Svrnty
455 lines
22 KiB
Python
Executable File
455 lines
22 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
"""Validate the Steev-named personal-agent profile distribution."""
|
|
from __future__ import annotations
|
|
|
|
import json
|
|
from pathlib import Path
|
|
|
|
import yaml
|
|
|
|
ROOT = Path(__file__).resolve().parents[1]
|
|
REQUIRED = [
|
|
"AGENTS.md",
|
|
"README.md",
|
|
"WORKBOARD.yaml",
|
|
"manifest.yaml",
|
|
"AGENT.md",
|
|
"CONTRACT.md",
|
|
"DISCLOSURE.md",
|
|
"docs/STEEV-MASTER.md",
|
|
"docs/contracts/personal-agent-profile-surface-contract.json",
|
|
"docs/contracts/personal-agent-bluebubbles-binding.json",
|
|
"docs/contracts/personal-agent-proton-rclone-package.json",
|
|
"docs/prd/2026-06-14-personal-agent-context-runtime-prd.md",
|
|
"docs/issues/2026-06-14-personal-agent-context-runtime-work-orders.md",
|
|
"docs/supersession/2026-06-14-personal-agent-context-runtime-supersession-register.md",
|
|
]
|
|
|
|
REQUIRED_SURFACES = {
|
|
"imessage.read",
|
|
"mail.read",
|
|
"mail.draft",
|
|
"mail.send_with_confirmation",
|
|
"calendar.read",
|
|
"calendar.propose_event",
|
|
"calendar.write_with_confirmation",
|
|
"contacts.read",
|
|
"contacts.write_with_confirmation",
|
|
"drive.read",
|
|
"drive.write_with_confirmation",
|
|
"browser.host_runtime.full_control",
|
|
}
|
|
|
|
REQUIRED_REDACTION_TERMS = {
|
|
"raw_messages",
|
|
"mail_bodies",
|
|
"contact_details",
|
|
"calendar_event_details",
|
|
"drive_file_names",
|
|
"endpoint_payloads",
|
|
"credentials",
|
|
"cookies",
|
|
"keychain_values",
|
|
"password_manager_values",
|
|
"secret_values",
|
|
}
|
|
|
|
REQUIRED_PROTON_RCLONE_SURFACES = {
|
|
"mail.read",
|
|
"mail.draft",
|
|
"mail.send_with_confirmation",
|
|
"calendar.read",
|
|
"calendar.propose_event",
|
|
"calendar.write_with_confirmation",
|
|
"contacts.read",
|
|
"contacts.write_with_confirmation",
|
|
"drive.read",
|
|
"drive.write_with_confirmation",
|
|
}
|
|
|
|
REQUIRED_PROTON_RCLONE_DENIED_EFFECTS = {
|
|
"send_without_confirmation",
|
|
"calendar_write_without_confirmation",
|
|
"contact_mutation_without_confirmation",
|
|
"drive_delete",
|
|
"orgbrain_write",
|
|
}
|
|
|
|
|
|
def read_text(rel: str) -> str:
|
|
return (ROOT / rel).read_text(encoding="utf-8")
|
|
|
|
|
|
def load_contract(errors: list[str]) -> dict:
|
|
return load_json("docs/contracts/personal-agent-profile-surface-contract.json", errors)
|
|
|
|
|
|
def load_json(rel: str, errors: list[str]) -> dict:
|
|
path = ROOT / rel
|
|
if not path.exists():
|
|
return {}
|
|
try:
|
|
return json.loads(path.read_text(encoding="utf-8"))
|
|
except json.JSONDecodeError as exc:
|
|
errors.append(f"json_invalid:{rel}:{exc.lineno}:{exc.colno}")
|
|
return {}
|
|
|
|
|
|
def main() -> int:
|
|
errors: list[str] = []
|
|
for rel in REQUIRED:
|
|
if not (ROOT / rel).exists():
|
|
errors.append(f"missing:{rel}")
|
|
board = ROOT / "WORKBOARD.yaml"
|
|
if board.exists():
|
|
text = board.read_text(encoding="utf-8")
|
|
for snippet in [
|
|
"STEEV-WORK-001",
|
|
"PACR-001",
|
|
"PACR-002",
|
|
"PACR-003",
|
|
"PACR-004",
|
|
"status: candidate",
|
|
"owner: jp",
|
|
]:
|
|
if snippet not in text:
|
|
errors.append(f"workboard_missing:{snippet}")
|
|
agents = ROOT / "AGENTS.md"
|
|
if agents.exists():
|
|
text = agents.read_text(encoding="utf-8")
|
|
