From e6828a78c8b218161f051940e0d34e7b7f4e0622 Mon Sep 17 00:00:00 2001 From: Tanishq Date: Mon, 23 Mar 2026 23:28:15 -0700 Subject: [PATCH 1/2] docs: update all documentation to v4.3.5 --- CHANGELOG.md | 136 +++++++++++++++++++------ CONTRIBUTING.md | 82 ++++++++------- README.md | 263 +++++++++++++++++++----------------------------- USAGE.md | 214 +++++++++++++++++++++------------------ 4 files changed, 367 insertions(+), 328 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 968f0b0..237117a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,33 +4,125 @@ All notable changes to Anchor are documented here. Format follows [Keep a Change --- +## [4.3.5] — 2026-03-23 + +### Landing Page & Public Documentation +- Deployed production landing page at [anchorgovernance.tech](https://anchorgovernance.tech) via Cloudflare Pages. +- Full mobile responsiveness via `useIsMobile` React hook — all section grids stack on screens < 768px. +- Terminal animation uses `pre-wrap` + `wordBreak: break-all` to prevent horizontal overflow on mobile. +- Ticker bar hidden on mobile to prevent `max-content` width overflow. + +### Documentation +- Updated `README.md` — corrected version, license (Apache 2.0), PyPI install, domain URL, and coverage stats. +- Updated `USAGE.md` — corrected version header, added PyPI install option. +- Updated `CHANGELOG.md` — added all v4.1.x through v4.3.5 entries. + +### Stats (V4.3.5) +- **43** domain rules across 9 namespaces (SEC, ETH, PRV, ALN, AGT, LEG, OPS, SUP, SHR) +- **9** regulatory frameworks absorbed (3 standards bodies + 6 government regulators) +- **170** total regulatory mappings +- **0** self-audit violations — Anchor audits itself. CLEAN. + +--- + +## [4.3.1] — 2026-03-23 + +### Landing Page +- Replaced Sparkline in StatsSection with `FinancialChart` (SVG-based candlestick/OHLC visualization). +- Replaced CasesSection grid with `AuditGraph` — SVG line chart of real open-source audit findings. +- Added dedicated `ContactSection` with direct email CTA (`tan@anchorgovernance.tech`). +- Standardized Jurisdiction Map items (removed inconsistent rule counts, unified layout). +- Balanced Case Study grid with `gridColumn` spanning for 5-item layouts. +- Updated all contact emails across Nav, Contact, and Footer sections. + +### Fixed +- Removed dangling closing tags causing JSX syntax errors. +- Fixed `Contact` nav link to scroll to `#contact` section instead of firing `mailto:`. 
+ +--- + +## [4.2.0] — 2026-03-23 + +### Deployment +- Configured Cloudflare Pages deployment with root directory set to `landing/`. +- Build command set to `npm install && npm run build` to resolve `npm ci` peer dependency conflicts. +- Added `landing/public/_redirects` for SPA routing support on Cloudflare Pages. +- Linked custom domain `anchorgovernance.tech` — leverages existing Cloudflare DNS and email routing. + +### Repository +- Removed `node_modules` from Git tracking. +- Added comprehensive `.gitignore` covering `node_modules`, `dist`, `.env`, `*.pyc`, `__pycache__`. +- Regenerated `package-lock.json` to resolve lock file version conflicts. + +--- + +## [4.1.4] — 2026-03-23 + +### Landing Page +- Added `AuditGraph` component — SVG line chart plotting real open-source project audit findings. +- Added `ContactSection` with gold CTA button and direct email link. +- Case Studies section redesigned with `AuditGraph` replacing the manual case study card grid. + +--- + +## [4.1.3] — 2026-03-22 + +### Landing Page +- Added `FinancialChart` component — SVG candlestick chart visualizing governance domain rule growth. +- Hero stats bar upgraded to use `FinancialChart` instead of flat `Sparkline`. +- `DataBar` upgraded with `MiniBarChart` for "Total Coverage" metric. +- Jurisdiction Map expanded to 3 columns: Domain Rules, Standards Bodies, Government Regulators. + +--- + +## [4.1.2] — 2026-03-22 + +### Landing Page — Bloomberg Terminal Aesthetic +- Introduced Bloomberg Terminal-inspired mono typography and color palette. +- Added `Terminal` component with live cascading audit simulation. +- Added `DataBar` ticker with live stats: domain rules, frameworks, regulatory mappings. +- Added `AmbientParticles` and `DigitalMark` seal components. +- Added `LiveClock` in IST to nav bar. +- Added `Ticker` news bar with real regulatory headlines. +- Jurisdiction Map redesigned with three-column layout (Domain Rules / Standards / Regulators). 
+ +### Fixed +- Multi-ID violation suppression — canonical ID deduplication to prevent double-firing of `ANC-NNN` and `FINOS-NNN` aliases. +- PyPI performance — lazy-loaded tree-sitter grammars per language; eliminated ~3.5s startup overhead on cold installs. + +--- + +## [4.1.0] — 2026-03-22 + +### Landing Page +- `ViolationsSection` — interactive enforcement output with per-severity color-coded badges and statute references. +- `StatsSection` — animated counters with sparklines and a "Anchor audited itself. CLEAN." self-audit card. +- `CoverageSection` (Jurisdiction Map) — three-tier coverage display with domain/framework/regulator classification. + +--- + ## [4.0.0] — 2026-03-18 ### Architecture -- **Federated domain model** — replaced monolithic `risk_catalog.yaml` with structured governance directories: `domains/`, `frameworks/`, `government/`. Each layer has clear ownership and versioning. +- **Federated domain model** — replaced monolithic `risk_catalog.yaml` with structured governance directories: `domains/`, `frameworks/`, `government/`. - **All domain files are now mandatory** — SEC, ETH, SHR, ALN, AGT, PRV, LEG, OPS, SUP load automatically. Frameworks and regulators remain opt-in via `constitution.anchor`. -- **`constitution.anchor` is now the single manifest** — declares active frameworks and regulators. Domains require no declaration. +- **`constitution.anchor` is now the single manifest** — declares active frameworks and regulators. ### New: Diamond Cage (Behavioral Verification) - WASM-based sandbox using WasmEdge for behavioral verification of AI-adjacent code and proposed patches. -- Proves security invariants at scan time — not just static pattern matching. - Reports as `Diamond Cage: ACTIVE` in CLI output. ### New: GOVERNANCE.lock (Remote Integrity Verification) -- Replaces local `.anchor.sig` with a remote hash registry model. 
-- `anchor check` fetches `GOVERNANCE.lock` from the Anchor registry and verifies per-file SHA-256 hashes against the local governance directory. -- `seal_check: strict` in `constitution.anchor` — aborts on mismatch. -- `offline_behaviour: warn` (default) — continues with warning if remote unreachable; set to `abort` for enterprise CI/CD. +- `anchor check` fetches `GOVERNANCE.lock` from the Anchor registry and verifies per-file SHA-256 hashes. +- `seal_check: strict` in `constitution.anchor` aborts on mismatch. ### New: Commands -- `anchor sync --restore` — fetches authoritative governance files from registry and restores any tampered or modified files. Logs restores to `.anchor/logs/sync.log` with chain hash. -- `anchor init --all` — installs all available domains, frameworks, and regulators in one command. -- `anchor init --no-sign` — skips remote GOVERNANCE.lock fetch for offline initialisation. Scans run in UNVERIFIED mode until `anchor sync --restore` is run. UNVERIFIED reports are not valid for regulatory submission. +- `anchor sync --restore` — fetches authoritative governance files and restores tampered files. +- `anchor init --all` — installs all available domains, frameworks, and regulators. +- `anchor init --no-sign` — skips remote GOVERNANCE.lock fetch for offline initialisation. ### New: Alias Resolution Chain - Legacy V3 `ANC-NNN` IDs resolve through FINOS framework layer: `ANC-NNN → FINOS-NNN`. -- FINOS_Framework.anchor is the Rosetta Stone — full mapping in `constitution.anchor` under `legacy_aliases`. -- Aliases inherit severity floor from canonical rule but do not inherit domain ID directly. ### New: Regulator Domains - `government/RBI_Regulations.anchor` — RBI FREE-AI Report August 2025 
@@ -46,19 +138,13 @@ All notable changes to Anchor are documented here. Format follows [Keep a Change - `frameworks/OWASP_LLM.anchor` — OWASP LLM Top 10 2025 ### Fixed -- `loader.py` — empty `policy.anchor` returned `NoneType` instead of `{}`, causing silent fallback to unpopulated V3 cache. Fixed with `raw = yaml.safe_load(...) or {}`. -- `cli.py` — mitigation patterns were mapping to alias IDs instead of canonical IDs, leaving aliases without detection patterns and reporting them as inactive. Patterns now mapped to canonical rules first; aliases inherit fully-populated copies. -- Duplicate findings — `ANC-NNN` and `FINOS-NNN` no longer both fire for the same finding. Deduplicated on canonical ID + file + line. - -### Changed -- `policy.anchor` — `enforce_raise_only: true` is now enforced at the engine level, not just documented. Attempts to lower severity below the constitutional floor are rejected with an error. -- `sealed:` and `seal: "sha256:PENDING"` fields removed from `constitution.anchor` — superseded by `GOVERNANCE.lock`. -- `.anchor/` is now committed to the project repository. `.anchor/cache/` is added to `.gitignore` instead. +- `loader.py` — empty `policy.anchor` returned `NoneType` instead of `{}`, causing silent fallback to unpopulated V3 cache. +- `cli.py` — mitigation patterns were mapping to alias IDs instead of canonical IDs. +- Duplicate findings — `ANC-NNN` and `FINOS-NNN` no longer both fire for the same finding. ### Removed -- Monolithic `risk_catalog.yaml` — fully superseded by federated domain architecture. +- Monolithic `risk_catalog.yaml` — superseded by federated domain architecture. - Local `.anchor.sig` signature file — superseded by remote `GOVERNANCE.lock`. -- `active_domains` section in `constitution.anchor` — all domains are now mandatory, section is redundant. --- 
@@ -80,12 +166,6 @@ Maintenance updates and dependency refresh for the 2.x line. --- -## [2.4.14] — 2026-02-08 - -Stability and packaging refinements ahead of the 2.4.15 final release. - ---- - ## [1.0.0] — 2026-01-24 Initial release. Architectural drift detection with AST-based comparison against baseline signatures. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d16cc53..6dcb0ab 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,8 @@ # Contributing to Anchor -Thank you for your interest in contributing to Anchor! This guide will help you get started. +Thank you for your interest in contributing to Anchor. This guide covers everything you need to get started. + +🌐 **[anchorgovernance.tech](https://anchorgovernance.tech)** · ✉️ [tan@anchorgovernance.tech](mailto:tan@anchorgovernance.tech) --- @@ -17,8 +19,10 @@ cd Anchor ```bash python -m venv anchor_dev + # Windows anchor_dev\Scripts\activate + # macOS/Linux source anchor_dev/bin/activate 
@@ -36,24 +40,22 @@ anchor check --dir . --verbose ## Project Architecture -Understanding the codebase before contributing: - ``` anchor/ -├── cli.py # CLI entry point (Click framework) +├── cli.py # CLI entry point (Click) ├── core/ │ ├── engine.py # PolicyEngine — tree-sitter AST scanning │ ├── constitution.py # SHA-256 integrity verification │ ├── config.py # Pydantic settings (.env loading) -│ ├── policy_loader.py # Federated policy merger -│ └── mapper.py # Threat Model -> Rule mapper +│ ├── loader.py # Federated policy merger +│ └── mapper.py # Threat Model → Rule mapper ├── adapters/ # Language-specific tree-sitter adapters └── plugins/ # Extensible plugin system ``` ### Key Concepts -- **Constitution** (`constitution.anchor`): Defines WHAT risks exist. Do NOT edit directly — changes go through a PR with hash updates. +- **Constitution** (`constitution.anchor`): Defines WHAT risks exist. SHA-256 sealed via remote `GOVERNANCE.lock`. Do NOT edit directly — changes go through a PR with hash updates. - **Mitigation Catalog** (`mitigation.anchor`): Defines HOW to detect risks. This is where most pattern contributions go. - **Policy** (`policy.anchor`): Local project overrides. Not part of the universal package. @@ -63,7 +65,7 @@ anchor/ ### 1. Adding Detection Patterns (Most Common) -The easiest and most impactful contribution. Add a new regex or AST pattern to `mitigation.anchor`: +Add a new regex or AST pattern to `mitigation.anchor`: ```yaml # Example: New pattern for ANC-009 (Prompt Injection) 
@@ -79,18 +81,18 @@ The easiest and most impactful contribution. Add a new regex or AST pattern to ` **Pattern Guidelines:** -| Rule | Why | -| -------------------------- | ------------------------------------------------------------ | -| Use context-aware patterns | Don't match every f-string — scope to prompt/LLM vars | -| Prefer regex over AST | Regex is faster and more portable across languages | -| Include `severity` | One of: `info`, `warning`, `error`, `blocker` | -| Test on real code | Run `anchor check --dir ./tests --verbose` before submitting | +| Rule | Why | +|---|---| +| Use context-aware patterns | Don't match every f-string — scope to prompt/LLM variables | +| Prefer regex over AST | Regex is faster and more portable across languages | +| Include `severity` | One of: `info`, `warning`, `error`, `blocker` | +| Test on real code | Run `anchor check --dir ./tests --verbose` before submitting | ### 2. Improving Existing Patterns If a pattern produces false positives: -1. Open an issue describing the false positive. +1. Open an issue describing the false positive with a minimal reproduction. 2. Propose a refined pattern in a PR. 3. Include a test fixture in `tests/fixtures/` showing the fix. 
@@ -102,40 +104,45 @@ Anchor uses `tree-sitter` for AST parsing. To add a new language: 2. Create an adapter in `anchor/adapters/` 3. Register the file extension mapping in `anchor/core/registry.py` -**Standardization Requirement**: You MUST use these capture names in your queries: +**Capture name standardization** (required): + +| Capture | Use For | +|---|---| +| `@func_name` | Function calls | +| `@import_name` | Import statements | +| `@parent_name` | Inheritance / embedding | + +### 4. Case Studies -- `@func_name` for function calls -- `@import_name` for imports -- `@parent_name` for inheritance/embedding +Document real-world audits in `case-studies/governance_audits//`. Include: -### 4. Bug Fixes & Feature Development +- `governance_violations.txt` — raw violation output +- `governance_audit.md` — formatted audit report + +### 5. Bug Fixes & Feature Development 1. Check [open issues](https://github.com/Tanishq1030/Anchor/issues) for existing reports. 2. Create a feature branch: `git checkout -b feature/your-feature` -3. Make your changes and test. +3. Make your changes and test thoroughly. 4. Submit a PR with a clear description. --- ## Testing -### Run the Test Suite - ```bash # Run all tests python -m pytest tests/ -v -# Run compliance test (validates 23-risk detection) +# Run compliance test (validates 43-rule detection) python tests/compliance_test.py -# Run a quick scan on the project itself +# Quick self-audit anchor check --dir . --verbose ``` ### Adding Test Fixtures -Place test files in `tests/fixtures/`: - ``` tests/ ├── fixtures/ 
@@ -161,36 +168,34 @@ These files are **SHA-256 sealed**. If your PR modifies them: 3. Update the hash in `anchor/core/constitution.py`. 4. Clearly document why the change is needed in the PR description. -> **Note**: Hash changes will be reviewed with extra scrutiny to prevent weakening of security rules. +> **Note**: Hash changes are reviewed with extra scrutiny to prevent weakening of security rules. ### Using Suppression Comments -If your code legitimately triggers a rule (e.g., a security tool using `subprocess`), you can suppress it: - ```python +# Governance tool legitimately using subprocess result = subprocess.run(cmd, capture_output=True) # anchor: ignore ANC-018 ``` **Suppression guidelines:** -| Rule | Why | -| ------------------------------- | ----------------------------------------------------------- | -| Use per-rule suppression | `# anchor: ignore ANC-XXX`, not `# anchor: ignore-all` | -| Add a justification comment | Explain **why** the suppression is needed on the line above | -| Never suppress in test fixtures | Test files should trigger rules intentionally | -| Suppressions are git-blamed | Your name is permanently attached to the suppression | +| Rule | Why | +|---|---| +| Use per-rule suppression | `# anchor: ignore ANC-XXX`, not `# anchor: ignore-all` | +| Add a justification comment | Explain **why** the suppression is needed on the line above | +| Never suppress in test fixtures | Test files should trigger rules intentionally | +| Suppressions are git-blamed | Your name is permanently attached to the suppression | --- ## PR Checklist -Before submitting your pull request: - - [ ] Code follows the existing project style - [ ] New patterns are context-aware (no overly broad matching) - [ ] Tests pass: `python -m pytest tests/ -v` - [ ] SHA-256 hashes updated if governance files were modified - [ ] Suppressions use `# anchor: ignore ANC-XXX` (not `ignore-all`) +- [ ] CHANGELOG.md entry added - [ ] PR description explains the change and its 
rationale --- @@ -205,6 +210,7 @@ Be respectful and constructive. We are building tools that govern AI safety — - Open a [Discussion](https://github.com/Tanishq1030/Anchor/discussions) - File an [Issue](https://github.com/Tanishq1030/Anchor/issues) +- Email: [tan@anchorgovernance.tech](mailto:tan@anchorgovernance.tech) --- diff --git a/README.md b/README.md index 125fecd..755d72f 100644 --- a/README.md +++ b/README.md 
@@ -1,72 +1,75 @@ -# Anchor — The Federated Governance Engine for AI +# Anchor — Governance Engine for AI -[![License: MIT](https://img.shields.io/badge/License-MIT-gray.svg)](https://opensource.org/licenses/MIT) +[![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Python 3.8+](https://img.shields.io/badge/python-3.8+-blue.svg)](https://www.python.org/downloads/) -[![Status: GA](https://img.shields.io/badge/Status-GA-green.svg)]() -[![Version: 4.0.0](https://img.shields.io/badge/Version-4.0.0-blue.svg)]() +[![PyPI](https://img.shields.io/badge/PyPI-anchor--audit-gold.svg)](https://pypi.org/project/anchor-audit/) +[![Version: 4.3.5](https://img.shields.io/badge/Version-4.3.5-green.svg)]() -> "Code drifts. Intent shouldn't. Governance must scale." +> "Governance without enforcement is documentation." -Anchor is an **autonomous governance platform** for the AI-Native era. It ensures that your **Codebase**, **AI Models**, and **Agent Pipelines** comply with universal standards and local company policies — enforced deterministically via AST analysis, runtime interceptors, and behavioral verification (Diamond Cage). +Anchor is the **surveillance and enforcement layer for AI**. It audits AI-adjacent code against a cryptographically sealed constitutional rule set, mapping every violation to the exact statute it breaches — enforced deterministically via AST analysis, runtime interceptors, and behavioral verification (Diamond Cage). ---- - -- **Diamond Cage (Behavioral Verification)**: WASM-based sandbox (WasmEdge) validating AI-adjacent behavior alongside static findings. Reported as `Diamond Cage: ACTIVE`. -- **Federated Governance Workspace**: Structured `.anchor/` directory with mandatory core domains (SEC, ETH, SHR, ALN, AGT, PRV, LEG, OPS, SUP) and opt-in frameworks/regulators declared in `constitution.anchor`. -- **Hybrid Healer (Sovereign Scalpel)**: Moves beyond detection to remediation. 
Proposes file-specific fixes and applies them in-place via the `anchor heal` command. -- **Interceptor SDK**: First-party support for 20+ LLM providers. Includes `AnchorGuard` for manual pipeline integration and `register_provider` for custom/internal model support. -- **Multi-Language Adapters**: Expanded AST scanning for Python, Go, Java, Rust, and more. -- **Quad-Match Exclusion Engine**: Robust scoping logic supporting Exact, Prefix, DirGlob, and Fnmatch strategies to eliminate false positives in tests and documentation. -- **Architectural Drift Check**: The `anchor check drift` command analyzes if code intent has drifted from its original design patterns. +🌐 **[anchorgovernance.tech](https://anchorgovernance.tech)** --- -## The Federated Model +## Why Anchor Exists -Anchor operates on a three-layer architecture inspired by Constitutional Law: +| Event | Date | Amount | +|---|---|---| +| Goldman Sachs CFPB enforcement — AI explainability failure | Oct 2024 | **$45M** | +| EU AI Act full enforcement begins — credit scoring, AML, fraud | Aug 2026 | Mandatory | +| SEC AI Governance — named #1 examination priority, above crypto | 2026 | Mandatory | +| RBI FREE-AI — 26 mandatory recommendations, per-decision audit trails | Aug 2025 | Mandatory | -| Layer | File | Purpose | -| ---------------------- | --------------------- | --------------------------------------------------------------------------------------------- | -| **Constitution** | `constitution.anchor` | Defines **WHAT** risks exist (domains + frameworks + regulators). Manifest sealed via remote `GOVERNANCE.lock`. | -| **Mitigation Catalog** | `mitigation.anchor` | Defines **HOW** to detect each risk (regex + AST patterns). Cloud-synced, SHA-256 sealed. | -| **State Law** | `policy.anchor` | **Your** local overrides. Change severity, add company-specific rules. Fully editable. | - -**Merge Strategy**: State Law overrides Constitution by rule ID, **but only within the constitutional floor**. 
Each rule has a `min_severity` — the absolute minimum that no local policy can go below. Critical security rules (e.g., `ANC-007`, `ANC-022`) are locked at `blocker`. Companies can add entirely new rules or make existing rules stricter. +The regulators have started counting. Anchor enforces. --- -## Key Capabilities - -### 1. Multi-Language Enforcement +## What Anchor Does -Turns governance taxonomies into executable CI/CD blockers using high-speed AST analysis (`tree-sitter`). +- **Static Code Analysis (Layer 01)** — Tree-sitter AST scanning against a cryptographically sealed constitutional rule set. Every violation gets a `violation_id` mapped to the exact regulation it breaches. +- **Diamond Cage (Layer 02)** — WASM-based behavioral verification sandbox. Proves security invariants at scan time, not just static pattern matching. Reports as `Diamond Cage: ACTIVE`. +- **Hybrid Healer (Sovereign Scalpel)** — Goes beyond detection to remediation. Proposes file-specific AST patches, applied via `anchor heal --apply`. +- **Interceptor SDK** — First-party support for 20+ LLM providers. Secure prompts and responses mid-flight with `AnchorGuard`. +- **Federated Governance Workspace** — Structured `.anchor/` directory with mandatory core domains and opt-in frameworks/regulators declared in `constitution.anchor`. -- **Cross-Language**: Support for Python, Go, Java, and Rust. -- **23+ Risk Catalog**: Mapped to industry standards like FINOS and OWASP LLM Top 10. -- **Bridge Mode**: Parses Markdown Threat Models and activates relevant rules dynamically. +--- -### 2. Hybrid Healer +## The Federated Model -Deterministic AST patching replaces dangerous code with secure alternatives. +Anchor operates on a three-layer constitutional architecture: -- **Automated Suggestions**: Fixes proposed directly in the violation report. -- **Interactive Remediation**: Review and apply fixes via `anchor heal --apply`. 
+| Layer | File | Purpose | +|---|---|---| +| **Constitution** | `constitution.anchor` | Defines **WHAT** risks exist. Domain + framework + regulator manifest. SHA-256 sealed via remote `GOVERNANCE.lock`. | +| **Mitigation Catalog** | `mitigation.anchor` | Defines **HOW** to detect each risk. Regex + AST patterns. Cloud-synced. | +| **State Law** | `policy.anchor` | **Your** local overrides. Change severity, add company-specific rules. | -### 3. Interceptor SDK +**Merge Strategy**: State Law overrides Constitution by rule ID, but only within the constitutional floor. Critical security rules (e.g., `ANC-007`) are locked at `blocker`. Local policy can make rules stricter, never weaker. -Secure your AI pipeline mid-flight. +--- -- **AnchorGuard**: Explicitly scan prompts and responses in your own application code. -- **Global Interceptors**: Auto-patch common SDKs (OpenAI, Anthropic, LangChain) to enforce policy at the network boundary. -- **Provider Agnostic**: Unified detection patterns regardless of the underlying model. +## Coverage — V4.3.5 -### 4. Model Auditing (Diamond Cage) +| Tier | Content | Count | +|---|---|---| +| **Domain Rules** | SEC, ETH, PRV, ALN, AGT, LEG, OPS, SUP, SHR | 43 rules | +| **Standards Bodies** | FINOS AI Governance, OWASP LLM Top 10 · 2025, NIST AI RMF 1.0 | 3 frameworks | +| **Government Regulators** | RBI FREE-AI 2025, EU AI Act 2024/1689, SEBI AI/ML 2025, CFPB Reg B, FCA 2024, SEC 2026 | 6 regulators | +| **Total Regulatory Mappings** | | **170 mappings** | --- ## Quick Start -### 1. Install +### Install from PyPI + +```bash +pip install anchor-audit +``` + +### Or install from source ```bash git clone https://github.com/Tanishq1030/Anchor.git 
@@ -74,87 +77,38 @@ cd Anchor pip install -e . ``` -### 2. Initialize - -Sets up `.anchor/`, syncs the constitution & mitigation catalog, and installs the Git pre-commit hook. +### Initialize your project ```bash anchor init ``` -### 3. Scan Your Code - -```bash -# Security audit -anchor check ./src - -# Architectural drift audit -anchor check drift ./src -``` +Sets up `.anchor/`, syncs the constitution & mitigation catalog, and installs the Git pre-commit hook. -### 4. Review and Apply Fixes +### Scan your code ```bash -# Review suggested fixes -anchor heal +# Full governance audit +anchor check ./src -# Apply all auto-fixable issues -anchor heal --apply +# Scan with all frameworks and regulators +anchor init --all && anchor check ./src ``` -### 5. Audit a Model +### Review and apply fixes ```bash -anchor check --model ./my-model.gguf +anchor heal # Review suggested fixes +anchor heal --apply # Apply all auto-fixable issues ``` **Full command reference**: [USAGE.md](USAGE.md) --- -## Suppressing Findings - -When a finding is a **justified use** (e.g., your governance tool legitimately needs `subprocess`), suppress it with an inline comment: - -### Suppress a Specific Rule - -```python -result = subprocess.run(cmd, capture_output=True) # anchor: ignore ANC-018 -``` - -### Suppress All Rules on a Line - -```python -os.environ.get("SECRET_KEY") # anchor: ignore-all -``` - -### How It Works - -| Feature | Details | -| --------------- | ----------------------------------------------------------------------------- | -| **Syntax** | `# anchor: ignore ANC-XXX` (per-rule) or `# anchor: ignore-all` | -| **Scope** | Line-level only — the comment must be on the same line as the flagged code | -| **Audit Trail** | Anchor uses `git blame` to record **who** authorized each suppression | -| **Visibility** | Suppressed findings appear in the report as "suppressed" with the author name | - -> **Important**: Suppressions are tracked. 
Every suppressed finding is logged with the git blame author so your security team can audit who bypassed which rule and when. - -### Example Report Output - -``` -TOTAL FINDINGS: 2 - BLOCKER : 0 - ERROR : 0 - WARNING : 2 - INFO : 0 -6 suppressed findings (See report for audit trail) -``` - ---- - ## CI/CD Integration -Anchor acts as the "Gatekeeper" in GitHub Actions. If a PR violates the constitution, Anchor blocks the merge with a detailed violation report. +Anchor acts as the enforcement gate in GitHub Actions. If a PR violates the constitution, Anchor blocks the merge with a detailed violation report. ```yaml # .github/workflows/anchor-audit.yml @@ -166,6 +120,26 @@ Anchor acts as the "Gatekeeper" in GitHub Actions. If a PR violates the constitu --- +## Suppressing Findings + +When a finding is a justified use (e.g., your governance tool legitimately needs `subprocess`), suppress it with an inline comment: + +```python +# Per-rule suppression +result = subprocess.run(cmd, capture_output=True) # anchor: ignore ANC-018 + +# Suppress all rules on a line +os.environ.get("SECRET_KEY") # anchor: ignore-all +``` + +| Feature | Details | +|---|---| +| **Scope** | Line-level only | +| **Audit Trail** | Anchor uses `git blame` to record who authorized each suppression | +| **Visibility** | Suppressed findings appear in the report with the author's name | + +--- + ## Project Structure ``` 
@@ -174,47 +148,40 @@ Anchor/ │ ├── cli.py # CLI entry point (click) │ ├── core/ │ │ ├── engine.py # PolicyEngine — AST scanning via tree-sitter -│ │ ├── healer.py # Hybrid Healer fix suggestion and patching +│ │ ├── healer.py # Hybrid Healer — fix suggestion and patching │ │ ├── constitution.py # SHA-256 integrity verification -│ │ ├── policy_loader.py # Federated policy merger -│ │ ├── mapper.py # GenAI threat model -> rule mapper -│ │ └── model_auditor.py # Model weight validation (Diamond Cage) +│ │ ├── loader.py # Federated policy merger +│ │ └── mapper.py # GenAI threat model → rule mapper │ ├── runtime/ # Interceptor SDK │ │ ├── guard.py # AnchorGuard application safety API │ │ └── interceptors/ # SDK and HTTP library patches -│ ├── adapters/ # Language-specific tree-sitter adapters (Go, Java, Rust) +│ └── adapters/ # Language-specific tree-sitter adapters ├── tests/ # Test suite -│ ├── compliance_test.py # 23-risk compliance validation -│ ├── test_integration.py # Integration tests -│ └── fixtures/ # Test fixtures -├── constitution.anchor # Universal Constitution (23 FINOS risks) -├── mitigation.anchor # Mitigation Catalog (detection patterns) -├── .env.example # Environment variable reference -├── setup.py # Package configuration +├── .anchor/ # Governance workspace (committed) +│ ├── domains/ # Core domain rules (SEC, ETH, PRV ...) 
+│ ├── frameworks/ # FINOS, OWASP, NIST +│ └── government/ # RBI, EU AI Act, SEBI, CFPB, FCA, SEC +├── constitution.anchor # Active framework/regulator manifest +├── mitigation.anchor # Detection pattern catalog ├── case-studies/ # Real-world audit case studies -├── docs/ # Documentation -└── V3_TECHNICAL_ROADMAP.md # v3 "Sovereign Scalpel" roadmap +└── docs/ # Architecture documentation ``` --- -## Security Architecture - -### Tamper-Proofing - -The universal `constitution.anchor` and `mitigation.anchor` are **cloud-fetched** and **SHA-256 sealed**: +## Security Architecture — SHA-256 Tamper Proofing ``` ┌─────────────────────────────────────────────────┐ │ GitHub Raw (Source of Truth) │ -│ constitution.anchor -> SHA-256: 3745014B... │ -│ mitigation.anchor -> SHA-256: E3E32531... │ +│ constitution.anchor → SHA-256: 3745014B... │ +│ mitigation.anchor → SHA-256: E3E32531... │ └────────────────┬────────────────────────────────┘ │ fetch + verify ┌────────────────▼────────────────────────────────┐ │ .anchor/cache/ (Local) │ -│ Hash mismatch -> INTEGRITY VIOLATION │ -│ Hash match -> Proceed with audit │ +│ Hash mismatch → INTEGRITY VIOLATION │ +│ Hash match → Proceed with audit │ └─────────────────────────────────────────────────┘ ``` 
@@ -224,56 +191,28 @@ No developer can weaken the rules to pass the audit. The hashes are baked into t ## Configuration -All settings are optional and loaded from `.env` or environment variables: - -| Variable | Default | Description | -| ------------------------- | -------------- | ------------------------------------- | +| Variable | Default | Description | +|---|---|---| | `ANCHOR_CONSTITUTION_URL` | GitHub Raw URL | Override for air-gapped/mirror setups | -| `ANCHOR_MITIGATION_URL` | GitHub Raw URL | Override for the mitigation catalog | -| `ANCHOR_VERBOSE` | `false` | Enable detailed debug output | -| `ANCHOR_FETCH_TIMEOUT` | `10` | Timeout (seconds) for cloud sync | - -See [`.env.example`](.env.example) for a full reference. +| `ANCHOR_MITIGATION_URL` | GitHub Raw URL | Override for the mitigation catalog | +| `ANCHOR_VERBOSE` | `false` | Enable detailed debug output | +| `ANCHOR_FETCH_TIMEOUT` | `10` | Timeout (seconds) for cloud sync | --- ## Contributing -We welcome contributions! Whether it's new detection patterns, bug fixes, or documentation improvements. - -**Quick links:** - - [Contributing Guide](CONTRIBUTING.md) - [Open an Issue](https://github.com/Tanishq1030/Anchor/issues) -- [Discussions](https://github.com/Tanishq1030/Anchor/discussions) - -### Ways to Contribute - -1. **Add Mitigation Patterns** — Propose new detection rules for the 23 FINOS risks via PR to `mitigation.anchor`. -2. **Improve Detection** — Refine existing patterns to reduce false positives. -3. **Language Adapters** — Add tree-sitter support for new languages (Go, Rust, Java). -4. **Case Studies** — Document real-world audits in `case-studies/`. 
- ---- - -## Risk Coverage Summary - -Anchor v4.0.0 covers the complete federated risk taxonomy across core domains and opt-in frameworks/regulators: - -| Tier | Risks | Coverage | -| ------------------------------- | ------------------------------------------------------------------------ | ----------------------------- | -| **Tier 1** — Code-Scannable | Prompt Injection, Data Poisoning, Model Tampering, Credential Harvesting | Direct AST/Regex detection | -| **Tier 2** — Model Audit | Model Leakage, Weight Corruption, Versioning Drift | Diamond Cage inspection | -| **Tier 3** — Mitigation Absence | Hallucination, Bias, Explainability, Availability | "Missing safeguard" detection | - -Full risk mapping: core domains (SEC, ETH, SHR, ALN, AGT, PRV, LEG, OPS, SUP) plus frameworks/regulators in [`constitution.anchor`](constitution.anchor). +- [PyPI Package](https://pypi.org/project/anchor-audit/) +- ✉️ [tan@anchorgovernance.tech](mailto:tan@anchorgovernance.tech) --- ## License -MIT License. Built for the era of AI-Assisted Engineering and Automated Governance. +Apache 2.0 — Open source. Built for the era of AI-Assisted Engineering. --- -_Anchor v4.0.0 — Deterministic Governance for the AI-Native Stack._ +_Anchor V4.3.5 · [anchorgovernance.tech](https://anchorgovernance.tech) · Apache 2.0_ diff --git a/USAGE.md b/USAGE.md index ddef066..235cb6b 100644 --- a/USAGE.md +++ b/USAGE.md 
@@ -1,10 +1,25 @@ -# Anchor CLI Command Reference +# Anchor CLI — Command Reference -Anchor v4.0.0 provides a unified interface for security auditing, architectural drift analysis, autonomous remediation, and runtime governance. +Anchor V4.3.5 — Deterministic Governance for the AI-Native Stack. + +🌐 **[anchorgovernance.tech](https://anchorgovernance.tech)** --- -## 1. **anchor init** +## Installation + +```bash +# From PyPI (recommended) +pip install anchor-audit + +# Or from source +git clone https://github.com/Tanishq1030/Anchor.git +cd Anchor && pip install -e . +``` + +--- + +## 1. `anchor init` Initializes the Anchor governance environment in the current directory. 
@@ -14,48 +29,60 @@ anchor init [OPTIONS] ### Options -| Flag | Description | -| -------------------- | -------------------------------------------------------------------- | -| `--domains` | Comma-separated domains (all core domains load by default: SEC, ETH, SHR, ALN, AGT, PRV, LEG, OPS, SUP) | -| `--frameworks` | Comma-separated frameworks (finos, owasp, nist, all) | -| `--regulators` | Comma-separated regulators (rbi, eu, sebi, cfpb, fca, sec, all) | -| `--all` | Install all available domains, frameworks, and regulators | -| `--sandbox` | Installs the **Diamond Cage** (WASM sandbox) for secure model audits | -| `--policy-name TEXT` | Name for your local policy file. Default: `policy.anchor` | +| Flag | Description | +|---|---| +| `--domains` | Comma-separated domains (all 9 core domains load by default: SEC, ETH, SHR, ALN, AGT, PRV, LEG, OPS, SUP) | +| `--frameworks` | Comma-separated frameworks: `finos`, `owasp`, `nist`, `all` | +| `--regulators` | Comma-separated regulators: `rbi`, `eu`, `sebi`, `cfpb`, `fca`, `sec`, `all` | +| `--all` | Install all available domains, frameworks, and regulators | +| `--sandbox` | Installs the **Diamond Cage** (WASM sandbox) for behavioral verification | +| `--no-sign` | Skips remote GOVERNANCE.lock fetch for offline initialisation | +| `--policy-name TEXT` | Name for your local policy file (default: `policy.anchor`) | ### What It Does -1. Creates the `.anchor/` workspace with standard subdirectories: - - `violations/`: For detailed text results (`governance_violations.txt`, `drift_violations.txt`). - - `reports/`: For markdown documentation (`governance_audit.md`, `drift_audit.md`). - - `telemetry/`: For CI/CD JSON exports (`governance_report.json`, `drift_report.json`). -2. Deploys reference copies of the Constitution and Mitigation Catalog; installs all core domains by default (SEC, ETH, SHR, ALN, AGT, PRV, LEG, OPS, SUP). -3. Generates a boilerplate local `policy.anchor` for project-specific overrides. +1. 
Creates the `.anchor/` workspace: + - `domains/` — core domain rule files + - `frameworks/` — FINOS, OWASP, NIST + - `government/` — RBI, EU AI Act, SEBI, CFPB, FCA, SEC + - `violations/` — `governance_violations.txt`, `drift_violations.txt` + - `reports/` — `governance_audit.md`, `drift_audit.md` + - `telemetry/` — `governance_report.json`, `drift_report.json` +2. Deploys and verifies the Constitution and Mitigation Catalog. +3. Generates a boilerplate `policy.anchor` for project-specific overrides. 4. Installs a Git pre-commit hook to prevent violations from being committed. -5. Fetches `GOVERNANCE.lock` unless `--no-sign` is passed; `anchor sync --restore` verifies integrity later in CI. +5. Fetches `GOVERNANCE.lock` for integrity verification (unless `--no-sign`). --- +## 2. `anchor check` + +Runs the full governance audit pipeline. + +```bash +anchor check [OPTIONS] [PATH] +``` + ### Core Options -| Flag | Description | -| ----------------------------- | ------------------------------------------------------- | -| `-d, --dir, --directory PATH` | Directory to scan for code violations | -| `-m, --model PATH` | Path to LLM model weights (GGUF, SafeTensors) | -| `-c, --context PATH` | Path to a Markdown Threat Model for dynamic enforcement | +| Flag | Description | +|---|---| +| `-d, --dir PATH` | Directory to scan for code violations | +| `-m, --model PATH` | Path to LLM model weights (GGUF, SafeTensors) | +| `-c, --context PATH` | Path to a Markdown Threat Model for dynamic rule activation | +| `--severity LEVEL` | Minimum severity to report: `info`, `warning`, `error`, `blocker` | ### Reporting -Anchor V4 automatically generates human-readable reports and machine-readable telemetry in the `.anchor/` folder, including severity breakdowns (blocker/error/warning/info) in terminal output. 
- -| Flag | Description | -| ------------------- | -------------------------------------------------- | +| Flag | Description | +|---|---| | `-j, --json-report` | Force generation of JSON telemetry (auto-on in CI) | -| `-v, --verbose` | Shows detailed sync, loading, and scanning logs | +| `--github-summary` | Write a Markdown summary to `$GITHUB_STEP_SUMMARY` | +| `-v, --verbose` | Shows detailed sync, loading, and scanning logs | --- -## 3. **anchor check drift** +## 3. `anchor check drift` Analyzes the architectural integrity of the codebase. @@ -63,15 +90,11 @@ Analyzes the architectural integrity of the codebase. anchor check drift [PATH] ``` -### What It Does - -1. Analyzes symbols (classes, functions) to determine if their usage matches their original intent. -2. Assigns a verdict: **Aligned**, **Semantic Overload**, **Intent Violation**, or **Dependency Inertia**. -3. Generates `drift_violations.txt` and `drift_audit.md`. +Analyzes symbols (classes, functions) to determine if usage matches original intent. Verdict: **Aligned**, **Semantic Overload**, **Intent Violation**, or **Dependency Inertia**. Generates `drift_violations.txt` and `drift_audit.md`. --- -## 4. **anchor heal** +## 4. `anchor heal` The "Sovereign Scalpel" — autonomous remediation of security violations. 
@@ -79,18 +102,22 @@ The "Sovereign Scalpel" — autonomous remediation of security violations. anchor heal [OPTIONS] [PATH] ``` -### Options +| Flag | Description | +|---|---| +| `--apply` | Automatically applies all suggested fixes to the code | +| `--status` | Shows a summary of fixed vs. pending violations | -| Flag | Description | -| ---------- | ----------------------------------------------------- | -| `--apply` | Automatically applies all suggested fixes to the code | -| `--status` | Shows a summary of fixed vs. pending violations | +Reads `governance_violations.txt`, proposes deterministic AST patches, and provides an interactive diff before applying. -### What It Does +--- + +## 5. `anchor sync --restore` + +Fetches authoritative governance files from the Anchor registry and restores any tampered or modified files. Logs all restores to `.anchor/logs/sync.log` with a chain hash. -1. Reads the latest `governance_violations.txt`. -2. Proposes deterministic AST patches for high-confidence violations. -3. Provides an interactive diff for developer review. +```bash +anchor sync --restore +``` --- 
@@ -100,20 +127,23 @@ When you run `anchor check`, the following pipeline executes: ``` ┌──────────────────────────────────────────────────────────┐ -│ 1. SYNC — Fetch constitution.anchor + mitigation.anchor │ -│ from cloud (GitHub Raw). Verify SHA-256 integrity. │ +│ 1. SYNC — Fetch constitution + mitigation catalog │ +│ from cloud. Verify SHA-256 integrity. │ ├──────────────────────────────────────────────────────────┤ -│ 2. JOIN — Merge constitution risks (WHAT) with │ -│ mitigation patterns (HOW) -> Executable Rules. │ +│ 2. JOIN — Merge constitution risks (WHAT) with │ +│ mitigation patterns (HOW) → Executable Rules │ ├──────────────────────────────────────────────────────────┤ │ 3. MERGE — Apply local policy.anchor overrides │ -│ (State Law overrides Constitution by rule ID). │ +│ (State Law overrides Constitution by rule ID) │ ├──────────────────────────────────────────────────────────┤ -│ 4. SCAN — Run PolicyEngine with tree-sitter AST + │ -│ regex patterns against target directory. │ +│ 4. SCAN — Run PolicyEngine with tree-sitter AST + │ +│ regex patterns against target directory │ ├──────────────────────────────────────────────────────────┤ -│ 5. REPORT — Generate violation report, exit with │ -│ code 0 (pass) or 1 (fail). │ +│ 5. CAGE — Diamond Cage behavioral verification │ +│ (WASM sandbox, proves security invariants) │ +├──────────────────────────────────────────────────────────┤ +│ 6. REPORT— Generate violation report, exit 0 (pass) │ +│ or 1 (fail) │ └──────────────────────────────────────────────────────────┘ ``` 
@@ -123,63 +153,51 @@ When you run `anchor check`, the following pipeline executes: ### A. CI/CD Pipeline Enforcement -Block insecure code from being merged via GitHub Actions. - ```bash anchor check --dir ./src --severity error --json-report --github-summary ``` -### B. Bridge Mode (Threat Model -> Enforcement) - -Enforce only the rules identified in an AI-generated threat model. +### B. Full Regulatory Audit (all frameworks + regulators) ```bash -anchor check --context docs/threat_model.md --dir ./src +anchor init --all && anchor check ./src --verbose ``` -### C. Secure Model Onboarding +### C. Bridge Mode (Threat Model → Enforcement) -Validate a downloaded model before allowing it into production. +Enforce only the rules identified in an AI-generated threat model: ```bash -anchor check --model models/mistral-7b.gguf --metadata data/provenance.json --generate-report +anchor check --context docs/threat_model.md --dir ./src ``` -### D. Local Code Audit +### D. Secure Model Onboarding -Scan your repository against the full 23-risk constitution. +Validate a downloaded model before allowing it into production: ```bash -anchor check --dir . --verbose +anchor check --model models/mistral-7b.gguf --generate-report ``` -### E. Custom Severity Threshold - -Only fail on critical issues during development, but block everything in CI. +### E. Local Dev Scan ```bash -# Development (permissive) -anchor check --dir . --severity error - -# CI/CD (strict) -anchor check --dir . --severity warning --json-report +anchor check --dir . 
--severity warning ``` --- ## Governance Status Codes -| Exit Code | Meaning | -| --------- | ---------------------------------------------------------------- | -| `0` | **Passed** — No blocking violations found | -| `1` | **Failed** — Critical security or compliance violations detected | +| Exit Code | Meaning | +|---|---| +| `0` | **Passed** — No blocking violations found | +| `1` | **Failed** — Critical security or compliance violations detected | --- ## Suppressing Findings -Suppress justified findings with inline comments: - ```python # Suppress a specific rule result = subprocess.run(cmd) # anchor: ignore ANC-018 @@ -188,22 +206,20 @@ result = subprocess.run(cmd) # anchor: ignore ANC-018 os.environ.get("KEY") # anchor: ignore-all ``` -**Key behavior:** - - **Line-level only** — the comment must be on the same line as the violation. - **Git-blamed** — Anchor records who added each suppression via `git blame`. -- **Auditable** — Suppressed findings appear in the report as "suppressed" with the author name. +- **Auditable** — Suppressed findings appear in the report with the author name. --- ## Floor Severity (Override Protection) -Each constitution rule has a `min_severity` — the floor that local `policy.anchor` overrides cannot go below: +Each constitution rule has a `min_severity` — the floor that `policy.anchor` overrides cannot go below: ```yaml -# Your policy.anchor +# Your policy.anchor — REJECTED because floor is 'error' - id: "ANC-009" - severity: "warning" # REJECTED — floor is "error" + severity: "warning" ``` ``` 
@@ -211,26 +227,24 @@ Override REJECTED for ANC-009: Cannot downgrade severity to 'warning'. Constitutional floor is 'error'. ``` -| Floor | Allowed Overrides | Blocked Overrides | -| --------- | ------------------ | ----------------- | -| `blocker` | None (locked) | Everything | -| `error` | `error`, `blocker` | `warning`, `info` | -| `warning` | `warning`+ | `info` | -| `info` | Full freedom | — | +| Floor | Allowed Overrides | Blocked Overrides | +|---|---|---| +| `blocker` | None (locked) | Everything | +| `error` | `error`, `blocker` | `warning`, `info` | +| `warning` | `warning`+ | `info` | +| `info` | Full freedom | — | --- ## Environment Variables -All optional. See [`.env.example`](.env.example) for a full reference. - -| Variable | Default | Description | -| ------------------------- | -------------- | ---------------------------------- | -| `ANCHOR_CONSTITUTION_URL` | GitHub Raw URL | Override constitution source | -| `ANCHOR_MITIGATION_URL` | GitHub Raw URL | Override mitigation catalog source | -| `ANCHOR_VERBOSE` | `false` | Enable debug output | -| `ANCHOR_FETCH_TIMEOUT` | `10` | Cloud sync timeout (seconds) | +| Variable | Default | Description | +|---|---|---| +| `ANCHOR_CONSTITUTION_URL` | GitHub Raw URL | Override constitution source | +| `ANCHOR_MITIGATION_URL` | GitHub Raw URL | Override mitigation catalog source | +| `ANCHOR_VERBOSE` | `false` | Enable debug output | +| `ANCHOR_FETCH_TIMEOUT` | `10` | Cloud sync timeout (seconds) | --- -_Anchor v3.0.0-alpha | Deterministic Governance for the AI-Native Stack._ +_Anchor V4.3.5 · [anchorgovernance.tech](https://anchorgovernance.tech) · Apache 2.0_ From bc060a3c7d5f5c50d7e4f0a7235d7bb1b770dd40 Mon Sep 17 00:00:00 2001 From: Tanishq Date: Mon, 23 Mar 2026 23:30:16 -0700 Subject: [PATCH 2/2] docs: changelog engine-only, remove all frontend entries --- CHANGELOG.md | 133 ++++++++++++++------------------------------------- 1 file changed, 36 insertions(+), 97 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 237117a..5b974d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,128 +1,55 @@ # Changelog -All notable changes to Anchor are documented here. Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +All notable changes to the Anchor governance engine are documented here. Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). --- ## [4.3.5] — 2026-03-23 -### Landing Page & Public Documentation -- Deployed production landing page at [anchorgovernance.tech](https://anchorgovernance.tech) via Cloudflare Pages. -- Full mobile responsiveness via `useIsMobile` React hook — all section grids stack on screens < 768px. -- Terminal animation uses `pre-wrap` + `wordBreak: break-all` to prevent horizontal overflow on mobile. -- Ticker bar hidden on mobile to prevent `max-content` width overflow. - -### Documentation -- Updated `README.md` — corrected version, license (Apache 2.0), PyPI install, domain URL, and coverage stats. -- Updated `USAGE.md` — corrected version header, added PyPI install option. -- Updated `CHANGELOG.md` — added all v4.1.x through v4.3.5 entries. - -### Stats (V4.3.5) -- **43** domain rules across 9 namespaces (SEC, ETH, PRV, ALN, AGT, LEG, OPS, SUP, SHR) -- **9** regulatory frameworks absorbed (3 standards bodies + 6 government regulators) -- **170** total regulatory mappings -- **0** self-audit violations — Anchor audits itself. CLEAN. - ---- - -## [4.3.1] — 2026-03-23 - -### Landing Page -- Replaced Sparkline in StatsSection with `FinancialChart` (SVG-based candlestick/OHLC visualization). -- Replaced CasesSection grid with `AuditGraph` — SVG line chart of real open-source audit findings. -- Added dedicated `ContactSection` with direct email CTA (`tan@anchorgovernance.tech`). -- Standardized Jurisdiction Map items (removed inconsistent rule counts, unified layout). -- Balanced Case Study grid with `gridColumn` spanning for 5-item layouts. -- Updated all contact emails across Nav, Contact, and Footer sections. 
- -### Fixed -- Removed dangling closing tags causing JSX syntax errors. -- Fixed `Contact` nav link to scroll to `#contact` section instead of firing `mailto:`. - ---- - -## [4.2.0] — 2026-03-23 - -### Deployment -- Configured Cloudflare Pages deployment with root directory set to `landing/`. -- Build command set to `npm install && npm run build` to resolve `npm ci` peer dependency conflicts. -- Added `landing/public/_redirects` for SPA routing support on Cloudflare Pages. -- Linked custom domain `anchorgovernance.tech` — leverages existing Cloudflare DNS and email routing. - -### Repository -- Removed `node_modules` from Git tracking. -- Added comprehensive `.gitignore` covering `node_modules`, `dist`, `.env`, `*.pyc`, `__pycache__`. -- Regenerated `package-lock.json` to resolve lock file version conflicts. - ---- - -## [4.1.4] — 2026-03-23 - -### Landing Page -- Added `AuditGraph` component — SVG line chart plotting real open-source project audit findings. -- Added `ContactSection` with gold CTA button and direct email link. -- Case Studies section redesigned with `AuditGraph` replacing the manual case study card grid. - ---- - -## [4.1.3] — 2026-03-22 - -### Landing Page -- Added `FinancialChart` component — SVG candlestick chart visualizing governance domain rule growth. -- Hero stats bar upgraded to use `FinancialChart` instead of flat `Sparkline`. -- `DataBar` upgraded with `MiniBarChart` for "Total Coverage" metric. -- Jurisdiction Map expanded to 3 columns: Domain Rules, Standards Bodies, Government Regulators. +### Changed +- License corrected to **Apache 2.0** across `README.md`, `setup.py`, and PyPI metadata. +- PyPI package renamed to `anchor-audit` — `pip install anchor-audit`. +- Updated coverage stats: **43 domain rules**, **170 regulatory mappings**, **9 frameworks/regulators**. --- ## [4.1.2] — 2026-03-22 -### Landing Page — Bloomberg Terminal Aesthetic -- Introduced Bloomberg Terminal-inspired mono typography and color palette. 
-- Added `Terminal` component with live cascading audit simulation. -- Added `DataBar` ticker with live stats: domain rules, frameworks, regulatory mappings. -- Added `AmbientParticles` and `DigitalMark` seal components. -- Added `LiveClock` in IST to nav bar. -- Added `Ticker` news bar with real regulatory headlines. -- Jurisdiction Map redesigned with three-column layout (Domain Rules / Standards / Regulators). - ### Fixed -- Multi-ID violation suppression — canonical ID deduplication to prevent double-firing of `ANC-NNN` and `FINOS-NNN` aliases. -- PyPI performance — lazy-loaded tree-sitter grammars per language; eliminated ~3.5s startup overhead on cold installs. +- **Multi-ID deduplication** — `ANC-NNN` and `FINOS-NNN` aliases no longer both fire for the same violation. Deduplicated on canonical ID + file + line at reporting time. +- **Alias pattern mapping** — mitigation patterns were being mapped to alias IDs instead of canonical IDs, leaving aliases without detection patterns and reporting them as inactive. Patterns now bind to the canonical rule first; aliases receive fully-populated copies. ---- - -## [4.1.0] — 2026-03-22 - -### Landing Page -- `ViolationsSection` — interactive enforcement output with per-severity color-coded badges and statute references. -- `StatsSection` — animated counters with sparklines and a "Anchor audited itself. CLEAN." self-audit card. -- `CoverageSection` (Jurisdiction Map) — three-tier coverage display with domain/framework/regulator classification. +### Performance +- **Lazy grammar loading** — tree-sitter grammars now load per-language on first use rather than at package import. Eliminates ~3.5s startup overhead on cold installs with multiple language adapters installed. --- ## [4.0.0] — 2026-03-18 ### Architecture -- **Federated domain model** — replaced monolithic `risk_catalog.yaml` with structured governance directories: `domains/`, `frameworks/`, `government/`. 
+- **Federated domain model** — replaced monolithic `risk_catalog.yaml` with structured governance directories: `domains/`, `frameworks/`, `government/`. Each layer has clear ownership and versioning. - **All domain files are now mandatory** — SEC, ETH, SHR, ALN, AGT, PRV, LEG, OPS, SUP load automatically. Frameworks and regulators remain opt-in via `constitution.anchor`. -- **`constitution.anchor` is now the single manifest** — declares active frameworks and regulators. +- **`constitution.anchor` is now the single manifest** — declares active frameworks and regulators. Domains require no declaration. ### New: Diamond Cage (Behavioral Verification) - WASM-based sandbox using WasmEdge for behavioral verification of AI-adjacent code and proposed patches. +- Proves security invariants at scan time — not just static pattern matching. - Reports as `Diamond Cage: ACTIVE` in CLI output. ### New: GOVERNANCE.lock (Remote Integrity Verification) -- `anchor check` fetches `GOVERNANCE.lock` from the Anchor registry and verifies per-file SHA-256 hashes. -- `seal_check: strict` in `constitution.anchor` aborts on mismatch. +- Replaces local `.anchor.sig` with a remote hash registry model. +- `anchor check` fetches `GOVERNANCE.lock` from the Anchor registry and verifies per-file SHA-256 hashes against the local governance directory. +- `seal_check: strict` in `constitution.anchor` — aborts on mismatch. +- `offline_behaviour: warn` (default) — continues with warning if remote unreachable; set to `abort` for enterprise CI/CD. ### New: Commands -- `anchor sync --restore` — fetches authoritative governance files and restores tampered files. -- `anchor init --all` — installs all available domains, frameworks, and regulators. -- `anchor init --no-sign` — skips remote GOVERNANCE.lock fetch for offline initialisation. +- `anchor sync --restore` — fetches authoritative governance files from registry and restores any tampered or modified files. 
Logs restores to `.anchor/logs/sync.log` with chain hash. +- `anchor init --all` — installs all available domains, frameworks, and regulators in one command. +- `anchor init --no-sign` — skips remote GOVERNANCE.lock fetch for offline initialisation. Scans run in UNVERIFIED mode until `anchor sync --restore` is run. ### New: Alias Resolution Chain - Legacy V3 `ANC-NNN` IDs resolve through FINOS framework layer: `ANC-NNN → FINOS-NNN`. +- FINOS_Framework.anchor is the Rosetta Stone — full mapping in `constitution.anchor` under `legacy_aliases`. ### New: Regulator Domains - `government/RBI_Regulations.anchor` — RBI FREE-AI Report August 2025 
@@ -138,13 +65,19 @@ All notable changes to Anchor are documented here. Format follows [Keep a Change - `frameworks/OWASP_LLM.anchor` — OWASP LLM Top 10 2025 ### Fixed -- `loader.py` — empty `policy.anchor` returned `NoneType` instead of `{}`, causing silent fallback to unpopulated V3 cache. -- `cli.py` — mitigation patterns were mapping to alias IDs instead of canonical IDs. -- Duplicate findings — `ANC-NNN` and `FINOS-NNN` no longer both fire for the same finding. +- `loader.py` — empty `policy.anchor` returned `NoneType` instead of `{}`, causing silent fallback to unpopulated V3 cache. Fixed with `raw = yaml.safe_load(...) or {}`. +- `cli.py` — mitigation patterns were mapping to alias IDs instead of canonical IDs. Patterns now mapped to canonical rules first; aliases inherit fully-populated copies. +- Duplicate findings — `ANC-NNN` and `FINOS-NNN` no longer both fire for the same finding. Deduplicated on canonical ID + file + line. + +### Changed +- `policy.anchor` — `enforce_raise_only: true` is now enforced at the engine level. Attempts to lower severity below the constitutional floor are rejected with an error. +- `sealed:` and `seal: "sha256:PENDING"` fields removed from `constitution.anchor` — superseded by `GOVERNANCE.lock`. +- `.anchor/` is now committed to the project repository. `.anchor/cache/` is added to `.gitignore` instead. ### Removed -- Monolithic `risk_catalog.yaml` — superseded by federated domain architecture. +- Monolithic `risk_catalog.yaml` — fully superseded by federated domain architecture. - Local `.anchor.sig` signature file — superseded by remote `GOVERNANCE.lock`. +- `active_domains` section in `constitution.anchor` — all domains are now mandatory. --- 
@@ -166,6 +99,12 @@ Maintenance updates and dependency refresh for the 2.x line. --- +## [2.4.14] — 2026-02-08 + +Stability and packaging refinements ahead of the 2.4.15 final release. + +--- + ## [1.0.0] — 2026-01-24 Initial release. Architectural drift detection with AST-based comparison against baseline signatures.
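Review bot: In the README.md "Security Architecture" hunk, the diagram still presents the integrity model as two truncated SHA-256 values for `constitution.anchor` and `mitigation.anchor` checked in `.anchor/cache/`, with no mention of `GOVERNANCE.lock`. The 4.0.0 changelog text in patch 2/2 says the `seal:` fields were removed from `constitution.anchor` and superseded by `GOVERNANCE.lock` with per-file hashes fetched from the Anchor registry. Update the diagram to show the lock file and name the source consistently (the diagram says "GitHub Raw", USAGE.md says "the Anchor registry"), or explain how the two mechanisms coexist.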
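Review bot: In the README.md Configuration table, `ANCHOR_CONSTITUTION_URL` and `ANCHOR_MITIGATION_URL` are described as overrides for air-gapped/mirror setups, but nothing says whether content fetched from an overridden URL is still verified against the expected SHA-256 values. The tamper-proofing claim in the preceding section depends on that, so state it directly under the table. The hunk also deletes the sentence saying the settings are optional and loaded from `.env` or environment variables, along with the `.env.example` link; keep one line on where the values are read from if that is still how they load.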
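Review bot: In the USAGE.md `anchor init` options table, the new `--no-sign` row says only that it skips the remote GOVERNANCE.lock fetch and omits the consequence. The CHANGELOG.md text in patch 2/2 states that scans then run in UNVERIFIED mode until `anchor sync --restore` is run. Add that to the flag description or to step 5 of "What It Does", which after this change no longer mentions `anchor sync --restore` at all.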
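Review bot: In the USAGE.md pipeline diagram, the new step 5 (CAGE) is drawn as an unconditional stage of `anchor check`, while the `anchor init` table in the same file lists `--sandbox` as the flag that installs the Diamond Cage. Document what step 5 does when the sandbox was never installed (skipped, warning, or failure); otherwise a reader will assume behavioral verification ran on every audit that exited 0.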
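Review bot: In USAGE.md scenario D (Secure Model Onboarding), the example command still passes `--generate-report`, which is not listed in the Core Options or Reporting tables this patch adds for `anchor check`. Either add the flag to the Reporting table with a description or change the example to use only documented flags.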
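Review bot: In USAGE.md, the "Suppressing Findings" bullets and the "Floor Severity" section do not say how they interact: the floor stops `policy.anchor` from downgrading a rule, yet `# anchor: ignore-all` is documented with no limit on which rules it can silence. State whether inline suppression is honoured for rules whose floor is `blocker` or `error`. The hunk also removes the lead-in "Suppress justified findings with inline comments:", so the heading now runs straight into the code block; restore a one-line introduction.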
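Review bot: In the CHANGELOG.md 4.0.0 GOVERNANCE.lock entry, `offline_behaviour: warn` is recorded as the default, so integrity verification fails open when the registry is unreachable, and that setting appears nowhere in the README.md or USAGE.md changes of patch 1/2. Document it next to `seal_check: strict` in USAGE.md and carry the `abort` recommendation for CI there, not only in the changelog. Separately, the new 4.3.5 entry says the license was corrected in `setup.py` and PyPI metadata, while this patch touches only CHANGELOG.md; reference the commit that made that change or narrow the wording.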
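Review bot: In the CHANGELOG.md 4.0.0 "Changed" list, the line saying `.anchor/` is now committed with only `.anchor/cache/` ignored needs reconciling with the USAGE.md workspace listing in patch 1/2, which places generated output (`violations/`, `reports/`, `telemetry/`) under `.anchor/`, and with `anchor sync --restore` writing `.anchor/logs/sync.log`. Spell out which subdirectories are meant to be versioned and which should be ignored, so audit output and logs are not committed by accident.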