Skip to content

Merge PallasGuard governance into DocSentinel#14

Merged
arthurpanhku merged 10 commits into
mainfrom
feat/pallasguard-merge
Jul 1, 2026
Merged

Merge PallasGuard governance into DocSentinel#14
arthurpanhku merged 10 commits into
mainfrom
feat/pallasguard-merge

Conversation

@arthurpanhku

@arthurpanhku arthurpanhku commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Summary

This PR merges PallasGuard governance capabilities into DocSentinel while preserving DocSentinel history, public assets, CI, examples, MCP/A2A gateway, React console, and existing assessment behavior.

It also includes the first post-merge roadmap feature: OSCAL/OpenCRE governance exports for compliance-as-code interoperability.

Phase Commits

  • [mergeP0] Establish merge baseline, branch, exclusions, and regression baseline.
  • [mergeP1] Converge dependencies on LangChain/LangGraph 1.x.
  • [mergeP2] Merge LLM configuration and safety support.
  • [mergeP3] Add SQLModel governance models and Alembic schema migration.
  • [mergeP4] Introduce governance agent graph while preserving assessment service contracts.
  • [mergeP5] Merge policy packs, governance services, Pallas Lens, Excel helpers, knowledge-base ingestion, and governance APIs.
  • [mergeP6] Add governance frontend, JWT login, optional metrics wiring, and optional Postgres/Redis Compose profile.
  • [mergeP7] Update documentation, migration guide, environment template, exclusions, and final validation records.
  • feat: add OSCAL governance exports adds /api/v1/oscal/catalog and /api/v1/projects/{project_id}/oscal/assessment-results, with OpenCRE links, docs, tests, OpenAPI, and generated frontend API types.

Validation

  • Backend tests: pytest -q -> 94 passed.
  • OSCAL export tests: pytest -q tests/test_oscal_export.py -> 2 passed.
  • Frontend build: cd frontend && npm run build -> passed.
  • Pre-commit: pre-commit run --all-files -> passed.
  • Contract check: python scripts/export_contracts.py --check -> passed.
  • Docker default profile: docker compose up -d --build -> app started and /health OK.
  • Docker full profile: docker compose --profile full up -d -> app, Postgres, and Redis started healthy.
  • E2E smoke: login, project creation, controls, evidence upload, Pallas Lens, questionnaire, Gate 1 submit/review, and frontend /console routes passed.
  • Sensitive-content grep: zero matches for the required TAP/vendor/private-content patterns.
  • Open-source readiness audit: no committed secrets, databases, private policy packs, _pallasguard_src, or high-confidence secret patterns found in current tree or git history.

Notes

  • Real assessment report generation still requires a configured LLM provider. Without Ollama/API key, assessment jobs are accepted but fail at generation time, which is expected for an unconfigured local environment.
  • pymupdf remains a legacy PDF fallback dependency and is AGPL/commercial dual licensed; this should be reviewed if the project wants a strictly permissive dependency posture.
  • OSCAL payloads are currently pragmatic OSCAL-style JSON exports. A future increment can add strict OSCAL schema validation and true OpenCRE registry IDs.

Rollback

Each merge phase is intentionally isolated. If a regression appears, revert the matching [mergeP{n}] commit and rerun that phase's acceptance commands before continuing. The OSCAL/OpenCRE export feature is isolated in feat: add OSCAL governance exports.