for snippet in ["child-local", "not Cortex OS Core authority", "python3 tools/validate_steev_child.py"]:
|
|
if snippet not in text:
|
|
errors.append(f"agents_missing:{snippet}")
|
|
|
|
manifest = ROOT / "manifest.yaml"
|
|
if manifest.exists():
|
|
data = yaml.safe_load(manifest.read_text(encoding="utf-8")) or {}
|
|
if data.get("profile_identity") != "personal-agent":
|
|
errors.append("manifest_profile_identity_not_personal_agent")
|
|
if data.get("display_name") != "Steev":
|
|
errors.append("manifest_display_name_not_steev")
|
|
if data.get("profile") != "steev":
|
|
errors.append("manifest_distribution_alias_not_steev")
|
|
|
|
contract = load_contract(errors)
|
|
if contract:
|
|
if contract.get("profile_identity") != "personal-agent":
|
|
errors.append("contract_profile_identity_not_personal_agent")
|
|
if contract.get("display_name") != "Steev":
|
|
errors.append("contract_display_name_not_steev")
|
|
if contract.get("distribution_alias") != "steev":
|
|
errors.append("contract_distribution_alias_not_steev")
|
|
memory = contract.get("memory_policy", {})
|
|
if memory.get("allowed_target") != "secondbrain-personal":
|
|
errors.append("contract_memory_allowed_target_not_secondbrain_personal")
|
|
if "orgbrain" not in memory.get("forbidden_targets", []):
|
|
errors.append("contract_memory_orgbrain_not_forbidden")
|
|
if "proposal-only" not in memory.get("durable_write_policy", ""):
|
|
errors.append("contract_memory_not_proposal_only")
|
|
credential = contract.get("credential_policy", {})
|
|
if credential.get("mode") != "keyvault-reference-names-only":
|
|
errors.append("contract_credential_policy_not_keyvault_refs_only")
|
|
redaction = set(contract.get("proof_redaction_policy", {}).get("forbidden_in_core_or_proof", []))
|
|
missing_redaction = sorted(REQUIRED_REDACTION_TERMS - redaction)
|
|
if missing_redaction:
|
|
errors.append(f"contract_redaction_missing:{','.join(missing_redaction)}")
|
|
states = set(contract.get("readiness_states", []))
|
|
for state in ["ready", "degraded", "pending", "blocked", "disabled"]:
|
|
if state not in states:
|
|
errors.append(f"contract_readiness_state_missing:{state}")
|
|
surfaces = contract.get("surfaces", [])
|
|
surface_names = {surface.get("name") for surface in surfaces}
|
|
missing_surfaces = sorted(REQUIRED_SURFACES - surface_names)
|
|
if missing_surfaces:
|
|
errors.append(f"contract_surfaces_missing:{','.join(missing_surfaces)}")
|
|
for surface in surfaces:
|
|
name = surface.get("name", "<unknown>")
|
|
if not surface.get("capability_package"):
|
|
errors.append(f"surface_missing_capability_package:{name}")
|
|
if not isinstance(surface.get("allowed_effects"), list):
|
|
errors.append(f"surface_allowed_effects_not_list:{name}")
|
|
denied = surface.get("denied_effects")
|
|
if not isinstance(denied, list):
|
|
errors.append(f"surface_denied_effects_not_list:{name}")
|
|
elif "orgbrain_write" not in denied:
|
|
errors.append(f"surface_orgbrain_write_not_denied:{name}")
|
|
if not surface.get("confirmation"):
|
|
errors.append(f"surface_missing_confirmation_policy:{name}")
|
|
|
|
binding = load_json("docs/contracts/personal-agent-bluebubbles-binding.json", errors)
|
|
if binding:
|
|
if binding.get("profile_identity") != "personal-agent":
|
|
errors.append("bluebubbles_binding_profile_identity_not_personal_agent")
|
|
