Skip to content

Fix PyPI bundling by moving governance files into anchor package and bump version to 4.1.1 #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Tanishq1030 merged 2 commits into from
Mar 22, 2026
Merged

Fix PyPI bundling by moving governance files into anchor package and bump version to 4.1.1 #9

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a6cce62
Fix PyPI bundling by moving governance files into anchor package and …
Tanishq1030 Mar 22, 2026
e2ca749
Fix CI integrity violation by using local governance files in workflow
Tanishq1030 Mar 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions .anchor/.anchor.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
version: 4.0.0
Copy link

Copilot AI Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a generated lockfile, and it’s pinned to version: 4.0.0 even though the package release is bumped to 4.1.1 (and the bundled constitution is 4.1). If this file is meant to be tracked, its version metadata should be kept consistent; otherwise it should be removed from the repo and covered by .gitignore along with other .anchor/ artifacts.

Suggested change
version: 4.0.0
version: 4.1.1

Copilot uses AI. Check for mistakes.
generated: '2026-03-18T00:00:00Z'
algorithm: sha256
offline_behaviour: warn
files:
domains/agentic.anchor: 659abaa294a1b1f062385a077b41d04fe75e0d708be89c6ef3ebb4ce69169703
domains/alignment.anchor: b8fbdbbabc5e82f620a354829f5a8d70c3e85198ccbc96a4c55bd070f3f3f9db
domains/ethics.anchor: d402bf6d69815bdb0074a9fa7a02ae57fcc349a4a5c359f6f128302be5f7c38c
domains/legal.anchor: b5c061c69526f254ce2e6eb8f046aeceb1313b4e6bb8d763bd97ae2b2722854f
domains/operational.anchor: 9784ffa88b352d49b5643a257fedc3cd88e5d4b4f4591bb5c8610b2ca1aef435
domains/privacy.anchor: aa9204e9a7693e0d70cb09b7d6bd375684cac3b5066a884d9e946baf953805cc
domains/security.anchor: b7756ded815bbe80959e1734badabbaa753608f82486045202c4be89f072b8f8
domains/shared.anchor: 9121d6b2978c307f1b8d1d9cbccfbb77a3df65e17fdf6d54cdda0eb2d5dc0619
domains/supply_chain.anchor: 493ae046e572724609bd46bba1d712f9e5b66c550148f45e723cd785f276f9e4
frameworks/FINOS_Framework.anchor: 60306678ec523f3cc1aca02f7ff23d62a1b22429f23e7994b92fc13a0ded174a
frameworks/NIST_AI_RMF.anchor: 1a0971b93737280564dca779b8bfb6c27552c791c7f0d5bb22a9ff9d11c59ca5
frameworks/OWASP_LLM.anchor: 63b3086c9ebbb78e45437cf73dc69e72b441683e72ccfeb1fa91ccb11a8921b9
government/CFPB_Regulations.anchor: 7005b47e40061e1d47c0ee42439c3c2897a701337359490b09f8113d6dc87ee7
government/EU_AI_Act.anchor: 05063bdd1d5af44d08cedba38bc9549b15ee567d056da7afa217d7da7a185416
government/FCA_Regulations.anchor: f23b61075d323be487b6218a2c0e353d8df445bf3e13904f977edf895123973e
government/RBI_Regulations.anchor: a69dcd38cb0306b6886c1c1aebe8594e9b4e45acbb48d16feeb64615edb9d2b7
government/SEBI_Regulations.anchor: 38dac4c568ecf52d89ee49b027b401d8e8a46b03b40d9f99e9bdf40534247a15
government/SEC_Regulations.anchor: b7819b6dd874892ef5005eb5033221ac4327146dc060239a1e3fbadaeecd4c07
1 change: 1 addition & 0 deletions .anchor/.anchor.sig
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
sha256:0edb5dad2a2dc26c956082c71224edba281569a76bbd41465fc8e6720cf58dd6
0 constitution.anchor → .anchor/constitution.anchor
View file
Open in desktop
File renamed without changes.
0 governance/domains/agentic.anchor → .anchor/domains/agentic.anchor
View file
Open in desktop
File renamed without changes.
0 governance/domains/alignment.anchor → .anchor/domains/alignment.anchor
View file
Open in desktop
File renamed without changes.
0 governance/domains/ethics.anchor → .anchor/domains/ethics.anchor
View file
Open in desktop
File renamed without changes.
0 governance/domains/legal.anchor → .anchor/domains/legal.anchor
View file
Open in desktop
File renamed without changes.
0 governance/domains/operational.anchor → .anchor/domains/operational.anchor
View file
Open in desktop
File renamed without changes.
0 governance/domains/privacy.anchor → .anchor/domains/privacy.anchor
View file
Open in desktop
File renamed without changes.
0 governance/domains/security.anchor → .anchor/domains/security.anchor
View file
Open in desktop
File renamed without changes.
0 governance/domains/shared.anchor → .anchor/domains/shared.anchor
View file
Open in desktop
File renamed without changes.
0 governance/domains/supply_chain.anchor → .anchor/domains/supply_chain.anchor
View file
Open in desktop
File renamed without changes.
0 governance/government/RBI_Regulations.anchor → .anchor/government/RBI_Regulations.anchor
View file
Open in desktop
File renamed without changes.
0 governance/mitigation.anchor → .anchor/mitigation.anchor
View file
Open in desktop
File renamed without changes.
17 changes: 17 additions & 0 deletions .anchor/reports/governance_audit.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# Anchor Governance Audit

**Status:** PASSED
**Timestamp:** 2026-03-18 21:55:12
**Source:** `D:\Anchor`
Copy link

Copilot AI Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This report file appears to be generated output (includes a machine-specific Windows path in Source:). Generated audit reports generally shouldn’t be committed; consider removing it from the repo and ignoring .anchor/reports/ to avoid noisy diffs and leaking local paths.

Suggested change
**Source:** `D:\Anchor`
**Source:** `Project root`

Copilot uses AI. Check for mistakes.

## Summary

| Category | Count |
|---|---|
| Blockers / Errors | 0 |
| Warnings | 0 |
| Info | 0 |
| Suppressed | 0 |
| Files Scanned | 61 |

> *Suppressed exceptions are authorized security bypasses — verify authors are correct.*
2 changes: 2 additions & 0 deletions .github/workflows/anchor-audit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ jobs:
python -m anchor check --exclude tests --exclude scripts --exclude docs --exclude demo .
env:
ANCHOR_STRICT: "true"
ANCHOR_CONSTITUTION_URL: "file://${{ github.workspace }}/anchor/governance/constitution.anchor"
ANCHOR_MITIGATION_URL: "file://${{ github.workspace }}/anchor/governance/mitigation.anchor"

- name: Generate Step Summary
if: always()
Expand Down
4 changes: 3 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ anchor_dev/
ENV/

# Anchor Specific
.anchor/
*.anchor.example
!governance/examples/*.anchor.example

Expand Down Expand Up @@ -54,3 +53,6 @@ docs_framework/
# Anchor Security & Governance (Local Settings)
/.anchor/violations/
/.anchor/telemetry/

# Anchor governance cache/logs
.anchor/logs/*.tmp
12 changes: 6 additions & 6 deletions MANIFEST.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,21 +5,21 @@
include README.md
include USAGE.md
include LICENSE
include constitution.anchor
include anchor/governance/constitution.anchor

recursive-include anchor *.py

# ── V4 Governance Files ───────────────────────────────────────────────────────
# Domain files, framework files, and example templates ship with the package.
# These are the federated governance files that anchor init copies into .anchor/

recursive-include governance/domains *.anchor
recursive-include governance/frameworks *.anchor
recursive-include governance/government *.anchor
recursive-include governance/examples *
recursive-include anchor/governance/domains *.anchor
recursive-include anchor/governance/frameworks *.anchor
recursive-include anchor/governance/government *.anchor
recursive-include anchor/governance/examples *

# ── Mitigation Catalog ────────────────────────────────────────────────────────
include governance/mitigation.anchor
include anchor/governance/mitigation.anchor

# ── Legacy Resources (V3 compatibility) ──────────────────────────────────────
recursive-include anchor/core/resources *
Expand Down
2 changes: 1 addition & 1 deletion anchor/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@
Anchor-Audit — The Federated Governance Engine for AI
"""

__version__ = "2.8.1"
__version__ = "4.1.1"
11 changes: 7 additions & 4 deletions anchor/cli.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,10 @@
from anchor.core.config import settings


from anchor import __version__

@click.group()
@click.version_option(version=__version__)
def cli():
"""
Anchor: The Federated Governance Engine for AI.
Expand Down Expand Up @@ -79,7 +82,8 @@ def init(domains, frameworks, regulators, sandbox, all_items, force, no_sign, po
# ── Package paths ─────────────────────────────────────────
package_root = os.path.dirname(os.path.abspath(__file__))
anchor_pkg_root = os.path.dirname(package_root)
Copy link

Copilot AI Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

anchor_pkg_root is now computed but no longer used after switching governance_root to live under package_root. Removing the unused variable will avoid confusion and keep linters happy.

Suggested change
anchor_pkg_root = os.path.dirname(package_root)

Copilot uses AI. Check for mistakes.
governance_root = os.path.join(anchor_pkg_root, "governance")
# The governance files are now bundled inside the anchor package
governance_root = os.path.join(package_root, "governance")

AVAILABLE_DOMAINS = {
"security": "domains/security.anchor",
Expand Down Expand Up @@ -260,7 +264,7 @@ def copy_file(relative_path, label):
# ── Deploy manifest and example files ─────────────────────
examples_dir = os.path.join(governance_root, "examples")
# Copy master manifest as the project manifest
master_manifest = os.path.join(anchor_pkg_root, "constitution.anchor")
master_manifest = os.path.join(governance_root, "constitution.anchor")
dot_anchor_manifest = os.path.join(dot_anchor, "constitution.anchor")
Comment on lines 264 to 268
Copy link

Copilot AI Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

init() still expects constitution.anchor.example and policy.anchor.example under ${governance_root}/examples, but those example templates were removed from the repo (and anchor/governance/examples/ currently only contains logo.png). Either re-add the templates under anchor/governance/examples/ (and ensure they’re packaged) or remove/update this copy step and the policy_template reference to .anchor/constitution.anchor.example.

Copilot uses AI. Check for mistakes.
if os.path.exists(master_manifest) and (not os.path.exists(dot_anchor_manifest) or force):
shutil.copy2(master_manifest, dot_anchor_manifest)
Expand Down Expand Up @@ -632,8 +636,7 @@ def check(ctx, policy, paths, dir, model, metadata, context, server_mode, genera
rule_dict = {}

package_root = os.path.dirname(os.path.abspath(__file__))
anchor_pkg_root = os.path.dirname(package_root)
governance_root_path = os.path.join(anchor_pkg_root, "governance")
governance_root_path = os.path.join(package_root, "governance")

# A. Load rule metadata from V4 federated domain files
loaded = None
Expand Down
4 changes: 2 additions & 2 deletions anchor/core/constitution.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,8 @@


# SHA-256 of the official legacy files (optional in V3).
CONSTITUTION_SHA256 = "A2F164DCE626688188F969C45C79EC2C6DC819820C20BACDF1151F588AD269A5"
MITIGATION_SHA256 = "45F3F8513C63DB3BDC26960F27CFD92647AF3747F4D3857748F0998B8431C74B"
CONSTITUTION_SHA256 = "E292674E571C32273E5C227DFD5F77379B5C15E07E6272C228C39BF91B5C8D79"
MITIGATION_SHA256 = "E38500AB08E5071B258B2508DBA84D230D03DB4F17949D348E9219D80F77C7BE"


# =============================================================================
Expand Down
145 changes: 145 additions & 0 deletions anchor/governance/constitution.anchor
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,145 @@
# ─────────────────────────────────────────────────────────────
# Anchor V4 — Root Constitution
# type: manifest
# ─────────────────────────────────────────────────────────────

type: manifest
version: "4.1"
anchor_version: ">=4.0.0"
name: "Anchor Constitutional Root"

core_domains:
- path: domains/security.anchor
namespace: SEC
required: true

- path: domains/ethics.anchor
namespace: ETH
required: true

- path: domains/shared.anchor
namespace: SHR
required: true

- path: domains/alignment.anchor
namespace: ALN
required: true

- path: domains/agentic.anchor
namespace: AGT
required: true

- path: domains/privacy.anchor
namespace: PRV
required: true

- path: domains/legal.anchor
namespace: LEG
required: true

- path: domains/operational.anchor
namespace: OPS
required: true

- path: domains/supply_chain.anchor
namespace: SUP
required: true

frameworks:
- path: frameworks/FINOS_Framework.anchor
namespace: FINOS
source: "FINOS AI Governance Framework"
active: true

- path: frameworks/OWASP_LLM.anchor
namespace: OWASP
source: "OWASP LLM Top 10 2025"
active: false

