|
| 1 | +# Agentic Graph Contract Validation |
| 2 | + |
| 3 | +Status: draft |
| 4 | +Related spec: `SourceOS-Linux/sourceos-spec#94` |
| 5 | +Related tracker: `SourceOS-Linux/sourceos-spec#86` |
| 6 | + |
| 7 | +## Purpose |
| 8 | + |
| 9 | +This document defines the first `sourceosctl` tooling slice for the SourceOS/SociOS local-first agentic graph foundation. |
| 10 | + |
| 11 | +The M1 objective is intentionally bounded: validate `.sourceos/manifest.json`, scan repos for contract posture, and provide non-mutating doctor/explain commands before runtime sync, agent, browser, shell, or relay integrations begin. |
| 12 | + |
| 13 | +## Commands |
| 14 | + |
| 15 | +### Validate a contract file |
| 16 | + |
| 17 | +```bash |
| 18 | +python3 bin/sourceosctl contract validate .sourceos/manifest.json |
| 19 | +python3 bin/sourceosctl contract validate .sourceos/manifest.json --json |
| 20 | +``` |
| 21 | + |
| 22 | +The first validator pass checks JSON parseability and the minimum `SourceOSRepoManifest` shape. |
| 23 | + |
| 24 | +### Scan one repo |
| 25 | + |
| 26 | +```bash |
| 27 | +python3 bin/sourceosctl repo scan . |
| 28 | +python3 bin/sourceosctl repo scan . --json |
| 29 | +``` |
| 30 | + |
| 31 | +The repo scanner checks for `.sourceos/manifest.json` and reports whether it is compliant, missing, or invalid. |
| 32 | + |
| 33 | +### Scan an estate root |
| 34 | + |
| 35 | +```bash |
| 36 | +python3 bin/sourceosctl estate scan ~/dev |
| 37 | +python3 bin/sourceosctl estate scan ~/dev --json |
| 38 | +``` |
| 39 | + |
| 40 | +The estate scanner checks immediate child repos for `.sourceos/manifest.json` and reports each repo status. |
| 41 | + |
| 42 | +### Inspect graph/sync posture |
| 43 | + |
| 44 | +```bash |
| 45 | +python3 bin/sourceosctl graph doctor |
| 46 | +python3 bin/sourceosctl sync doctor |
| 47 | +``` |
| 48 | + |
| 49 | +These are non-mutating posture probes. Runtime graph and sync backends are not configured in `sourceos-devtools` yet. |
| 50 | + |
| 51 | +### Explain a policy/audit JSON file |
| 52 | + |
| 53 | +```bash |
| 54 | +python3 bin/sourceosctl policy explain path/to/decision-or-audit.json |
| 55 | +``` |
| 56 | + |
| 57 | +This prints the available decision/outcome, reason, policy ID, and policy domain fields. |
| 58 | + |
| 59 | +## M1 validation statuses |
| 60 | + |
| 61 | +The scanner uses these status classes: |
| 62 | + |
| 63 | +- `compliant` |
| 64 | +- `missing-manifest` |
| 65 | +- `invalid-manifest` |
| 66 | + |
| 67 | +Future hardening should add: |
| 68 | + |
| 69 | +- `partial` |
| 70 | +- `missing-required-engine` |
| 71 | +- `missing-policy-class` |
| 72 | +- `missing-audit-events` |
| 73 | +- `schema-version-mismatch` |
| 74 | +- `authority-repo-mismatch` |
| 75 | + |
| 76 | +## Current limitations |
| 77 | + |
| 78 | +- The validator is dependency-light and does not yet perform full JSON Schema draft 2020-12 validation. |
| 79 | +- Schema loading from `SourceOS-Linux/sourceos-spec` is not yet vendored or pinned. |
| 80 | +- Estate scanning currently checks immediate child directories only. |
| 81 | +- Runtime SourceGraph, SourceSync, SourcePolicy, and SourceChannel backends are not configured in this repo. |
| 82 | + |
| 83 | +## Acceptance criteria for this slice |
| 84 | + |
| 85 | +1. `sourceos-devtools` declares a `.sourceos/manifest.json`. |
| 86 | +2. `sourceosctl contract validate` can validate the local manifest shape. |
| 87 | +3. `sourceosctl repo scan` can classify a repo manifest. |
| 88 | +4. `sourceosctl estate scan` can classify child repos with manifests. |
| 89 | +5. `sourceosctl graph doctor`, `sourceosctl sync doctor`, and `sourceosctl policy explain` are present and non-mutating. |
| 90 | +6. Tests cover manifest validation, repo scan, and doctor commands. |
0 commit comments