Decadal Strategic & Technical Plan 2026–2035 (Sentinel v2.4 / Omni-Sentinel Mesh v4.0 / SCP v3.0) (#139)
* docs(governance): consolidated Decadal Strategic & Technical Plan 2026-2035
Authoritative consolidation of Sentinel v2.4 / Omni-Sentinel Mesh v4.0 / SCP v3.0
program. Every technical claim anchored to a runnable, verified in-repo artifact
(11/11 assurance checks green), with A/B/C/D feasibility tiering and an explicit
integrity statement that ASI containment is control discipline, not a safety proof.
Covers: zero-trust TEE architecture (TDX/SEV-SNP + vTPM PCR_MATCH); confidential
enclave deployment + remote attestation; StaR-MoE (SARA+ACR) routing stabilization;
telemetry attestation + G-SRI; PQC WORM (ML-DSA-65/Dilithium/SPHINCS+ + Kafka/S3
Object Lock); zk systemic-risk proofs (Circom/Groth16 -> zk-STARK migration) +
zk-SNARK/zk-STARK relayer pipelines; OSCAL 1.1.2 + OPA/Rego compliance-as-code with
mappings to EU AI Act/Annex IV, NIST AI RMF, ISO/IEC 42001, Basel III/IV, DORA, NIS2,
GDPR Art.22, MAS/HKMA FEAT, FCA SMCR, ECOA, ICGC/GASO; TLA+ SentinelContainmentProtocol
+ SIP v3.0 invariants; HSM + Terraform multi-region enclaves; GIEN/SIP v3.0 federated
collective defense; security-review patterns (Solidity/OPA/React); 24h monitor +
integrity checks; zkML transition-validity; OmegaActual dead-man's switch; DevSecOps/
GitOps (ArgoCD/Flux); 6-month 2028 G-SIFI pilot; supervisory adoption model; KPIs/KRIs;
phased roadmap through 2035 (consistent with roadmap_2026_2035.yaml); verification ledger.
All cross-referenced artifacts confirmed present; roadmap YAML parses (5 phases + 4 ext).
* feat(governance): roadmap phases 5-8 first-class, runnable 2028 pilot gates, close dashboard High findings
- Roadmap YAML: promoted extension entries to first-class segments phase_5..phase_8
(2031-2035), each with feasibility_tier, objectives, exit_criteria, and gating
preconditions for the Tier C/D phases. 9 phases total; YAML parses clean.
- Pilot: governance_artifacts/pilot/run_pilot_acceptance_gates.py operationalizes
decadal-plan section 14 as a runnable checklist. Executes the 6 Tier-A gates
(terraform validate, OPA gates, PQC WORM tamper, containment TLC, zk relayer,
full assurance) and reports 6 Tier-B/hardware gates as PENDING-EVIDENCE with
precise criteria (never faked). Current: 6/6 automated gates PASS. + README.
- Dashboard security: closed DASH-01/02/03/05/08.
* lib/auth/session.ts - HMAC-signed tokens; principal derived server-side only
(Bearer/cookie), constant-time sig check, expiry enforced; canAccessSubject authz.
* lib/http/guard.ts - 16 KiB body cap + safe JSON parse; SSE/log-injection sanitizer.
* consent route: identity bound to authenticated principal (no body userId);
export requires ownership or dpo role (IDOR closed).
* chat stream route: authn + body cap; unauthenticated GET text-gen removed;
moderation 'block' now ENFORCED (suppresses reply); SSE values sanitized.
* intent route: authn + body cap + validation.
* tests rewritten to assert FIXED behaviour: vitest 14/14 pass (11 security + 3 gov).
* DASHBOARD_SECURITY_REVIEW.md status table updated (Resolved/Open).
* My new files typecheck clean (0 TS errors); pre-existing repo TS errors untouched.
- Decadal plan: noted first-class phases 0-8 and the runnable pilot checklist.
Regression: run_runnable_assurance.sh still 11/11 PASS.
* feat(dashboard+ci): close DASH-04/06/07, add login route, wire CI for pilot + dashboard tests
Dashboard security — all 8 findings now resolved (was 5/8):
- DASH-04: app/api/risk/scores returns synthetic:true + DEMO disclaimer so mock
series can't be mistaken for an SR 11-7 model output.
