Merge PallasGuard governance into DocSentinel#14
Merged
Conversation
added 10 commits
June 30, 2026 22:59
- Created feat/pallasguard-merge branch and restored PallasGuard reference source under ignored _pallasguard_src/.\n- Added merge exclusions documentation without copying proprietary source content.\n- Baseline checks: pip install via Python 3.11 virtualenv passed; pytest -q passed (80 passed); frontend npm ci && npm run build passed.\n- Sensitive-content grep produced no matches.
- Raised Python metadata to 3.11+ and switched from langchain/langchain-community to LangChain 1.x core plus standalone provider packages.\n- Added LangGraph, Alembic, PyYAML, SQLModel, passlib, and python-jose as explicit dependencies; optional Redis/metrics packages are exposed via a governance-infra extra.\n- Migrated Ollama, Chroma, and HuggingFace embedding imports to standalone LangChain integration packages.\n- Validation: pip install -r requirements.txt passed; old langchain/langchain-community packages uninstalled; pip check passed; LangGraph smoke import passed; LangChain 0.x grep produced no matches; pytest -q passed (80 passed); sensitive-content grep produced no matches.
- Added AGENT_LLM_MODE=anthropic_compat support through DocSentinel's existing get_llm() factory.\n- Added governance and optional-infra settings needed by later phases.\n- Added runtime LLM config persistence, startup load_and_apply(), and gitignore coverage for local config secrets.\n- Added LLM text redaction helpers and Phase 2 tests for provider construction, runtime config persistence, and PII redaction.\n- Validation: deepseek and anthropic_compat get_llm smoke commands passed; sanitize_text redaction command passed; changed-file ruff check passed; pytest -q passed (84 passed); sensitive-content grep produced no matches.
- Introduced Alembic with SQLModel metadata and generated the initial governance schema migration.\n- Added SQLModel governance models for projects, submissions, controls, obligations, questionnaires, org framework config, audits, prompt audits, sub-agent runs, and knowledge records.\n- Kept DocSentinel's existing User model as the authority and added governance roles plus role-check helpers.\n- Moved DB URL to settings, added startup migration check and optional local seed helper.\n- Validation: alembic upgrade head passed on empty SQLite; alembic downgrade base passed; governance project/submission/control CRUD test passed; assessment regression tests included in pytest -q passed (86 passed); sensitive-content grep produced no matches.
Validation:\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/python -c "from app.agent.graph.graph_topology import GRAPH_REGISTRY, mermaid_ssdlc_lifecycle; print(sorted(GRAPH_REGISTRY)); print(mermaid_ssdlc_lifecycle().splitlines()[0])"\n- .venv/bin/ruff check app/agent/graph app/agent/orchestrator.py tests/test_orchestrator.py\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q tests/test_orchestrator.py\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q\n- grep -rniE "TOM Automation Platform|tap_column_label|\[Vendor\]|TAP_INTEGRATION" app/ docs/ policy_packs/ frontend/ --exclude-dir=_pallasguard_src (no matches)
Validation:\n- GET /api/v1/policy-packs returns generic-ssdlc plus 8 overlays (covered by tests/test_governance_phase5.py)\n- KB ingest single entry writes Chroma/GraphRAG path and graphify Light RAG artifacts (covered by tests/test_governance_phase5.py)\n- Pallas Lens scores a project with evidence (covered by tests/test_governance_phase5.py)\n- .venv/bin/ruff check app/api/governance app/services/policy_pack.py app/services/schema_service.py app/services/excel_contracts.py app/services/excel_gate1.py app/services/excel_scd.py app/services/light_rag.py app/services/graphify_kb.py app/services/s2o_rule_engine.py app/services/pallas_lens.py app/services/control_generator.py app/services/questionnaire_generator.py app/kb/service.py app/api/kb.py app/core/config.py app/main.py tests/test_governance_phase5.py\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q tests/test_governance_phase5.py\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q\n- grep -rniE "TOM Automation Platform|tap_column_label|\[Vendor\]|TAP_INTEGRATION" app/ docs/ policy_packs/ frontend/ --exclude-dir=_pallasguard_src (no matches)\n\nNotes:\n- PallasGuard source did not include frontend/public/tools/* or policy_packs/tools/*.html; only policy_packs/tools/README.md was available to migrate.\n- Excluded private/local/internal policy-pack directories; none were present in the source clone.
Phase 6 validation: PASS: cd frontend && npm run build PASS: .venv/bin/pytest -q PASS: sensitive-content grep returned no matches PASS: docker compose up -d --build; app started and /health returned ok PASS: docker compose --profile full up -d; app/postgres/redis started, postgres and redis reached healthy state
Phase 7 validation: PASS: .venv/bin/pytest -q (92 passed) PASS: cd frontend && npm run build PASS: .venv/bin/pre-commit run --all-files PASS: docker compose up -d --build; app started and /health returned ok PASS: docker compose --profile full up -d; app/postgres/redis started, postgres and redis reached healthy state PASS: sensitive-content grep returned no matches Notes: pre-commit applied mechanical whitespace, EOF, ruff-format, and pyupgrade fixes to existing tracked files.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR merges PallasGuard governance capabilities into DocSentinel while preserving DocSentinel history, public assets, CI, examples, MCP/A2A gateway, React console, and existing assessment behavior.
It also includes the first post-merge roadmap feature: OSCAL/OpenCRE governance exports for compliance-as-code interoperability.
Phase Commits
[mergeP0]Establish merge baseline, branch, exclusions, and regression baseline.[mergeP1]Converge dependencies on LangChain/LangGraph 1.x.[mergeP2]Merge LLM configuration and safety support.[mergeP3]Add SQLModel governance models and Alembic schema migration.[mergeP4]Introduce governance agent graph while preserving assessment service contracts.[mergeP5]Merge policy packs, governance services, Pallas Lens, Excel helpers, knowledge-base ingestion, and governance APIs.[mergeP6]Add governance frontend, JWT login, optional metrics wiring, and optional Postgres/Redis Compose profile.[mergeP7]Update documentation, migration guide, environment template, exclusions, and final validation records.feat: add OSCAL governance exportsadds/api/v1/oscal/catalogand/api/v1/projects/{project_id}/oscal/assessment-results, with OpenCRE links, docs, tests, OpenAPI, and generated frontend API types.Validation
pytest -q-> 94 passed.pytest -q tests/test_oscal_export.py-> 2 passed.cd frontend && npm run build-> passed.pre-commit run --all-files-> passed.python scripts/export_contracts.py --check-> passed.docker compose up -d --build-> app started and/healthOK.docker compose --profile full up -d-> app, Postgres, and Redis started healthy./consoleroutes passed._pallasguard_src, or high-confidence secret patterns found in current tree or git history.Notes
pymupdfremains a legacy PDF fallback dependency and is AGPL/commercial dual licensed; this should be reviewed if the project wants a strictly permissive dependency posture.Rollback
Each merge phase is intentionally isolated. If a regression appears, revert the matching
[mergeP{n}]commit and rerun that phase's acceptance commands before continuing. The OSCAL/OpenCRE export feature is isolated infeat: add OSCAL governance exports.