PAN CHAO added 10 commits June 30, 2026 22:59
- Created feat/pallasguard-merge branch and restored PallasGuard reference source under ignored _pallasguard_src/.\n- Added merge exclusions documentation without copying proprietary source content.\n- Baseline checks: pip install via Python 3.11 virtualenv passed; pytest -q passed (80 passed); frontend npm ci && npm run build passed.\n- Sensitive-content grep produced no matches.
- Raised Python metadata to 3.11+ and switched from langchain/langchain-community to LangChain 1.x core plus standalone provider packages.\n- Added LangGraph, Alembic, PyYAML, SQLModel, passlib, and python-jose as explicit dependencies; optional Redis/metrics packages are exposed via a governance-infra extra.\n- Migrated Ollama, Chroma, and HuggingFace embedding imports to standalone LangChain integration packages.\n- Validation: pip install -r requirements.txt passed; old langchain/langchain-community packages uninstalled; pip check passed; LangGraph smoke import passed; LangChain 0.x grep produced no matches; pytest -q passed (80 passed); sensitive-content grep produced no matches.
- Added AGENT_LLM_MODE=anthropic_compat support through DocSentinel's existing get_llm() factory.\n- Added governance and optional-infra settings needed by later phases.\n- Added runtime LLM config persistence, startup load_and_apply(), and gitignore coverage for local config secrets.\n- Added LLM text redaction helpers and Phase 2 tests for provider construction, runtime config persistence, and PII redaction.\n- Validation: deepseek and anthropic_compat get_llm smoke commands passed; sanitize_text redaction command passed; changed-file ruff check passed; pytest -q passed (84 passed); sensitive-content grep produced no matches.
- Introduced Alembic with SQLModel metadata and generated the initial governance schema migration.\n- Added SQLModel governance models for projects, submissions, controls, obligations, questionnaires, org framework config, audits, prompt audits, sub-agent runs, and knowledge records.\n- Kept DocSentinel's existing User model as the authority and added governance roles plus role-check helpers.\n- Moved DB URL to settings, added startup migration check and optional local seed helper.\n- Validation: alembic upgrade head passed on empty SQLite; alembic downgrade base passed; governance project/submission/control CRUD test passed; assessment regression tests included in pytest -q passed (86 passed); sensitive-content grep produced no matches.
Validation:\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/python -c "from app.agent.graph.graph_topology import GRAPH_REGISTRY, mermaid_ssdlc_lifecycle; print(sorted(GRAPH_REGISTRY)); print(mermaid_ssdlc_lifecycle().splitlines()[0])"\n- .venv/bin/ruff check app/agent/graph app/agent/orchestrator.py tests/test_orchestrator.py\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q tests/test_orchestrator.py\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q\n- grep -rniE "TOM Automation Platform|tap_column_label|\[Vendor\]|TAP_INTEGRATION" app/ docs/ policy_packs/ frontend/ --exclude-dir=_pallasguard_src (no matches)
Validation:\n- GET /api/v1/policy-packs returns generic-ssdlc plus 8 overlays (covered by tests/test_governance_phase5.py)\n- KB ingest single entry writes Chroma/GraphRAG path and graphify Light RAG artifacts (covered by tests/test_governance_phase5.py)\n- Pallas Lens scores a project with evidence (covered by tests/test_governance_phase5.py)\n- .venv/bin/ruff check app/api/governance app/services/policy_pack.py app/services/schema_service.py app/services/excel_contracts.py app/services/excel_gate1.py app/services/excel_scd.py app/services/light_rag.py app/services/graphify_kb.py app/services/s2o_rule_engine.py app/services/pallas_lens.py app/services/control_generator.py app/services/questionnaire_generator.py app/kb/service.py app/api/kb.py app/core/config.py app/main.py tests/test_governance_phase5.py\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q tests/test_governance_phase5.py\n- PYTHONDONTWRITEBYTECODE=1 .venv/bin/pytest -q\n- grep -rniE "TOM Automation Platform|tap_column_label|\[Vendor\]|TAP_INTEGRATION" app/ docs/ policy_packs/ frontend/ --exclude-dir=_pallasguard_src (no matches)\n\nNotes:\n- PallasGuard source did not include frontend/public/tools/* or policy_packs/tools/*.html; only policy_packs/tools/README.md was available to migrate.\n- Excluded private/local/internal policy-pack directories; none were present in the source clone.
Phase 6 validation:

PASS: cd frontend && npm run build

PASS: .venv/bin/pytest -q

PASS: sensitive-content grep returned no matches

PASS: docker compose up -d --build; app started and /health returned ok

PASS: docker compose --profile full up -d; app/postgres/redis started, postgres and redis reached healthy state
Phase 7 validation:

PASS: .venv/bin/pytest -q (92 passed)

PASS: cd frontend && npm run build

PASS: .venv/bin/pre-commit run --all-files

PASS: docker compose up -d --build; app started and /health returned ok

PASS: docker compose --profile full up -d; app/postgres/redis started, postgres and redis reached healthy state

PASS: sensitive-content grep returned no matches

Notes: pre-commit applied mechanical whitespace, EOF, ruff-format, and pyupgrade fixes to existing tracked files.
@arthurpanhku arthurpanhku marked this pull request as ready for review July 1, 2026 03:30
@arthurpanhku arthurpanhku merged commit 770236e into main Jul 1, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant