generated from coulomb/repo-seed
Implement local runtime persistence and policy gates
This commit is contained in:
@@ -4,7 +4,7 @@ type: workplan
|
||||
title: "Policy, Audit, And Review Gates"
|
||||
domain: markitect
|
||||
repo: phase-memory
|
||||
status: proposed
|
||||
status: finished
|
||||
owner: phase-memory
|
||||
topic_slug: policy-audit
|
||||
planning_priority: P1
|
||||
@@ -52,11 +52,38 @@ activations, writes, compactions, and phase transitions.
|
||||
- Do not make `flex-auth` a hard dependency.
|
||||
- Do not store or expose secrets in test fixtures.
|
||||
|
||||
## Implementation Update - 2026-05-18
|
||||
|
||||
The policy, audit, and review-gate slice is complete.
|
||||
|
||||
Implemented outputs:
|
||||
|
||||
- `phase_memory.policy` defines canonical memory operation points, audit event
|
||||
schema helpers, review-record helpers, activation policy checks, and
|
||||
deterministic redaction.
|
||||
- `ReviewRecord` and `ReviewDecision` model structured local approvals and
|
||||
rejections for review-gated lifecycle actions.
|
||||
- Runtime audit events now use `phase_memory.audit.event.v1` and carry policy
|
||||
decisions, source references, dry-run flags, actor labels, and subjects.
|
||||
- `apply_lifecycle_actions` rejects review-required actions unless the caller
|
||||
provides a matching approved review record or explicit local approval marker.
|
||||
- Activation planning can evaluate required labels, denied labels, trust zones,
|
||||
secret denial, reauthorization, and freshness policy context before package
|
||||
selection.
|
||||
- Policy-denied activation nodes are omitted and returned as redacted denial
|
||||
records with diagnostics.
|
||||
- `docs/policy-audit.md` documents operation points, review records,
|
||||
activation policy, audit envelopes, and ownership boundaries.
|
||||
|
||||
Validation:
|
||||
|
||||
- `python3 -m pytest` -> 36 passed.
|
||||
|
||||
## T01 - Define memory operation policy points
|
||||
|
||||
```task
|
||||
id: PMEM-WP-0004-T01
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "1231b7bf-b23c-498d-a9d6-a6ee307aa3d4"
|
||||
```
|
||||
@@ -82,7 +109,7 @@ the right boundary.
|
||||
|
||||
```task
|
||||
id: PMEM-WP-0004-T02
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "b989d43c-eb25-4663-afd1-a54673ad565a"
|
||||
```
|
||||
@@ -107,7 +134,7 @@ Output: review record model and approval checks in the runtime facade.
|
||||
|
||||
```task
|
||||
id: PMEM-WP-0004-T03
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "6b677c18-7135-4d54-9e46-5116645d2ebe"
|
||||
```
|
||||
@@ -122,7 +149,7 @@ and deletion requests cannot be applied silently.
|
||||
|
||||
```task
|
||||
id: PMEM-WP-0004-T04
|
||||
status: todo
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "6f07087b-e6e2-469a-9bce-71bfd21cb633"
|
||||
```
|
||||
@@ -143,7 +170,7 @@ for policy-denied records.
|
||||
|
||||
```task
|
||||
id: PMEM-WP-0004-T05
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "bb6461a8-9181-4b88-a152-334668b22208"
|
||||
```
|
||||
@@ -169,7 +196,7 @@ apply operations.
|
||||
|
||||
```task
|
||||
id: PMEM-WP-0004-T06
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "dcdec3af-d20f-43ba-b12e-6febc4347d38"
|
||||
```
|
||||
@@ -183,7 +210,7 @@ Output: redaction utility, denied activation examples, and regression tests.
|
||||
|
||||
```task
|
||||
id: PMEM-WP-0004-T07
|
||||
status: todo
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "c4e0bdff-5047-4fe5-ab86-e422d4b1a17e"
|
||||
```
|
||||
@@ -202,3 +229,26 @@ review-required operations.
|
||||
- Review-required actions fail closed without an explicit review record.
|
||||
- The policy layer remains adapter-based and does not become an identity
|
||||
platform.
|
||||
|
||||
## Closure Review - 2026-05-18
|
||||
|
||||
**Outcome:** All tasks completed.
|
||||
|
||||
### Completed
|
||||
|
||||
- PMEM-WP-0004-T01 - Define memory operation policy points
|
||||
- PMEM-WP-0004-T02 - Add review authorization records
|
||||
- PMEM-WP-0004-T03 - Enforce durable write gates
|
||||
- PMEM-WP-0004-T04 - Add activation policy checks
|
||||
- PMEM-WP-0004-T05 - Add audit event schema
|
||||
- PMEM-WP-0004-T06 - Add redaction and denial diagnostics
|
||||
- PMEM-WP-0004-T07 - Document policy and audit guarantees
|
||||
|
||||
### Cancelled
|
||||
|
||||
None.
|
||||
|
||||
### Carried Forward
|
||||
|
||||
Optional Markitect validation and context-package compiler bridge behavior
|
||||
remain in PMEM-WP-0005.
|
||||
|
||||
Reference in New Issue
Block a user