master
96d52884e8
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented PolicyDslValidator with command-line options for strict mode and JSON output. - Created PolicySchemaExporter to generate JSON schemas for policy-related models. - Developed PolicySimulationSmoke tool to validate policy simulations against expected outcomes. - Added project files and necessary dependencies for each tool. - Ensured proper error handling and usage instructions across tools.
1.3 KiB
1.3 KiB
Aggregation-Only Contract (AOC) Guardrails
The Aggregation-Only Contract keeps ingestion services deterministic and policy-neutral. Use these checkpoints whenever you add or modify backlog items:
- Ingestion writes raw facts only. Concelier and Excititor append immutable observations/linksets. No precedence, severity, suppression, or "safe fix" hints may be computed at ingest time.
- Derived semantics live elsewhere. Policy Engine overlays, Vuln Explorer composition, and downstream reporting layers attach severity, precedence, policy verdicts, and UI hints.
- Provenance is mandatory. Every ingestion write must include original source metadata, digests, and signing/provenance evidence when available. Reject writes lacking provenance.
- Deterministic outputs. Given the same inputs, ingestion must produce identical documents, hashes, and event payloads across reruns.
- Guardrails everywhere. Roslyn analyzers, schema validators, and CI smoke tests should fail builds that attempt forbidden writes.
For detailed roles and ownership boundaries, see AGENTS.md at the repo root and the module-specific ARCHITECTURE_*.md dossiers.
Need the full contract? Read the Aggregation-Only Contract reference for schemas, error codes, and migration guidance.