hermes/steev
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
91d4e7f08bdd85d8bde300da8c10008da1c6a79a
steev/tools/validate_steev_child.py
T

262 lines
11 KiB
Python
Executable File
Raw Blame History

#!/usr/bin/env python3
"""Validate the Steev-named personal-agent profile distribution."""
from __future__ import annotations
import json
from pathlib import Path
import yaml
ROOT = Path(__file__).resolve().parents[1]
REQUIRED = [
"AGENTS.md",
"README.md",
"WORKBOARD.yaml",
"manifest.yaml",
"AGENT.md",
"CONTRACT.md",
"DISCLOSURE.md",
"docs/STEEV-MASTER.md",
"docs/contracts/personal-agent-profile-surface-contract.json",
"docs/contracts/personal-agent-bluebubbles-binding.json",
"docs/prd/2026-06-14-personal-agent-context-runtime-prd.md",
"docs/issues/2026-06-14-personal-agent-context-runtime-work-orders.md",
"docs/supersession/2026-06-14-personal-agent-context-runtime-supersession-register.md",
]
REQUIRED_SURFACES = {
"imessage.read",
"mail.read",
"mail.draft",
"mail.send_with_confirmation",
"calendar.read",
"calendar.propose_event",
"calendar.write_with_confirmation",
"contacts.read",
"contacts.write_with_confirmation",
"drive.read",
"drive.write_with_confirmation",
"browser.host_runtime.full_control",
}
REQUIRED_REDACTION_TERMS = {
"raw_messages",
"mail_bodies",
"contact_details",
"calendar_event_details",
"drive_file_names",
"endpoint_payloads",
"credentials",
"cookies",
"keychain_values",
"password_manager_values",
"secret_values",
}
def read_text(rel: str) -> str:
return (ROOT / rel).read_text(encoding="utf-8")
def load_contract(errors: list[str]) -> dict:
return load_json("docs/contracts/personal-agent-profile-surface-contract.json", errors)
def load_json(rel: str, errors: list[str]) -> dict:
path = ROOT / rel
if not path.exists():
return {}
try:
return json.loads(path.read_text(encoding="utf-8"))
except json.JSONDecodeError as exc:
errors.append(f"json_invalid:{rel}:{exc.lineno}:{exc.colno}")
return {}
def main() -> int:
errors: list[str] = []
for rel in REQUIRED:
if not (ROOT / rel).exists():
errors.append(f"missing:{rel}")
board = ROOT / "WORKBOARD.yaml"
if board.exists():
text = board.read_text(encoding="utf-8")
for snippet in ["STEEV-WORK-001", "PACR-001", "PACR-002", "PACR-003", "status: candidate", "owner: jp"]:
if snippet not in text:
errors.append(f"workboard_missing:{snippet}")
agents = ROOT / "AGENTS.md"
if agents.exists():
text = agents.read_text(encoding="utf-8")
for snippet in ["child-local", "not Cortex OS Core authority", "python3 tools/validate_steev_child.py"]:
if snippet not in text:
errors.append(f"agents_missing:{snippet}")
manifest = ROOT / "manifest.yaml"
if manifest.exists():
data = yaml.safe_load(manifest.read_text(encoding="utf-8")) or {}
if data.get("profile_identity") != "personal-agent":
errors.append("manifest_profile_identity_not_personal_agent")
if data.get("display_name") != "Steev":
errors.append("manifest_display_name_not_steev")
if data.get("profile") != "steev":
errors.append("manifest_distribution_alias_not_steev")
contract = load_contract(errors)
if contract:
if contract.get("profile_identity") != "personal-agent":
errors.append("contract_profile_identity_not_personal_agent")
if contract.get("display_name") != "Steev":
errors.append("contract_display_name_not_steev")
if contract.get("distribution_alias") != "steev":
errors.append("contract_distribution_alias_not_steev")
memory = contract.get("memory_policy", {})
if memory.get("allowed_target") != "secondbrain-personal":
errors.append("contract_memory_allowed_target_not_secondbrain_personal")
if "orgbrain" not in memory.get("forbidden_targets", []):
errors.append("contract_memory_orgbrain_not_forbidden")
if "proposal-only" not in memory.get("durable_write_policy", ""):
errors.append("contract_memory_not_proposal_only")
credential = contract.get("credential_policy", {})
if credential.get("mode") != "keyvault-reference-names-only":
errors.append("contract_credential_policy_not_keyvault_refs_only")
redaction = set(contract.get("proof_redaction_policy", {}).get("forbidden_in_core_or_proof", []))
missing_redaction = sorted(REQUIRED_REDACTION_TERMS - redaction)
if missing_redaction:
errors.append(f"contract_redaction_missing:{','.join(missing_redaction)}")
states = set(contract.get("readiness_states", []))
for state in ["ready", "degraded", "pending", "blocked", "disabled"]:
if state not in states:
errors.append(f"contract_readiness_state_missing:{state}")
surfaces = contract.get("surfaces", [])
surface_names = {surface.get("name") for surface in surfaces}
missing_surfaces = sorted(REQUIRED_SURFACES - surface_names)
if missing_surfaces:
errors.append(f"contract_surfaces_missing:{','.join(missing_surfaces)}")
for surface in surfaces:
name = surface.get("name", "<unknown>")
if not surface.get("capability_package"):
errors.append(f"surface_missing_capability_package:{name}")
if not isinstance(surface.get("allowed_effects"), list):
errors.append(f"surface_allowed_effects_not_list:{name}")