- DASH-06: next.config.js sets CSP + X-Content-Type-Options/X-Frame-Options/
Referrer-Policy/Permissions-Policy/HSTS; middleware.ts + lib/http/rateLimit.ts
add per-client rate limiting (120 req/min) on /api/*.
- DASH-07: consentLedger.ts signs each event hash (HMAC stand-in for the
Dilithium/ML-DSA HSM signer), verifies the chain on export, and FAILS CLOSED on
prevHash read errors (no silent new chain). Also fixed pre-existing invalid
'catch (e: Error)' TypeScript in this file.
- Added app/api/auth/login/route.ts: demo login issuing a signed, HttpOnly,
SameSite=Strict sentinel_session cookie via mintToken (real IdP/OIDC in prod).
- Tests extended to assert the fixes: vitest 19/19 pass (16 security + 3 gov).
New/modified files typecheck clean (0 TS errors).
CI (.github/workflows/runnable-assurance.yml):
- Install solc (contracts) so assurance steps 7 (zk relayer) + 10 (contract
compile) actually run in CI; install Terraform 1.9.8 for the pilot IaC gate.
- Add contract-logic pytest to unit tests.
- Add '2028 pilot acceptance-gate checklist' step (6/6 automated gates).
- Add separate 'dashboard-tests' job running next-app vitest.
- Trigger on governance_blueprint/** and next-app/** too.
Regression: run_runnable_assurance.sh 11/11 PASS; pilot 6/6 automated; vitest 19/19.
* feat(oscal): runnable OSCAL 1.1.2 catalog conformance validator (12th assurance check)
Closes a real compliance-as-code integrity gap: the OSCAL control catalogs
carried machine-readable cross-references (tla-spec / rego-policy / circuit /
simulator props and regime #href links) that nothing verified, and the regime
links were in fact DANGLING (catalogs had no back-matter).
- governance_artifacts/oscal/oscal_conformance.py (new): for every control in
every catalog under oscal/, runs 8 falsifiable checks —
C1 OSCAL 1.1.2 structure (catalog/metadata/groups, id + statement part)
C2 feasibility-tier in {A,B,C,D}
C3 freshness-sla is a valid ISO-8601 duration (or P.../P... retest pair)
C4 tla-spec resolves to a real .tla module (handles Module::label)
C5 rego-policy resolves to a real declared package
C6 circuit logical id resolves via CIRCUIT_REGISTRY to a real .circom file
C7 simulator path exists on disk
C8 every internal #href resolves to a back-matter anchor (no dangling)
--json for machine-readable output; exit non-zero on any failure.
Result on repo catalogs: 43 passed, 0 failed across 2 catalogs.
- Both catalogs: added back-matter resources defining each regime anchor
(EU AI Act Art.12/14/15, DORA ICT-risk/resilience, Basel op-risk, NIST AI RMF
MEASURE, SR 11-7, plus Tier-C/D design fixtures clearly remarked as speculative),
so the previously-dangling regime links now resolve.
- run_runnable_assurance.sh: renumbered to 12 steps; new step 12 runs the
validator. Suite now 12/12 PASS.
- tests/governance/test_governance_artifacts.py: +2 tests — positive (repo
catalogs conform) and negative (a catalog with a dangling href / bad tla-spec /
bad tier / bad SLA fails with exit 1), proving the check is not vacuous.
- CI: unit-test job also runs the OSCAL pytest (-k oscal).
- Docs synced to 12/12: RUNNABLE_ASSURANCE.md (new row 12), DECADAL plan
(verification ledger + counts), pilot checklist P6-REPRO + README.
Tier A (in-repo cross-reference integrity). Does NOT assert the named regimes
are satisfied in production — only that the catalog's claims are internally
consistent and anchored to real, runnable artifacts.
Regression: assurance 12/12 PASS; pilot 6/6 automated PASS; governance pytest 12/12.
* feat(oscal): OSCAL-native Annex IV dossier generator (13th assurance check)
Turns the now-verified OSCAL catalogs + live assurance evidence into an
auto-assembled EU AI Act Annex IV technical-documentation dossier — the
regulator deliverable the compliance-as-code stack was built to produce.
New artifacts:
- governance_artifacts/oscal/annex_iv_section_map.yaml: auditable bridge mapping
each Annex IV section (A-H) to the OSCAL control ids that evidence it, plus a
provider narrative. Control ids must exist in a catalog (no dangling refs).
- governance_artifacts/oscal/generate_annex_iv_dossier.py: assembles an
OSCAL-flavoured JSON dossier + human-readable Markdown. For each section it
resolves controls, pulls statement/tier/SLA/regime-citation/evidence-query,
and attaches LIVE evidence by running each control's backing assurance check
(TLA+ TLC, PQC WORM pytest, zk proof, routing simulator). Honesty model:
* SATISFIED only when a mapped control's runnable check passed in this run;
* PARTIAL when runnable-backed but not green this run;
* PENDING-EVIDENCE for organisational/hardware-dependent evidence (e.g.
env-02 enclave key custody, reported truthfully as n/a organisational).
Refuses to assemble on a non-conformant catalog or an unknown control id.
Embeds an integrity statement: assembly-integrity artifact, NOT a conformity
assessment; does not assert the institution is compliant.
Result on repo: 8/8 sections SATISFIED, catalog conformance 0 failures.
- governance_artifacts/oscal/generated/annex_iv_dossier.{json,md}: sample output.
- governance_artifacts/oscal/README.md: documents the OSCAL tooling + honesty model.
Wired in:
- run_runnable_assurance.sh: renumbered to 13 steps; step 13 verifies the dossier
assembles end-to-end (8 sections A-H, 0 conformance failures). Suite 13/13 PASS.
- tests/governance/test_governance_artifacts.py: +3 tests — all section-map
controls resolve; live-evidence assembly (SATISFIED implies a green check;
integrity statement disclaims conformity); --no-verify never fabricates
SATISFIED. Governance pytest 15/15.
- CI: unit-test job runs '-k "oscal or annex"'; new steps assemble the dossier
with live evidence and upload it as a build artifact (annex-iv-dossier).
- Docs synced to 13/13: RUNNABLE_ASSURANCE.md (new row 13 + count), DECADAL plan
(ledger + counts), pilot P6-REPRO + README.
Tier A (assembly integrity). Regression: assurance 13/13 PASS; pilot 6/6
automated; governance pytest 15/15.
* feat(oscal): multi-framework regulator deliverables — DORA ICT-risk register + NIST AI RMF crosswalk (14th & 15th assurance checks)
One verified OSCAL 1.1.2 catalog (source of truth) -> multiple regulator
deliverables. Extends the round-4 Annex IV dossier generator to two more
frameworks, all assembled from the same conformance-verified catalog + live
re-run evidence.
New shared engine:
- crosswalk_common.py: load_catalogs, CONTROL_EVIDENCE, run_conformance
(refuses to assemble against a non-conformant catalog), EvidenceRunner
(re-runs each control's backing assurance check this run), status_for
(SATISFIED / PARTIAL / PENDING-EVIDENCE), resolve_controls.
New deliverables (Tier A, runnable):
- generate_dora_ict_register.py + dora_framework_map.yaml: DORA
(Reg. (EU) 2022/2554) 5-pillar ICT-risk register. Result 3/5 pillars
SATISFIED; P4 (third-party) and P5 (info-sharing) reported as HONEST
coverage gaps (is_coverage_gap=true, PENDING-EVIDENCE), not hidden.
- generate_nist_rmf_crosswalk.py + nist_ai_rmf_map.yaml: NIST AI RMF 1.0
4-function (GOVERN/MAP/MEASURE/MANAGE) crosswalk with per-function
coverage analysis. Result 4/4 functions SATISFIED (100%).
- generated/{dora_ict_register,nist_ai_rmf_crosswalk}.{json,md} samples.
Honesty guarantees (preserved): each generator embeds an integrity_statement
('not a DORA conformity attestation' / 'not a certification'); both refuse a
non-conformant catalog and raise on unknown control ids (falsifiable —
negative tests confirm exit 1).
Wiring:
- run_runnable_assurance.sh: 13 -> 15 steps (14=DORA, 15=NIST), using
--no-verify --print piped to inline python validators.