if binding.get("surface") != "imessage.read":
|
|
errors.append("bluebubbles_binding_surface_not_imessage_read")
|
|
package = binding.get("capability_package", {})
|
|
if package.get("id") != "bluebubbles":
|
|
errors.append("bluebubbles_binding_package_not_bluebubbles")
|
|
if package.get("package_surface") != "bluebubbles.imessage.readonly":
|
|
errors.append("bluebubbles_binding_package_surface_not_readonly")
|
|
if package.get("live_connector") != "hermes-agent":
|
|
errors.append("bluebubbles_binding_live_connector_not_hermes")
|
|
if package.get("profile_local_connector_allowed") is not False:
|
|
errors.append("bluebubbles_binding_profile_local_connector_not_denied")
|
|
if package.get("duplicate_connector_allowed") is not False:
|
|
errors.append("bluebubbles_binding_duplicate_connector_not_denied")
|
|
policy = binding.get("binding_policy", {})
|
|
for key in [
|
|
"profile_consumes_package",
|
|
"package_owns_runtime_wrapper",
|
|
"package_owns_readonly_adapter",
|
|
"package_owns_redacted_health",
|
|
"package_owns_seed_candidate",
|
|
"profile_owns_surface_exposure",
|
|
]:
|
|
if policy.get(key) is not True:
|
|
errors.append(f"bluebubbles_binding_policy_not_true:{key}")
|
|
if policy.get("profile_runtime_readiness_claimed") is not False:
|
|
errors.append("bluebubbles_binding_profile_runtime_readiness_claimed")
|
|
memory = binding.get("memory_policy", {})
|
|
if memory.get("target") != "secondbrain-personal":
|
|
errors.append("bluebubbles_binding_memory_target_not_secondbrain_personal")
|
|
if "orgbrain" not in memory.get("forbidden", []):
|
|
errors.append("bluebubbles_binding_orgbrain_not_forbidden")
|
|
if "proposal-only" not in memory.get("durable_write_policy", ""):
|
|
errors.append("bluebubbles_binding_memory_not_proposal_only")
|
|
denied = set(binding.get("denied_effects", []))
|
|
for effect in [
|
|
"send_message",
|
|
"read_receipt",
|
|
"mark_read",
|
|
"attachment_content_download",
|
|
"secondbrain_durable_write",
|
|
"orgbrain_write",
|
|
"browser_full_control",
|
|
]:
|
|
if effect not in denied:
|
|
errors.append(f"bluebubbles_binding_denied_effect_missing:{effect}")
|
|
forbidden_fields = set(binding.get("proof_policy", {}).get("forbidden_fields", []))
|
|
for field in ["raw_messages", "message_text", "endpoint_payloads", "credentials", "secret_values"]:
|
|
if field not in forbidden_fields:
|
|
errors.append(f"bluebubbles_binding_forbidden_field_missing:{field}")
|
|
evidence = binding.get("bluebubbles_package_evidence", {})
|
|
if evidence.get("validator_command") != "python3 tools/validate_bluebubbles_child.py":
|
|
errors.append("bluebubbles_binding_validator_command_missing")
|
|
if evidence.get("validator_result_observed") != "ok":
|
|
errors.append("bluebubbles_binding_validator_result_not_ok")
|
|
if evidence.get("runtime_claims_from_validator") is not False:
|
|
errors.append("bluebubbles_binding_runtime_claims_not_false")
|
|
refs = set(evidence.get("referenced_artifacts", []))
|
|
for ref in [
|
|
"contracts/personal-agent-imessage-readonly-contract.json",
|
|
"contracts/runtime-compliance-boundary.json",
|
|
"contracts/secondbrain-proposal-envelope-contract.json",
|
|
]:
|
|
if ref not in refs:
|
|
errors.append(f"bluebubbles_binding_reference_missing:{ref}")
|
|
|
|
proton = load_json("docs/contracts/personal-agent-proton-rclone-package.json", errors)
|
|
if proton:
|
|
if proton.get("schema_version") != "personal-agent-proton-rclone-package/v1":
|
|
errors.append("proton_rclone_schema_version_invalid")
|
|
if proton.get("status") != "package-candidate-unregistered":
|
|
errors.append("proton_rclone_status_not_package_candidate")
|
|
if proton.get("package_id") != "proton-rclone":
|
|
errors.append("proton_rclone_package_id_invalid")
|
|
if proton.get("profile_identity") != "personal-agent":
|
|
errors.append("proton_rclone_profile_identity_not_personal_agent")
|
|
if proton.get("display_name") != "Steev":
|
|
errors.append("proton_rclone_display_name_not_steev")
|
|
for key in [
|
|
"child_workspace_registered",
|
|
"package_runtime_readiness_claimed",
|
|
"profile_runtime_readiness_claimed",
|
|
"seed_readiness_claimed",
|
|
"core_promotion_claimed",
|
|
]:
|
|
if proton.get(key) is not False:
|
|
errors.append(f"proton_rclone_overclaim:{key}")
|
|
boundary = proton.get("authority_boundary", {})
|
|
if boundary.get("profile_owns_surface_exposure") is not True:
|
|
errors.append("proton_rclone_profile_surface_boundary_missing")
|
|
if boundary.get("package_candidate_owns_runtime_inventory") is not True:
|
|
errors.append("proton_rclone_inventory_boundary_missing")
|
|
if boundary.get("legacy_repositories_are_reference_only") is not True:
|
|
errors.append("proton_rclone_legacy_reference_boundary_missing")
|
|
if boundary.get("duplicate_profile_local_connectors_allowed") is not False:
|
|
errors.append("proton_rclone_duplicate_connectors_allowed")
|
|
memory = proton.get("memory_policy", {})
|
|
if memory.get("target") != "secondbrain-personal":
|
|
errors.append("proton_rclone_memory_target_not_secondbrain_personal")
|
|
if "orgbrain" not in memory.get("forbidden", []):
|
|
errors.append("proton_rclone_orgbrain_not_forbidden")
|
|
if "proposal-only" not in memory.get("durable_write_policy", ""):
|
|
errors.append("proton_rclone_memory_not_proposal_only")
|
|
credential = proton.get("credential_policy", {})
|
|
if credential.get("mode") != "keyvault-reference-names-only":
|
|
errors.append("proton_rclone_credential_mode_invalid")
|
|
if credential.get("secret_values_in_contract") is not False:
|
|
errors.append("proton_rclone_secret_values_allowed")
|
|
if credential.get("credential_mutation_allowed") is not False:
|
|
errors.append("proton_rclone_credential_mutation_allowed")
|
|
surfaces = proton.get("surfaces", [])
|
|
surface_names = {surface.get("name") for surface in surfaces}
|
|
missing_surfaces = sorted(REQUIRED_PROTON_RCLONE_SURFACES - surface_names)
|
|
if missing_surfaces:
|
|
errors.append(f"proton_rclone_surfaces_missing:{','.join(missing_surfaces)}")
|
|
readiness_by_surface = {surface.get("name"): surface.get("readiness") for surface in surfaces}
|
|
if readiness_by_surface.get("drive.read") != "degraded":
|
|
errors.append("proton_rclone_drive_read_not_degraded")
|
|
for disabled_surface in [
|
|
"mail.send_with_confirmation",
|
|
"calendar.write_with_confirmation",
|
|
"contacts.write_with_confirmation",
|
|
"drive.write_with_confirmation",
|
|
]:
|
|
if readiness_by_surface.get(disabled_surface) != "disabled":
|
|
errors.append(f"proton_rclone_confirmation_surface_not_disabled:{disabled_surface}")
|
|
observed_denied: set[str] = set()
|
|
for surface in surfaces:
|
|
name = surface.get("name", "<unknown>")
|
|
if not surface.get("runtime_route"):
|
|
errors.append(f"proton_rclone_surface_missing_runtime_route:{name}")
|
|
if surface.get("readiness") not in {"ready", "degraded", "pending", "blocked", "disabled"}:
|
|
errors.append(f"proton_rclone_surface_readiness_invalid:{name}")
|
|
if not isinstance(surface.get("allowed_effects"), list):
|
|
errors.append(f"proton_rclone_allowed_effects_not_list:{name}")
|
|
denied = surface.get("denied_effects")
|
|
if not isinstance(denied, list):
|
|
errors.append(f"proton_rclone_denied_effects_not_list:{name}")
|
|
else:
|
|
observed_denied.update(denied)
|
|
if "orgbrain_write" not in denied:
|
|
errors.append(f"proton_rclone_orgbrain_write_not_denied:{name}")
|
|
if not surface.get("confirmation"):
|
|
errors.append(f"proton_rclone_confirmation_missing:{name}")
|
|
missing_denied = sorted(REQUIRED_PROTON_RCLONE_DENIED_EFFECTS - observed_denied)
|
|
if missing_denied:
|
|
errors.append(f"proton_rclone_denied_effects_missing:{','.join(missing_denied)}")
|
|
inventory = proton.get("runtime_inventory", {})
|
|
if inventory.get("overall_state") != "degraded":
|
|
errors.append("proton_rclone_inventory_overall_state_not_degraded")
|
|
if "MCP facades" not in inventory.get("chosen_runtime_path", ""):
|
|
errors.append("proton_rclone_inventory_chosen_path_missing_mcp")
|
|
mcp = {item.get("name"): item.get("observed_status") for item in inventory.get("mcp_servers", [])}
|
|
for name in ["proton-calendar", "proton-email", "proton-contacts"]:
|
|
if mcp.get(name) != "enabled":
|
|
errors.append(f"proton_rclone_mcp_not_enabled:{name}")
|
|
docker = {item.get("name"): item.get("observed_state") for item in inventory.get("docker_routes", [])}
|
|
for name in ["sdo-calendar-gate", "sdo-email-gate", "sdo-contacts-gate"]:
|
|
if name not in docker:
|
|
errors.append(f"proton_rclone_docker_route_missing:{name}")
|
|
if docker.get("sdo-email-gate") != "exited-127":
|
|
errors.append("proton_rclone_email_gate_state_not_captured")
|
|
if docker.get("sdo-contacts-gate") != "exited-127":
|
|
errors.append("proton_rclone_contacts_gate_state_not_captured")
|
|
units = {item.get("name"): item for item in inventory.get("systemd_user_units", [])}
|
|
if units.get("proton-bridge.service", {}).get("observed_state") != "activating-auto-restart":
|
|
errors.append("proton_rclone_proton_bridge_gap_not_captured")
|
|
for unit in ["rclone-rc.service", "rclone-proxy.service"]:
|
|
if units.get(unit, {}).get("unit_file_state") != "disabled":
|
|
errors.append(f"proton_rclone_rclone_unit_not_disabled:{unit}")
|
|
rclone = inventory.get("rclone", {})
|
|
if rclone.get("remote") != "proton:":
|
|
errors.append("proton_rclone_remote_missing")
|
|
if rclone.get("about_probe") != "ok-redacted":
|
|
errors.append("proton_rclone_about_probe_not_redacted_ok")
|
|
if rclone.get("file_names_observed") is not False:
|
|
errors.append("proton_rclone_file_names_observed")
|
|
if rclone.get("file_contents_observed") is not False:
|
|
errors.append("proton_rclone_file_contents_observed")
|
|
legacy_states = {item.get("path"): item.get("state") for item in proton.get("legacy_sources", [])}
|
|
for path in [
|
|
"/home/svrnty/workspaces/cortex/L4-svrnty.api-proton",
|
|
"/home/svrnty/workspaces/cortex/L4-svrnty.tool-storage",
|
|
"/home/svrnty/workspaces/cortex/L5-vendor.lib-proton-bridge",
|
|
"/home/svrnty/workspaces/cortex/L6-vendor.lib-proton-api",
|
|
"/home/svrnty/workspaces/cortex/L6-vendor.lib-rclone",
|
|
]:
|
|
if legacy_states.get(path) != "legacy-reference":
|
|
errors.append(f"proton_rclone_legacy_source_not_reference:{path}")
|
|
duplicate_states = {item.get("id"): item.get("state") for item in proton.get("duplicate_skill_policy", [])}
|
|
for skill in ["skills/proton-tools", "proton-access", "proton-mail-operations", "proton-services"]:
|
|
state = duplicate_states.get(skill, "")
|
|
if "superseded" not in state:
|
|
errors.append(f"proton_rclone_duplicate_skill_not_superseded:{skill}")
|
|
forbidden_fields = set(proton.get("proof_policy", {}).get("forbidden_fields", []))
|
|
for field in [
|
|
"mail_bodies",
|
|
"mail_subjects",
|
|
"contact_details",
|
|
"calendar_event_details",
|
|
"drive_file_names",
|
|
"drive_file_contents",
|
|
"endpoint_payloads",
|
|
"credentials",
|
|
"secret_values",
|
|
]:
|
|
if field not in forbidden_fields:
|
|
errors.append(f"proton_rclone_forbidden_field_missing:{field}")
|
|
commands = set(proton.get("observed_commands", []))
|
|
for command in [
|
|
"hermes -p steev mcp list",
|
|
"rclone --config /home/svrnty/.config/rclone/rclone.conf listremotes",
|
|
"rclone --config /home/svrnty/.config/rclone/rclone.conf about proton: --json",
|
|
]:
|
|
if command not in commands:
|
|
errors.append(f"proton_rclone_observed_command_missing:{command}")
|
|
remaining_gates = proton.get("remaining_gates", {})
|
|
for gate in [
|
|
"registered_child_workspace",
|
|
"email_gate_repair",
|
|
"contacts_gate_repair",
|
|
"systemd_bridge_convergence",
|
|
"secondbrain_durable_apply",
|
|
"seed_package_pickup",
|
|
]:
|
|
if remaining_gates.get(gate) != "blocked-follow-up":
|
|
errors.append(f"proton_rclone_remaining_gate_missing:{gate}")
|
|
|
|
for rel in ["AGENT.md", "CONTRACT.md", "DISCLOSURE.md", "README.md", "docs/STEEV-MASTER.md"]:
|
|
path = ROOT / rel
|
|
if not path.exists():
|
|
continue
|
|
text = path.read_text(encoding="utf-8")
|
|
if "personal-agent" not in text:
|
|
errors.append(f"visible_personal_agent_note_missing:{rel}")
|
|
if "display name" not in text and "display/distribution alias" not in text:
|
|
errors.append(f"visible_display_alias_note_missing:{rel}")
|
|
|
|
supersession = ROOT / "docs/supersession/2026-06-14-personal-agent-context-runtime-supersession-register.md"
|
|
if supersession.exists():
|
|
text = supersession.read_text(encoding="utf-8")
|
|
for snippet in [
|
|
"active-authority",
|
|
"active-alias",
|
|
"active-capability-package",
|
|
"Personal-agent BlueBubbles binding",
|
|
"Proton/rclone package candidate",
|
|
"superseded",
|
|
"legacy-reference",
|
|
"blocked-follow-up",
|
|
"secondbrain-personal",
|
|
"`orgbrain` as denied",
|
|
"PACR-010",
|
|
]:
|
|
if snippet not in text:
|
|
errors.append(f"supersession_missing:{snippet}")
|
|
for stale in ["SPCR-", "steev-personal-context-runtime"]:
|
|
if stale in text:
|
|
errors.append(f"supersession_stale_reference:{stale}")
|
|
|
|
result = {
|
|
"ok": not errors,
|
|
"validator": "personal-agent-profile-distribution-v3",
|
|
"checked": REQUIRED,
|
|
"errors": errors,
|
|
"warnings": [],
|
|
}
|
|
print(json.dumps(result, indent=2, sort_keys=True))
|
|
return 0 if result["ok"] else 1
|
|
|
|
|
|
if __name__ == "__main__":
|
|
raise SystemExit(main())
|