Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(capability): Master Capability Registry v0 (Phase 2C, Compliance Execution domain)

Browse Source 
Third instance of the identity-machine pattern (after Master Controls and Master
Obligations). New compliance/capability/ package: MasterCapability with stable MCAP
ids, CapabilityCandidate minting, seven typed relation types, a VERSIONED derivation
policy, and identity lifecycle (merge/split/deprecate/redirect with provenance).

Stored: identities, sources, relationship types, policy versions, lifecycle events,
provenance. Derived (never stored): confidence/status via evaluate_relation under a
policy version. Hard rule (structurally guarded): a certification alone can never
yield CONFIRMED — only CONFIRMS + concrete artifact (or expert) does.

Built from the Reasoning session per user directive but this IS the Compliance
Execution model (Execution owns Capability) — handed off via the board. Metadata-first:
CapabilityRelation is registry metadata, NOT a new meta-model class (freeze v1.0
untouched). No Company-Gap, no real ISO/cert mappings, no UI/RAG, no generic
canonicalization engine. 11 tests; mypy --strict clean; LOC ok.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-26 21:35:12 +02:00
parent 7eb7f61483
commit 6ccc6c87c1
5 changed files with 629 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/compliance/capability/policy.py
+65
View File
@@ -0,0 +1,65 @@
"""Derivation policy v0 for the Master Capability Registry.
Confidence + status are DERIVED from (relationship_type, evidence_kind) under a
versioned policy — never stored. HARD RULE baked in and structurally guarded: a
CERTIFICATION is a claim, never proof — no certification-backed rule may yield
CONFIRMED. CONFIRMED requires a CONFIRMS relation backed by a concrete ARTIFACT
(or an EXPERT assertion).
Python 3.9 compatible (no `|` unions).
"""
from __future__ import annotations
from .schemas import (
AssertionStatus,
Confidence,
EvidenceKind,
PolicyRule,
PolicyVersion,
RelationType,
)
def _rule(rt: RelationType, ek: EvidenceKind, st: AssertionStatus, cf: Confidence) -> PolicyRule:
return PolicyRule(relationship_type=rt, evidence_kind=ek, status=st, confidence=cf)
# (relationship_type, evidence_kind) -> (status, confidence)
_V0_RULES = [
# concrete artifact / expert confirming the capability -> CONFIRMED
_rule(RelationType.CONFIRMS, EvidenceKind.ARTIFACT, AssertionStatus.CONFIRMED, Confidence.HIGH),
_rule(RelationType.CONFIRMS, EvidenceKind.EXPERT, AssertionStatus.CONFIRMED, Confidence.MEDIUM),
# equivalent capability — certificate or artifact behind it -> INFERRED (never confirmed)
_rule(RelationType.EQUIVALENT, EvidenceKind.CERTIFICATION, AssertionStatus.INFERRED, Confidence.HIGH),
_rule(RelationType.EQUIVALENT, EvidenceKind.ARTIFACT, AssertionStatus.INFERRED, Confidence.HIGH),
# supports — weaker
_rule(RelationType.SUPPORTS, EvidenceKind.CERTIFICATION, AssertionStatus.INFERRED, Confidence.LOW),
_rule(RelationType.SUPPORTS, EvidenceKind.ARTIFACT, AssertionStatus.INFERRED, Confidence.MEDIUM),
# requires = an obligation NEEDS the capability (relevance, not possession)
_rule(RelationType.REQUIRES, EvidenceKind.NONE, AssertionStatus.UNKNOWN, Confidence.LOW),
# broader/narrower certificate -> weak inference
_rule(RelationType.BROADER_THAN, EvidenceKind.CERTIFICATION, AssertionStatus.INFERRED, Confidence.LOW),
_rule(RelationType.NARROWER_THAN, EvidenceKind.CERTIFICATION, AssertionStatus.INFERRED, Confidence.LOW),
_rule(RelationType.RELATED_TO, EvidenceKind.CERTIFICATION, AssertionStatus.UNKNOWN, Confidence.LOW),
]
DEFAULT_POLICY = PolicyVersion(
policy_version="capability-policy-v0",
description="v0: certification never yields CONFIRMED; only CONFIRMS + ARTIFACT/EXPERT does.",
rules=_V0_RULES,
)
def assert_no_certification_confirms(policy: PolicyVersion) -> None:
"""Structural guard for the hard rule: no CERTIFICATION-backed rule is CONFIRMED."""
for r in policy.rules:
if r.evidence_kind == EvidenceKind.CERTIFICATION and r.status == AssertionStatus.CONFIRMED:
raise ValueError(
"policy %s violates hard rule: certification -> confirmed (%s)"
% (policy.policy_version, r.relationship_type.value)
)
# fail fast at import: the shipped default must satisfy the hard rule
assert_no_certification_confirms(DEFAULT_POLICY)