- tests/governance: +3 tests (18 total): DORA gaps reported, NIST full
coverage with live evidence, and --no-verify does not fabricate SATISFIED.
- CI: pytest selector adds dora/nist/crosswalk; assembles all 3 deliverables
and uploads them as the 'regulator-deliverables' artifact.
Docs synced: RUNNABLE_ASSURANCE.md (rows 14-15, thirteen->fifteen), DECADAL
plan (13/13 -> 15/15 + 2 verification-ledger rows), pilot P6-REPRO 15/15,
oscal/README.md.
Verification (this commit):
- bash governance_artifacts/run_runnable_assurance.sh -> 15/15 PASS
- pytest tests/governance/test_governance_artifacts.py -> 18 passed
- pilot acceptance gates -> 6/6 automated PASS (P6-REPRO 15/15)
- DORA 3/5 SATISFIED (P4/P5 gaps); NIST 4/4 SATISFIED (100%);
catalog conformance 0 failures for both.
* feat(packaging): verified distribution-bundle packager — finalize, package & distribute the stack (16th assurance check)
Adds the 'finalize, package, and distribute' step the stack has been building
toward: instead of asserting regulator-readiness in prose, this PRODUCES an
auditable, tamper-evident distribution bundle whose contents are exactly the
artifacts that passed THIS run.
New tool — governance_artifacts/package_distribution_bundle.py:
- Re-runs the 3 OSCAL-native regulator-deliverable generators with LIVE
evidence (Annex IV dossier, DORA ICT-risk register, NIST AI RMF crosswalk).
- Collects all 6 deliverable artifacts (JSON+MD) into governance_artifacts/dist/.
- Emits MANIFEST.json: per-artifact SHA-256 + byte size, the live
SATISFIED/PARTIAL/PENDING-EVIDENCE status per unit, declared coverage gaps,
and a single bundle_sha256 = SHA-256 over the sorted per-artifact digests
(whole-bundle tamper evidence).
- Writes a regulator-facing DISTRIBUTION_README.md + a guided
EXECUTION_CHECKLIST.md (command-by-command independent reproduction).
- --with-suite runs the full runnable-assurance suite and gates on it.
Honesty guarantees (falsifiable):
- REFUSES to package (exit 1) if any deliverable reports a catalog-conformance
failure — verified by a negative test (monkeypatched conformance failure).
- bundle_sha256 recomputes from the per-artifact digests (verified in suite + test).
- Coverage gaps (DORA P4/P5) are reported, never inflated to SATISFIED.
- Explicitly an assembly-integrity + reproducibility bundle, NOT a conformity
assessment, certification, or safety proof; ASI containment is a control
discipline, not a guarantee.
Result this run: 6 artifacts across 3 deliverables; 15/17 units SATISFIED;
2 declared gaps (DORA P4/P5); all catalogs conformant.
Wiring:
- run_runnable_assurance.sh: 15 -> 16 steps (step 16 packages the bundle,
--no-regenerate --print, asserts 3 deliverables / 6 artifacts / digest
recomputes / all conformant).
- tests/governance: +3 tests -> 21 total (manifest tamper-evidence, DORA gaps
not hidden, refuses non-conformant deliverable).
- CI: pytest selector adds 'bundle'; packages bundle with --with-suite and
uploads it as the 'distribution-bundle' artifact (dist/ stays gitignored —
fully reproducible output).
Docs synced: RUNNABLE_ASSURANCE.md (row 16, fifteen->sixteen), DECADAL plan
(15/15 -> 16/16 + verification-ledger row), pilot P6-REPRO 16/16,
governance_artifacts/README.md (package & distribute section), oscal/README.md.
Verification (this commit):
- bash governance_artifacts/run_runnable_assurance.sh -> 16/16 PASS
- pytest tests/governance/test_governance_artifacts.py -> 21 passed
- pilot acceptance gates -> 6/6 automated PASS (P6-REPRO 16/16)
* fix(packaging): make distribution bundle deterministically reproducible (content_digest)
Closes a real honesty gap in the round-6 packager: the EXECUTION_CHECKLIST
claimed the bundle digest "matches the value above (timestamps aside)", but
bundle_sha256 in fact changed on EVERY regeneration because each deliverable
embeds a fresh generated_at timestamp. A supervisor following the checklist
would get a different digest each run, undermining the reproducibility claim.
