Skip to content

Prototype vendor-neutral capability reconciliation#267

Draft
pengfei-threemoonslab wants to merge 1 commit into
mainfrom
codex/capability-reconciliation
Draft

Prototype vendor-neutral capability reconciliation#267
pengfei-threemoonslab wants to merge 1 commit into
mainfrom
codex/capability-reconciliation

Conversation

@pengfei-threemoonslab

Copy link
Copy Markdown
Contributor

Summary

Prototype a local, vendor-neutral Capability Reconciliation flow that compares:

  • reviewed intended policy
  • the static capability-lock surface
  • sandbox grant snapshots
  • sampled sandbox/eval observations

The prototype emits deterministic, non-gating evidence for excess authority, behavioral drift, denied attempts, missing grants, unobserved grants, enforcement contradictions, and principal changes.

Why

The existing trace-evidence path matches imported trace rows to static capability facts, but intentionally keeps them audit-only and does not model complete grant inventories, resource targets, enforcement outcomes, policy hashes, or principal bindings.

This change adds a separate reviewed intent sidecar and an explicitly untrusted observation bundle. Learning-mode output can reveal risk, but it can never populate policy or create an executable allowlist change.

What changed

  • Added strict experimental v0.1 schemas for reviewed intent, untrusted observations, and reconciliation results.
  • Added a pure local reconciliation engine with three-valued membership and completeness-gated negative conclusions.
  • Added typed tool, MCP, network, filesystem, and generic resource targets with privacy-safe normalization.
  • Added policy/run hash cohorts and optional base snapshots for true principal-change detection.
  • Added manual-only candidate policy changes with fixed human-review invariants.
  • Added a developer-only prototype script, generated schemas, replayable examples, design crosswalk, and comprehensive tests.

Boundaries

  • No AgentBeach-specific adapter.
  • No live sandbox connection, agent execution, tool call, MCP call, or network collection.
  • No new shipgate.yaml field.
  • No report.json or packet field.
  • No public CLI command.
  • No new finding or release verdict.
  • release_decision.decision remains the sole gate.
  • Observation-derived proposals are never Shipgate patches and cannot be auto-applied.

Validation

  • pytest -q — passed
  • ruff check . — passed
  • python scripts/generate_schemas.py --check — passed
  • Targeted reconciliation, capability-lock, trace-evidence, and schema tests — passed
  • Agents Shipgate verifier:
    • merge verdict: mergeable
    • release decision: passed
    • blockers: 0
    • review items: 0
    • policy weakened: false
    • trust root touched: false
    • static analysis only; runtime behavior was not verified

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant