build(agent): new-agents-2#7e3bbc iteration

AGENTS.md

@@ -26,5 +26,10 @@ Contribution rules
 - Add tests for new features; ensure all tests pass before merging
 - Do not push to remote unless explicitly requested
 
-Notes
+- Notes
 - This is a multi-organization, highway-to-production project. The MVP emphasizes determinism, data locality, and governance transparency.
+- Architecture augmentation for GuardRailOps MVP (federated IR):
+- 1) Governance scaffolds: GovernanceLedger, PrivacyBudget, and a minimal AuditLog flow for provenance.
+- 2) Graph-of-Contracts skeleton: GoCRegistry for contract/adaptor metadata with a tiny in-memory store.
+- 3) Adapters marketplace: AdapterMarketplace container to register and discover adapters (e.g., SIEM/EDR).
+- 4) Existing core primitives (LocalIRTask, SharedTelemetry, PlanDelta) remain the core DSL, extended for privacy-preserving telemetry and deterministic delta-reconciliation.

src/idea138_guardrailops_federated_verifiable/__init__.py

@@ -64,6 +64,9 @@ class DeltaSyncEngine:
         for change in delta.changes:
             # Each change should be a dict with 'key' and 'value' and optional 'op'
             key = change.get("key")
+            # Guard against non-string keys to keep state dict coherent
+            if not isinstance(key, str):
+                continue
             value = change.get("value")
             op = change.get("op", "set")
             if op == "set":
@@ -91,4 +94,71 @@ __all__ = [
     "PlanDelta",
     "AuditLogEntry",
     "DeltaSyncEngine",
+    # Federation & governance scaffolds
+    "PrivacyBudget",
+    "RegistryEntry",
+    "GovernanceLedger",
+    "GoCRegistry",
+    "AdapterMarketplace",
 ]
+
+
+@dataclass
+class PrivacyBudget:
+    """Privacy budget for telemetry sharing per-signal and overall budget."""
+    per_signal: Dict[str, float] = field(default_factory=dict)
+    total_budget: float = 1.0
+    timestamp: float = field(default_factory=time.time)
+
+
+@dataclass
+class RegistryEntry:
+    """Minimal, vendor-agnostic registry entry for a GoC contract or adapter."""
+    adapter_id: str
+    contract_version: str
+    data_contract: Dict[str, Any] = field(default_factory=dict)
+    timestamp: float = field(default_factory=time.time)
+
+
+class GovernanceLedger:
+    """Append-only, cryptographically-signed governance ledger (scaffold)."""
+
+    def __init__(self) -> None:
+        self.entries: List[AuditLogEntry] = []
+
+    def append(self, entry: AuditLogEntry) -> None:
+        self.entries.append(entry)
+
+    def verify(self, entry: AuditLogEntry, key: str) -> bool:
+        if not entry.signature:
+            return False
+        # Recompute signature with provided key and compare
+        data = f"{entry.entry_id}:{entry.event}:{entry.detail}:{key}"
+        expected = hashlib.sha256(data.encode()).hexdigest()
+        return expected == entry.signature
+
+
+class GoCRegistry:
+    """Skeleton Graph-of-Contracts registry (in-memory)."""
+
+    def __init__(self) -> None:
+        self._registry: Dict[str, RegistryEntry] = {}
+
+    def register_contract(self, contract_id: str, entry: RegistryEntry) -> None:
+        self._registry[contract_id] = entry
+
+    def get_contract(self, contract_id: str) -> RegistryEntry | None:
+        return self._registry.get(contract_id)
+
+
+class AdapterMarketplace:
+    """Lightweight registry of adapters available for use."""
+
+    def __init__(self) -> None:
+        self._adapters: Dict[str, Any] = {}
+
+    def register_adapter(self, name: str, adapter: Any) -> None:
+        self._adapters[name] = adapter
+
+    def get_adapter(self, name: str) -> Any | None:
+        return self._adapters.get(name)