denied = surface.get("denied_effects")
if not isinstance(denied, list):
errors.append(f"surface_denied_effects_not_list:{name}")
elif "orgbrain_write" not in denied:
errors.append(f"surface_orgbrain_write_not_denied:{name}")
if not surface.get("confirmation"):
errors.append(f"surface_missing_confirmation_policy:{name}")
binding = load_json("docs/contracts/personal-agent-bluebubbles-binding.json", errors)
if binding:
if binding.get("profile_identity") != "personal-agent":
errors.append("bluebubbles_binding_profile_identity_not_personal_agent")
if binding.get("surface") != "imessage.read":
errors.append("bluebubbles_binding_surface_not_imessage_read")
package = binding.get("capability_package", {})
if package.get("id") != "bluebubbles":
errors.append("bluebubbles_binding_package_not_bluebubbles")
if package.get("package_surface") != "bluebubbles.imessage.readonly":
errors.append("bluebubbles_binding_package_surface_not_readonly")
if package.get("live_connector") != "hermes-agent":
errors.append("bluebubbles_binding_live_connector_not_hermes")
if package.get("profile_local_connector_allowed") is not False:
errors.append("bluebubbles_binding_profile_local_connector_not_denied")
if package.get("duplicate_connector_allowed") is not False:
errors.append("bluebubbles_binding_duplicate_connector_not_denied")
policy = binding.get("binding_policy", {})
for key in [
"profile_consumes_package",
"package_owns_runtime_wrapper",
"package_owns_readonly_adapter",
"package_owns_redacted_health",
"package_owns_seed_candidate",
"profile_owns_surface_exposure",
]:
if policy.get(key) is not True:
errors.append(f"bluebubbles_binding_policy_not_true:{key}")
if policy.get("profile_runtime_readiness_claimed") is not False:
errors.append("bluebubbles_binding_profile_runtime_readiness_claimed")
memory = binding.get("memory_policy", {})
if memory.get("target") != "secondbrain-personal":
errors.append("bluebubbles_binding_memory_target_not_secondbrain_personal")
if "orgbrain" not in memory.get("forbidden", []):
errors.append("bluebubbles_binding_orgbrain_not_forbidden")
if "proposal-only" not in memory.get("durable_write_policy", ""):
errors.append("bluebubbles_binding_memory_not_proposal_only")
denied = set(binding.get("denied_effects", []))
for effect in [
"send_message",
"read_receipt",
"mark_read",
"attachment_content_download",
"secondbrain_durable_write",
"orgbrain_write",
"browser_full_control",
]:
if effect not in denied:
errors.append(f"bluebubbles_binding_denied_effect_missing:{effect}")
forbidden_fields = set(binding.get("proof_policy", {}).get("forbidden_fields", []))
for field in ["raw_messages", "message_text", "endpoint_payloads", "credentials", "secret_values"]:
if field not in forbidden_fields:
errors.append(f"bluebubbles_binding_forbidden_field_missing:{field}")
evidence = binding.get("bluebubbles_package_evidence", {})
if evidence.get("validator_command") != "python3 tools/validate_bluebubbles_child.py":
errors.append("bluebubbles_binding_validator_command_missing")
if evidence.get("validator_result_observed") != "ok":
errors.append("bluebubbles_binding_validator_result_not_ok")
if evidence.get("runtime_claims_from_validator") is not False:
errors.append("bluebubbles_binding_runtime_claims_not_false")
refs = set(evidence.get("referenced_artifacts", []))
for ref in [
"contracts/personal-agent-imessage-readonly-contract.json",
"contracts/runtime-compliance-boundary.json",
"contracts/secondbrain-proposal-envelope-contract.json",
]:
if ref not in refs:
errors.append(f"bluebubbles_binding_reference_missing:{ref}")
for rel in ["AGENT.md", "CONTRACT.md", "DISCLOSURE.md", "README.md", "docs/STEEV-MASTER.md"]:
path = ROOT / rel
if not path.exists():
continue
text = path.read_text(encoding="utf-8")
if "personal-agent" not in text:
errors.append(f"visible_personal_agent_note_missing:{rel}")
if "display name" not in text and "display/distribution alias" not in text:
errors.append(f"visible_display_alias_note_missing:{rel}")
supersession = ROOT / "docs/supersession/2026-06-14-personal-agent-context-runtime-supersession-register.md"
if supersession.exists():
text = supersession.read_text(encoding="utf-8")
for snippet in [
"active-authority",
"active-alias",
"active-capability-package",
"Personal-agent BlueBubbles binding",
"superseded",
"legacy-reference",
"blocked-follow-up",
"secondbrain-personal",
"`orgbrain` as denied",
"PACR-010",
]:
if snippet not in text:
errors.append(f"supersession_missing:{snippet}")
for stale in ["SPCR-", "steev-personal-context-runtime"]:
if stale in text:
errors.append(f"supersession_stale_reference:{stale}")
result = {
"ok": not errors,
"validator": "personal-agent-profile-distribution-v2",
"checked": REQUIRED,
"errors": errors,
"warnings": [],
}
print(json.dumps(result, indent=2, sort_keys=True))
return 0 if result["ok"] else 1
if __name__ == "__main__":
raise SystemExit(main())
Reference in New Issue View Git Blame Copy Permalink