- path: frameworks/NIST_AI_RMF.anchor
namespace: NIST
source: "NIST AI RMF 1.0"
active: false

regulators:
- path: government/RBI_Regulations.anchor
namespace: RBI
source: "RBI FREE-AI Report August 2025"
active: false

- path: government/EU_AI_Act.anchor
namespace: EU
source: "EU AI Act 2024/1689"
active: false

- path: government/SEBI_Regulations.anchor
namespace: SEBI
source: "SEBI AI/ML Consultation 2024-2025"
active: false

- path: government/CFPB_Regulations.anchor
namespace: CFPB
source: "CFPB Regulation B + 2024 Guidance"
active: false

- path: government/FCA_Regulations.anchor
namespace: FCA
source: "FCA AI Governance Guidance 2024"
active: false

- path: government/SEC_Regulations.anchor
namespace: USSEC
source: "SEC 2026 Examination Priorities"
active: false

policy:
path: policy.anchor
enforce_raise_only: true
allow_custom_rules: true
custom_rule_prefix: "INTERNAL"

# ── LEGACY ALIASES ───────────────────────────────────────────
# V3 → FINOS → V4 domain rule
# Full chain: ANC-NNN → FINOS-NNN → domain rule
# FINOS_Framework.anchor is the Rosetta Stone.

legacy_aliases:
ANC-001: FINOS-001
ANC-002: FINOS-002
ANC-003: FINOS-003
ANC-004: FINOS-004
ANC-005: FINOS-005
ANC-006: FINOS-006
ANC-007: FINOS-007
ANC-008: FINOS-008
ANC-009: FINOS-009
ANC-010: FINOS-010
ANC-011: FINOS-011
ANC-012: FINOS-012
ANC-013: FINOS-013
ANC-014: FINOS-014
ANC-015: FINOS-015
ANC-016: FINOS-016
ANC-017: FINOS-017
ANC-018: FINOS-018
ANC-019: FINOS-019
ANC-020: FINOS-020
ANC-021: FINOS-021
ANC-022: FINOS-022
ANC-023: FINOS-023
Comment on lines +103 to +129
Copy link

Copilot AI Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The legacy_aliases mapping currently assumes a 1:1 ANC→FINOS ID mapping. That conflicts with how the ANC IDs are used in governance/mitigation.anchor (e.g. ANC-001 is “Hosted Model Leakage” there, but FINOS-001 is “Prompt Injection” in frameworks/FINOS_Framework.anchor). Because the loader uses this alias chain to attach mitigation patterns, this will misattribute detections to the wrong FINOS/domain rules; the alias map should be updated to reflect the real ANC→FINOS correspondence.

Suggested change
# Full chain: ANC-NNN → FINOS-NNN → domain rule
# FINOS_Framework.anchor is the Rosetta Stone.
legacy_aliases:
ANC-001: FINOS-001
ANC-002: FINOS-002
ANC-003: FINOS-003
ANC-004: FINOS-004
ANC-005: FINOS-005
ANC-006: FINOS-006
ANC-007: FINOS-007
ANC-008: FINOS-008
ANC-009: FINOS-009
ANC-010: FINOS-010
ANC-011: FINOS-011
ANC-012: FINOS-012
ANC-013: FINOS-013
ANC-014: FINOS-014
ANC-015: FINOS-015
ANC-016: FINOS-016
ANC-017: FINOS-017
ANC-018: FINOS-018
ANC-019: FINOS-019
ANC-020: FINOS-020
ANC-021: FINOS-021
ANC-022: FINOS-022
ANC-023: FINOS-023
# NOTE: ANC IDs in governance/mitigation.anchor do not have a
# simple 1:1 correspondence with FINOS framework IDs.
# To avoid misattributing detections to the wrong FINOS
# or domain rules, ANC→FINOS aliases are intentionally
# disabled here. Add only verified mappings if/when a
# correct crosswalk is available.
#
# FINOS_Framework.anchor remains the Rosetta Stone for
# FINOS→domain rule mappings.
legacy_aliases: {}

Copilot uses AI. Check for mistakes.


engine:
fail_on: [BLOCKER, ERROR]
warn_on: [WARNING]
info_on: [INFO]
seal_check: strict
unknown_namespace: reject
suppress_tracking: true
suppress_requires_reason: true

output:
formats: [json, markdown]
report_path: ".anchor/reports/"
telemetry_path: ".anchor/telemetry/"
include_git_blame: true
Loading
Loading