rezabarkhordary commited on
Commit
43840fd
·
verified ·
1 Parent(s): c2110aa

Create sovereign_control_plane_profile.py

Browse files
Files changed (1) hide show
  1. sovereign_control_plane_profile.py +224 -0
sovereign_control_plane_profile.py ADDED
@@ -0,0 +1,224 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ # sovereign_control_plane_profile.py
2
+ from __future__ import annotations
3
+
4
+ import json
5
+ from datetime import datetime, timezone
6
+ from typing import Any, Dict, List, Optional
7
+
8
+ from sovereign_crypto_seal import SovereignCryptoSeal
9
+
10
+
11
+ def _utc_now() -> str:
12
+ return datetime.now(timezone.utc).isoformat()
13
+
14
+
15
+ class SovereignControlPlaneProfileBuilder:
16
+ """
17
+ Builds a bank-grade control-plane / admin-governance profile.
18
+
19
+ Purpose:
20
+ - Define which administrative actions exist
21
+ - Clarify which actions are audited / approval-bound / dual-control-bound
22
+ - Forbid unsafe administrative classes for autonomous execution
23
+ - Provide machine-readable control-plane governance artifact
24
+ """
25
+
26
+ def __init__(self, sealer: Optional[SovereignCryptoSeal] = None) -> None:
27
+ self.sealer = sealer or SovereignCryptoSeal()
28
+
29
+ def _admin_actions(self) -> List[Dict[str, Any]]:
30
+ return [
31
+ {
32
+ "action": "view_runtime_status",
33
+ "status": "supported",
34
+ "sensitivity": "low",
35
+ "execution_class": "read_only",
36
+ "human_approval_required": False,
37
+ "dual_control_required": False,
38
+ "audit_required": True,
39
+ "description": "Read-only visibility into runtime state, health, or status outputs.",
40
+ },
41
+ {
42
+ "action": "view_artifact_inventory",
43
+ "status": "supported",
44
+ "sensitivity": "low",
45
+ "execution_class": "read_only",
46
+ "human_approval_required": False,
47
+ "dual_control_required": False,
48
+ "audit_required": True,
49
+ "description": "Read-only visibility into manifests, sealed artifacts, and evidence inventory.",
50
+ },
51
+ {
52
+ "action": "review_freeze_case",
53
+ "status": "supported",
54
+ "sensitivity": "medium",
55
+ "execution_class": "review_action",
56
+ "human_approval_required": True,
57
+ "dual_control_required": False,
58
+ "audit_required": True,
59
+ "description": "Review an active freeze case and inspect reasoning/evidence.",
60
+ },
61
+ {
62
+ "action": "release_freeze_case",
63
+ "status": "supported_with_controls",
64
+ "sensitivity": "high",
65
+ "execution_class": "state_mutation",
66
+ "human_approval_required": True,
67
+ "dual_control_required": True,
68
+ "audit_required": True,
69
+ "description": "Release a freeze case and permit resumed execution only through controlled operator decision.",
70
+ },
71
+ {
72
+ "action": "escalate_freeze_to_block",
73
+ "status": "supported_with_controls",
74
+ "sensitivity": "high",
75
+ "execution_class": "state_mutation",
76
+ "human_approval_required": True,
77
+ "dual_control_required": True,
78
+ "audit_required": True,
79
+ "description": "Escalate a freeze state into a hard block decision under reviewed conditions.",
80
+ },
81
+ {
82
+ "action": "update_policy_configuration",
83
+ "status": "supported_with_controls",
84
+ "sensitivity": "high",
85
+ "execution_class": "policy_mutation",
86
+ "human_approval_required": True,
87
+ "dual_control_required": True,
88
+ "audit_required": True,
89
+ "description": "Modify bank policy configuration only through controlled and auditable change flow.",
90
+ },
91
+ {
92
+ "action": "rotate_sealing_material",
93
+ "status": "supported_with_controls",
94
+ "sensitivity": "high",
95
+ "execution_class": "crypto_admin",
96
+ "human_approval_required": True,
97
+ "dual_control_required": True,
98
+ "audit_required": True,
99
+ "description": "Rotate or update cryptographic sealing material under controlled governance.",
100
+ },
101
+ {
102
+ "action": "rebuild_package_artifacts",
103
+ "status": "supported",
104
+ "sensitivity": "medium_high",
105
+ "execution_class": "artifact_generation",
106
+ "human_approval_required": True,
107
+ "dual_control_required": False,
108
+ "audit_required": True,
109
+ "description": "Rebuild technical identity, package manifests, or delivery artifacts in a controlled manner.",
110
+ },
111
+ {
112
+ "action": "disable_audit_path",
113
+ "status": "forbidden",
114
+ "sensitivity": "critical",
115
+ "execution_class": "forbidden_mutation",
116
+ "human_approval_required": True,
117
+ "dual_control_required": True,
118
+ "audit_required": True,
119
+ "description": "Disabling audit continuity is forbidden as a normal administrative operation.",
120
+ },
121
+ {
122
+ "action": "disable_fail_safe_controls",
123
+ "status": "forbidden",
124
+ "sensitivity": "critical",
125
+ "execution_class": "forbidden_mutation",
126
+ "human_approval_required": True,
127
+ "dual_control_required": True,
128
+ "audit_required": True,
129
+ "description": "Disabling fail-safe posture is forbidden as a normal administrative operation.",
130
+ },
131
+ {
132
+ "action": "force_unconditional_allow",
133
+ "status": "forbidden",
134
+ "sensitivity": "critical",
135
+ "execution_class": "forbidden_override",
136
+ "human_approval_required": True,
137
+ "dual_control_required": True,
138
+ "audit_required": True,
139
+ "description": "Forcing unconditional ALLOW across critical execution paths is forbidden.",
140
+ },
141
+ ]
142
+
143
+ def _governance_principles(self) -> List[Dict[str, Any]]:
144
+ return [
145
+ {
146
+ "principle": "admin_power_must_be_scoped",
147
+ "status": "required",
148
+ "description": "Administrative authority must remain bounded, auditable, and role-constrained.",
149
+ },
150
+ {
151
+ "principle": "no_silent_control_plane_mutation",
152
+ "status": "required",
153
+ "description": "Sensitive control-plane changes must not occur silently or without audit evidence.",
154
+ },
155
+ {
156
+ "principle": "dual_control_for_high_impact_mutations",
157
+ "status": "required",
158
+ "description": "High-impact state, policy, and crypto changes require stronger human governance and dual control.",
159
+ },
160
+ {
161
+ "principle": "forbidden_admin_classes_must_remain_forbidden",
162
+ "status": "required",
163
+ "description": "Actions that collapse audit, fail-safe, or unconditional execution boundaries should remain forbidden in normal operations.",
164
+ },
165
+ {
166
+ "principle": "read_only_visibility_should_not_mutate_state",
167
+ "status": "required",
168
+ "description": "Read-only operational visibility must not mutate runtime, policy, or evidence state.",
169
+ },
170
+ ]
171
+
172
+ def build(self) -> Dict[str, Any]:
173
+ actions = self._admin_actions()
174
+ principles = self._governance_principles()
175
+
176
+ profile = {
177
+ "profile_type": "Sovereign Control Plane Profile",
178
+ "generated_at": _utc_now(),
179
+ "domain": "banking_and_financial_institutions",
180
+ "admin_actions": actions,
181
+ "governance_principles": principles,
182
+ "summary": {
183
+ "total_actions": len(actions),
184
+ "supported_actions": sum(1 for x in actions if str(x.get("status")) in {"supported", "supported_with_controls"}),
185
+ "forbidden_actions": sum(1 for x in actions if str(x.get("status")) == "forbidden"),
186
+ "dual_control_actions": sum(1 for x in actions if bool(x.get("dual_control_required"))),
187
+ "audit_required_actions": sum(1 for x in actions if bool(x.get("audit_required"))),
188
+ },
189
+ "notes": [
190
+ "This profile defines the intended bank-grade governance posture for administrative and control-plane actions.",
191
+ "High-impact control-plane mutations are not treated as casual operator actions; they remain approval-bound and auditable.",
192
+ "Certain administrative classes remain intentionally forbidden because they would collapse trust, evidence continuity, or fail-safe posture.",
193
+ ],
194
+ }
195
+
196
+ sealed = self.sealer.seal_object(
197
+ profile,
198
+ object_type="control_plane_profile",
199
+ metadata={
200
+ "domain": "banking",
201
+ "artifact_class": "control_plane_profile",
202
+ },
203
+ )
204
+
205
+ return {
206
+ "ok": True,
207
+ "control_plane_profile": profile,
208
+ "crypto_seal": sealed["seal"],
209
+ "sealed": True,
210
+ }
211
+
212
+
213
+ BUILDER = SovereignControlPlaneProfileBuilder()
214
+
215
+
216
+ def generate_control_plane_profile() -> Dict[str, Any]:
217
+ return BUILDER.build()
218
+
219
+
220
+ if __name__ == "__main__":
221
+ out = generate_control_plane_profile()
222
+ print(json.dumps(out, indent=2, ensure_ascii=False))
223
+
224
+