesRegression Testing
198/198 endpoints passed across 14 test categories covering all API modules, static artifacts, dashboards, and POST operations.
Summary by CodeRabbit
New Features
Documentation