Root cause (verified): the ONLY non-deterministic content in a deliverable is
the ISO-8601 generated_at instant (JSON "generated_at" + Markdown
**Generated:**). All live evidence and everything else is byte-stable.
Fix - two distinct digests, each with a clear purpose:
- bundle_sha256 (provenance / tamper-evidence): SHA-256 over the sorted
per-artifact BYTE digests. Pins THIS exact build; changes each run. Use to
detect tampering with a specific distributed bundle.
- content_digest (reproducibility): SHA-256 over the sorted per-artifact
digests with embedded ISO-8601 instants normalized to a fixed sentinel.
Depends only on the catalog + live-evidence state, so an independent party
who re-runs the generators derives the SAME value. VERIFIED stable across 3+
regenerations (f6fa38c7...) while bundle_sha256 varies.
Each artifact entry now carries both sha256 and content_sha256.
Honesty wording corrected:
- DISTRIBUTION_README.md: new 'Two digests, two purposes' section.
- EXECUTION_CHECKLIST.md: step 4 now says compare the CONTENT digest (stable),
not bundle_sha256; step 5 adds a runnable standalone command to recompute an
artifact's content_sha256 (verified to match the manifest).
Wiring:
- run_runnable_assurance.sh step 16: now asserts BOTH digests recompute and
that they are distinct.
- tests/governance: +2 tests -> 23 total: content_digest reproducible across
regenerations + recomputes; timestamp normalization changes byte digest only
(falsifiable - a real content change still moves the normalized digest).
- RUNNABLE_ASSURANCE.md row 16, governance_artifacts/README.md, DECADAL ledger
row updated to document the two-digest model.
Verification (this commit):
- bash governance_artifacts/run_runnable_assurance.sh -> 16/16 PASS
- pytest tests/governance/test_governance_artifacts.py -> 23 passed
- pilot acceptance gates -> 6/6 automated PASS
- content_digest stable across 3 regenerations; bundle_sha256 varies as intended
* feat(assurance): recipient-side bundle verifier + detached ML-DSA-65 manifest signing (17th assurance check)
Closes the trust gap left by the round-6/7 packager: a bundle recipient
previously had to trust the packager's own digest arithmetic. This adds the
missing recipient-side half of the distribution story.
New tool — governance_artifacts/verify_distribution_bundle.py:
- Standalone and deliberately INDEPENDENT: stdlib-only (optional
dilithium-py only for the signature branch) and never imports the
packager — the digest rules (byte SHA-256, timestamp-normalized content
SHA-256, sorted-digest bundle digests) are re-implemented from scratch so
a bug or backdoor in the packager cannot vouch for itself (enforced by an
AST-based test).
- 10 named, falsifiable checks: manifest-parse, artifact-presence,
artifact-byte-digest, artifact-content-digest, bundle-digest-recompute,
content-digest-recompute, digests-distinct, summary-consistency,
conformance-claims, signature.
- summary-consistency recomputes the manifest's claimed unit counts /
coverage gaps / conformance from the bundled deliverable JSONs
themselves — a manifest that inflates units_satisfied or hides a DORA
P4/P5 gap FAILS even if every digest still recomputes.
- Exit 0 iff every executed check passes; missing dilithium-py reports the
signature check SKIPPED (never silently passed); --require-signature
turns absence/skip into FAIL.
Packager — package_distribution_bundle.py --sign / --signing-key:
- Emits a detached ML-DSA-65 (FIPS 204) MANIFEST.sig.json over the EXACT
MANIFEST.json bytes, embedding the public key + its SHA-256 fingerprint.
- Honest key semantics: --signing-key FILE persists one signing identity
(0600) so fingerprints are stable across bundles; without it the key is
EPHEMERAL and the signature file says so (key_persistence) — it then
proves integrity-since-packaging, not identity. Identity always requires
an out-of-band fingerprint comparison (stated in the artifact).
Wiring:
- run_runnable_assurance.sh: 16 -> 17 steps. Step 17 packages a signed
bundle and verifies it with the independent verifier in strict
--require-signature mode, asserting all 10 checks PASS.
- Generated DISTRIBUTION_README.md + EXECUTION_CHECKLIST.md now include a
'verify as received' section / step 6 for the recipient.
- RUNNABLE_ASSURANCE.md: row 17 documented.
- Refreshed generated OSCAL deliverables from the final suite run.
Tamper negatives (all verified by tests, 30/30 governance tests pass):
- Artifact byte edit -> artifact-byte-digest + artifact-content-digest FAIL.
- Forged manifest claims (inflated SATISFIED, hidden gaps) ->
summary-consistency FAILs (and the signature breaks).
- Single-byte whitespace change to MANIFEST.json with digests intact ->
ONLY the ML-DSA-65 signature check fails (precise localization).
- --require-signature on an unsigned bundle -> FAILED with explicit error.
- Persistent-key double-signing -> identical public-key fingerprints; both
bundles VERIFIED in strict mode.
Full suite result: 17/17 runnable assurance checks PASS.
* feat(assurance): evidence freshness-SLA gate — catalog SLAs enforced against a digest-protected ledger (18th assurance check)
The OSCAL catalogs declare per-control freshness-sla props (env-01 PT5M,
cry-02/rte-01 P1D, con-07 P7D, cry-05 P3M, con-04 P1D/P90D) but check C3
only validated their FORMAT — nothing recorded when evidence was produced
and nothing failed when it went stale. The SLA was prose. This makes it
enforced.
New tool — governance_artifacts/check_evidence_freshness.py:
- --run executes every control's mapped runnable assurance check using the
SAME single-source-of-truth CONTROL_EVIDENCE map the regulator deliverable
generators use (no parallel drift-prone map) and writes a freshness ledger
(oscal/generated/evidence_freshness_ledger.json) recording pass/fail, the
UTC instant evidence was produced, and duration. Entries are protected by
a SHA-256 ledger digest over the canonical entries JSON.
- --audit enforces each catalog-declared SLA against those instants with
named, falsifiable checks: ledger-digest, evidence-recorded,
evidence-passed, evidence-fresh. Per-control statuses: FRESH / STALE /
FAILED / NOT-RECORDED / FUTURE-DATED / SLA-MISSING / SLA-MALFORMED /
NOT-RUNNABLE. Exit 0 iff every runnable control is recorded, passed and
fresh with an intact digest.
- Honest semantics: organisational-evidence controls (env-02) are disclosed
NOT-RUNNABLE, never counted fresh and never silently passed; a failed
check is never fresh; future-dated evidence (forged timestamp/clock skew)
fails; a missing ledger fails, never passes vacuously. Stated conversion
convention (1M=30d, 1Y=365d; compound P1D/P90D enforces the first period)
so audits are reproducible. The ledger digest detects casual edits, is
NOT a signature — pair with the ML-DSA-65-signed bundle (checks 16/17)
for signed provenance. --as-of enables reproducible point-in-time audits.
Wiring:
- run_runnable_assurance.sh: 17 -> 18 steps. Step 18 runs --run --audit
--print and asserts PASS, intact digest, zero failing controls, all
runnable controls FRESH, and >=1 organisational control disclosed.
- RUNNABLE_ASSURANCE.md: row 18 documents the gate and its honesty limits.
Tests (tests/governance/test_governance_artifacts.py — round 8, +7):
- SLA parser conventions (PT5M=300s, P3M=90d, P1D/P90D first period;
malformed P/PT/5M/P-1D/'' rejected).
- Fresh synthetic ledger -> PASS with env-02 disclosed NOT-RUNNABLE.
- Auditing 10 min later flips env-01 (PT5M) STALE and fails the gate while
cry-05 (P3M) stays FRESH — SLA granularity actually matters.
- Timestamp edit without re-digesting -> ledger-digest MISMATCH -> FAIL.
- passed=false is never FRESH; future-dated evidence FAILs; a control
missing from the ledger is NOT-RECORDED; missing ledger file FAILs.
- Single-source-of-truth check: every runnable CONTROL_EVIDENCE control
with a declared SLA is covered by the committed ledger.
Full suite result: 18/18 runnable assurance checks PASS; 37/37 governance
tests PASS.